Category Archives: data protection

Back to School: Cybersecurity in the Classroom

It’s hard to believe that summer is coming to an end and that back-to-school time is around the corner. For some kids, that means cyberbullies are traded in for school bullies and social engagement will turn into in-person interactions. But for others — dubbed Extreme Internet Users — the screen stays. When it comes time to go back to the classroom, the six hours or more a day these kids spent online during summer may be curtailed in favor of educational screen time instead.

Every year around this time, I reflect on how much has changed for children, especially when it comes to mobile devices in the classroom. This trend is on the rise as technology improves, education adapts to rapid changes, and our world becomes more interconnected. Either these devices are given to kids or their classrooms by their school, or parents are encouraged to purchase one for their child to help support internet research and to digitize note-taking and homework.

Regardless of whether you’re a technophile or technophobe when it comes to leveraging screens in education, one thing is for sure – their presence in learning environments is here to stay. And with this shift, security is of the utmost importance.

Since January 2016, there have been 353 cybersecurity incidents in the United States related to K-12 public schools and districts. These attacks include phishing, ransomware, DoS attacks and breaches that have exposed personal data. However, the question – what motivates cybercriminals to target schools? – still persists. The answer is complex, because what cybercriminals could exploit depends on what they want to accomplish. Extorting school faculty, hacking private student data, disrupting school operations, or disabling, compromising, or re-directing school technology assets are all regular tools of the trade when it comes to hacking schools.

You may not be able to control how your child’s school thinks about cybersecurity, but you can take matters into your own hands. There are steps you can take to make sure your child is ready to face the school year head-on, including protecting their devices and their data.

  • Start a cybersecurity conversation. Talk with school faculty about what is being done in terms of a comprehensive cybersecurity plan for your child’s school. It’s worth starting the conversation to understand where the gaps are and what is being done to patch them.
  • Install security software on all devices. Don’t stop at the laptop; all devices need to be protected with comprehensive security software, including mobile devices and tablets.
  • Make sure all device software is up-to-date. This is one of the easiest and best ways to secure your devices against threats.
  • Teach your child how to connect securely on public Wi-Fi networks. Public Wi-Fi networks are notoriously used as backdoors by hackers trying to gain access to personal information. If Wi-Fi is absolutely necessary, ensure the network is password protected. However, if you want a secure encrypted connection, consider using a virtual private network (VPN).
  • Designate a specific date and time for regular data back-ups. If ransomware hits, you won’t have to pay to get your child’s information back. You can back up that personal data to a physical external hard drive or use an online backup service, such as Dropbox or Google Drive. That way you can access your files even if your device gets compromised.
  • Understand your child’s school’s bring-your-own-device (BYOD) policy. Each school is different when it comes to BYOD, and understanding your child’s school policy will save you a headache down the road. Some schools buy devices for students to rent, with parents having to pay for any incidentals, and some ask parents to buy the devices outright. Take the time to understand your child’s school policy before accidents happen.

The post Back to School: Cybersecurity in the Classroom appeared first on McAfee Blogs.

How Will You Solve the Data Classification Conundrum?

Co-authored by David A. Valovcin and Enrique Gutierrez-Alvarez.

Data classification is a trending topic within the security world these days — and for a good reason. As a critical step in any comprehensive data protection program, classification takes on even greater importance today in the context of regulatory compliance mandates and debates over data privacy.

So, what are the classification basics, challenges and best practices?

Data Classification 101

Before we delve into the nuances of data classification, let’s lay out a standard definition. Classification, as it pertains to data security, involves three primary parts:

  1. Parsing structured and unstructured data;
  2. Identifying which of that data matches a predefined set of patterns or keywords; and
  3. Assigning labels to data based on levels of sensitivity or business value.

Classification functions as a second step in analyzing your data resources after discovery, which is the process of identifying where data resides. But why do we care about classification? In short: Organizations cannot protect their data if they don’t know what type of data exists, its value to the organization and who can use it.

Classification enables you to assign an identity to your data, which helps you understand how to treat it. This understanding is especially important for sensitive or regulated data that requires specific layers of protection. It can also help hone a more mature security program by helping you identify specific subsets of data that should be watched for activity monitoring — it can also let you know what you don’t need to focus on protecting.

However, there are different ways to think about classification. This process can be leveraged for purposes related to security, compliance, data integrity, business usage, technology purposes and more. But we are most concerned with classification for the compliance and security use cases. Why? Because you can’t protect what you don’t know you have.

Classification is a key piece of the data-protection puzzle because the way a particular data set is classified in a security context can dictate how it’s protected or controlled via various policies or rules an organization might create to function as the backbone of their security program.

What Are the Common Approaches to Data Classification?

Today, there are several different approaches to classification on the market. Some organizations opt to undertake manual classification efforts — but this can become incredibly time-consuming and operationally complex. There are catalog-based search methods, which essentially scan for metadata or column names and assign labels to data within those columns based on predefined policies.

The challenge with this approach is that if the column name is not accurate, the classification result will not be accurate. For example, if you have telephone numbers in a column titled “Column A” and social security numbers in a column titled “Column B,” the engine would not pick this up, leaving your sensitive data unclassified and potentially exposed.

Building upon this approach, there are solutions available that leverage catalog-based search and data sampling search with regular expressions simultaneously. This approach results in a richer set of rules and expressions considered, which contributes to higher accuracy. Both of the previously stated methods leverage automation and are highly preferable to manual classification efforts.

Despite the methods available, however, many organizations today still struggle with accuracy in data classification and integrating classification into a holistic and informed security program.

Why might this be?

What Are the Challenges With Classification?

Classification can be vastly improved by leveraging technologies that automate the process, but this also introduces risk due to data-pattern complexities that machines may miss.

For example, you’d think finding a U.S. telephone number would be easy — just look for a one preceding a 10-digit string of random numbers, right? Wrong. What if dashes or spaces separate the numbers? What if instead of 1-800-356-9377, the number is stored as 1-800-FLOWERS?

Classification clearly needs to be streamlined with technology — but it also needs context provided by humans. To remove as much risk as possible from the overall equation, organizations should look for the most advanced classification technology available that enables parsing through potentially sensitive datasets in a scalable way while still being able to identify complex patterns.

What Is Next-Generation Data Classification?

Ideally, technology that supports this advanced classification would be able to:

  • Search beyond metadata or column names;
  • Match against multiple patterns for the same classification — not just one. For example, it could know that a string of numbers that looks like “1-800-356-9377” and a combination of numbers and letters that looks like “1-800-FLOWERS” could both be classified as “phone numbers”;
  • Be taught more rules and patterns over time to build out a more robust classification library for particular functions, such as government- or industry-mandated compliance regulations; and
  • Scan in a way that is quick, scalable and nondisruptive to performance.
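The difference between catalog-based search and data sampling with multiple patterns per label can be shown in a few lines. The following is an added example, not code from the original post or from any product it names; the function names, the 0.8 match threshold and the sample table are assumptions constructed for illustration.

```python
import random
import re

# Catalog-based rules: the label comes from the column name alone.
NAME_RULES = {
    "phone": re.compile(r"phone|tel", re.I),
    "ssn": re.compile(r"ssn|social", re.I),
}

# Telephone keypad mapping, so vanity numbers reduce to plain digits.
KEYPAD = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ",
                       "22233344455566677778889999")
PHONE_CHARS = re.compile(r"[0-9A-Z+().\-\s]+")
# Letters are only accepted after a numeric prefix such as "1-800-".
NUMERIC_PREFIX = re.compile(r"\+?1?[\s.\-]*\(?\d{3}\)?")
# Structural SSN check: area not 000/666/9xx, group not 00, serial not 0000.
SSN = re.compile(r"(?!000|666|9\d\d)\d{3}[- ]?(?!00)\d{2}[- ]?(?!0000)\d{4}")


def normalize_phone(value):
    """Return the 10-digit US national number for value, or None."""
    s = value.strip().upper()
    if not PHONE_CHARS.fullmatch(s):
        return None
    if re.search(r"[A-Z]", s) and not NUMERIC_PREFIX.match(s):
        return None  # ordinary words are not vanity numbers
    digits = re.sub(r"\D", "", s.translate(KEYPAD))
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]  # drop the leading country code
    if len(digits) != 10 or digits[0] in "01":
        return None
    return digits


# Content rules: each label may be reached through several surface forms.
MATCHERS = {
    "phone": lambda v: normalize_phone(v) is not None,
    "ssn": lambda v: SSN.fullmatch(v.strip()) is not None,
}


def classify_by_name(column_name):
    """Catalog-based classification: look only at the column name."""
    for label, rule in NAME_RULES.items():
        if rule.search(column_name):
            return label
    return None


def classify_column(values, sample_size=100, threshold=0.8, seed=0):
    """Content-based classification over a sample of the column's values."""
    present = [v for v in values if v and v.strip()]
    if not present:
        return None
    if len(present) > sample_size:
        present = random.Random(seed).sample(present, sample_size)
    best_label, best_ratio = None, 0.0
    for label, matches in MATCHERS.items():
        ratio = sum(1 for v in present if matches(v)) / len(present)
        if ratio > best_ratio:
            best_label, best_ratio = label, ratio
    return best_label if best_ratio >= threshold else None


def compare(table):
    """Map each column to (label from name, label from sampled content)."""
    return {name: (classify_by_name(name), classify_column(values))
            for name, values in table.items()}


# Constructed sample data: misleading column names, mixed phone formats.
TABLE = {
    "Column A": ["1-800-356-9377", "1-800-FLOWERS", "(212) 555 0143",
                 "+1 415.555.0199", "2125550108"],
    "Column B": ["123-45-6789", "234 56 7890", "345678901", "456-78-9012"],
    "notes": ["call back Monday", "VIP", "n/a", "prefers email"],
    "phone": ["see notes", "n/a", "unknown", ""],
}

if __name__ == "__main__":
    for column, labels in compare(TABLE).items():
        print(f"{column!r}: by name={labels[0]}, by content={labels[1]}")
```

The name-only pass misses both sensitive columns and mislabels the empty "phone" column, while the sampled content pass labels "Column A" and "Column B" correctly and leaves the other two unclassified.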

Some technologies enable this next-generation data classification, such as the IBM Security Guardium Analyzer that leverages elements of System T, a technology developed by IBM Research. How? By allowing the overall technology to extract all of the data from a table, crawl it, apply taxonomy and conduct a dictionary lookup and find patterns that have been identified as personal or sensitive data.

Rules for this kind of classification can be more expressive, which improves accuracy. This classification allows for a more granular look at data matched against a more granular and specific set of patterns that all occur rapidly, without negatively impacting database performance.

While having technology like this at your fingertips provides immense opportunity, you still need humans to make the rules that this technology uses, because the classification results are only as good as the rules they are based on. Humans provide the context and understanding that enable the development of classification patterns in the first place.

Today, IBM Security is working internally to develop an extensive library of classification patterns for the IBM Security Guardium Analyzer that can help it identify a broad array of sensitive data — from U.S. Social Security numbers and telephone numbers from numerous countries to German pension insurance numbers and more. Because System T can incorporate new rules over time, it allows people from all over the world — people who are experts in identifying data patterns — to work together in improving the classification engine. This means that classification can proceed as teamwork.

The post How Will You Solve the Data Classification Conundrum? appeared first on Security Intelligence.

Why You Should Do Your Homework Before Investing in Enterprise Blockchains

Blockchains are the latest darling of the technology world. Enterprise blockchains promise to unify and secure transactions and data records between disparate organizations through the use of cryptography. Because this technology is new, researchers are coming up with innovative ideas and new applications every day. In fact, IBM has built more than 700 enterprise blockchains in the past year.

Fundamentally, a blockchain is a data structure. We could certainly use this structure for security purposes. (Indeed, the market for security tools based on blockchains has only started to emerge.) We could hypothesize hundreds of ideas for this technology.

But first things first: How can organizations secure enterprise blockchain platforms and applications?

The Enterprise Blockchain Platform

An enterprise blockchain platform typically includes:

  • A network of organizations which have agreed to share the platform;
  • Organizations that are members of the network, with varying levels of authority over data and transactions;
  • The fabric of the platform, which includes all the shared systems, infrastructure, applications that manage the blockchain, functionality and use cases;
  • Applications that interact with and affect the data of the blockchain;
  • The blockchain data, including the information stored within the blockchain and the data elements for which the members are authorities; and
  • A vendor who creates and likely hosts the blockchain platform.

[Figure: IBM Blockchain]

Enterprise blockchain platform providers are typically cloud-based to provide dynamic scalability, neutrality and consistent access. Therefore, the components and security are often a black box — but that doesn’t mean security is guaranteed. Before selecting a platform vendor and joining a blockchain network, an organization must undergo extensive legal review and conduct cross-network trust, governance and technology reviews. Security needs to be part of all of these evaluations.

Some vendors’ enterprise blockchains include applications used by end users, while others are simply systems exposed via application programming interfaces (APIs). Regardless of their type, the applications require the same security controls as other enterprise applications. Each component must adhere to and leverage corporate policies, standards, processes and technology for continuity and operational efficiency.

In the interest of building cross-network trust, it is also important to share and enforce consistent application security control information among the member organizations.

Platform and Application Components

The components underlying the enterprise blockchain platform will likely be unknown to the member organizations. Unless a company develops the blockchain platform itself, it won’t be possible to understand the technology in-depth. Let’s assume that the platform contains the components shown below. As you can see, these are typical components among enterprise applications.

[Figure: IBM Blockchain Network Platform]

Enterprise blockchains include a “secret sauce” in the form of the fabric code. This code defines the data structures, functionality and capabilities each member has to use the blockchain. To a certain extent, this fabric can be standardized — but, as of now, every fabric is bespoke for the network.

Similarly, the applications that interact with the platform use familiar architecture components. The business logic and functionality are in the application code and configuration information. Since each member organization’s blockchain application is likely created and managed separately, each member organization should have full control over its application and components.

[Figure: IBM Blockchain Application Platform]

As security professionals, we care about the security of each component of both the platform and the application, and especially the coding practices of the fabric and application code. Therefore, we need to apply as many corporate security policies and tools as possible for consistency and operational efficiency.

Vendor Selection and Validation

On the surface, the blockchain network includes the other member companies. In reality, the most important unofficial member is the blockchain vendor. We all have policies and procedures for assessing vendors — these are often merely rubber-stamp assessments.

Given the sensitivity and impact of enterprise blockchains — the impact on multiple companies and the potentially critical nature of the data — this assessment needs to be more comprehensive. A simple request for proposal (RFP) won’t suffice — and a third-party security audit report is just a start.

An assessment should also consider:

  • The size and reputation of the company;
  • Security for each component in the platform;
  • The security stature of each member of the network;
  • Minimal storage of sensitive data in the blockchain;
  • Proper data life cycle controls, such as creation, management, validation, encryption and destruction;
  • Quantum-proof encryption and technologies to ensure that the blockchain cannot be decrypted or corrupted in the future as quantum computing becomes mainstream;
  • Capacity for growth and assurance of performance as the size of the blockchain grows;
  • Availability, uptime and disaster recovery capabilities of the platform;
  • Component patching and maintenance processes;
  • Privileged access control and a responsible, accountable, consulted and informed (RACI) matrix within the vendor and among the members of the network;
  • RACI for operations and support activities within the vendor and among members of the network;
  • Reliability of the cryptography management; and
  • Testing to prove transaction integrity.

Over time, market leaders will rise, and their security will be proven — as was the case with cloud providers in decades past. Until then, organizations must conduct their own comprehensive evaluations before investing in a blockchain vendor.

Blockchain Platform Security Considerations

After assessing the vendor’s security posture, the next major task is to evaluate the platform itself. This step is really an extension of the vendor assessment, but it requires participation and agreement by the other member organizations.

Legal and Contractual

All aspects of the enterprise blockchain platform, network and fabric must be defined contractually. Of course, security must be a substantial part of this. This part is likely the most difficult consideration because all members must agree. More members means longer legal reviews and more red lines.

Liability is an important element of this assessment, and each company likely has different requirements driven by their legal departments. For this reason, it’s critical to explicitly define the liability of each member and the vendor in the event of a security violation or breach.

Functional Use Cases

Start with the use cases. Define them contractually and via detailed designs with the vendor. These will typically include things like “create transaction,” “approve transaction,” “look up data” and other business functions. Security activities and component interactions — such as multifactor authentication (MFA), validation of entitlement to approve transactions, encryption and decryption and API security — should be included in each of these use case definitions.

Network Governance

Members often govern themselves, with some minimal participation from the vendor. It’s important to understand the roles of each member, the individuals who have authority within the member organizations, the cadence of activities, dispute resolution, reporting among constituents and many other areas. In other words, organizations should apply a consistent security program to both members and the blockchain vendor.

Cloud-Based Security Controls

The security frameworks from the Cloud Security Alliance (CSA) and similar groups are good foundations on which to assess the blockchain platform. While it would be nice to have full visibility into the platform components, most vendors won’t reveal their intellectual property.

So, the member organizations must ask questions and quantify and qualify as much as they can. The CSA provides a good framework to solicit detailed answers.

Shared Operations

The blockchain vendor will likely do the technology-level hosting and maintenance, but the members need to perform specific operational tasks too.

All tasks — ranging from server operating system (OS) hardening to blockchain data validation — must be defined. Security operations and controls, such as rolling encryption keys, periodic penetration testing, incident response and forensics and patch and configuration management, require the participation of many or all members.

Data Ownership

The best practice is to avoid storing sensitive data on the blockchain — only shared and reference information should be included. This tactic keeps the size manageable and the performance of the blockchain as high as possible. It also means data is distributed among the authoritative parties.

Therefore, it is essential to define and codify which member owns each data element, how it can be accessed or validated, who can access it and how the owners will protect it. This is especially complex when multiple members may be authoritative for the same data element under different conditions. It’s also significantly impacted by General Data Protection Regulation (GDPR) requirements if personally identifiable information (PII) is being stored.

Security Testing Other Members

The security of other members is an important part of building trust within the network. So, annual third-party security testing, including penetration testing, vulnerability scanning and policy reviews, should be mandatory for the applications used by all members, and the results should be published to all other members.

How to Secure the Blockchain Application

The security around each enterprise blockchain application — assuming they are managed separately by each member — is much easier to control. In general, these should be secured like any other enterprise application, with the following special areas of concern.

Implement Corporate Security Standards and Systems

All corporate policies, standards and common security platforms should be used. This provides consistency, reliability, familiarity and operational efficiency.

For example, the enterprise-standard identity and access management (IAM) tools should be used for authentication, MFA, access control and identity data storage. Similarly, the secure software development life cycle (SDLC) and application-scanning tools should be used to ensure secure code development and deployment.

If integration patterns or specific security policies don’t exist for the technologies used, take this opportunity to develop them.

Assume Highest Data Classifications

Assume the blockchain will manage data of the highest risk classification. Even though your member organization may not manage or access confidential information, other members might. Assuming the highest data classification also demonstrates a commitment to other members about security — thus building trust among the network.

Mandate MFA

Humans are often the weakest link in security, and MFA helps counter this risk. MFA has become the de facto standard for cloud-based applications, and it should be used for blockchain too. This is driven by the distributed nature of blockchains, the potential sensitivity of the data and the need to instill trust among other members.

Mandate Identity-Aware API Security

Most blockchains rely on APIs, and this will continue for the foreseeable future. API security best practices include user identity and session information associated within each API call. This should also be the standard practice for blockchain applications because it provides an audit trail and allows function-level entitlements to be applied.

Mandate Strong Cryptographic Key Management

Ensure that your organization has a strong and reliable key management system. Blockchain is based on the use of encrypted data, and a blockchain network might contain hundreds of encryption keys. It requires a lot of effort to manage these keys manually, but it’s essential to protect the data and the member organizations.

Correlate Security Events

Members should share security event information as transparently as possible. Nondisclosure agreements (NDAs) should allow members to pass security incident forensic information. While it may be difficult to share one security information and event management (SIEM) system, security event feeds should be established from the platform to the members and for selected event information between members.

A Bright Future for Enterprise Blockchains

There’s no telling what the future holds for this versatile and complex distributed ledger technology. If implemented correctly, enterprise blockchains offer tremendous advantages and unprecedented capabilities to unify and secure transactions between disparate organizations.

But until the market catches up and security standards are established and widely followed, it’s crucial for businesses to thoroughly assess the security posture of blockchain vendors and evaluate the ability of their own technology infrastructure to integrate with the blockchain platform.

The post Why You Should Do Your Homework Before Investing in Enterprise Blockchains appeared first on Security Intelligence.

SaaS Data Protection Trends in the Tech Industry

As we enter into the third quarter of 2018, the Spanning data security, product and engineering teams took stock of how the year is shaping up for organizations in terms

The post SaaS Data Protection Trends in the Tech Industry appeared first on The Cyber Security Place.

5 Ways Privacy by Design Can Rebuild Consumer Trust

Among the many requirements of the General Data Privacy Regulation (GDPR) is a directive to implement new systems of “privacy by design and default.” In this post-GDPR era, the practice may turn out to be more than a mandate. True privacy by design could be a timely opportunity to engage and empower customers.

According to an April 2018 survey by IBM and Harris Poll, 78 percent of U.S. respondents said that an organization’s data privacy capabilities are “extremely important,” while only 20 percent “completely trust” those companies whose products they use. The findings of a 2017 study by software corporation SAP found that 79 percent of consumers will disengage from a brand if their data is used without consent or knowledge.

These attitudes expose a vast opportunity in making the shift to security by design and default. Adopting transparency around data privacy practices could provide the chance to rebuild customer trust and develop lasting relationships.

What is Privacy by Design?

The concept of “privacy by design” was introduced by Ann Cavoukian in the 1990s. She outlined principles for proactively incorporating data protection into systems and operations from the ground up. It was imperative, she wrote in her paper, that privacy “become integral to organizational priorities, project objectives, design processes and planning operations.”

From the user’s perspective, according to Cavoukian, the organization is responsible for establishing “openness and transparency … relating to the management of personal information.” The privacy by design mandate in the GDPR was directly influenced by Cavoukian’s work.

Even beyond very costly GDPR fines, there’s enormous risk in failing to adopt secure design. According to a June 2018 Ponemon Institute study, 74 percent of IT security practitioners say it’s “likely” their company had a security incident in the last year because of their digital transformation processes.

The Key: Respect for the Individual

Openness and transparency would require a transition of practice and priority from meeting disclosure requirements to genuine education, including the adoption of language that makes sense to the user.

“Until now, the average consumer was likely unaware that when they ‘turn on cookies’ it means they are agreeing to share their information with dozens — and, in some cases, hundreds — of affiliated partners. Those days are over,” wrote Kevin Cochrane in the Harvard Business Review.

At the core of Cavoukian’s content on privacy by design is the concept of “respect for the individual.” Organizations are well-served to consider the role of UX design principles outlined in the international standard 13407 (revised to 9241 in 2015) from the International Standard Organization (ISO), in which a key goal identified is “empowering the user.”

When privacy by design is achieved in the enterprise, customers should feel confident about how personal data is used and kept secure, how artificial intelligence (AI)-based recommendations are generated and how to revoke personal data at any time.

Five Ways to Rebuild Customer Trust

With consumer trust at historic lows, chief information security officers (CISOs) should view privacy by design as more than just a regulatory directive. When put into practice, genuinely user-centric, privacy-focused design practices can provide the groundwork for meaningful customer relationships.

The following are examples of ways the enterprise can embrace the GDPR’s directive to adopt privacy-based design and make these business practices apparent to the public.

1. Adopt Smarter Identity and Access Management (IAM)

A key opportunity for organizations to reduce friction in their users’ experiences while improving data privacy is through the adoption of smarter solutions for IAM.

Eight out of 10 data breaches involve weak or stolen credentials, according to the 2017 Data Breach Investigations Report from Verizon, and password reuse remains an undisputed problem. Enabling trust-based access through interoperable credentials, biometrics and multi-factor authentication represents a shift in IAM practices — and it’s a viable solution to password fatigue.

2. Prioritize Risk-Aware Authentication

Consumers are increasingly aware of the risks of password-based authentication methodologies, according to a January 2018 study by IBM — their survey of 4,000 consumers’ priorities found that security ranked higher than convenience, especially when it relates to money-based applications.

Organizations who adopt risk-aware authentication solutions for user detection and new account creation may have an advantage when it comes to both customer trust and risk mitigation.

3. Emphasize Customer Benefits

When data is being collected for personalization algorithms, it’s imperative to educate the consumer on how data-sharing can improve their experience through continual customer education efforts built into the user experience.

An August 2017 study by Pegasystems on consumer attitudes toward AI found that 70 percent are open to AI if it can provide some distinct value, such as saving the customer money or time. However, 88 percent demand that businesses are “more open about where AI is currently being used while also showcasing how it improves the customer experience.”

4. Offer Value in Exchange for Data Shared

You don’t need to limit the value you provide the customer to brand-specific purchases. When possible, data shared by customers should provide value across brand interactions. For example, customers of VineSleuth are provided with free, on-demand access to their algorithmically-generated personal wine taste profiles to share with friends and inform wine purchases outside the app.

5. Provide On-Demand Access to Data

While GDPR Article 15 details the “[r]ight of access by the data subject,” brands should consider implementing on-demand access. Cochrane recommends the inclusion of tools for managing privacy and data sharing within customer applications. The in-app customer data privacy center could include the ability for the individual to review their consent, update specific data permissions and download the sum total of data shared at any time.

While many security leaders are struggling to gain footing and update processes in the post-GDPR era, it’s valuable to consider the customer’s perspective.

Enterprises which embrace the directive to practice privacy by design have an opportunity for more secure authentication and access management, meaningful customer education and better data privacy. The results will likely shift data-dependent organizations toward design practices which balance UX with privacy compliance, and also offer the opportunity to rebuild critical customer trust and relationships.

The post 5 Ways Privacy by Design Can Rebuild Consumer Trust appeared first on Security Intelligence.

20+ Security Forums for Free Malware Removal Help

Malware can hide in places you probably haven’t thought about before. If you’ve been affected by malware, it’s important to know where you can ask for help. We recommend checking out (and bookmarking) this useful list of security forums that will provide guides and step-by-step instructions to solve your malware issues.

Don’t be too sure that “this can’t happen to me”, especially today, when we are dealing with malware as a business (MaaS) that is alive and growing day by day.

We think that one of the easiest and cheapest ways to address your malware problems is on a security forum. That’s the place where other people have encountered the same problem as yours and found a solution.

But with so many security forums out there, which one should you choose?

We have organized a list of security malware forums below, places where you can find professional insights and assistance when in trouble.

The security forums from this list can help you on a variety of topics, from best practices, how-to articles, step-by-step guides to security news and friendly advice. So, feel free to bookmark the article and use it accordingly.

1. Major Geeks

Major Geeks is the place where you find not just a good malware section in the support forum, but also lots of useful reviews to help beginners improve computer performance.

2. MalwareHelp.org

This security website provides step-by-step instructions on removing malware, security news, including plenty of useful articles and free utilities that can help to remove malicious software from the system.

3. TechSupport Forum

A very well organized forum that addresses many online security issues, from spyware, malware, Windows problems, networking to hardware related subjects. Their technical articles are a good source of information to stay up-to-date and learn more about technology.

4. What the Tech?

This forum defines itself as a community of volunteers who provide IT knowledge and answers to various technical questions. The Spyware/Malware/Virus Removal section contains instructions for resolving common spyware and malware infections. Only trained people are allowed to offer help with infection removal processes.

5. Geeks To Go!

The team behind this forum say it is a helpful hub, where you can find answers and free support for your malware and technical questions, including malware removal, how-to guides, and tutorials.

6. Malware removal

This forum defines itself as providing 100% free of charge malware removal help from well-trained helpers and security experts to people with infected systems, so they have a clean and safe computer. A malware library of tips and tricks is available.

8. Sensors Tech Forum

This is the forum where you can find solutions to your PC issues and educate yourself about malware, so you learn how to remove it or avoid getting infected in the first place.

9. DSLReports.com

DSLReports is an online location where you can find security news, technical information and reviews on software. Their forum on security and privacy addresses technical issues and malware removal tools.

10. Bleeping Computer

Bleeping Computer is one of the best security forums online and we recognize it as a source of inspiration for all of us, whether we talk about security news or forum. It defines itself as a community that provides free original content and tutorials that anyone can understand.

11. Malware Tips

MalwareTips forum is an online community where you can find security news, how-to articles and guides, troubleshooting, technical and malware advice. It’s the place where you can also find plenty of useful resources, reviews and many more.

You’ll get all the assistance you need to clean infected PCs and avoid getting infected with malware.

12. Computer Hope Forum

Here’s another security forum that includes a good spyware/malware removal section and plenty of other places where you can find advice related to computer software, from anti-spyware tools and scanners to antivirus and Trojan protection utilities.

13. Malwarebytes

The Malwarebytes forum, from the renowned security provider, comes with a malware removal section and an FAQ area that you can use. It also offers a Tools section and a general computer support area, where you can find self-help articles and general computer help.

14. TechSpot

Virus and Malware Removal forum from TechSpot, the PC technology publication, comes with product guides, software recommendations and technical advice on software issues and malware problems. If you are encountering a malware issue, make sure you check out this forum and get help.

15. Cyber Tech Help

Here’s a helpful community in which you’ll find free assistance and guidance when you are dealing with a technical problem or when malware has reached your device. At the same time, it is a great place to look for tutorials and news articles.

16. Spybot Forum

Here you will find useful malware and rootkit removal tools, along with free help and analysis in case you’ve been infected with malware. If you access their forum, you will find a team of authorized volunteer analysts who can assist and offer guidance with malware removal.

17. Tech Support Guy

Need help removing a malware infection? We recommend checking out this malware forum and asking for help whenever you have a technical problem. There’s a group of volunteers who are experts in Windows, Mac, Linux, and more, offering you free technical support, from hardware issues to malware removal.

18. Technet Forum

This forum, which belongs to Microsoft, provides antimalware and antispyware support to users, and it’s a great place to discuss any technical issue you may encounter with the community.

19. BestTechie

The BestTechie Malware Removal forum is the place where you can receive malware removal assistance, find self-help guides and learn how to clean the toughest malware from the system.

20. Techie7

Techie7 is a security forum that provides free resources and support to advanced users and beginners alike on a variety of computer issues, from malware and spyware to the Windows operating system.

21. TechRepublic Forum

We advise you to have a look at this friendly community of IT experts who can help with any of your malware questions, including how to detect, fix or remove all types of malicious threats. It is a good place to seek recommendations and ask about malware-related matters.

22. MalwareTips Forum

Here is another security forum in which you can share your cyber security knowledge and get in touch with people from this field, as well as discuss and find useful guides on how to remove malware, the latest cyber security news and much more.

23. Gladiator Security Forum

An extensive forum where you can find answers and solutions to many security-related issues, from news and alerts to data breaches, online threats or info about security software products. For a fast solution, you can address your issue to a special malware help area or you can receive advice on what security software to use.

24. LandzDown Forum

The forums from LandzDown have the purpose to help users get their computers “cleaned up” from malware or any other forms of malicious software, like spyware, rootkits or adware. At the same time, they don’t forget to have a bit of fun, so you will find the “Jokes” section, including general software news and many more.

25. SpywareInfo

This forum comes in handy with two main security sections offered to its readers and users. You can access the “Malware removal” part to find information on how you can get rid of rootkits, spyware and other types of malware. Or, you can check out a program or software to make sure it’s not dangerous for your system from the Spywatch section.

26. Wilders Security Forums

Wilders Security Forums cover a wide array of topics, from spyware, malware, and privacy issues to antivirus software, backup options, firewalls and virtualization.

Conclusion

Keeping your online assets safe from cybercriminals requires constant attention and continuous learning.

All these forums that address online security are free and easy to use by anyone and we recommend you check them out at any time you are encountering a problem.

How do you keep safe from malware? What malware forums would you recommend?

This list isn’t complete, and we’ll continue to constantly keep it up to date. If you have any recommendations or know other security forums that should be on this list, please let us know.

This article was initially written by Andra Zaharia in March 2015 and updated by Ioana Rijnetu in August 2018

The post 20+ Security Forums for Free Malware Removal Help appeared first on Heimdal Security Blog.

Achieving compliance: GDPR, CCPA and beyond

AB 375, or the California Consumer Privacy Act (CCPA) of 2018, was signed into law by California Governor Jerry Brown on June 28, 2018 and is recognized as one of the toughest privacy laws in the U.S. The statute requires companies to disclose to California residents what information is being collected on them and how it will be used. Companies have 18 months to prepare for this new law to go into effect; it’s set to … More

The post Achieving compliance: GDPR, CCPA and beyond appeared first on Help Net Security.

How to Achieve Ransomware Recovery — Without Paying Ransom

Without a ransomware recovery strategy, companies sometimes end up paying to retrieve their data after an attack. At the same time, threat actors are growing more sophisticated in their ability to bypass both antivirus and anti-ransomware tools — thus, they’re also growing bolder. To stay ahead of the curve, organizations will need to develop more complete defense systems and recovery plans.

Putting Prevention First

Recent research from the Ponemon Institute found that the majority of responding companies (69 percent) don’t trust antivirus solutions to stop threats, while CIO Dive revealed that 81 percent of cybersecurity experts predict an increase in ransomware attacks in 2018. Furthermore, human error only increases the potential of a successful ransomware attack. So it’s up to security practitioners to take steps to prevent an incident, and the first of those steps should be to focus on IT hygiene, said Christopher Scott, CTO, global remediation lead, IBM X-Force IRIS.

“IT departments should focus on keeping endpoints up to date to reduce the attack surface for ransomware attacks,” Scott advises. “Security groups should look to embrace endpoint detection and response (EDR) technology to detect these attacks earlier to reduce the overall impact.”

Once they have taken the time to fully examine and improve their IT hygiene, companies can start preparing for a ransomware attack. According to Bruno Carrier, IT security strategist at BoldCloud, a layered defense strategy is the best guard. Carrier suggests that a strong defense against ransomware should include:

  • Antivirus or anti-malware solutions that are active and up to date;
  • Anti-data encryptors, which can prevent malware from locking your data access;
  • Anti-spam, which is an essential tool for reducing a business’s exposure to email-borne threats such as suspicious links, malicious downloads, malware-laden websites, etc.;
  • Backup storage for your files, whether cloud-based or on-site, including a full disk image with all installed programs ready to be restored; and
  • Awareness and security training to help employees recognize what types of emails to avoid and which links are safe to visit.

Ransomware Recovery Without the Ransom

Last month, researchers at Cisco Talos revealed a weakness in the Thanatos ransomware code, making it possible for victims to unlock encrypted files without paying a ransom. ThanatosDecryptor is a free ransomware decryption tool available on GitHub.

Despite these available technologies, companies that have decryptors in place prior to an attack will likely face an uphill battle afterward; forensics and data recovery companies can provide additional assistance to those who need it. Even so, the threats are evolving, which is why antivirus and anti-data encryptor solutions are so important.

“The ransomware problem is truly a problem where prevention is far more effective than a treat-the-symptoms approach,” Carrier says.

In other words, companies shouldn’t get into the habit of waiting for researchers to reverse-engineer decryptor tools for every ransomware strain. The key to recovering from ransomware, without paying the ransom, is having a solid data backup strategy. “Backup systems should be isolated in ways that prevent attackers from encrypting data within this system,” Scott explains.

“A good rule of thumb is configuring backup accounts to be able to access production systems for reading data to back up, while preventing production accounts from having write access of any type to the backup. We have seen cases where the Domain Admin is compromised and is able to encrypt the backups, resulting in difficult and expensive recovery processes.”
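Scott's rule of thumb can be checked against an export of access grants. The following Python is an added example, not code from the article or from IBM; the account names, group names and grant records are constructed, and it assumes you can list each account's home zone and nested group memberships. It resolves nested groups so that a production identity reaching the backup through a group such as Domain Admins is reported with the path that gives it access.

```python
from dataclasses import dataclass

READ_ONLY = {"read", "list"}  # rights that cannot alter or destroy backup data


@dataclass(frozen=True)
class Grant:
    principal: str    # account or group the right is assigned to
    target_zone: str  # "production" or "backup"
    right: str        # "read", "list", "write", "delete" or "admin"


# Constructed inventory: the zone each account belongs to.
HOME_ZONE = {
    "svc-backup": "backup",
    "backup-operator": "backup",
    "svc-web": "production",
    "alice-da": "production",
}

# Constructed group memberships; groups may contain other groups.
GROUPS = {
    "domain-admins": {"alice-da"},
    "storage-admins": {"domain-admins", "backup-operator"},
}

# Constructed grant export.
GRANTS = [
    Grant("svc-backup", "production", "read"),  # backup reads production: intended
    Grant("svc-backup", "backup", "write"),     # backup writes its own store: intended
    Grant("svc-web", "production", "write"),
    Grant("svc-web", "backup", "read"),         # read-only, not covered by the rule
    Grant("storage-admins", "backup", "admin"), # nested group reaches the backup
    Grant("legacy-sync", "backup", "delete"),   # account missing from the inventory
]


def expand(principal, groups, _path=()):
    """Yield (account, path) for every account reachable through nested groups."""
    if principal in _path:  # membership cycle: stop instead of recursing forever
        return
    path = _path + (principal,)
    if principal not in groups:
        yield principal, path
        return
    for member in sorted(groups[principal]):
        yield from expand(member, groups, path)


def audit(grants, home_zone, groups):
    """Return accounts outside the backup zone that can modify backup data."""
    findings = set()
    for grant in grants:
        if grant.target_zone != "backup" or grant.right in READ_ONLY:
            continue
        for account, path in expand(grant.principal, groups):
            zone = home_zone.get(account)
            if zone == "backup":
                continue
            # An account with no recorded zone cannot be shown to be isolated.
            rule = ("PROD_CAN_MODIFY_BACKUP" if zone == "production"
                    else "UNCLASSIFIED_CAN_MODIFY_BACKUP")
            findings.add((rule, account, grant.right, " > ".join(path)))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(GRANTS, HOME_ZONE, GROUPS):
        print(finding)
```
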

Be Prepared — Get Everyone Involved

Many ransomware attacks occur through spear phishing, which brings us back to the people problem. “Companies need to continue to focus on end user education,” Scott says. “In addition to preparing users, companies should be focusing on reducing the attack surface, gaining more visibility into activity and securing the backup systems.”

IBM conducts cyber resiliency workshops to focus on these types of attacks as well as more targeted attackers. “Ransomware attacks are a highly coordinated ‘business,’ which is so developed that what was once acceptable security — like AV/AM/firewall — won’t be enough in today’s threat landscape. You need to do what is expected and then more,” says Carrier.

Listen to the podcast: What’s the Best Defense Against Cyberattacks? You Are

The post How to Achieve Ransomware Recovery — Without Paying Ransom appeared first on Security Intelligence.

How rogue data puts organisations at risk of GDPR noncompliance

The GDPR compliance deadline came in by force on 25th May 2018 and applies to all organisations processing and holding the personal information of data subjects. This includes contacts such as customers, partners and patients. Much has been written about the immense efforts of organisations to improve their data privacy procedures in order to comply with GDPR, but there is a largely undiscussed oversight lurking just under the surface which, if left unaddressed, still leaves … More

The post How rogue data puts organisations at risk of GDPR noncompliance appeared first on Help Net Security.

How Your Data Makes Them Money, at the Edge of The Law: The Rise and Fall of Social Media Giants

You lost almost $150 billion for Facebook. If you know the value of privacy, care about what happens to your data and the legality of the companies you support, if you own a business that relies on social platforms or is adjacent to them, you’re probably responsible for what happened in the past 48 hours at Facebook.

If you read this blog and followed our protection guides, then you’re probably doubly aware of your responsibility. What are you responsible for? For turning the tide.

On Thursday, the social media giant released its quarterly earnings report and, while the numbers did not look scary on the surface, the market was actually hit by a tsunami.

What happened

[Figure: Facebook Q2 2018 earnings report]

After the Cambridge Analytica breach and the General Data Protection Regulation (GDPR) put in place earlier this year, Facebook’s rise finally stopped and even reversed, just like the tide.

With the report out, the share price fell by 19%. In actual money, that dip translates to between $120 and $150 billion lost in Facebook’s market cap. As CNBC pointed out, no company in U.S. history managed to actually lose more than $100 billion in just one day. Intel came close, at the end of the dot-com bubble that was essentially a reset button for the whole of the Internet. In third place is Microsoft, whose stock went down 14%, or around $80 billion, on April 3rd, 2000.

Why? A judge’s hammer came down and decided that Microsoft Corp. violated antitrust laws and used its power to stifle competition. It is not a coincidence that two out of the three biggest market earthquakes happened because a tech giant was walking at the edge of the law, trying to find a way to use it to drown competition while also undermining the landscape in which it was established.

Facebook does not want to provide a good experience to you, inasmuch as it wants to sell you things. It wants to keep you engaged, not happy, on its platform, in order to turn around and sell your attention to the highest bidder. Facebook Ads Manager, even with no previous experience of the platform, lets you play around like this.

(For practice’s sake, the following ad is being set up by the owner of a small coffee shop who wants to draw in commuters from Moira to Belfast. The owner also hopes that those commuters will not only stop for an iced coffee but will also be inclined to post the delicious drink on social media. The owner excluded people who have a paleo diet, thinking they wouldn’t be interested, and left the vegan option open because the shop also offers vegan options.)

[Screenshot: Facebook Ads Manager targeting settings]

These settings are what is available now to advertisers, though you should know they were even more granular before the Cambridge Analytica incident, Facebook’s own Watergate. As you can see in the screenshot above, there is a notice that a lot of these options will no longer be available in the near future.

The poker-faced reason why these ad targeting settings exist is that users freely share their personal info with Facebook and other social media giants. For the individual, these are meaningless little streams of information, which can indeed provide much better ads; for Facebook and other giants, they are the actual revenue stream and the temptation to bend the rules.

As recent events revealed, the companies holding that data themselves are vulnerable to speculators like Cambridge Analytica.

You see, the online advertising ecosystem thrives under very specific conditions: it has to know exactly what Facebook users are doing and thinking at the moment so that they can serve up the best ad. And Facebook does have a history of questionable privacy practices and security incidents.

[Figure: timeline of Facebook privacy breaches and incidents]

It’s easy to cast blame on one company alone but it would be unfairly singling them out since the practices of handling large amounts of data have not always fallen into the “fair” category and have always carried the “risky” label.

Google was slammed with a $2.8 billion fine for antitrust violations this summer, for almost the same tricks that brought the hammer down on Microsoft almost 2 decades ago.

“Today, mobile internet makes up more than half of global internet traffic. It has changed the lives of millions of Europeans. Our case is about three types of restrictions that Google has imposed on Android device manufacturers and network operators to ensure that traffic on Android devices goes to the Google search engine. In this way, Google has used Android as a vehicle to cement the dominance of its search engine. These practices have denied rivals the chance to innovate and compete on the merits. They have denied European consumers the benefits of effective competition in the important mobile sphere. This is illegal under EU antitrust rules,” said Commissioner Margrethe Vestager.

Coming back to the past few months and the events of the last 48 hours, Facebook lost the trial in the public court and now it’s losing ground with investors too.

For privacy and security-oriented individuals, this is good news, though it doesn’t come from a good place.

As the investment firm that is now calling for Mark Zuckerberg to step down from his position said, “this lack of independent board Chair and oversight has contributed to Facebook missing, or mishandling, a number of severe controversies, increasing risk exposure and costs to shareholders.”

You could agree fully with the statement and sentiment. You could sigh and say “capitalism”. However, we’re here to look at it from the perspective of privacy and security. In this context, it’s a signal that you have to be even more vigilant than usual.

Right now, more than ever, investors are pushing companies to the limit of legality, in the name of profits. They’re not saying “be careful with users’ data and their wellbeing”; they’re saying “be careful the users don’t realize what you’re doing with their data” and “make sure you assuage their fears.”

“Looking ahead, we will continue to invest heavily in security and privacy because we have a responsibility to keep people safe,” he said.

It sounds nice but we are sure you know better by now. You need to invest in your own security and privacy because your and your business’s valuable data should not be at the mercy of giants.

Where to go from here

If you’re a home user, use one of our privacy guides to start protecting your digital life. They’re quite easy to follow and will ensure that you’re safe not just from cybercriminals, but also from those companies that sit at the edge of the law.

If you’re approaching this from an organization’s perspective, reach out to us for the best tools to protect your and your customers’ interests. For a healthy digital economy in which all parties are satisfied, security and compliance are essential.

Disclosure: This post probably ended up after we spent a very small sum to buy advertising space on a social platform. The only criteria we used to “target” you was the fact you speak English and value both privacy and security. We know that’s what you also look for when you come to us for cybersecurity expertise.

The post How Your Data Makes Them Money, at the Edge of The Law: The Rise and Fall of Social Media Giants appeared first on Heimdal Security Blog.

The New Age of Accountability

The EU has been busy in the cybersecurity department, and for good reason. Given Europe’s ever-rising cybercrime rates, a new approach to data protection was in order. This cued the

The post The New Age of Accountability appeared first on The Cyber Security Place.

Should We be Looking Down Under to Improve Our Security?

Security is a global problem, so it makes sense that we look beyond our own borders for a solution. One source of inspiration in its approach to security is the Australian

The post Should We be Looking Down Under to Improve Our Security? appeared first on The Cyber Security Place.

Millions of iOS and Android Users Could Be Compromised by Bluetooth Bug

Similar to smartphones and computers, Bluetooth is one of the modern-day pieces of tech that has spread wide and far. Billions of devices of all types around the world have the technology woven into their build. So when news about the BlueBorne vulnerabilities broke back in late 2017, everyone’s ears perked up. Fast forward to present day and a new Bluetooth flaw has emerged, which affects devices containing Bluetooth from a range of vendors—including Apple, Intel, Google, Broadcom, and Qualcomm.

Whether it’s connecting your phone to a speaker so you can blast your favorite tunes, or pairing it with your car’s audio system so you can make phone calls hands-free, the pairing capabilities of Bluetooth ensure the technology remains wireless. And this bug affects precisely that: Bluetooth’s Secure Simple Pairing and Low Energy Secure Connections, which are capabilities within the tech designed to assist users with pairing devices in a safe and secure way.

Essentially, this vulnerability means that when data is sent from device to device over Bluetooth connections, it is not encrypted, and therefore vulnerable. And with this flaw affecting Apple, Google and Intel-based smartphones and PCs, that means millions of people may have their private data leaked. Specifically, the bug allows an attacker that’s within about 30 meters of a user to capture and decrypt data shared between Bluetooth-paired devices.

Lior Neumann, one of the researchers who found the bug, stated, “As far as we know, every Android—prior to the patch published in June—and every device with a wireless chip from Intel, Qualcomm or Broadcom is vulnerable.” That includes iPhone devices with a Broadcom or Qualcomm chip as well.

Fortunately, fixes for this bug within Apple devices have already been available since May with the release of iOS 11.4. Additionally, two Android vendors, Huawei and LG, say they have patched the vulnerability as well. However, if you don’t see your vendor on this list, or if you have yet to apply the patches – what next steps should you take to secure your devices? Start by following these tips:

  • Turn Bluetooth off unless you have to use it. Affected software providers have been notified of these vulnerabilities and are working on fixing them as we speak. But in the meantime, it’s crucial you turn off your Bluetooth unless you absolutely must use it. To do this on iOS devices, simply go to your “Settings”, select “Bluetooth” and toggle it from on to off. On Android devices, open the “Settings” app and the app will display a “Bluetooth” toggle button under the “Wireless and networks” subheading that you can use to enable and disable the feature.
  • Update your software immediately. It’s an important security rule of thumb: always update your software whenever an update is available, as security patches are usually included with each new version. Patches for iOS and some Android manufacturers are already available, but if your device isn’t on the list, fear not – security patches for additional providers are likely on their way.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Millions of iOS and Android Users Could Be Compromised by Bluetooth Bug appeared first on McAfee Blogs.

How kidney stones help us think better about implementing security

Sometimes in life we go through very disruptive experiences that make us think about how we can better prepare ourselves. Kidney stones, while small, have that effect. The experiences you

The post How kidney stones help us think better about implementing security appeared first on The Cyber Security Place.

Quantum Leaps and Bounds: Why Quantum Computing Will Have a Positive Impact on Cybersecurity

Earlier this year, our chief technology officer (CTO) of data security, Walid Rjaibi, outlined his perspective on the risks that quantum computers might pose to cybersecurity, particularly concerning common algorithms used in encryption. He astutely observed, however, that the risks are only one part of the story.

Quantum computing also has the potential to revolutionize our cybersecurity capabilities.

How Will Quantum Computing Enhance Cybersecurity?

According to a new IBM Institute for Business Value (IBV) paper, the two most notable areas of cybersecurity that quantum computing promises to enhance are machine learning and quantum number generation.

Machine learning is already a widely used and understood term in the cybersecurity world. We use machine learning capabilities today in security information and event management (SIEM), data protection, incident response and other solutions to improve behavior anomaly detection, classification and prediction capabilities. Given their improved speed and power, quantum computers have the potential to enhance the efficacy of machine learning when used for cybersecurity pursuits.

Random number generation is a key component of cryptography (pun intended). Classical random number generation can be split into two categories: pseudo-random number generators (PRNGs) and true random number generators (TRNGs). TRNGs are more suitable for generating strong encryption keys (you can read more about why in the IBV paper). Quantum random number generators (QRNGs) would be a special subset of TRNGs, which exploit the inherent randomness of quantum physics to generate even more random sequences of numbers, thus stronger encryption keys.

Download the complete IBM IBV paper: Preparing Cybersecurity Now for a Quantum World

Cybersecurity: Why the Sky Isn’t Falling

As you may have learned at Think 2018, despite the risks quantum computing may pose to cybersecurity, the sky is not falling. There are many measures organizations can take to safeguard their critical data today and in the future.

For example, doubling the key size of existing symmetric encryption algorithms can help companies prepare for how the cybersecurity landscape may change when large-scale quantum computers become available. Beyond that, the improvements quantum computing could potentially bring to cybersecurity will also contribute to stronger protection capabilities.

To learn more about the cybersecurity implications of quantum computing and how you can prepare for the future, download our recent paper from the IBM IBV, “Wielding a Double-Edged Sword: Preparing Cybersecurity Now for a Quantum World.”

The post Quantum Leaps and Bounds: Why Quantum Computing Will Have a Positive Impact on Cybersecurity appeared first on Security Intelligence.

Are Fake Apps Taking Over Your Phone?

It seems some malicious app developers have taken the phrase “fake it ‘til you make it” to heart, as fake apps have become a rampant problem for Android and iPhone users alike. Even legitimate sources, such as Google Play and Apple’s App Store, have been infiltrated with illegitimate applications, despite their own due diligence in combating this phenomenon.

After you download a fake app, cybercriminals leverage ransomware or malware delivered through ads that runs in the background of your device to do damage, making it difficult to notice something’s off. But while you’re minding your own business, your personal data (such as usernames, photos, passwords, and credit card information) can be compromised.

Malicious apps have become more challenging to detect, and even more difficult to delete from a device without causing further damage. The trend of fake apps shows no sign of slowing down either, as bad actors have become more brazen with the apps they work to imitate. From Nordstrom to Fortnite to WhatsApp, it seems no business or industry is off limits.

Luckily, cybercriminals have yet to figure out a sure-fire way to get their fake apps onto our devices. By paying extra attention to detail, you can learn to identify a fake app before downloading it. Here’s how:

  • Check for typos and poor grammar. Double check the app developer name, product title, and description for typos and grammatical errors. Malicious developers often spoof real developer IDs, even just by a single letter, to seem legitimate. If there are promises of discounts, or the description just feels off, those signals should be taken as red flags.
  • Look at the download statistics. If you’re attempting to download a popular app like WhatsApp, but it has an inexplicably low number of downloads, that’s a fairly good indicator that an app is most likely fraudulent.
  • Read what others are saying. When it comes to fake apps, user reviews are your ally. Breezing through a few can provide vital information as to whether an app is authentic or not, so don’t be afraid to crowdsource those insights when you can.
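The single-letter developer-name spoofing described in the first tip can also be checked mechanically, for example when vetting apps for managed devices. The following Python is an added example, not McAfee's code or an app-store API; the publisher allowlist and the confusable-character table are constructed for illustration. It reduces each name to a skeleton (case, punctuation and look-alike characters folded away) and flags names that are not on the allowlist but sit within one or two edits of an allowlisted publisher.

```python
import unicodedata

# Constructed allowlist of publisher names you trust (illustrative values,
# not verified store data).
KNOWN_PUBLISHERS = ["WhatsApp LLC", "Nordstrom, Inc.", "Epic Games, Inc"]

# Constructed, non-exhaustive table of characters used to imitate Latin letters.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "$": "s", "|": "l",
    "\u0430": "a",  # Cyrillic a
    "\u0435": "e",  # Cyrillic ie
    "\u043e": "o",  # Cyrillic o
    "\u0440": "p",  # Cyrillic er
    "\u0441": "c",  # Cyrillic es
})


def skeleton(name):
    """Fold case, compatibility forms, look-alike characters and punctuation."""
    folded = unicodedata.normalize("NFKC", name).casefold().translate(CONFUSABLES)
    return "".join(ch for ch in folded if ch.isalnum())


def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap as 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition, e.g. "storm" typed for "strom".
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def classify(candidate, known=KNOWN_PUBLISHERS):
    """Return (verdict, nearest allowlisted publisher or None, distance)."""
    if candidate in known:
        return ("exact", candidate, 0)
    cand = skeleton(candidate)
    distance, nearest = min((osa_distance(cand, skeleton(k)), k) for k in known)
    # Short names get a tighter limit so unrelated names are not flagged.
    limit = 1 if len(skeleton(nearest)) < 8 else 2
    if distance <= limit:
        return ("lookalike", nearest, distance)
    return ("unknown", None, distance)


if __name__ == "__main__":
    # Constructed developer names as they might appear on a listing.
    for name in ["WhatsApp LLC", "Wh\u0430tsApp LLC", "WhatsApp LCC",
                 "Nordstorm, Inc.", "Acme Puzzle Studio"]:
        print(repr(name), classify(name))
```

A "lookalike" verdict with distance 0 means the name differs from the allowlisted one only in characters the skeleton folds away, which is the hardest case to spot by eye.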

If you do find yourself having accidentally downloaded a fake app, there are steps you can take to rid your phone of it. Here’s what to do:

  • Delete the app immediately or as soon as you notice anything suspicious. If you can’t find it, but you’re still having issues, the app could still be on your device. That’s because, in the interest of self-preservation, fake apps can try and protect themselves from disposal by making their icon and title disappear. If that happens, go to your installed apps page(s) and look for blank spaces, as it may be hiding there.
  • Check the permissions. After installation, check the app’s permissions. Fake apps usually give long lists of frivolous requests in an effort to get access to more data.
  • Clear the app’s cache and data. If you do find the app you want to delete, this is the first step you must take in order to get the app completely off your phone.
  • Take it into your provider. If you’re still having issues after you’ve deleted an app, consider taking your device into your provider to run a diagnostic test.
  • Factory reset. As a last resort, if you can’t find the app because it has “disappeared,” or traces of the app and malware linger, the best way to ensure it is completely gone is to wipe the data, factory reset your device, and start over. This is why it is vital to have backups of your devices.

Even as this ever-growing trend of malicious developers spoofing legitimate applications to gain access to victims’ personal information continues, we can deter their advances simply by paying closer attention to detail. Stay vigilant and watch for the signs so you can avoid fake apps at all costs.


The post Are Fake Apps Taking Over Your Phone? appeared first on McAfee Blogs.

It’s time to relook at, rethink and then restructure our fragmented IT security landscape

GDPR and the NIS Directive present the perfect opportunity to eliminate tool bloat at your organisation. The run-up to Brexit has led to a boost in wages for professionals of

The post It’s time to relook at, rethink and then restructure our fragmented IT security landscape appeared first on The Cyber Security Place.

Cyber Security Roundup for July 2018

The importance of assuring the security and testing quality of third-party provided applications is more than evident when you consider an NHS reported data breach of 150,000 patient records this month. The NHS said the breach was caused by a coding error in a GP application called SystmOne, developed by UK based 'The Phoenix Partnership' (TPP). The same assurance also applies to internally developed applications; a case in point was a publicly announced flaw in Thomas Cook's booking system discovered by a Norwegian security researcher. The researcher used the app flaw to access the names and flight details of Thomas Cook passengers and released details on his blog. Thomas Cook said the issue has since been fixed.

Third-party services also need to be security assured, as seen with the Typeform compromise. Typeform is a data collection company; on 27th June, hackers gained unauthorised access to one of its servers and accessed customer data. According to their official notification, Typeform said the hackers may have accessed the data held on a partial backup, and that they had fixed a security vulnerability to prevent reoccurrence. Typeform has not provided any details of the number of records compromised, but one of their customers, Monzo, said on its official blog that it was in the region of 20,000. Interestingly, Monzo also declared it was ending its relationship with Typeform unless it wins their trust back. Travelodge is one UK company known to be impacted by the Typeform breach and has warned its impacted customers. Typeform is used to manage Travelodge’s customer surveys and competitions.

Other companies known to be impacted by the Typeform breach include:

The Information Commissioner's Office (ICO) fined Facebook £500,000, the maximum possible, over the Cambridge Analytica data breach scandal, which impacted some 87 million Facebook users. Fortunately for Facebook, the breach occurred before the General Data Protection Regulation came into force in May, as the new GDPR empowers the ICO with much tougher financial penalties designed to bring tech giants to book. Let's be honest, £500k is petty cash for the social media giant.

A UK government report criticised the security of Huawei products, concluding the government had "only limited assurance" Huawei kit posed no threat to UK national security. I remember being concerned many years ago when I heard BT had ditched US Cisco routers for Huawei routers to save money; not much was said about the national security aspect at the time. The UK gov report was written by the Huawei Cyber Security Evaluation Centre (HCSEC), which was set up in 2010 in response to concerns about BT and other UK companies' reliance on the Chinese manufacturer's devices. By the way, that body is overseen by GCHQ.

Banking hacking group "MoneyTaker" has struck again, this time stealing a reported £700,000 from a Russian bank according to Group-IB. The group is thought to be behind several other hacking raids against UK, US, and Russian companies. The gang compromised a router which gave them access to the bank's internal network. From that entry point, they were able to find the specific system used to authorise cash transfers and then set up the bogus transfers to cash out £700K.



Unsecured Third-Party Access Puts Personal Data at Risk

Organizations that fail to vet third-party suppliers properly are vulnerable to a threat that steals credit card data over long periods of time, according to a July 2018 IBM X-Force advisory.

The threat alert outlines details about a recent breach against Ticketmaster that affected several of its third-party websites. According to the advisory, a threat group used a tactic called digital skimming to harvest credit card information, login credentials and names from online forums.

The group, dubbed Magecart, has been running the campaign since at least December 2016.

Digital Skimming Threat Exploits Third-Party Access

It’s important to note that Magecart launched its attack not through Ticketmaster itself, but via one of its digital suppliers, Inbenta, and possibly through a second vendor called SocialPlus.

This incident shows how an extended ecosystem of partners and suppliers can significantly expand the perimeter that security professionals must protect. A May 2018 study from Kaspersky Lab found that incidents affecting third-party infrastructure have led to an average loss of $1.47 million for large enterprises.

How Can Organizations Thwart Third-Party Threats?

While malicious actors have been secretly inserting physical devices to skim credit card data at point-of-sale (POS) terminals for years, digital skimming makes this threat much more difficult to contend with. This is especially true for large organizations that oversee dozens of websites, landing pages and other digital properties that prompt customers to enter their personal data.

To keep third-party threats in check, IBM experts recommend:

  • Taking inventory of third-party network connections to understand where they are coming from, where they are going to and who has access;
  • Conducting vulnerability assessments on their external-facing hosts and cloud environments to look for services that are listening for inbound connections; and
  • Using encryption to ensure that their sensitive data is useless to cybercriminals in the event that it is stolen via unsecured third-party access.
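The first recommendation can be started on the browser side, where digital skimming runs: list every script a page loads from another host and compare it with what you have approved. This is an added example, not part of the IBM advisory or the original post. The page URL, host names, sample HTML and approved list are constructed, and the `integrity` check refers to the standard Subresource Integrity attribute on `script` tags.

```python
"""Inventory the third-party scripts a page loads and flag the risky ones."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class ScriptInventory(HTMLParser):
    """Collect every external <script src=...> in a page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.scripts = []  # (absolute URL, has integrity attribute)

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        attr = dict(attrs)
        src = attr.get("src")
        if src:  # inline scripts have no src and are not third-party loads
            absolute = urljoin(self.page_url, src)  # resolves "/x.js" and "//host/x.js"
            self.scripts.append((absolute, bool(attr.get("integrity"))))


def audit(page_url, html, approved_hosts):
    """Return (host, url, finding) for each third-party script worth a look."""
    parser = ScriptInventory(page_url)
    parser.feed(html)
    own_host = urlsplit(page_url).hostname
    findings = []
    for url, pinned in parser.scripts:
        host = urlsplit(url).hostname
        if host == own_host:
            continue  # first-party code, out of scope for this inventory
        if host not in approved_hosts:
            findings.append((host, url, "unapproved third-party host"))
        elif not pinned:
            # An approved supplier can still be compromised; without an
            # integrity hash the browser runs whatever the supplier serves.
            findings.append((host, url, "approved host, no integrity pin"))
    return findings


# Constructed sample: a checkout page with one first-party script, two
# supplier scripts (one pinned, one not) and one script nobody approved.
SAMPLE_PAGE = """
<html><head>
<script src="/static/checkout.js"></script>
<script src="https://cdn.chat-vendor.example/widget.js"></script>
<script src="https://cdn.pay-vendor.example/v3/sdk.js"
        integrity="sha384-CONSTRUCTED-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="//stats-collector.example/t.js"></script>
<script>var inline = 1;</script>
</head><body><form id="payment"></form></body></html>
"""
APPROVED = {"cdn.chat-vendor.example", "cdn.pay-vendor.example"}

if __name__ == "__main__":
    for host, url, finding in audit("https://shop.example/checkout",
                                    SAMPLE_PAGE, APPROVED):
        print(f"{finding}: {url}")
```

Scripts that other scripts add at runtime do not appear in the static HTML, so this covers only the first layer of the inventory.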

The post Unsecured Third-Party Access Puts Personal Data at Risk appeared first on Security Intelligence.

GDPR has made life easier for cybercriminals

Removal of PII data from Whois records makes protecting Internet users increasingly difficult for security professionals. New research conducted by domain name and DNS-based cyber threat intelligence firm DomainTools has revealed that

The post GDPR has made life easier for cybercriminals appeared first on The Cyber Security Place.

Recent Attack Suggests Ransomware Is Alive and Well in Healthcare

A U.S. hospital disclosed that it suffered a ransomware attack, the latest in a spate of such incidents befalling the industry in recent years. Despite the fact that ransomware has declined in most other industries, these continued attacks highlight the need for healthcare organizations to boost their defenses and adopt strategies to proactively fight against this persistent threat.

Another Hospital, Another Data Breach

The hospital announced that it became aware of a crypto-malware attack on the morning of July 9. The incident affected the organization’s internal communications systems and access to its electronic health record (EHR).

Soon after discovering the malware, the hospital quickly initiated its incident response protocol, and IT professionals worked with law enforcement and forensics experts to investigate the incident. The security team also evaluated the hospital’s digital defense capabilities and decided to divert ambulance patients suffering from trauma or stroke to other institutions.

Although the investigators did not discover any evidence of the attack compromising patient data, they did opt to temporarily shut down the system as a precaution.

Ransomware Rates Remain High in Healthcare

According to Recorded Future, ransomware campaigns began declining in 2017, driven largely by the disappearance of many exploit kits (EKs) on the cybercrime market. At the same time, the remaining EKs made a tactical shift toward distributing crypto-mining malware. Unfortunately for hospitals, the decline in overall ransomware attacks does not apply to the healthcare sector.

Healthcare companies are still prime targets for ransomware because they invest relatively little in IT security. In addition, hospitals are often more willing to pay ransoms due to the criticality of their IT systems and EHRs. As John Halamka, chief information officer (CIO) at Boston’s Beth Israel Deaconess Medical Center, noted in Fierce Healthcare, some of these systems are not up to date, which makes them susceptible to vulnerability-driven attacks.

“Each time a patch is introduced, the act of changing a mission-critical system impacts reliability and functionality,” Halamka explained. “Some mission-critical systems were created years ago and never migrated to modern platforms.”

According to ZDNet, many hospitals have recently paid ransoms of tens of thousands of dollars to regain access to their data. Threat actors view these incidents as evidence that ransomware is still an effective and lucrative tactic to use against healthcare organizations.

How Can Hospitals Protect Their Data?

To protect healthcare data from threat actors looking to hold it for ransom, hospitals should double down on patch management to ensure that all networks, endpoints, applications, databases and medical devices are up to date. They should also implement network segmentation to limit attackers’ lateral movement and regularly back up data so that operations can resume quickly in the event of a breach.

As always, the best defense against threats such as ransomware is continuous training and education throughout the organization. By ensuring that everyone from rank-and-file employees to top leadership can recognize signs of a ransomware attack and act accordingly, these users can serve as the first line of defense against this persistent threat.

The post Recent Attack Suggests Ransomware Is Alive and Well in Healthcare appeared first on Security Intelligence.

Digital Strategy Isn’t Meeting Security Needs — Here’s What to Do

We are in the midst of a digital transformation. And yet, IT departments are struggling to develop a digital strategy that addresses data privacy and cybersecurity. In a world where the General Data Protection Regulation (GDPR) is now in effect, the lack of such a strategy could end up coming back to haunt your organization and its leadership.

The Greatest Challenge Facing Digital Strategy Leadership

According to a June 2018 Harvey Nash/KPMG CIO Survey, the greatest challenge facing security and information technology leadership is the ability to deliver dynamic data while simultaneously providing a high level of security and privacy.

Only 32 percent of organizations have a company-wide digital strategy, the same survey found, and of those, 78 percent admit that the strategy in place is moderately effective at best. These insights imply that all of the data transmitted through organizations, including the personal information of customers, isn’t getting the level of protection necessary or satisfying GDPR compliance.

Jumping Into the Digital Transformation Too Fast

Let’s face it, most companies are failing or falling behind when it comes to cybersecurity — and the ongoing digital transformation is only exacerbating the situation. The Harvey Nash/KPMG survey states IT departments are doing fine when it comes to traditional technologies, but it also recognizes the increasing complexity that digital technologies bring to organizations.

Understanding these technologies is part of the problem — not only how they work, but also how they’ll best improve the nature of the business. It might be tempting to apply the latest and greatest available technology, whether you need it or not.

IT staff are often risk-takers — they like new technology and want to use it right away. Where they run into trouble is bringing in the latest technology without a real strategy to implement it both wisely and securely. Just because IT wants to update its technology doesn’t mean the company is ready for it.

Too Much Data, Not Enough Security

Understanding how a technology’s abilities intersect (or don’t) with a business’s needs makes the difference between a successful transformation and digital nightmare. Whether the technology is a boon or bust for the company, there is one thing it is guaranteed to do: generate more data — which will require layers of security. Without an effective digital strategy, understanding and protecting that data becomes problematic.

If the data were stored in one location, it might be easier to manage. But with increasing diversity of technologies, from the Internet of Things (IoT) and cloud computing to blockchain and virtual reality (VR), databases for one company are stored in thousands of endpoints. This reality is leading to increased risk of data breaches.

“[W]ith the emergence of these transformative technologies the perimeter has become dynamic and ever-changing,” wrote Peter Galvin, chief strategy and marketing officer at Thales eSecurity. “[W]hile protecting the perimeter is still important, it simply is not enough to prevent sensitive data from being stolen.”

Getting Leadership on Board

A strong digital strategy will provide the layers of security and privacy needed in the digital transformation, but this requires cooperation from all levels of leadership. Just as IT departments have a responsibility to be more business-aware and recognize how new technologies fit (or don’t fit) into corporate strategies, boards of directors must be more realistic about creating digital strategies that will meet today’s and tomorrow’s privacy concerns.

In the past, the fallout from data breaches and other security incidents fell directly on C-suite employees: Chief executive officers (CEOs), chief information officers (CIOs) and chief information security officers (CISOs) have been held accountable by directors. However, the responsibility often falls on the board to approve budgets, support cybersecurity funding and efforts and create corporate strategies.

Thanks to GDPR — and rising security and privacy threats — boards may finally be getting the message. The Harvey Nash/KPMG survey found that boardrooms are increasingly prioritizing security. In fact, security has received the most significant increase in business priority over the past year.

And according to Board Effect, more boards are expanding to bring cybersecurity experts directly to the table as full members.

“Cybersecurity experts on the board have the proper expertise to advise the board about the best tools, processes and resources to keep hackers at bay,” the publication stated. “In addition, cybersecurity experts are the prime resource people for identifying new developments in IT as technology advances.”

This shift is promising for security professionals. With a digital perspective integrated directly into board decisions, IT departments should gain the leverage necessary to lobby for tools and support they need to meet the digital transformation with an adequate strategy to keep data secure.


The post Digital Strategy Isn’t Meeting Security Needs — Here’s What to Do appeared first on Security Intelligence.

How to Navigate Business Ethics in a Data-Hungry Digital World

In this data-hungry world, high-profile breaches continue to make headlines. As global corporations and technology giants continue to collect enormous amounts of personal information, legislators and consumers are starting to ask pointed questions about business ethics.

Even when companies aren’t directly profiting from sharing their users’ personal information, they often fail to protect what they have. Consumers have begun to realize that what they read, who they engage with, what they buy — and even the pictures they share online — are all monetized as data.

The critical question: Do the businesses who profit from the use of this personal data have integrity? If not, what needs to change to achieve ethical business practices?

How to Define Business Ethics in a Digital World

In general, ethics is a gray area. As different entities emerge — and the players evolve — ideas about right and wrong shift. Therefore, the goal for businesses must be to find a starting point, explained Jason Tan, CEO and co-founder of machine learning company Sift Science, to SecurityIntelligence.

“Each business needs to define for itself a clear North Star of what is right and what is wrong,” Tan said. “That doesn’t have to get into the nitty-gritty of what is right and wrong — but establish a baseline of what they want for a cultural mindset so that everyone is guided by the principle of doing the right thing as much as possible.”

Unfortunately, the “right thing” is often unclear. Since the General Data Protection Regulation (GDPR) went into effect, consumers’ inboxes have been flooded with emails updating them about privacy policy changes.

There’s a greater issue, however: Even when it comes to privacy policy and terms of service agreements, “users enter into legal agreements that are often difficult or impossible for the everyday person to understand,” Tan said.

While that’s not unethical, per se, it does err on the side of what is not right for the users.

“We think of business ethics as the set of values that a company uses to make decisions with an eye to all of its different stakeholder groups — employees, customers, value chain partners, investors, the communities in which it operates — and the impact the decision might have upon them,” said Erica Salmon Byrne, executive vice president at the Ethisphere Institute, to SecurityIntelligence.

Navigate Changes in Technology With a Moral Compass

Rapid changes in technology have impacted the speed with which businesses need to react, especially since the effects of their decisions have an increasingly global reach. Ethical companies know who they are and what matters to them. Therefore, in times of crisis, they can rely on this moral compass to direct their responses.

To be an ethical company, organizations must recognize risks in the actions of their employees and the behaviors of the company itself. Examples include how they work with personal data, other company information or trade secrets.

Businesses can mandate ethics with a moral compass that won’t compromise the personal information used to make business-critical decisions by clearly conveying what their expectations are and why they matter.

“Provide context to show how those expectations pertain to the area the employee is working in, provide trustworthy avenues to raise concerns and monitor and follow-up where possible,” Byrne said. “… but at the end of the day, your controls are only as good as your people.”

Find True North

Another step toward moral practice: Draft more ethical versions of your user agreements that are clear, transparent and accessible. This strategy will help your users understand the rights they are transferring — which is a whole branch of communication that hasn’t been developed.

“The norm for users is to never even look at the terms of service,” Tan said. “As a society, we want instant gratification quickly and effectively — so it is on the businesses to be thinking about how to make all this legalese more accessible to the everyday person to help them clearly understand what is happening.”

All of these ideas are lofty — but mean little unless they are put into action. While some technology giants continue to seek redemption for their reported misuse of personal data, many companies pride themselves on their business ethics. As governments continue to respond to heightened concerns about protecting privacy, there will likely be more regulations that attempt to legislate the ethical behavior of businesses.

Byrne warned that in the midst of trying to comply with regulations, it’s often easy to forget what those regulations are trying to achieve.

“If the company has clear values, ties their policies and procedures to those values, takes the time to engage employees on the values and expectations and offers avenues to ask questions that employees feel secure in using, it will go a very long way towards mitigating the risk of improperly using or protecting data and lots of other risks too,” Byrne said.


The post How to Navigate Business Ethics in a Data-Hungry Digital World appeared first on Security Intelligence.

Here Are the Biggest Cybersecurity Threats to Watch out for in 2018

Cybercriminals are always evolving their tactics in order to steal and compromise data. To stay ahead of them, we compiled the biggest cybersecurity threats in 2018, from cryptojacking to already-infected smartphones, and provided actionable tips for you to stay safe online. As the old saying goes, prevention is better than the cure!

1. Getting their info compromised in massive data leaks

There’s no question about it, the biggest risk for users comes without them even having a choice or an input in the matter. It’s, of course, data leaks.

Beyond the Equifax hack and the Cambridge Analytica scandal and their far-reaching implications, it seems that every month brings a new data leak from a major company.

To help combat this, Firefox announced that they will implement Troy Hunt’s Have I Been Pwned tool into their browser, allowing users to check if their email address was compromised. It’s a great start but it’s not enough.


Unfortunately, as a user, there’s not much you can do about the big services getting hacked. You can, however, protect yourself to the best of your ability, which will eliminate a large number of attack angles on your data and finances.

How to protect yourself:

  1. For non-essential services like newsletters, promotions and various sign-ups, use one or more “burner” email addresses that are not used for your important accounts
  2. Periodically check if your main email address shows up in Have I Been Pwned or Firefox Monitor
  3. Secure every login with two-factor authentication
  4. Carefully consider how much personal information you give away on social media

 




 

2. Smartphones shipping with malware and malicious apps

Mobile malware is one of the fastest growing types of malware and this trend has continued for a few years. Because smartphones have become replacements for desktop computers and laptops for many people, the data they collect and contain is a very appealing target for cybercriminals.

It goes without saying that you should never download apps from unknown sources and should stick to the official app stores. However, malicious apps can regularly bypass security measures in the Google Play Store or Apple’s App Store.

Trend Micro actually uncovered apps that promised “smartphone security”, not to mention a host of malicious apps that claimed to clean up storage space or optimize battery usage. All of them actually harvested user data and location, while also pushing advertising in multiple ways. Even the App Store, usually having strict review processes, accidentally allowed a calendar app to secretly mine cryptocurrency in the background.

Just how bad is it?

In 2017, out of around 3.5 million apps in Google Play Store, 700,000 of them were deemed “problematic” – they were either app clones or they were designed to steal information, intercept text messages and send phishing links to the user’s list of contacts.

Maybe 2018 is better. Well, that’s a big maybe. Even with Google Play Protect and other measures from other smartphone or OS makers, things slip by.


Some devices actually ship with malware on them, straight from the factory floor!

In 2017, cybersecurity experts from Checkpoint pointed out that more than 30 high-end smartphones were infected with malware somewhere in the supply chain, before even reaching consumers.

In 2018, Dr. Web raised the alarm that dozens of low-cost Android phones were shipping with the powerful banking Trojan called Triada.

How to protect yourself:

  1. Don’t be lured by the appeal of cheap smartphones if you don’t know the brand – do research before buying a device and make sure the brand has an established community.
  2. Update your apps every time you receive a notification or let them update automatically. A security patch applied immediately can and will protect you from a lot of malicious attacks on your smartphone.
  3. Take the time to review app permissions when you install them and periodically check those permissions in case they were reset after an update. Does a photo scanning app actually need permission to access your location? No, it does not.
  4. When searching for and installing an app, take a minute and read some reviews about it, checking both the high and low scores. If it doesn’t have reviews yet promises a widely-needed functionality, steer clear of it.
  5. Try to back up your smartphone data at least twice a month



3. Ransomware attacks on cloud services

Ransomware is one of the biggest threats for both home users and organizations. Attacks that will encrypt data and then demand hefty ransoms are obviously a profitable endeavor for criminals.

Usually, the impact of a ransomware attack can be minimized if you have a backup of your data. What’s really bad is that this backup is usually in the cloud, and the cloud can be hit by ransomware too.

Petya itself, one of the most virulent strains, was spread through an infected file on Dropbox, one of the most popular backup solutions. Clearly, ransomware in the cloud is a major problem for everyone.

According to MIT, this is one of the six biggest cyber threats. Just like in the case of data breaches, you cannot stop your cloud provider from getting infected, but you can take measures to protect yourself from ransomware.


How to protect yourself:

We put together this mega-guide on ransomware protection, but in short, here’s what you should do:

  1. Keep your valuable data backed up, both locally and in the cloud, preferably in multiple locations
  2. Don’t rely on Antivirus alone, as this reactionary software can’t handle the newest strains. Use a proactive tool capable of blocking infections at their source and stopping dangerous links

 

4. Cryptojacking that affects their hardware

As we explained in our protection guide against cryptojacking, this type of attack involves hijacking your computer’s hardware in order to mine cryptocurrency for the criminals.

One of the most popular ways to do this was to target a vulnerable website and inject a script (Coinhive has been the most popular). Then, unprotected visitors on that website had their computers enslaved in order to mine cryptocurrency.

Cryptojacking has been one of the most popular attacks this year, almost surpassing ransomware, and it’s constantly evolving.

How to protect yourself:

  1. Use a reputable antivirus and, alongside it, an anti-malware solution that constantly scans traffic and blocks infected domains
  2. On any browser, use an ad blocker that can stop cryptocurrency-mining scripts. One example is uBlock Origin, but you can also use the popular extension NoScript
  3. Always update your software, especially your browser, since some cryptojacking targets the browser directly

 


5. Financial losses and data compromise due to cryptocurrency trading

The end of 2017 marked a crazy time in the world of cryptocurrency, with the value of Bitcoin reaching $20K. At the same time, cybercriminals also had an even bigger incentive to get creative with their attacks.

Beyond cryptojacking, which usually affects those who are not invested in cryptocurrencies, those who owned any type of virtual coins were prime candidates to lose their money.

In June, the sixth-biggest crypto exchange in the world, Bithumb, was hacked, and around $30 million was lost. Fortunately, those users who kept their coins there were reimbursed, but others were not so lucky.

In February, another crypto exchange (BitGrail) was hacked. The attackers took off with $195 million worth of Nano cryptocurrency belonging to users. That incident blew up in a scandal after the company initially refused to refund users. And that’s only the attacks on the exchanges themselves.


Cryptocurrency holders around the world are constantly targeted by ever-evolving attacks aimed at their virtual wallets.

One cryptocurrency trader and YouTube personality, Ian Balina, was targeted in a hack and lost almost $2 million. Another, Peter Saddington, told the press that someone used social engineering on Verizon’s customer service and then targeted him. He lost a “significant amount” of money and a lot of valuable data.

“It fundamentally changed my life. I lost everything. I lost 13 years of emails,” he said.

In January, a criminal stole $150,000 by tricking would-be investors in an ICO sale into sending their payments to a fraudulent wallet address using good, old-fashioned phishing. Wired had a great write-up on why it’s so easy to hack a cryptocurrency fundraiser.

Even the popular Hola VPN Chrome extension was hacked and replaced with a compromised one designed to steal cryptocurrency.

How to protect yourself:

While it’s impossible to control for all outcomes, especially a data breach, there are some steps you can take:

  1. If you invest in cryptocurrency do not tell others about this. Specifically, don’t post on social media about it.
  2. Use this guide to secure your assets before even considering investing, as security best practices will help you have a good base.
  3. Keep your funds in multiple wallets
  4. Secure all your logins with two-factor authentication
  5. Stay on top of the news to keep up with the latest types of scams. A dose of paranoia when involved in crypto is one of the healthiest things you can do.



 

6. Scams with advanced social engineering tactics

We try to keep up with the most popular or creative online scams and gather them in our prevention guides so that you can stay safe. Fossbytes wrote a very good rundown on the types of social engineering techniques that can compromise your info, from phishing to baiting and the “quid pro quo”, where criminals pose as support employees.

However, with the rise of AI and machine learning, those criminals can efficiently automate their attacks in order to maximize their reach.

“Machine learning models can now match humans at the art of crafting convincing fake messages, and they can churn them out without tiring,” warns MIT Technology Review.

How to protect yourself:

  1. Learn how to spot a phishing link and understand how other techniques like vishing or spear phishing work
  2. Install a traffic scanner on your PC that can block malicious links and attempts to connect to infected domains
  3. Avoid posting too much personal information on social media

 

7. IoT devices like smart locks or smart assistants being hacked

In May, an NYTimes piece perfectly articulated privacy advocates’ biggest concerns and one of the biggest cybersecurity threats, citing a group of Berkeley researchers who managed to attack Alexa.

“Inside university labs, the researchers have been able to secretly activate the artificial intelligence systems on smartphones and smart speakers, making them dial phone numbers or open websites. In the wrong hands, the technology could be used to unlock doors, wire money or buy stuff online — simply with music playing over the radio.

A group of students from University of California, Berkeley, and Georgetown University showed in 2016 that they could hide commands in white noise played over loudspeakers and through YouTube videos to get smart devices to turn on airplane mode or open a website.

This month, some of those Berkeley researchers published a research paper that went further, saying they could embed commands directly into recordings of music or spoken text. So while a human listener hears someone talking or an orchestra playing, Amazon’s Echo speaker might hear an instruction to add something to your shopping list.”


The reporter and researchers underlined that, to the extent of their knowledge, fortunately, no such attacks have been spotted in the wild.

By exploiting the “re-prompt” feature that makes Alexa clarify an order, Checkmarx tricked Amazon Echo into recording everything spoken even if the wake word wasn’t used. That was just this year’s headline; in 2017, one security researcher, Mark Barnes, showed how to install malware on an Amazon Echo.

Of course, Amazon is a huge company, so it invests plenty in securing its devices and its reputation. However, there is no such thing as unhackable software, so you need to exercise caution.

How to protect yourself:

  1. Consider if you do need to have a device like a voice assistant connected to every smart appliance you own. “Convenience versus privacy and security” is a debate everyone should have with themselves before purchasing devices and software.
  2. If you own a device like this, make sure you connect it to a secure WiFi. Use this guide to enhance the security of your home network.
  3. Be careful about allowing smart devices access to your credit card. Last year, an Amazon Echo owner woke up to find Alexa had purchased a lot of dollhouses.
  4. Take stock of who visits your home and what kind of access your friends and family have to your voice assistant

 

While not all of them are new and most are based on tactics already seen, these are the biggest cybersecurity threats for users in 2018. If you have one more to add to the list (or even a great security tip!) let us know below. We’d love your input!

The post Here Are the Biggest Cybersecurity Threats to Watch out for in 2018 appeared first on Heimdal Security Blog.

GDPR Hurts Security but Publicity Might Help

A survey of 900 security professionals conducted by AlienVault at Infosecurity Europe found that spending on GDPR compliance efforts has hindered threat detection but cybersecurity publicity might actually benefit the industry. Additionally,

The post GDPR Hurts Security but Publicity Might Help appeared first on The Cyber Security Place.

Why Consumers Demand Greater Transparency Around Data Privacy

Although consumers have a wide range of attitudes toward data privacy, the vast majority are calling for organizations to be more transparent about how they handle customer information, according to a July 2018 survey from the Direct Marketing Association.

Previous research has shown that many companies are not doing enough to communicate and clarify their data-handling policies to customers. Given these findings, what practices can organizations adopt to be more upfront with users and build customer trust?

How Important Is Data Privacy to Consumers?

The Direct Marketing Association survey sorted respondents into three categories:

  1. Data pragmatists (51 percent): Those who are willing to share their data as long as there is a clear benefit.
  2. Data unconcerned (26 percent): Those who don’t care how or why their data is used.
  3. Data fundamentalists (23 percent): Those who refuse to share their personal data under any circumstances.

It’s not just fundamentalists who see room for improvement when it comes to organizations’ data-handling practices. Eighty-two percent of survey respondents said companies should develop a flexible privacy policy — while 84 percent said they should simplify their terms and conditions. Most tellingly, 86 percent said organizations should be more transparent with users about how they engage with customer data.

There Is No Digital Trust Without Transparency

The results of a May 2018 study from Ranking Digital Rights (RDR), Ranking Digital Rights 2018 Corporate Accountability Index, suggest that consumers’ demands for more transparency are justified. Not one of the 22 internet, mobile and telecommunications companies surveyed for the study earned a privacy score higher than 63 percent, indicating that most organizations fail to disclose enough information about data privacy to customers.

Transparency is often a critical factor for consumers when deciding whether to establish digital trust with a company or service provider. According to IBM CEO Ginni Rometty, organizations can and should work to improve their openness by being clear about what they’re doing with users’ data. Those efforts, she said, should originate from companies themselves and not from government legislation.

“This is better for companies to self-regulate,” Rometty told CNBC in March 2018. “Every company has to be very clear about their data principles — opt in, opt out. You have to be very clear and then very clear about how you steward security.”

The post Why Consumers Demand Greater Transparency Around Data Privacy appeared first on Security Intelligence.

Only 20% of companies have fully completed their GDPR implementations

Key findings from a survey conducted by Dimensional Research highlight that only 20% of companies surveyed believe they are GDPR compliant, while 53% are in the implementation phase and 27% have not yet started their implementation. EU (excluding UK) companies are further along, with 27% reporting they are compliant, versus 12% in the U.S. and 21% in the UK. While many companies have significant work to do, 74% expect to be compliant by the end … More

The post Only 20% of companies have fully completed their GDPR implementations appeared first on Help Net Security.

Why Malware as a Business is on the Rise

The alarming growth of malware attacks in recent years should concern each of us and, more importantly, should make us AWARE of the risks and consequences. Taking action and preventing these malicious activities operated by cybercriminals has to be a top priority IF we want to stay safe online.

The reality is that cyber attackers now use different strains of malware, much more sophisticated and agile, that prove to be effective and successful, challenging us to build a stronger defense against them.

Malware evolves at a rapid pace because advanced malware has mastered the art of evasion. Thus, traditional antivirus engines find it difficult to detect attacks in the first stages. Malware is getting bigger and bigger. It fuels growth and innovation, and encourages malicious actors to easily reach their goals.

In this article, we’ll take an in-depth look at malware and learn where it hides, what the most dangerous malware attacks so far have been, and why malware is a profitable business for cybercriminals. We’ll also offer actionable security tips to help you better prevent these attacks and keep yourself (and your digital assets) safe.

Why do malware attacks keep happening?

In the context of this ever-changing threat landscape that never ceases to challenge everyone from home users, organizations to security researchers and communities, this question makes a good point.

It’s simple. Malware still works, and humans contribute to helping attackers succeed with their malicious plans.

True fact: Through our old habits that seem to die hard (not updating our software frequently, or reusing the same password for various online accounts), we maintain security holes that malicious actors exploit, fueling this growing malware business.

According to a report from the security company Trustwave, 22 percent of respondents (security respondents) said that “preventing malware, including ransomware, was their biggest security threat and obligation for 2018”, while the second biggest pressure was identifying vulnerabilities (17%) and the third one (13%) was preventing social engineering and phishing attacks.

Paul Edmunds, Head of Technology at the National Crime Agency’s National Cyber Crime Unit (NCCU) states that:

 It’s really important to understand the impact that malware has. It’s a massive criminal enabler that underlines most cybercrime. It’s an infrastructure that’s used for compromising devices to conduct most of the prominent attacks that you see.

The evolution of malware

Before we understand its impact, let’s take a few steps back and have a look at how malware evolved lately to become such a serious and threatening business to everyone.

The malware market evolved from something that was tested and probably used for fun, with hackers creating programs to see how they could gain access to unauthorized places and then focusing on money and stealing personal data, into a more targeted attack vector.

Did we ask for malware? No, but there’s a big business out there and we are all responsible in one way or another for keeping it alive and growing.

According to the Cisco 2018 Annual Cybersecurity Report, the evolution of malware was “one of the most important developments in the attack landscape in 2017”. “Malware is becoming more vicious. And it’s harder to combat. We now face everything from network-based ransomware worms to devastating wiper malware.”

This graphic from AV-Test shows the growth of total malware over the last five years:


Source: AV-TEST.org

Also, did you know that “in the second half of 2017 on average 795 new malware specimen were discovered per hour i.e. 13 per minute.”?

Source: Gdatasoftware.com

Regardless of the smartphone landscape, mobile malware is one of the fastest-growing types of malware, targeting more and more Android users. In the first quarter of 2018, the G DATA security experts detected “an average of 9,411 new malware every day for the popular Android operating system”. This means a new piece of malware appearing every 10 seconds.

The rise of ransomware attacks

Perhaps a clear evolution of the malware economy was seen last year with two massive and devastating cyber attacks: WannaCry and (non)Petya.

Europol called the first one an attack of “an unprecedented level”; it took down entire networks, caused business disruption across 150 countries and infected more than 200,000 computers. Not to mention the financial damage caused, because many companies and public institutions had their computers and data encrypted, and the only way to get them back was to pay a ransom.

While cybercriminals used the EternalBlue method during the WannaCry outbreak, with the (non)Petya outbreak, which also spread fast and had self-replicating abilities, they changed the type of malware from ransomware to wiper. How is this different? The purpose of a wiper is to destroy and damage, while ransomware is mainly focused on making money.

In 2018, malware is even more agile, and Gandcrab ransomware is a great example. It is a fast-growing malware that has been spread in waves of spam campaigns. While it has already reached version 4, this piece of malware was initially distributed via exploit kits, which abuse software vulnerabilities found in systems.




The newest version 4 of this malware family includes “different encryption algorithms, a new .KRAB extension, new ransom note name, and a new TOR payment site”. So far, Gandcrab is one of the most prevalent and biggest ransomware attacks in 2018. Here’s a more in-depth and technical analysis of how Gandcrab ransomware evolved if you want to dive into this topic.

If you’ve been hit by any of these ransomware attacks or others, we strongly advise you NOT to pay the ransom to get your data back. Instead, check out this list of decryption tools to unlock your data for free.

5 key places where malware can hide

Malware authors often look out for new techniques to hide their malicious files which often go unnoticed by antivirus software or threat intelligence analysis.

Here are the most common places where malware can hide:

  • Email attachments – Most of the security alerts we’ve written talk about malware being delivered via emails to potentially infect victims’ computers. Sadly, many people still download, open, click and enable malicious attachments to run on their computers. Here is an example of a variant of Trickbot malware in which cybercriminals lure victims into clicking on a malicious Word document attached to the email.
  • Links sent via email – Another common place where malware can hide is a link received via email, which is more tempting for users to simply click than an attachment is to download. This mindless clicking behavior is known and exploited by cybercriminals.
  • Traffic redirect – Another place that malicious actors exploit to hide malware is Internet traffic (especially in the browser). As we spend most of our time reading online, browsing blogs or buying on the Internet, it’s easy to become a target. Traffic redirects may be invisible to unskilled users, so they land on sites where malware is hidden in the code of the page or in the ads listed on the site.
  • Software updates – The story of the compromised versions of the CCleaner software is probably the best example here. Hackers spread hidden malware in version 5.33 of the CCleaner software, which has been downloaded by more than two million users. Full story here.
  • Hidden and infected mobile apps – Given the rise of mobile apps, we’re likely to download and install all kinds of apps on our devices without exercising any caution. Here’s an example of a malware threat known as a hidden administrator app that targets Android users. It is an infected app that installs itself with administrator privileges and takes control of your mobile device.

If you want to find out more about how and where cybercriminals hide their malicious code in files, links, apps we use on a daily basis, read this guide.

Why Malware is a profitable business for malicious authors

Just like any other business, the purpose of malware authors is to turn it into a big and profitable business of millions (or even billions of dollars). To do that, it’s important for them to know and ask for the right price.

Making money from malware has proved to be a winning option for cybercriminals. Usually, they choose rich and developed countries, target large and successful organizations, from where they can extort a lot of money and access their valuable data.

As the number of ransomware attacks continues to grow exponentially, its authors will keep making a lot of money, because most of the victims choose to pay the ransom.

According to the Telstra Security Report, more than half of businesses who were victims of a ransomware attack have paid the ransom and they would do it again. “Some 60 percent of ransomware victims in New Zealand and 55 percent in Indonesia paid the ransom, making it the highest for Asia. In Europe, 41 percent of respondent ransomware victims paid up.”

On top of that, other research conducted by Cybersecurity Ventures estimates that ransomware damages will cost the world more than $8 billion in 2018 and that they will reach $11.5 billion annually by 2019.

The attackers behind WannaCry ransomware may have caused global panic among users and organizations, but what about its financial costs? In total, it has been estimated that they made $143,000 in Bitcoin from this massive attack.

The Gandcrab ransomware, which continues to evolve and is quickly being spread in various spam campaigns, “has infected over 50,000 victims and claimed an estimated $300-600K in ransom payments”, according to Check Point Research. In the figure below, you can see the attack by geographic location of a target.

Source: Checkpoint.com

The success of Bitcoin cryptocurrency and its price reaching a historic $20K at the end of 2017 influenced the rise of cryptojacking malware attacks.

New findings from Check Point research stated that “the number of global organizations affected by crypto-mining malware more than doubled from the second half of 2017 to the first six months of this year, with cybercriminals making an estimated $2.5 billion over the past six months.”

The research also discovered that hackers are now targeting cloud services because most businesses store their sensitive data there. And there are more cyber security threats that should concern us and push us to implement solid prevention and security measures.

All these examples from above show that malware business is still growing, by switching from a macroeconomic level to microeconomic level. The malware market, like any other, offers a wide range of products to fit users’ diverse needs. You can find APTs, ransomware, banking trojans, cryptojacking, data breach, online scams, malware families with as many names as you can possibly wish for. Just like when you go to the supermarket and you have a plethora of vegetables and fruits to choose from.

Today’s malware is more targeted, but not necessarily more sophisticated. It still exploits software vulnerabilities found in devices, and there’s nothing too complicated about that. Today’s malicious actors are both agile and creative and try techniques that still work. Today’s next-gen malware attacks have the ability to evade detection and bypass the antivirus programs users install on their computers to keep their data safe.

Security measures to apply against malware attacks

We might not have asked for a malware market, but we are still serving it through unpatched software, by not backing up data, not getting enough education and knowledge of cyber security and many more.

Time to act is right NOW!

Malware threats are widespread and difficult to combat, so, once again, we emphasize that prevention is the best strategy to stay safe online.

Make sure you don’t fall victim to malware and follow these cyber security measures:

  • Always keep your software patched and up to date, including the operating system and every application you’re using on a daily basis;
  • Keep a backup with all your important data on external sources like a hard drive or in the cloud (Google Drive, Dropbox, etc.). This guide shows you how to do it;
  • Once again, we urge you: Do NOT OPEN emails or click on suspicious files/attachments. Be very cautious!
  • Remember to set strong and unique passwords with the help of a password management system. This security guide comes in handy.
  • Use a reliable antivirus program as a basic protection for your device, but also consider including a proactive cyber security solution as a second layer of defense for maximum protection.
  • Always secure your browsing while navigating the Internet and only click on websites that have an HTTPS certificate;
  • Teach yourself (and master basic cyber security) to easily spot online threats delivered via emails, social engineering attacks or any other method attackers may use.
  • We remind you that security is not just about using a solution or another, it’s also about improving our online habits and being proactive every day.

Will malware as a business continue to grow? I think it will, as long as it was – and still is – heavily sustained by ransoms paid by victims who want immediate access to their valuable data. It will continue to grow as long as we don’t apply basic security measures that can make us less vulnerable to these attacks.

This article was initially written by our CEO, Morten Kjaersgaard, in 2015, but refreshed and improved by Ioana Rijnetu in July 2018.

The post Why Malware as a Business is on the Rise appeared first on Heimdal Security Blog.

Eight Weak Links that Make Cryptocurrency Exchanges Vulnerable

Cryptocurrency is all the rage right now. There are currently over 1,600 different cryptocurrencies in circulation with a combined value approaching $350 billion. The top three cryptocurrencies alone—Bitcoin, Ethereum, and Ripple—are worth more

The post Eight Weak Links that Make Cryptocurrency Exchanges Vulnerable appeared first on The Cyber Security Place.

SecurityWeek RSS Feed: Death by Leaks: Russian Hacking Helped Sink Clinton 2016 Campaign

In September 2015 an FBI cybersecurity agent called up the Democratic National Committee, just gearing up for the coming presidential election, to report that Russia-linked hackers had penetrated their network.

The agent was passed on to the help desk, where his message died.




SecurityWeek RSS Feed

Think You’ve Got Nothing to Hide? Think Again — Why Data Privacy Affects Us All

We all hear about privacy, but do we really understand what this means? According to privacy law expert Robert B. Standler, privacy is “the expectation that confidential personal information disclosed in a private place will not be disclosed to third parties when that disclosure would cause either embarrassment or emotional distress to a person of reasonable sensitivities.”

It’s important to remember that privacy is about so much more than money and advertisements — it ties directly to who we are as individuals and citizens.

What Is the Price of Convenience?

Most users willingly volunteer personal information to online apps and services because they believe they have nothing to hide and nothing to lose.

When I hear this reasoning, it reminds me of stories from World War II in which soldiers sat on the sideline when the enemy was not actively pursuing them. When the enemy did come, nobody was left to protect the soldiers who waited around. That’s why it’s essential for all users to take a stand on data privacy — even if they’re not personally affected at this very moment.

Some folks are happy to disclose their personal information because it makes their lives easier. I recently spoke to a chief information security officer (CISO) and privacy officer at a major unified communications company who told me about an employee who willingly submitted personal data to a retail company because it streamlined the online shopping experience and delivered ads that were targeted to his or her interests.

This behavior is all too common today. Let’s dive deeper into some key reasons why privacy should be top of mind for all users — even those who think they have nothing to hide.

How Do Large Companies Use Personal Data?

There is an ongoing, concerted effort by the largest technology companies in the world to gather, consume, sell, distribute and use as much personal information about their customers as possible. Some organizations even market social media monitoring tools designed to help law enforcement and authoritarian regimes identify protesters and dissidents.

Many of these online services are free to users, and advertising is one of their primary sources of revenue. Advertisers want high returns per click, and the best way to ensure high conversion rates is to directly target ads to users based on their interests, habits and needs.

Many users knowingly or unknowingly provide critical personal information to these companies. In fact, something as simple as clicking “like” on a friend’s social media post may lead to new ads for dog food.

These services track, log and store all user activity and share the data with their advertising partners. Most users don’t understand what they really give up when technology firms consume and abuse their personal data.

Advanced Technologies Put Personal Data in the Wrong Hands

Many DNA and genomics-analysis services collect incredibly detailed personal information about customers who provide a saliva-generated DNA sample.

On the surface, it’s easy to see the benefit of submitting biological data to these companies — customers get detailed reports about their ancestry and information about potential health risks based on their genome. However, it’s important to remember that when users volunteer data about their DNA, they are also surrendering personal information about their relatives.

Biometrics, facial recognition and armed drones present additional data-privacy challenges. Governments around the world have begun using drones for policing and crowd control, and even the state of North Dakota passed a law in 2015 permitting law enforcement to arm drones with nonlethal weapons.

Facial recognition software can also be used for positive identification, which is why travelers must remove their sunglasses and hats when they go through immigration control. Law enforcement agencies recently started using drones with facial recognition software to identify “potential troublemakers” and track down known criminals.

In the U.S., we are innocent until proven guilty. That’s why the prospect of authorities using technology to identify potential criminals should concern us all — even those who don’t consider privacy to be an important issue in our daily lives.

Who Is Responsible for Data Privacy?

Research has shown that six in 10 boards consider cybersecurity risk to be an IT problem. While it’s true that technology can go a long way toward helping organizations protect their sensitive data, the real key to data privacy is ongoing and companywide education.

According to Javelin Strategy & Research, identity theft cost 16.7 million victims $16.8 billion in the U.S. last year. Sadly, this has not been enough to push people toward more secure behavior. Since global regulations and company policies often fall short of protecting data privacy, it’s more important than ever to understand how our personal information affects us as consumers, individuals and citizens.

How to Protect Personal Information

The data privacy prognosis is not all doom and gloom. We can all take steps to improve our personal security and send a strong message to governments that we need more effective regulations.

The first step is to lock down your social media accounts to limit the amount of personal information that is publicly available on these sites. Next, find your local representatives and senators online and sign up to receive email bulletins and alerts. While data security is a global issue, it’s important to keep tabs on local legislation to ensure that law enforcement and other public agencies aren’t misusing technology to violate citizens’ privacy.

Lastly, don’t live in a bubble: Even if you’re willing to surrender your data privacy to social media and retail marketers, it’s important to understand the role privacy plays in day-to-day life and society at large. Consider the implications to your friends and family. No one lives alone — we’re all part of communities, and we must act accordingly.

The post Think You’ve Got Nothing to Hide? Think Again — Why Data Privacy Affects Us All appeared first on Security Intelligence.

Want to avoid GDPR fines? Adjust your IT procurement methods

Gartner said many organizations are still not compliant with GDPR legislation even though it has been in force since May 2018. This is because they have not properly audited data handling within their supplier relationships. Sourcing and vendor management (SVM) leaders should, therefore, review all IT contracts to minimise potential financial and reputation risks. “SVM leaders are the first line of defense for organizations whose partners and suppliers process the data of EU residents on … More

The post Want to avoid GDPR fines? Adjust your IT procurement methods appeared first on Help Net Security.

Understanding SIEM Technology: How to Add Value to Your Security Intelligence Implementation

Security information and event management (SIEM) technology has been around for more than a decade — and the market is growing by the minute.

So, it may seem strange that so many organizations lack a proper understanding of what a security intelligence and analytics solution can do, what type of data it ingests and where to begin when it comes to implementation.

As the threat environment expands in both diversity and volume, IT skills are becoming increasingly scarce, and point solutions are increasingly flooding the market. As a result, many security leaders are at a loss when it comes to selecting the right SIEM solutions to serve their unique needs.

Clear the Fog Surrounding SIEM Technology

Why all the confusion? For one thing, many companies just throw money at a SIEM platform to solve all their security use cases or as a silver bullet for compliance. These are ill-advised strategies because customers are often left to their own devices to both define and implement the system.

So, how should these companies proceed? The first step is to identify the primary security challenges they are trying to solve and the outcomes they hope to achieve.

To shed light on their SIEM implementation, security leaders need a single pane of glass across the organization’s infrastructure to detect and investigate threats, both internal and external. In both cases, these threats are typically after the enterprise’s critical data, whether they aim to steal or destroy it. Since more and more of this data is being moved off premises, cloud security has become a critical function of security operations.

Threat actors will do anything they can to gain access to the enterprise’s crown jewels — and, when they do, security teams need a rapid and efficient incident-response process that enables analysts to take action quickly and confidently.

Finally, and perhaps most crucially, organizations must be able to prove all of the above to various compliance and regulatory auditors.


How to Optimize Your SIEM Implementation

To clear up the uncertainty surrounding SIEM technology — and to maximize the value of their implementation — security leaders should:

  • Understand the outcomes their SIEM solution can deliver against common use cases;
  • Create a road map for SIEM maturity;
  • Understand how adding different types of data to the SIEM can improve outcomes; and
  • Continuously review their processes and educate staff and stakeholders accordingly.

By following these basic steps, chief information security officers (CISOs) can demonstrate the value of their SIEM implementation in a way that is easily communicable to business leaders and lead the way toward smarter, more prudent investments.

The post Understanding SIEM Technology: How to Add Value to Your Security Intelligence Implementation appeared first on Security Intelligence.

ICO to Fine Baby Club £140K for Illegally Sharing Data with Labour Party

The Information Commissioner’s Office (ICO) announced its decision to fine a baby club £140,000 for illegally sharing individuals’ personal data with the Labour Party. The United Kingdom’s data watchdog said it intends to impose the penalty as a result of Lifecycle Marketing (Mother and Baby) Ltd (“LCMB”) failing to fulfill its responsibilities as a data […]

The post ICO to Fine Baby Club £140K for Illegally Sharing Data with Labour Party appeared first on The State of Security.

How Local Privacy Regulations Influence CISO Spending Around the World

As local privacy regulations take effect in places like California and the U.K., security leaders around the world are sensing a shift toward stronger data privacy and transparency — and are using these laws as guidelines to help them make budgetary decisions.

The California Consumer Privacy Act was signed into law on June 28, 2018, and will take effect by 2020. The law will take an approach similar to the General Data Protection Regulation (GDPR) regarding transparency and consent around personal information. GDPR went into effect across the European Union (EU) just one month before the new law’s signing.

Like other privacy regulations, organizations in California must now ensure their customers know what kind of information they are collecting and sharing with third parties, such as advertisers and marketers. Consumers can choose to opt out of having their information collected, and companies that fail to comply risk incurring fines from the state’s attorney general.

Local Privacy Regulations Guide Private Sector Security Strategies

While GDPR and the California Consumer Privacy Act focus on how companies gather and manage data, other legislators are trying to ensure that the systems they use don’t fall prey to cybercriminals.

The U.K.’s Cabinet Office, for instance, published the first iteration of its “Minimum Cyber Security Standard” in June 2018. Though designed as a checklist for government agencies, organizations can adopt some of its practices in the private sector — such as checking websites and applications for common vulnerabilities — to keep ahead of further privacy legislation. As with more traditional privacy regulations, it outlines several mandatory requirements, including support for Transport Layer Security (TLS) encryption.

Regulatory Activity Impacts Security Budgets Around the World

These new laws and regulations reveal that chief information security officers (CISOs) from California to the U.K. are starting to use privacy regulations as a guide to determine what resources they will need to be effective.

For instance, according to a February 2018 report from consulting group Ankura, The Shifting Cybersecurity Landscape: How CISOs and Security Leaders Are Managing Evolving Global Risks to Safeguard Data, 73 percent of CISOs said regulatory activity drives their decision-making around security budgets — and all respondents said they had to comply with at least one such framework.

Even if privacy regulations like GDPR don’t directly pertain to their organizations, the Ankura report suggested that security leaders are paying close attention because they recognize that one piece of legislation can influence what other governments may demand in the future.

In other words: The effects of cybersecurity legislation in places like the E.U., the U.K. and California are reaching far past their own borders. As data privacy laws proliferate around the world, security leaders everywhere will be impacted by the shift toward greater protection and transparency.

The post How Local Privacy Regulations Influence CISO Spending Around the World appeared first on Security Intelligence.

Calculating the Cost of a Data Breach in 2018, the Age of AI and the IoT

Businesses run on risk: They take a chance, place their bets in the marketplace and often reap great rewards. But when thinking about the cost of a data breach, you may wonder about the price for your company and what, exactly, is at stake.

Here’s one way to think about it: You’re more likely to experience a data breach of at least 10,000 records (27.9 percent) than you are to catch the flu this winter (5–20 percent, according to WebMD). And as in the case of the flu, it’s crucial to act quickly and seek a cure for a speedy recovery. Since data breaches cost money, it’s best to take a cost-based approach to gain an accurate perspective of the problem at hand.

Sponsored by IBM Security and independently conducted by my team at the Ponemon Institute, the 13th-annual Cost of Data Breach Study includes two new factors in its analysis that influence data-breach costs: deployment of artificial intelligence (AI) and the extensive use of Internet of Things (IoT) devices.

The analysis also includes the cost of a so-called mega breach — an incident resulting in the loss of 1 million records or more — and the financial consequences of customers losing trust in your organization.

The Global Cost of a Data Breach Is Up in 2018

In this year’s study, the average cost of a data breach per compromised record was $148, and it took organizations 196 days, on average, to detect a breach. Overall, we found that the total cost, per-capita cost and average size of a data breach (by number of records lost or stolen) have all increased year over year.

The average cost of a data breach increased from 2017 to 2018

Locations that experienced the most expensive data breaches include the U.S., where notification costs are nearly five times the global average, and the Middle East, which suffered the highest proportion of malicious or criminal attacks — the most expensive type of breach to identify and address. Data breaches are less expensive in Brazil and India, where detection, escalation and notification costs rank the lowest.

While the cost of a breach increased for organizations in 13 countries compared to the five-year average, it decreased in Brazil and Japan, according to this year’s report.

Based on industry and location, our data breach calculator can determine how much a security incident might cost an organization.

The Bigger the Breach, the Higher the Cost

This year’s report found that the average total cost of a breach ranges from $2.2 million for incidents with fewer than 10,000 compromised records to $6.9 million for incidents with more than 50,000 compromised records.

This graph shows the average total cost by size of the data breach for the past 3 years

But what about those massive breaches that grab national headlines? The study revealed that a mega breach (involving 1 million compromised records) could cost as much as $39.49 million. Unsurprisingly, this figure increases as the number of breached records grows. A breach involving 50 million records, for example, would result in a total cost of $350.44 million.

How Can Companies Reduce Data Breach Costs?

Among the 477 companies examined for the study, the mean time to identify a breach is still substantial (197 days), while the mean time to contain a breach is 69 days.

The good news: There are strategies to help businesses lower the potential cost of a data breach. For the fourth year running, the study found a correlation between how quickly an organization identifies and contains a breach and the total cost.

Preparation and vigilance pay: The study found that an incident response team can reduce the cost of a breach by as much as $14 per compromised record from the average per-capita cost of $148. Similarly, extensive use of encryption can cut the cost by $13 per capita.

Customer Trust Impacts the Total Cost of a Breach

Organizations around the world lost customers due to data breaches in the past year. However, businesses that worked to improve customer trust reduced the number of lost customers — thereby reducing the cost of a breach. When they deployed a senior-level leader, such as a chief privacy officer (CPO) or chief information security officer (CISO), to direct customer trust initiatives, businesses lost fewer customers and, again, minimized the financial consequences of a breach.

Additionally, organizations that offered data-breach victims identity protection kept more customers than those that did not. Companies that lost less than 1 percent of existing customers incurred an average total cost of $2.8 million — while companies that experienced a churn rate of greater than 4 percent lost $6 million on average.

Examining the Effects of AI and IoT Adoption

For the first time, this year’s study examined the effects of organizations adopting AI as part of their security automation strategy and the extensive use of IoT devices. AI security platforms save companies money — an average of $8 per compromised record — and use machine learning, analytics and orchestration to help human responders identify and contain breaches. However, only 15 percent of companies surveyed said they had fully deployed AI. Meanwhile, businesses that use IoT devices extensively pay $5 more per compromised record on average.

To get the full rundown of the potential costs associated with a data breach — and learn what you can do to help protect your business — download the 2018 Cost of Data Breach Study: Global Overview, and take a look at our accompanying infographic.

You can also use our data breach calculator to explore the industry, location and cost factors if you experience a security incident.

The post Calculating the Cost of a Data Breach in 2018, the Age of AI and the IoT appeared first on Security Intelligence.

The GDPR Evolution: A Letter to the CISO

The long-term impact of the General Data Protection Regulation (GDPR) is on the minds of key technology leaders around the world — from Singapore to Ireland to my current home of Austin, Texas to everywhere in between. You can see this manifest in major tech publications like SecurityIntelligence (and, perhaps, in the day-to-day interactions occurring within your organization).

For me, these sentiments were echoed during a several-week, multi-continent business trip I took to visit with clients and partners in Europe and Asia. Nearly every leader we sat down with asked us how they should be shepherding their teams through the enforcement of this transformative regulation and who should lead this effort between the security and privacy teams.

This state of confusion is not surprising, especially given the hype surrounding GDPR. A recent IBM Institute of Business Value (IBV) survey found that 44 percent of executives responsible for GDPR compliance worried the regulation would be replaced or modified sometime in the near future. This perception undoubtedly muddies the waters and influences their approach to compliance.

Even with enforcement live, it’s still somewhat unclear what GDPR compliance truly means for organizations worldwide; how it will impact people, process and technology; and (even more importantly) how it will affect relationships with customers.

But one thing is abundantly clear: GDPR is here to stay.

Who Is Responsible for GDPR Compliance?

Let’s take a step back for a moment to reflect on where we started. GDPR originated as a means to help infuse a higher standard of privacy into global business practices and give data subjects from the European Union (EU) more control over their personal information — a sovereignty that was challenged somewhat by the digital data explosion of the past decade. While the regulation only technically applies to EU data subjects, it signals a shift in how we think about privacy everywhere.

This redistribution of control in favor of consumers is a good thing. As security professionals, this supports our highest calling, which is to protect personal data in the face of cyber uncertainty. Ensuring data privacy is a core component of this mission — and the spirit of GDPR supports this goal. Some organizations recognize the importance of data privacy. In fact, 59 percent of respondents to the IBV study said they see GDPR as an occasion for transformation. Still, challenges remain.

Some of the pain originates from the fact that ownership of GDPR compliance initiatives shifted between 2016 (when the legislation was passed) and May 25, 2018 (when the regulation took effect). Originally, legal teams bore the core responsibility for validating the internal processes and controls that would drive the progression toward supporting GDPR requirements. This has morphed into a discussion led by chief information officers (CIOs) and chief information security officers (CISOs) about the implementation of technical controls, the creation of special teams, the appointment of chief data officers (CDOs) and the reshaping of organizational privacy processes to support the stringent requirements, such as a customer’s right to erasure.

Today, the responsibility is shared among technical teams, as well as CIOs and CISOs, who serve as the establishers, enablers and enforcers of a comprehensive GDPR program backed by robust technical controls. This accountability will likely remain for the foreseeable future — no pressure, though.

Collaboration is a key component of GDPR success, but the transition of responsibilities between teams is a challenge. I saw this in practice when visiting Singapore several weeks ago when leaders repeatedly asked where to begin so they could be ready to answer GDPR audit inquiries, which they expect to receive very soon.

Yes, the structures were in place from the legal side to support GDPR readiness, but now it’s game time. Despite years of effort to prepare for this moment, many technology leaders are still left scratching their heads, unsure of what comes next.

What Solutions Should CISOs Invest in to Get on Track?

According to the IBV study, the number one struggle among the surveyed group was performing data discovery and ensuring data accuracy, which is a principal task of GDPR preparation (and the first step for many). This issue illustrates the complex nature of operationalizing all the plans that have been made to get us to (and, hopefully, past) this point.

This point is where technology solutions and services can provide support. Unfortunately, although many vendors might want you to believe otherwise, there’s no silver bullet to establishing GDPR readiness or enforcing the new requirements across your organization. This behemoth of a compliance regulation requires a programmatic approach, but it can often be difficult to see the forest through the trees.

My suggestion: Remember that you don’t have to reinvent the wheel.

There are countless industry frameworks — including IBM’s own GDPR framework, a continuous loop outlining five key phases for readiness — that can serve as your guide. The fact that these guidelines are based on the experiences of others can provide some peace of mind.

It’s also a great idea to leverage a trusted partner or adviser to guide you throughout your readiness and enforcement processes. Rather than going it alone, lean on the organizations that already have deep expertise in the privacy space and can use that insight to help your company avoid missteps as you implement processes and select technologies.

Finally, when it comes to implementing requisite technology controls, I would advise you to think about the regulation and follow a risk-based approach to conducting business with consumers. Consider the data you’re being asked to protect and how it relates to your customers: What personal or sensitive information does your organization hold? Where does it live? Is it actually vulnerable to compromise? Have you taken the necessary steps to put privacy and security protections into place?

As a first step toward gaining this understanding, you should investigate solutions that help identify and remediate risk, such as Guardium Analyzer, which can help you find and classify GDPR-relevant data, irrespective of where it resides (whether on-premises or in the cloud); identify vulnerabilities associated with that data; and, ultimately, prioritize existing risks and take action to remediate them.

The Secret to GDPR Compliance Is Collaboration

During my last customer visit on the trip, a CISO expressed confidence that her organization would be able to legally respond to GDPR demands. But she’s now setting up the technology teams with members from the privacy and security teams to assess and validate vulnerabilities without exposing the personally identifiable data that is deployed across multiple geographies and data center environments, both on-premises and in the cloud.

As you continue on your GDPR journey, don’t forget the importance of collaboration in making compliance happen — across teams, with business partners and even with your customers — so that you can best support the positive aims of GDPR today and in the future.

DISCLAIMER: Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients’ business and any actions the clients may need to take to comply with such laws and regulations. The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.

Learn more about IBM’s own GDPR readiness journey and our GDPR capabilities and offerings to support your compliance journey here.

The post The GDPR Evolution: A Letter to the CISO appeared first on Security Intelligence.

Time to Take a Good, Hard Look at Your Cybersecurity Health

What happens when your livelihood is at stake, thanks to someone stealing your identity or draining your account? The real-life possibilities are nerve-wracking, to say the least. The constant barrage of cyberthreats we face as consumers today is exhausting. Just this month, two major situations were revealed. A Florida marketing firm, Exactis, had their database on a publicly accessible server. The information exposed ranged from phone numbers and home and email addresses to the number, age, and gender of a customer’s children. As of now, Social Security numbers and credit card data have not been leaked. However, what makes this breach particularly anxiety-inducing is that now cybercriminals have the ability to improve the success rate of socially engineered attacks. For example, phishing attacks could become rampant through social media and email.

To add insult to injury, last week, researchers found a way to discover everything you type and read on your phone simply by studying the differing power levels of a smart battery. By implanting a micro-controller into a phone’s battery, they could record the power flowing in and out of the device. Then, with the use of AI, power flows were matched with specific keystrokes. Using this technique, the researchers proved that cybercriminals could record passwords, monitor website activity, access call records, and know the last time the camera was used. Smart batteries are attractive targets because they are not as secure as your phone. In fact, they expose all personal data. While the possibilities are stressful, the good news is that this attack remains theoretical.

The seemingly endless string of security events and the stress they cause can take a serious toll on our well-being. While we can’t prevent breaches from occurring, it’s important to remember that we can be prepared to take the right steps to minimize any damage when one hits. Whether we’re dealing with the repercussions of a data breach, or adapting to new vulnerabilities, developing positive security habits can help improve and maintain your digital health. Taking care of your mobile devices to ensure they remain secure – and therefore optimally functional – is like taking care of your own well-being; to maintain cybersecurity health, you have to perform basic upkeep.

To help you prepare in advance for the next data breach and ensure your device remains in good cybersecurity health, here are some habits you should consider picking up, stat:

  • Be aware of your surroundings. Mindfulness is a habit that can be developed, provides almost instant results, and can support longevity, general awareness and well-being. We can learn a lot from mindfulness when it comes to cybersecurity. By taking a little bit of time to be aware of our surroundings, we can prevent vulnerabilities and potential threats simply by paying attention.
  • Set up alerts. Just like going to a doctor regularly for check-ups, you should “check-up” on your accounts. Not all data breaches expose financial data, but personal data that is leaked can still be used to access your financial accounts. Talk with your bank or financial planner about setting up a fraud alert on your cards to maintain control of your accounts.
  • Stay away from untrustworthy emails or messages. The mantra “no bad vibes” is surprisingly full of wisdom. Ridding your life of energy suckers and toxic people supports health – and the same goes for malicious messages. If you see a suspect item from an unknown source in your inbox or via a direct message or comment on social media, do not click on the message. If you do open it, be sure not to click on any links. To be safe, delete the email or message altogether.
  • Avoid public Wi-Fi when possible. Just as sleep is a panacea of sorts that helps to fight off bugs, giving your phone a break from public Wi-Fi is one of the best things you can do to ensure your cybersafety. The use of public Wi-Fi can offer cybercriminals a backdoor into your phone. By spoofing a legitimate website, they can gain access to your sensitive information. Give your device a much-needed break until you can use Wi-Fi you trust, and you’ll save yourself a serious headache.
  • Switch up your passwords. It’s been said that variety is the spice of life, the secret to a happy relationship, and a way to stay engaged and aware in old age. The same is true when it comes to your passwords. When you mix it up, you keep cybercriminals guessing. Passwords are your data’s first defense against cybercriminals. Be sure to change them every so often and never use “1234” or “password.” If remembering a difficult password or remembering a multitude of them is hard, consider using a password manager.
  • Consider investing in identity theft protection. Vitamins are excellent supplements to a healthy diet, adding in additional nutrition when and where you need it — but not meant to be taken as the sole way to maintain health. Identity theft protection can be a supplement of sorts to your already positive security habits. With McAfee Identity Theft Protection, users can take proactive steps toward protecting their identities with personal and financial monitoring and recovery tools.

The power of habit actually dictates 40% of our day. As with your body and mind, the more you create healthy, positive habits, the easier it is to maintain health. The same is true for your security “health.” The more you express safe habits, the easier it will become and the safer you will be – both in the short and long term.

The post Time to Take a Good, Hard Look at Your Cybersecurity Health appeared first on McAfee Blogs.

Report: Gaming Addiction is a Real Thing. So What Can Parents Do Next?

It’s one of my biggest parenting regrets to date: About a decade ago, I failed to put limits around my teen’s passion for playing video games. He loved them, and I let him.

I convinced myself that my son’s video gaming provided him with an instant community where he daily climbed to the top of the scoreboard. A personal, consistent win for my first-born, more quiet child, right?

Looking back, I lied to myself at crucial moments along the way. I minimized his growing obsession by calling it a hobby. As he grew more engaged with gaming, he became more distant from our family. I ignored the fact that he was acquiring friends I didn’t know and forfeiting time outdoors for his preferred virtual landscape.

When our relationship hit several rough patches in later years, I failed to connect that friction back to his top-heavy gaming habits. All the while, as a mom, I knew deep down (in my mom “knower”) I could have — should have — done more to limit his gaming.

New Findings

Not surprisingly, the World Health Organization (WHO) just recently classified a new form of addiction called “gaming disorder.” That designation means health professionals can now treat dangerous levels of video gaming as a legitimate addiction.

Thankfully, my son’s one-time excessive gaming didn’t reach the addiction level even though it was serious enough to negatively impact our family dynamic.

I can’t go back. However, if there’s a parent who can learn from my heartache in this area, I hope this post might help.

The Upside

We know gaming isn’t the enemy. In fact, gaming has been credited with helping kids overcome depression, anxiety, and social insecurities. Gaming is also blowing open new doors in education as we understand how today’s digital learners (many of whom are gamers) consume information and find solutions. We know gaming skills are helping build tomorrow’s cybersecurity experts, app developers, programmers, military strategists, surgeons, and leaders.

With the benefits understood, balance is the magic word when it comes to the healthy use of any technology we welcome into our homes.

Definition

The WHO’s official definition of “gaming disorder” includes:

  • A pattern of behavior for at least 12 months in which gaming is out of control.
  • The pattern of behavior must show an “increased priority given to gaming” to the point that gaming “takes precedence over other interests and daily activities.”
  • A “continuation or escalation of gaming despite the occurrence of negative consequences,” or behavior that affects one’s relationships, education, or occupation.

So what can you do if you recognize even one of the warning signs above? Plenty. It’s never too late to make changes in your family. All you need is knowledge, action, and some mad follow-through skills.

5 Ways to Help Kids Balance Gaming

Set and enforce time limits. Start setting technology time limits when your kids are young. If your kids are older, don’t shy away from announcing new house rules starting today. Yes, kids may complain, but experts agree: Rules help kids feel loved and safe. Parental control software will help you set time limits on your child’s device usage and help minimize exposure to potentially malicious or inappropriate websites. Another tip: Set a timer on your smartphone or go old school and crank up that kitchen timer. Take it from this regret-filled mom: Time limits will make every difference in helping kids find balance.

Be a role model. You can’t tell your kids they have to get off of Call of Duty then spend the next eight hours constructing high-scoring word combos on Words with Friends. Model smart tech use and moderation. Even place that kitchen timer next to you if you need it.

Roll up your sleeves — get gaming. Jump into the game with your kids so you can better understand the content, the community, and the messages coming into your home. Get a glimpse into the appeal of the game for your child and the skills needed to advance. Once you have this perspective, you will intuitively know how to monitor your child’s time on specific games. This is also a great opportunity to share your values on certain topics or narratives addressed in games.

Stay safe while gaming. Gaming’s purpose is fun, so it’s rare that a child or even a parent is focused too much on safety when kids log on to play. Still, there are safety risks. A recent McAfee survey found that parents are concerned with issues connected to gaming such as sexual predators, data risks, inappropriate content, and bullying, but few take steps to remedy those concerns. Several products such as McAfee Total Protection can help keep connected devices safe from malware and McAfee WebAdvisor can help you avoid dangerous websites and links.

Don’t overreact. It’s easy to fear what we don’t understand. True video game addiction is rare. The WHO’s new classification isn’t describing the average gamer who spends a few hours a day gaming with friends. The designation targets serious gaming habits that destroy people’s lives such as neglecting hygiene and nutrition, rejecting loved ones, staying up all night, and losing jobs due to gaming. The more you understand about your child’s favorite games, the better parenting decisions you will be able to make.

Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her on Twitter @McAfee_Family. (Disclosures).

The post Report: Gaming Addiction is a Real Thing. So What Can Parents Do Next? appeared first on McAfee Blogs.

Survey identifies three types of consumer attitudes to data privacy

Leveraging customer data is the lifeblood of today’s digital economy, but regulations like the EU’s GDPR threaten to make it difficult to mine this precious “ore.” Businesses still have a few options at their disposal, if they are to continue to sell their services – and stay competitive.

A poll of 11,474 consumers commissioned by market intelligence consortium DMA has revealed that 51% are more than happy to hand over their personal data to businesses that can offer a clear benefit in exchange.

The report – Global data privacy: What the consumer really thinks – places these 51% into a category called “data pragmatists,” a group described as those who exchange their data as long as there’s a clear benefit.

Another important demographic is the “data unconcerned” (26%), described by the surveyors as those who do not mind how and why their data is used. The remaining 23% are the so-called “data fundamentalists,” or those who never share their data for any reason.

Countries with the most data pragmatists include Spain (59%), USA (58%) and Singapore (57%), while data fundamentalists are mostly found in Australia (27%), The Netherlands (26%), and Germany (26%). However, these countries also house a sizeable proportion of data-unconcerned folk (Netherlands 35%, Germany 34%, Argentina 29%).

“We are in a new era of data privacy,” said Chris Combemale, Group CEO of DMA. “Questions have been raised about whether major data breaches and increased talk about the value of our personal data is impacting consumer anxiety over how their information is used. In fact, our research shows that even though consumers are more aware than ever and have concerns about their online privacy, the majority will continue to share their personal information if they trust the organisation and gain something in return.”

Respondents further revealed that they place great importance on transparency (86%), simple terms and conditions that they can properly interpret and understand (84%), and flexible privacy policies (82%).

On a global level, 83% of consumers would like more control over their data, and 49% named “trust” as the most important factor when deciding whether to hand over their data to an organization.

“Globally, the majority of consumers are pragmatists – willing to share their data so long as there is a benefit. Trading data is a common desire amongst consumers and data as a commodity will become more important for companies in the years to come,” reads the report. “However, ensuring that your organization is transparent, with its customers in how data is used and stored, together with putting them in control of their own data, is key to building trust with consumers and making them comfortable with data sharing. This can build a solid platform for the future of data economy, bringing benefit to consumers and businesses alike.”

The Exactis Data Breach: What Consumers Need to Know

There are data breaches, and then there are data breaches. For example, who could forget the Equifax data breach, which compromised the personal information of over half of the citizens of the United States? And now, a breach of similar magnitude has emerged, as a security researcher has discovered that marketing firm Exactis’ database was sitting on a publicly accessible server. Specifically, there were two versions of the database exposed online, each with around 340 million records—roughly two-thirds on consumers and the rest on businesses.

So how did Exactis have this much data in the first place? The Florida-based marketing firm collects and trades consumer data in order to refine the accuracy of targeted ads. Which is precisely what makes this breach so crucial, as the information exposed is highly personal. The leaked data includes people’s phone numbers, home and email addresses, interests, and the number, age, and gender of their children. As of now, credit card information and Social Security numbers don’t appear to have been leaked.

The behavioral data involved in this leak, alongside the personal information, makes this breach particularly concerning because of how this information can be used by cybercriminals to improve the success of socially engineered attacks. For instance, crooks can use such personal information in phishing attacks over email or social media. Now, cybercriminals can enact highly personalized attacks against consumers, who will already be faced with potentially fraudulent activity against their names.

Therefore, it’s important consumers immediately take action to protect their personal security and identity. To do just that, follow these tips:

  • Keep an eye out for sketchy emails and messages. Cybercriminals can leverage this stolen information for phishing emails and social engineering scams. So, if you see something sketchy or from an unknown source in your email inbox or a social media message, be sure to avoid clicking on any links provided. Better to just delete the email or message entirely.
  • Set up an alert. Though this data breach does not compromise financial data, this personal data can still be used to obtain access to financial accounts. Therefore, it’s best to proactively place a fraud alert on your credit so that any new or recent requests undergo scrutiny. This also entitles you to extra copies of your credit report, so you can check for anything suspicious. If you find an account you did not open, report it to the police or Federal Trade Commission, as well as the creditor involved so you can close the fraudulent account.
  • Invest in an identity theft solution. With this breach, almost every American adult could be facing the possibility of identity theft. That’s precisely why they should leverage an identity theft solution such as McAfee Identity Theft Protection, which allows users to take a proactive approach to protecting their identities with personal and financial monitoring and recovery tools to help keep their identities personal and secured.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.


Author: Gary Davis. Published: Thurs 28 June 2018 12:35:48 +0000. Original URL: https://securingtomorrow.mcafee.com/consumer/consumer-threat-notices/exactis-data-breach/

The post The Exactis Data Breach: What Consumers Need to Know appeared first on McAfee Blogs.

A Traveler’s Guide to International Cybersecurity

When you think of the most valuable thing you could lose while traveling, what comes to mind? Your suitcase, wallet, passport? What comes to my mind is my mobile device. Especially while traveling abroad, my mobile device is my lifeline and is essentially the remote control to my digital life.

What many international travelers do not realize is that their devices are often more vulnerable when taking a long-distance trip. Because they store and transmit our personal information – from website logins to banking information – these devices are much more valuable than the contents of your wallet or suitcase. Especially while you’re abroad and not used to your surroundings, pickpockets and cybercriminals can prey on your vulnerability to steal or infect your devices. Luckily, there are cybersecurity precautions you can take before, during and after international travel to ensure your information stays safe.

Before Travel

First and foremost, you have to get your device security in order before you hit the skies or hit the road. Now is the time to be proactive, not reactive, when it comes to protecting your information. The best thing to do would be to leave your devices at home where you know they will be safe. However, that’s unrealistic for most people, since we’re tethered to our mobile gadgets. So at the very least, before you head on your trip, make sure to:

  • Clean up your device. Clear your browser history and delete cookies.
  • Consider deleting apps that you don’t use altogether to avoid unnecessary vulnerability.
  • Encrypt any personal data to ensure that information stays protected. Back up any files to an external hard drive or desktop in case your encryption fails.

During Travel

Whether you’re home or abroad, it’s important to always be vigilant and aware of your surroundings, both online and in-person. While device theft is uncontrollable, you can control how and where you use your devices. When you’re traveling internationally, public, free Wi-Fi is sometimes the only option for service. Unfortunately, it can be exploited by cybercriminals as a gateway to your devices. By spoofing legitimate Wi-Fi networks, these nefarious folks could gain access to sensitive data and private accounts and potentially request money for the return of your information, making public Wi-Fi the biggest threat to your cybersecurity. To avoid being compromised, be sure to:

  • Mitigate risk and avoid making online purchases or accessing bank accounts while using public Wi-Fi.
  • Use your smartphone to create a personal hotspot, if you are in dire need of an internet connection.
  • Use a Virtual Private Network (VPN) to encrypt any data you may receive while on your trip.

After Travel

Arriving home after travel is already an exhausting experience – don’t exhaust your device by bringing any malware back with you. Remember that if you connected to local networks abroad, your mobile devices may have been susceptible to malware. So, to help your device be ready for its return home, follow these tips:

  • Update your software. By updating your apps when prompted, you’ll ensure you have the latest patch and avoid any vulnerabilities that may have surfaced while you were away.
  • Delete travel apps you needed for your trip but no longer use. These can store personal information that can be accessed if they are not regularly used or updated.
  • Reset your passwords, PINs and other credentials you may have used while abroad, regardless of whether you think you were compromised or not. Changing them will render any stolen credentials useless.

Interested in learning more about IoT and mobile security tips and trends? Stop by ProtectWhatMatters.online, follow @McAfee_Home on Twitter, and ‘Like’ us on Facebook.

The post A Traveler’s Guide to International Cybersecurity appeared first on McAfee Blogs.

Fmovies, uTorrent and Other Common Ways to Get Infected with Malware

During the journey of protecting our Heimdal PRO users, we’ve seen plenty of ways in which they can get malware infections.
From fmovies to fishy Kodi repositories and uTorrent spreading malvertising, they have one thing in common: online piracy.


It’s a very scary name for a very basic desire: go home, relax, watch your TV show and recharge for a new work day.

With the rise of paid subscriptions like Netflix, Hulu or Amazon and the veritable cornucopia of award-winning TV content, more and more online users turn to piracy in order to keep up with that content (and not break the bank by doing so!).

Unfortunately, this means they turn to google “watch free movies”.

Then, they end up on domains like “fmovies”, “popcorntime” or “putlocker” with ever-changing extensions and their PC gets exposed to malware that would make any Antivirus do a triple take (if the software even detects that infection!).

According to the latest research, the more time a user spends on a piracy site, the higher the chances of getting a malware infection.

Here’s what Rahul Telang from Carnegie Mellon University found out, after tracking more than 250 users for over a year:

“In particular, we estimate that doubling the time spent on infringing sites leads to 20 percent increase in total malware files and 20 percent increase in malware files after removing potential adware. We also find no evidence that users who visit infringing sites more take more precautions. In particular, users visiting infringing sites are less (not more) likely to install an antivirus (AV) software.”

The fact that users don’t rely on antivirus to keep them fully safe is not new, especially because the reactive nature of antivirus makes it very difficult to detect and fight against new malware.

However, I was curious to see what kind of pirate-related domains Heimdal PRO blocked before the compromised traffic could reach your PC.

I’ll tell you, it was a long list with more than 200,000 domains. Here are a couple of keywords I investigated.

[Chart: number of blocked domains]

The chart makes it pretty clear that everyone wants to watch TV online and that’s when the risk of malware increases.

Since YouTube, Spotify Free and other streaming services make music available essentially free, you’ll see that there are very few domains Heimdal PRO blocked in that area.

With the World Cup happening these days, our users haven’t clicked a lot of compromised links when trying to watch the games. This could be explained by the fact that broadcasters really do invest in stopping pirates from streaming their content. What’s clear is that the majority of domains are related to video content streaming, which really shows how attractive they are as a host for malware.

Out of a total of 12,602 piracy-related Heimdal PRO blocked domains, a whopping 2,444 domains contained the word “TV” in their name. 1,925 promised users to let them “watch” content. Surprisingly, there are only 34 Netflix-clones on the list.

What about Kodi player or old-fashioned torrenting sites?

Last summer, a Check Point report revealed that users could get infected with malware not just by visiting compromised websites but also by loading translations.

Usually, you run the risk of clicking on a compromising link when visiting suspicious websites for downloading subtitles. However, software like VLC or Kodi can let you download subtitles right there, without visiting an additional website.

And that’s a very good target for malware.

“These subtitles repositories are, in practice, treated as a trusted source by the user or media player; our research also reveals that those repositories can be manipulated and be made to award the attacker’s malicious subtitles a high score, which results in those specific subtitles being served to the user. This method requires little or no deliberate action on the part of the user, making it all the more dangerous.

Unlike traditional attack vectors, which security firms and users are widely aware of, movie subtitles are perceived as nothing more than benign text files. This means users, Anti-Virus software, and other security solutions vet them without trying to assess their real nature, leaving millions of users exposed to this risk,” explains Check Point.

Updates were deployed to eliminate that vulnerability but consider this:

VLC has been downloaded 2,567,311,646 times (as of writing this article).

Yes, that’s more than two billion versions of VLC floating on users’ PCs. If you look at the official stats page, it’s obvious that not all of the users are updating their software so cybercriminals have plenty of vulnerabilities to target.

In January 2018, Kodi had 19 million active users, one Fmovies domain registered 26.35 million unique visitors and, dwarfing them all, the classic The Pirate Bay boasted 62.21 visitors.

Meanwhile, the AV-Test Security Institute says it registers over 350,000 new malware and potentially unwanted applications daily.

[Chart: malware over the last 10 years]

Scary, right? Just as troubling is the fact that a lot of torrent users still rely on uTorrent to open files downloaded from piracy websites. In 2015, uTorrent deployed a version that contained a cryptocurrency-mining tool, without revealing it to users properly. A year ago, uTorrent was showing an ad that was using a flash exploit to install malware, as spotted by these users.

In February this year, famous researcher Tavis Ormandy warned that uTorrent had a vulnerability so serious that it could have allowed others to remotely control an infected PC.

And let’s not forget about that time when Cerber ransomware spread via pop-under ads targeting those who wanted to find a Game of Thrones episode on The Pirate Bay.

If you check for uTorrent on VirusTotal, you’ll see that some anti-viruses, including Microsoft’s, consider it to be potentially malicious software.

Popcorn Time, for example, was shut down after a copyright infringement suit but was so popular that a ransomware strain was named after it.

[Image: Popcorn Time ransomware example]

A great report by The Independent shows just why digital piracy is so linked to cybersecurity risks, and why it’s very profitable for both hackers and bootleggers.

How to avoid malware infections

Of course, the best answer would be to “stop pirating”. However, we know digital piracy is a topic that can be debated for a decade. We also know that this particular advice can sometimes fall on deaf ears, so it’s best to just give you the tools (and recommended security guides) to avoid malware infections.

If you or your friends/family engage with sites like fmovies / vumoo / downloadflix, use uTorrent or stream via Kodi, here are the essential steps for online security:

  • Install a proactive security tool like a traffic-scanner to stop malware, ransomware, malvertising, and other threats that commonly go unnoticed by Antivirus;
  • Use a well-known antivirus as a reactive security measure or at least let Windows Defender do its job;
  • Tweak your browser security settings and use an adblocker like uBlock Origin to stop malvertising and cryptojacking scripts;
  • For torrents, consider using a VPN – it will protect your privacy against both legitimate and fake copyright infringement notices;
  • If downloading videos, stick to standard formats like AVI and MKV to avoid the trap of downloading infected codecs;
  • Always keep your software updated, as malware commonly exploits older versions.




This setup will keep you safe for web browsing in general, not just for video streaming and other activities. However, nothing quite beats prevention!

If you don’t want to risk your data, it’s wiser to stick to Netflix or Hulu and split the subscription cost with a friend. If you suspect your risky browsing might have led to a malware infection, use this guide to find out if there’s reason for concern.

The post Fmovies, uTorrent and Other Common Ways to Get Infected with Malware appeared first on Heimdal Security Blog.

The Best Encrypted Messaging Apps You Should Use Today [Updated]

Do you want to know which is the best encrypted messaging app out there and how it can protect your valuable data? This guide might be exactly what you’re looking for.

We compiled a list of useful encrypted apps because the struggle to keep our data secure is fiercer than ever. Governments crave it, companies seek access to it, and cyber criminals probably want it the most.

Many of you may believe that confidential data shared via Facebook Messenger, Skype or Snapchat is safe, but sometimes that’s just an illusion. The recent events in which Facebook shared users’ private information with Cambridge Analytica, in what seems to be one of the social network’s largest data breaches, should make us more aware of the importance of data privacy.




Use this privacy and security guide to better secure your Facebook account.

Without end-to-end encryption, your conversations most likely will get into the hands of cyber criminals, and other malicious actors focused on stealing them.

To better understand how end-to-end encryption works, check out this infographic below:

Source: Chatmap.io

Why end-to-end encryption matters

In a nutshell:
End-to-end encryption means encrypting communications in order to make information unavailable to third parties. So when two or more devices communicate via an app that features this level of encryption, the information will be transmitted using a secret code rather than insecure plain text.

As a result, only the people communicating can read the messages and no other person. Not even Internet service providers, the app maker, the government or anyone else.

The data is protected against tampering, surveillance and cyber criminals while it’s transmitted and stored. The encryption key is stored locally, for improved protection.

Martin Kleppmann, former Rapportive co-founder and LinkedIn engineer, sums up the value of end-to-end encryption in a great blog post:

“Although encryption in transit is widely used, it has serious security problems.

For example, the service provider could be hacked by an adversary, or compromised by an insider, causing sensitive information to be leaked. A fault in the service provider could cause data to be corrupted.

For these reasons, security experts are pushing towards widespread use of end-to-end encryption, which reduces the exposure to such attacks.”

His comparison between different types of data encryption is also useful to explain the difference between the widely used encryption in transit and the more secure end-to-end encryption process:

[Figure: end-to-end encryption comparison]

Source: Martin Kleppmann’s personal blog
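To make the difference concrete, here is an added example (not code from Martin Kleppmann’s post or from any app on this list) that models a service provider relaying the same message under encryption in transit only and under end-to-end encryption. The toy Diffie-Hellman group, the HMAC-based stream cipher, the `Relay` class and the sample message are all assumptions chosen so the sketch runs on the Python standard library alone; real apps rely on vetted protocols and libraries.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group (assumption for this sketch): the Mersenne prime
# 2**521 - 1 with base 3. It shows the data flow; it is not a production choice.
P = 2**521 - 1
G = 3
KEY_BYTES = 66  # 521 bits rounded up to whole bytes


def keypair():
    """Return (private, public). The private half never leaves the device."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def session_keys(my_priv, peer_pub):
    """Derive separate encryption and MAC keys from the shared DH secret."""
    shared = pow(peer_pub, my_priv, P).to_bytes(KEY_BYTES, "big")
    enc_key = hmac.new(shared, b"encrypt", hashlib.sha256).digest()
    mac_key = hmac.new(shared, b"authenticate", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode, used here as a simple stream cipher."""
    out, counter = b"", 0
    while len(out) < length:
        block_input = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block_input, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(keys, plaintext):
    """Encrypt-then-MAC on the sender's device: nonce || ciphertext || tag."""
    enc_key, mac_key = keys
    nonce = secrets.token_bytes(12)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(keys, blob):
    """Verify the tag first, then decrypt. Raises ValueError on any change."""
    enc_key, mac_key = keys
    nonce, ciphertext, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("message was altered after it left the sender")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


class Relay:
    """Hypothetical service provider: keeps a copy of every body it forwards."""
    def __init__(self):
        self.stored = []

    def forward(self, body):
        self.stored.append(body)
        return body


def demo():
    message = b"meet at 6pm, gate B"  # constructed sample message
    # In transit only: the link is protected, but the server handles plaintext.
    transit_relay = Relay()
    transit_relay.forward(message)
    # End to end: keys are derived on the two devices; the relay sees a blob.
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    alice_keys = session_keys(a_priv, b_pub)
    bob_keys = session_keys(b_priv, a_pub)
    e2e_relay = Relay()
    blob = e2e_relay.forward(seal(alice_keys, message))
    # A faulty or compromised relay flips one bit of the stored ciphertext.
    corrupted = blob[:12] + bytes([blob[12] ^ 0x01]) + blob[13:]
    try:
        unseal(bob_keys, corrupted)
        corruption_detected = False
    except ValueError:
        corruption_detected = True
    return {
        "transit_relay_sees_plaintext": message in transit_relay.stored[0],
        "e2e_relay_sees_plaintext": message in e2e_relay.stored[0],
        "bob_received": unseal(bob_keys, blob),
        "corruption_detected": corruption_detected,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

A leak of the relay’s storage exposes the message in the first model and only an opaque blob in the second, and the corruption case from the quote above is caught on the recipient’s device rather than passed along silently.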

The most secure messaging apps

1. WhatsApp


Since 2016, WhatsApp has enabled and implemented end-to-end encryption, so users can enjoy a more secure communication. With more than 1.5 billion users, the platform has been acquired by Facebook and offers a free app to small-to-medium sized and enterprise businesses alike.

Security-wise, encryption enhances communication privacy and protects users’ messages from impostors or malicious actors.  While security flaws may appear, if cyber criminals were to breach WhatsApp today, they couldn’t decrypt your conversations. That’s due to the encryption and to the fact that WhatsApp doesn’t store your messages on its servers.

App cost: FREE

2. Viber

When it launched its 6.0 version, Viber also rolled out end-to-end encryption, providing more safety for its users. The app maker even created a Viber Encryption Overview which serves as a great guide for those who want to learn in-depth information on this security enhancement.

Since 2017 its corporate name has been Rakuten Viber, and the company is currently based in Luxembourg.

This private chat app has plenty of useful features in order to offer users high-quality calling experience and all of them are secured, so the information shared is protected along the way with the end-to-end encryption system.

As long as you make sure to use the sharing method pointed out by Viber, your data will remain encrypted from your end all the way up the recipient.

App cost: FREE

Users: More than 900 million registered users

3. LINE

Another secure texting app that you can use to  This app has quite an unusual story. It was originally built by a team of Japanese engineers as a solution to communicate after the devastating Tōhoku earthquake which happened in 2011. The calamity damaged the telecommunications infrastructure all over the country, so the only way to communicate was based on Internet-connected platforms.

The same year, LINE added end-to-end encryption to its platform. This feature is called “Letter Sealing” and it’s available to all its users. They just have to turn it on to benefit from it.

App cost: FREE

Users: over 700 million

4. Telegram

In their own words: “Telegram is a messaging app with a focus on speed and security.” The app reached 200 million active users in March 2018 and continues to grow.

Similar to other messaging apps, Telegram offers end-to-end encryption as well, being considered one of the most secure messaging platforms. For users who want more privacy, they can turn on “Secret Chats” from the app’s advanced settings. Read more details about this feature:

“And when you delete messages on your side of the conversation, the app on the other side of the secret chat will be ordered to delete them as well.

You can order your messages, photos, videos and files to self-destruct in a set amount of time after they have been read or opened by the recipient. The message will then disappear from both your and your friend’s devices.”

All secret chats in Telegram are device-specific and are not part of the Telegram cloud, meaning that you can only access messages in a secret chat from their device of origin. If your device is safe, your secret chats are safe as well.

App cost: FREE

Users: Over 200 million active users

5. KakaoTalk

Like the other private chat apps listed above, KakaoTalk, a Korea-based messaging app, has offered fully encrypted conversations since 2014. To benefit from this, you have to use the “Secret Chat” feature, which is inspired by Telegram.

This feature gives users the option of securing messages with end-to-end encrypted chat. However, KakaoTalk’s default chat mode is not end-to-end encrypted, so you’ll have to enable it.

The app makers boast that KakaoTalk is used by over 90% of smartphone users in South Korea, for whom privacy and data security are main concerns.

App cost: FREE

Users: Over 220 million registered

6. Signal – Private Messenger

Here’s another secure messaging app that uses an encryption system and can keep your messages safe.

Whisper Systems created Signal as a successor to two separate apps dedicated to encrypted voice calling and encrypted texting.

Encryption was always at the core of the company’s products. When Twitter acquired it in 2011, the goal was to improve the security in the microblogging platform.

Its encryption engine is open source, which means it is available for everyone to inspect.

Signal is used by leading figures in cyber security and data privacy, such as Edward Snowden and Bruce Schneier! That’s because in Signal all communication is encrypted end-to-end by default.

Recently, the app received a $50 million investment from the WhatsApp co-founder Brian Acton, who is supporting the non-profit Signal Foundation’s mission of “making private communication accessible and ubiquitous”.

Signal is also WIRED’s secure messaging recommendation because “it’s free, it works on every mobile platform, and the developers are committed to keeping it simple and fast by not mucking up the experience with ads, web-tracking, stickers, or animated poop emoji.”

App cost: FREE

It can be downloaded for free on Google Play or App Store.

7. Dust

Formerly known as Cyber Dust, it’s another private messaging app that uses end-to-end encryption as its main security and privacy feature. You may think of Snapchat when you read about how it works, as described on the website:

“You can erase your messages off other people’s phones. No messages are permanently stored on phones or servers. Messages are heavily encrypted and not accessible to anyone, even us.”

What Dust is trying to create is a social communication platform with enhanced security and privacy, by using a combination of AES 128 and RSA 248 encryption.

App cost: FREE for both Android and iOS platforms

8. Threema

Here’s another secure texting app that we suggest giving a try. Everything you communicate while using Threema is encrypted end-to-end: not only messages but also group chats, voice calls, media files and even status messages. Your messages can be read only by the intended recipient, so nobody else can interfere and have access to them.

The app makers also boast that they delete the messages you send from their servers once they’ve been delivered.

Threema app has a “Private Chats” feature that can help users protect individual chats with a PIN code. This way, confidential chats are protected from malicious actors.

Another great thing about this app is the QR code and key fingerprint available for user verifications to prevent man-in-the-middle attacks.

App cost: 2,99 EUR

9. Wickr – Secure Messenger

Another chat app that offers end-to-end encryption was created in 2012 by a group of security experts and privacy advocates.

This app is open source and doesn’t require a phone number or email address to register. Built with privacy in mind, Wickr Me does not collect data or have access to users’ data.

This page dedicated to the encryption standard used in Wickr is extremely useful for those who want to understand how end-to-end encryption works.

App cost: FREE for Android and iOS

10. Cyphr

Cyphr is another encrypted messaging app that is easy to use and free for both Android and iOS users.

The company’s Chief Technical Officer explains on the blog how Cyphr works in plain terms, so we recommend reading this section before you install the app.

Golden Frog, the company which makes Cyphr, also makes a VPN product, so they certainly know a bit about privacy and security.

Cyphr is a zero-knowledge messaging app, which means that your private messages cannot be read, shared or decrypted by third parties.

Although it doesn’t have desktop or web apps yet, Cyphr is worth a try.

App cost: FREE

11. CoverMe

CoverMe is another secure chat app that uses end-to-end encryption technology to better secure the messages and files you send from intruders who try to get access to them.

By using it, you can also make encrypted voice calls, without any records on your phone bill. The app also includes a private vault feature for extra security, which you can use to store your files and hide videos, photos, passwords and any other files.

App cost: FREE

Download it from Google Play Store or Apple Store

12. Silence 

Silence is another messaging app that focuses on keeping your messages safe, using encryption for text messages over the air and on your phone. Like the Signal and Wickr Me apps, it is open source and free.

Formerly known as SMSecure, Silence app has a simple and friendly interface and uses encrypted SMS messages with no Internet connection required.

App cost: FREE

Download it from Google Play Store

13. Pryvate Now 

Whether you are an Android or iOS user, you can freely start chatting and messaging with Pryvate app.

In 2015 it won the award for “Best Business – Best Mobile App” and ensures your communications are encrypted and fully secured.

This messaging app offers world-class RSA 4096-bit encryption technology and involves NO servers or middleman for communications, so users can enjoy direct communications with their colleagues, friends or family.

It includes a “Self Destruct” feature which lets you delete all the messages you sent from the recipient’s device at any time.

App cost: FREE for Android and iOS

14. SureSpot

This small mobile messaging app uses end-to-end encryption technology for every text, image, and voice you are sending to one of your friends or colleagues, so no stranger can read it.

The Surespot app doesn’t share any data about you and transfers your conversations securely to other devices. This guide can show how the app works and how you can protect all your mobile messages.

It is worth knowing that it does not require or store your data.

App cost: FREE for Android and iOS

15. Wire

Here’s another great encrypted messaging app that is worth a try. Unlike other services out there, it offers end-to-end encryption by default to secure your conversations, files and images, text files and more.

It is an open source, collaborative platform and has plenty of useful features: fully encrypted video calls, secure file sharing, syncing between devices and others. Wire has a free version for personal use (after creating an account) and a paid one for organizations (large enterprises).

It works on all popular platforms: Windows, Android, iOS, macOS, Linux, and different browsers (Chrome, Firefox, Edge, Opera).

More to come

This list isn’t complete, so we believe we’ll update it soon.

If you know of any encrypted messaging apps that should be on this list, do let us know, or leave a comment below, and we’ll be happy to include them.

Until then, remember that popular apps like Twitter, Instagram, Snapchat or Facebook Messenger don’t use end-to-end encryption, so your conversations and files may not be fully secured. If you are a Skype user like me, you should know that the company introduced end-to-end encryption at the beginning of 2018.

If you want to explore more data encryption methods, we have a dedicated guide you’ll find helpful.

Conclusion

We’re living in a digital world where security and privacy matter more than ever. If you are concerned about your data and value privacy, then it’s a must to use one of these encrypted messaging apps to better secure it from spies, hackers or any other malicious actors.


This article was initially written by Andra Zaharia in June 2016, and updated by Ioana Rijnetu in June 2018.

The post The Best Encrypted Messaging Apps You Should Use Today [Updated] appeared first on Heimdal Security Blog.

#CyberAware: 4 Actionable Steps to Boost Your Family’s Safety Online

Summer has officially rolled out its welcome mat. But as most parents might be thinking about slowing down, for most kids, summer is when digital device use goes into overdrive. That’s why June — which also happens to be Internet Safety Month — is a perfect time to strengthen your family’s digital readiness.

Good news: This digital safety skills booster is quick and actionable. And who knows — if a few of these tips boost your family’s safety, you may have just saved summer for everyone!

4 Ways to Boost Family Safety Online 

Practice safe social. Challenge your family to rein in its social footprint by taking these specific actions: 1) Adjust privacy settings on all social networks. 2) Trim friend and follower lists. 3) Delete any personal data on social profiles such as birthdate, address, or school affiliation. 4) Edit, limit app permissions. As we’ve just seen in the headlines, the misuse of personal data is a very big deal. 5) Share with care. Routinely scrolling, liking, and commenting on social sites such as Snapchat and Instagram can give kids a false sense of security (and power). Remind tweens and teens to share responsibly. Oversharing can damage a reputation and words or images shared callously can damage other people.

Practice safe gaming. Summertime is a gamer’s heaven. Endless battles and showdowns await the dedicated. However, some digital pitfalls can quickly douse the fun. According to the National Cyber Security Alliance’s gaming tip sheet, safe gaming includes: updating gaming software, protecting devices from malware, protecting your child’s personal data, using voice chat safely, and paying close attention to content ratings.

Practice strong security. There are some steps only a parent can take to safeguard the family online. 1) Parental controls. Filtering software blocks inappropriate websites and apps as well as establishes boundaries for family tech use. 2) Comprehensive security software helps protect your PCs, tablets, and devices from viruses, malware, and identity theft. 3) Keeping your guard up. According to McAfee’s Gary Davis, staying safe online also includes digital habits such as using strong passwords, boosting your network security and firewall, and being aware of the latest scams that target consumers.

Practice wise parenting. 1) Know where kids go. Know which apps your kids love and why, how they interact with others online, and how much time they spend online. 2) Unplug. Establish tech-free family activities this summer. Powering off and plugging into quality time is the most powerful way to keep your family safe online. Strong relationships empower responsibility. 3) Be confident. As parenting expert Dr. Meg Meeker says, parents should be parenting from a place of confidence, rather than from a place of fear. “The temptation for parents is to think that they have no control over what their child does online. This isn’t true,” says Meeker. “Parents, you are in control of your child’s technology use; it is not in control of you.”


Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her on Twitter @McAfee_Family. (Disclosures).

The post #CyberAware: 4 Actionable Steps to Boost Your Family’s Safety Online appeared first on McAfee Blogs.

Cybercriminals Steal the Show! 26 Million Ticketfly Customers’ Data Compromised in Massive Breach

When we find out our favorite artist is coming to town, we immediately head to the web to snatch up a ticket to their show. This is where ticket distribution services, such as Ticketmaster and TicketFly, come in handy, as they allow us to easily input our information to claim a spot for the show. But as of this week, users of the latter company are unfortunately now dealing with that very information being compromised by a massive data breach. In fact, Troy Hunt, founder of “Have I Been Pwned,” discovered that a hacker posted several Ticketfly database files to a public server online.

This attack began with an unnamed hacker informing Ticketfly of a security vulnerability and demanding a ransom of one bitcoin to reveal the flaw and help fix it. This threat was met with no response. The hacker then defaced the site, prompting the company to take it offline, and stole piles of Ticketfly customer data in the process.

In addition to a whopping 26 million email addresses, this stolen data includes users’ names, phone numbers, home and billing addresses. As of now, no financial information has been published publicly by the hacker, but he or she has threatened to post more data if they are not paid their ransom.

So, with this personal information out in the open and potentially more still to come, what can these Ticketfly customers do to protect their data? Start by following these tips:

  • Keep an eye out for sketchy emails. One way cybercriminals can leverage stolen emails is by using the list for phishing email distribution. If you see something sketchy or from an unknown source in your email inbox, be sure to avoid clicking on any links provided. Better to just delete the email entirely.
  • Set up an alert. Though this hacker has not published financial data, that doesn’t mean he or she may not still have it on hand. Therefore, if you’re a Ticketfly user, it’s best to proactively place a fraud alert on your credit so that any new or recent requests undergo scrutiny. This also entitles you to extra copies of your credit report so you can check for anything suspicious. If you find an account you did not open, report it to the police or Federal Trade Commission, as well as the creditor involved so you can close the fraudulent account.
  • Invest in an identity theft solution. With this breach, Ticketfly users may be faced with the possibility of identity theft. That’s precisely why they should leverage an identity theft solution such as McAfee Identity Theft Protection, which allows users to take a proactive approach to protecting their identities with personal and financial monitoring and recovery tools to help keep their identities personal and secured.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Cybercriminals Steal the Show! 26 Million Ticketfly Customers’ Data Compromised in Massive Breach appeared first on McAfee Blogs.

High-Tech & Hackable: How to Safeguard Your Smart Baby Devices

It’s just about as creepy as it gets: A hacker breaking into a smart device in your baby’s nursery. The Internet of Things (IoT) has wrapped our homes in technology, which means any piece of technology you own — be it a smartphone, a thermostat, or even a baby toy or monitor — is fair game for hackers.

High tech products geared toward parents of newborns and kids are on the rise. Reports show that new parents are fueling this industry and purchasing everything from smart diapers, onesies, baby monitors, digital bassinets, soothers, high-tech swings, breathing monitors, play pads, and a string of smart toys. Parents purchasing baby tech and digital toys are counting on fresh tech ideas and products to increase efficiency and maintain a constant connection to their kids.

But these seemingly efficient products, some argue, could be increasing parents’ stress in some cases. Are these tech products, which are also highly hackable, worth the risk and worry?

The Pros

Peace of mind, safety. Smart baby devices give anxious parents added peace of mind when it comes to worries. Who doesn’t want to see their sweet baby deep in sleep and go to bed without worry? Given a chance, many parents welcome the opportunity to know their baby’s temperature, oxygen levels, heartbeat, and breathing are on track.

Remote monitoring, convenience. When you can be downstairs or working in the yard, or in your home gym, and still check on a sleeping baby, that’s an incredible convenience that many parents welcome as a productivity booster.

Learning and development. Many parents purchase smart devices for kids in an effort to help them stay on track developmentally and ensure they are prepared for the tech-driven world they are heading into.

The Cons

Hackable. Any device that is web-enabled or can connect to the cloud has the potential to be hacked, which can create a whole new set of issues for a family. If you are getting sleeping, breathing, and health data on your child, anyone else could be getting that same information.

False readings. Baby technology, as useful as it appears, can also have glitches that medical professionals argue can be more harmful than helpful. Can you imagine waking up at 2 a.m. to a monitor alarm that falsely says your baby isn’t breathing?

Complex, pricey. Some of the products can be complicated to program and set up and pricey to purchase or replace.

So why would a hacker even want to break into a baby monitor, you may ask? For some hackers, the motive is simply because they can. Being able to intercept data, crash a device, or prove his or her digital know-how is part of a hacker’s reward system. For others, the motives for stalking your family’s activities or talking to kids in the middle of the night can prove to be a far more nefarious activity.

Tips to safeguard baby tech:

Think before you purchase. According to the tech pros, think before buying baby tech and evaluate each item’s usefulness. Ask yourself: Do I need this piece of technology? Will this product potentially decrease or increase my stress? If a product connects to the wi-fi or the cloud, weigh its convenience against any risk to your family’s data.

Change default passwords. Many products come with easy-to-guess default passwords that many consumers don’t take the time to change. This habit makes it easy for hackers to break in. Hackers can also gain access to entire wifi networks just by retrieving the password stored on one device. (Sometimes all a hacker does is google a specific brand to find the product’s password — yes, it’s as easy as that!)

Buy from known brands. Buy from reputable manufacturers and vendors. Google to see if that company’s products have ever been digitally compromised. And although it’s tempting to get your device used to save a little money, second-hand technology might have malware installed on it so beware.

Update software, use strong passwords. If there’s a software update alert connected to your baby tech, take the time to update immediately. Be sure to choose a password with a minimum of 16 characters, and do not use the same password for more than one device.

Turn off. When your devices are not on, there’s no vulnerability so, even with all the safeguards, remember to turn off devices not in use for that last layer of protection.


Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her on Twitter @McAfee_Family. (Disclosures).

The post High-Tech & Hackable: How to Safeguard Your Smart Baby Devices appeared first on McAfee Blogs.

Cyber Security Roundup for May 2018

I'm sure the release of the GDPR on 25th May hasn't escaped anyone's attention. After years of warnings about the EU parliament's intended tough stance on enforcing the human right to privacy in the digital realm, a real 'game changer' of a global privacy regulation has finally landed, which impacts any organisation which touches EU citizen personal data. 

The GDPR's potentially hefty financial penalties for breaching its requirements are firmly on the radar of directors at large enterprises and small businesses alike, hence the massive barrage of emails we have all received in recent weeks on changes to company privacy statements and requesting consent, many of which I noted as not being GDPR compliant in obtaining "explicit consent" from the data subject. So there is a long way to go for many organisations before they reach a truly GDPR compliant state, based on what I've seen so far in my mailbox.

Cybercriminals have been quick to take advantage of the GDPR privacy emails deluge, using the subject matter in their phishing attacks to cheat access to accounts and con victims.
On a positive GDPR note, also on 25th May, IBM developerWorks released a three-part guidance series written by myself, aimed at helping Application Developers to develop GDPR compliant applications.

Developing GDPR Compliant Applications Guidance

Overshadowed by the GDPR coming into force was the release of the new NHS Data Security and Protection Toolkit, aimed at the NHS and their service providers. The European NIS Directive (for telecom providers) also went under the radar, but both are significant to those working in those industries.

Always make sure your Broadband Router/Hub does not permit remote administrative access (over the internet) and is always kept up-to-date with the latest security patches; otherwise, it will be at serious risk of being hacked and remotely controlled by cyber-criminals. This month provided the evidence: a DNS flaw in over 800,000 Draytek routers allowed hackers to take them over, malware called VPNFilter infected 500,000 routers, and serious vulnerabilities were reported in TP-Link EAP controllers.

IBM made headlines after banning its workers from using USB sticks, which I think is a good and reasonable policy. Quite frankly, in any modern enterprise, whether large or small, with a decent IT infrastructure and cloud services, staff shouldn't need to use USB devices to move data either internally or externally with third parties. So I see banning all USB devices as a rather smart business and security move, as it forces staff to use the more secure and more efficient technology made available.

As my @securityexpert Twitter account crossed the 10,000 follower threshold, Twitter advised 300 million users to reset their passwords after an internal error. Apparently, the passwords for the Twitter accounts were accidentally stored in a database as "plain text" values instead of as hashed values, which is best practice. I always strongly recommend that Twitter users take advantage of the multi-factor authentication system Twitter provides, which reduces the risk of account hacking.

Breaches of note in May: a T-Mobile website bug exposed personal customer data, Coca-Cola said an insider breached 8,000 accounts, and BMW cars were found to have over a dozen security vulnerabilities.

As always, it was a busy month for new security patch releases, with Microsoft, Adobe, PHP, PGP, Google, Git, and Dell all releasing critical security updates to fix significant security flaws. Click the links for the full details.

Analysis of DDoS attacks at Cloudflare has revealed that while organisations in the UK have certainly upped their spending on DDoS mitigation, cyber-criminals are now responding by switching to Layer 7 based DDoS attacks.

There were also some interesting articles about the Welsh Cyber Security Revolution and a review of the NHS a year on from the WannaCry outbreak.

Reports of interest this month include the Thales Data Threat Report, which found UK businesses to be the most breached in Europe. The LastPass Psychology of Passwords Report found that 59% of people surveyed used the same passwords across multiple accounts, despite 91% of them knowing that using the same password for multiple accounts is a security risk. The 2017 Cylance Report stated that the number of cyber-attacks on industries such as healthcare, manufacturing, professional services, and education rose by about 13.4% between 2016 and 2017.


Insider Threat at Coca-Cola Compromises 8,000 Employees’ Information

Cybercrime is often seen as a battle of good versus evil – a hacker tries to infiltrate a system while cyber defenders work hard to fend them off. Sometimes, data breaches are the work of these cybercriminals, and other times they’re caused by an actual employee of the affected company – something we like to call an insider threat. Just this past week, popular soft drink producer Coca-Cola announced that they were facing exactly that: an insider threat in the form of a former employee found carrying a personal hard drive of worker data.

So far, we know that this employee uploaded the data of their fellow coworkers onto an external hard drive, which they took with them when departing the company. According to a company representative, “the type of stolen and exposed data varies per employee.” And though there are no more known specifics around the data, we do know that this theft impacts 8,000 individual Coca-Cola employees.

As of now, Coca-Cola says it’s been working with law enforcement to dig into the details of this insider threat, but in the interim, these employees need to start taking proactive steps to protect their personal information. In order to do just that, follow these basic security tips:

  • Set up an alert. If you know there’s a chance your personal data has been compromised, place a fraud alert on your credit so that any new or recent requests undergo scrutiny. This also entitles you to extra copies of your credit report, so you can check for anything suspicious. If you find an account you did not open, report it to the police or Federal Trade Commission, as well as the creditor involved so you can close the fraudulent account.
  • Freeze your credit. This allows you to seal your credit reports so no one else can take out new accounts or loans in your name. You can do this without impacting your existing lines of credit, such as credit cards. If you want to apply for services or open new accounts, you can temporarily “unfreeze” your credit using a personal identification code only you have.
  • Consider an identity theft protection solution. With their personal information floating around, these employees could be faced with the possibility of identity theft. McAfee Identity Theft Protection allows users to take a proactive approach to protecting their identities with personal and financial monitoring and recovery tools to help keep their identities personal and secured.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.


By Gary Davis, 31 May 2018

The post Insider Threat at Coca-Cola Compromises 8,000 Employees’ Information appeared first on McAfee Blogs.

Application Development GDPR Compliance Guidance

Last week IBM developerWorks released a three-part guidance series I have written to help Application Developers develop GDPR compliant applications.

Developing GDPR Compliant Applications Guidance

The GDPR
The General Data Protection Regulation (GDPR) was created by the European Commission and Council to strengthen and unify Europe's data protection law, replacing the 1995 European Data Protection Directive. Although the GDPR is a European Union (EU) regulation, it applies to any organization outside of Europe that handles the personal data of EU citizens. This includes the development of applications that are intended to process the personal information of EU citizens. Therefore, organizations that provide web applications, mobile apps, or traditional desktop applications that can indirectly process EU citizens' personal data or allow EU citizens to sign in are subject to the GDPR's privacy obligations. Organizations face the prospect of powerful sanctions should applications fail to comply with the GDPR.

Part 1: A Developer's Guide to the GDPR
Part 1 summarizes the GDPR and explains how the privacy regulation impacts and applies to developing and supporting applications that are intended to be used by European Union citizens.

Part 2: Application Privacy by Design
Part 2 provides guidance for developing applications that are compliant with the European Union’s General Data Protection Regulation. 

Part 3: Minimizing Application Privacy Risk

Part 3 provides practical application development techniques that can alleviate an application's privacy risk.

The Ultimate List of 50 Free Security Tools, Tested For You

The idea that we should create a gargantuan list of cyber security tools started running through our minds a while ago because, in our journey into the cyber security and data protection world, we ran into lots of useful tools.

When we decided to work on this list, we had no idea how and where to begin.

What tools should we include? What should we not? How do we tell if one is worthy and the other one is not?

Do we mention ultra-known products?

Should we stick to what’s free or should we also add paid products?

Eventually, we came up with what you’re about to read. But first, here’s a quick guideline that you should read before we jump right to the subject:

  1. We don’t claim this is the ultimate list. It’s not complete and it’s definitely not final. It probably never will be. We are aware that we missed lots of essential, important tools – by mistake or just because we can’t know them all. So please feel free to jump in with more useful tools that you feel should be mentioned.
  2. We stayed away from recommending antivirus, VPN or firewall products. There are independent industry experts who only do that. Instead, we prefer to list those experts or websites that will help you compare such services, in order to choose what’s best for you.
  3. We tried to test them all before recommending them. And we only included tools that have free versions.

Here’s our list:

50+ free security tools you can use for your online protection

Table of contents:

ACCOUNT & AUTHENTICATION MANAGEMENT
Check if your password is strong
Password managers
Activate two-factor authentication
Was your account hacked?
SOCIAL MEDIA SECURITY
Geo-tag removal on social accounts
Revoke access to third-party apps
Do a security check-up
Other communicating tools
SAFE BROWSING
Keeping vulnerable software under control
Extra Encryption, Privacy, and Anonymity
Redirect checkers
Remote screenshots
Scan for threats
BACKUP, BACKUP, BACKUP
REPORTING
MISCELLANEOUS
Conclusion

ACCOUNT & AUTHENTICATION MANAGEMENT


How strong is your password?

A unique and strong password is key to our online safety. We keep recommending this in our articles (and we’ll keep doing it) so people can realize the importance of setting passwords that hackers can’t reach.

First of all, here’s why it should be unique:

We never use the same key for our house and car, right? Then why would we use the same password for our accounts?

Our online accounts are interconnected. If one of those passwords is breached, the cyber criminal will have access to the rest of your accounts.

And no matter how careful you are not to give out your password, sometimes you might not be responsible for the breach. Companies have plenty of vulnerabilities. Their employees can have poor security habits. Their ex-employees might want to get vengeance this way. Your online connection might not be secure and your traffic unencrypted. There are tons of flaws out there that could expose your credentials.

How your online accounts are interconnected

Second of all, here’s why it should be strong (and what “strong” means):

Most people have weak passwords. They use family or pet names, favorite songs, birth dates and so on. This type of information nowadays is readily available online – usually posted directly by us, on social networks or blogs or forum comments.

If a cyber criminal really wants to hack your account and you use such a password, all they’ll have to do is spend some time finding out more information about you.

They also have the technical skills to test out millions of password combinations in a short period of time. So there’s that.

SplashData released its annual list of the worst passwords of 2017, where we see that people continue using the classic “123456”.


Source: Teamsid.com

We strongly RECOMMEND using strong and unique passwords, and this step-by-step guide will show you how to manage passwords like an expert.

And here are some tools that you can play with to find out how secure a password is considered (don’t test using your real passwords!).

Another great tool can estimate how long it would take for your password to be cracked by a hacker: Estimating Password-Cracking Times


Password managers

Constantly coming up with strong, unique passwords is hard. We get it.

It’s hard to remember to change them, and it’s even harder to remember them. Especially since it’s not recommended to write them down – not in a document on your desktop, not in an email draft, not in your phone or on a piece of paper that stays under your mouse pad. No, no, no, no.

And since not all of us have an elephant memory, some smart guys created tools that make it easier for us to manage passwords.

Password managers are easy to use. You install them as browser plug-ins and they help us save passwords and keep them encrypted. When we log in to a new account, the password manager will ask us if we want to save the password.

All we have to do is remember the password that we use for the password manager tool account.

Here are some of the most popular apps for password management:

  • LastPass – it’s one of the oldest and most known password managers.
  • Sticky Password
  • 1Password – not exactly free, but offers a free trial that lasts 30 days


Activate two-factor authentication

Ok, so this is plan B. If passwords fail and a cybercriminal somehow manages to find out your beautiful, strong, unique and completely random password, the second-factor authenticator will work as an extra shield.

Two-factor authentication adds an extra layer of protection. This way, the password will not be enough to access your account; you’ll also have to prove your identity using the second method. This usually consists of a unique, time-sensitive code that you receive on your mobile phone.

In order not to do this every time you log into your account, you can choose to remember the devices you use and only require the second way of authentication when you want to log in from a new device (laptop, PC, tablet, browser, whatever that may be).

I always wonder why the companies don’t enable this option by default. It would help avoid a lot of accounts that end up compromised because of poor password habits.

If you want to check what services offer users the possibility to activate two-factor authentication, use this tool:

Two Factor Auth

Was your account hacked?

There are several projects out there that store a huge database of leaked, stolen or compromised passwords. Other projects gather all the past data breaches. You can check your passwords or accounts against their databases. If someone ever used the same password as yours and it was leaked in a past breach, you’ll have to change it.

You can also check if you have any accounts that were compromised in any of those data breaches.

Use these services:

Here are more projects that you can use to inform yourself about data breaches:

World's biggest data breaches (Feb 2016)
Source
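Checking a password against a breach database does not require handing over the password. The following added example (not part of the original article) sketches a hash-prefix range query, the design used by Have I Been Pwned's Pwned Passwords range search: only the first five characters of the SHA-1 hash leave the client. The `BreachService` class, the sample corpus and its counts are constructed for illustration and run fully offline.

```python
import hashlib
from collections import defaultdict

# Constructed sample corpus standing in for a leaked-password database:
# password -> number of times it was seen in breaches (made-up counts).
LEAKED_SAMPLE = {"123456": 2000, "password": 900, "qwerty": 500, "letmein": 40}

PREFIX_LEN = 5
HEX_DIGITS = set("0123456789ABCDEF")


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password (used here only as a lookup key)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class BreachService:
    """Service side: stores only hashes, bucketed by their first five hex characters."""

    def __init__(self, leaked_counts):
        self.buckets = defaultdict(dict)
        for password, count in leaked_counts.items():
            digest = sha1_hex(password)
            self.buckets[digest[:PREFIX_LEN]][digest[PREFIX_LEN:]] = count
        self.queries_seen = []  # everything the service ever learns from clients

    def range_query(self, prefix: str) -> str:
        """Return every 'SUFFIX:COUNT' line whose hash starts with the prefix."""
        if len(prefix) != PREFIX_LEN or not set(prefix) <= HEX_DIGITS:
            raise ValueError("prefix must be 5 uppercase hex characters")
        self.queries_seen.append(prefix)
        bucket = self.buckets.get(prefix, {})
        return "\n".join(f"{suffix}:{count}" for suffix, count in sorted(bucket.items()))


def times_seen_in_breaches(password: str, service: BreachService) -> int:
    """Client side: send the prefix, compare the remaining characters locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    for line in service.range_query(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0  # no hash in the returned bucket matches this password


if __name__ == "__main__":
    service = BreachService(LEAKED_SAMPLE)
    for candidate in ("123456", "constructed-unique-passphrase-7Q"):
        hits = times_seen_in_breaches(candidate, service)
        verdict = "change it" if hits else "not in this corpus"
        print(f"{candidate!r}: seen {hits} times -> {verdict}")
    print("all the service saw:", service.queries_seen)
```

A result of zero only means the password is absent from that corpus; it says nothing about its strength.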

SOCIAL MEDIA SECURITY

Geo-tag removal on social accounts

It’s highly recommended that you avoid checking in from your social accounts – especially from your home.

Something so common and apparently innocent as a social media check-in can turn into a nightmare. You can never control who can access your social network posts. You never know who else benefits from the information you shared.

There have been many cases of people who checked in while on vacation, bragged about the wonderful places they visited, only to come back home and find out that they were robbed. Burglars were tipped off thanks to the posts on social media.

However, if it’s already too late and you already have plenty of check-ins made online, you can remove your previous ones.

For Facebook, you’ll have to do that manually for each post you published and then turn off location for future posts. However, for Instagram, there’s an easier batch solution that you can use.

Instagram is constantly updating its network and has changed the geo-map feature for mobile that let you control geotag location. Now you have the option to save photos you see and like on Instagram and add them to your photo collections.

Revoke access to third-party apps

You have probably logged in to third-party apps with your social accounts – games, other social networks, streaming services and so on.

For privacy reasons, it’s recommended that you only allow access to trustworthy apps. Those apps have access to your profiles and personal information.

From time to time, make sure you check every single app that you allowed to access your account and remove the ones that you don’t use anymore.

Here’s how you can remove access to external apps from every major social network:

Third party apps on Facebook

Do a security check-up

Google and Facebook are among the networks that offer the possibility to do a security check-up. They will take you through the steps you need to check or activate in order to enhance your account’s protection.

Facebook security checkup

Other communication tools

Here are other communication tools that are focused on anonymity and encryption:

  • Signal – free mobile app that you can use for encrypted communications (phone calls and messages). They also have a partnership with WhatsApp and helped them integrate end-to-end encryption.
  • Off The Record – encrypted app used for instant messaging.
  • Safe Pad – an online notepad that is encrypted end-to-end.


SAFE BROWSING

Keeping malicious software under control

There are some major software apps that are buggy and expose you to global cyber attacks. “Software” and “buggy” might just be pleonasms for the moment, as all software has bugs and vulnerabilities.

What you should bear in mind is that you can reduce your odds of being infected just by keeping those buggy apps up to date. Or keep them disabled until you really need them, and activate them only then. Or uninstall them, if they aren’t vital to your work.

By “apps” we mean browsers, plug-ins, add-ons. Chrome, Firefox, Flash Player, Java, and Adobe Reader, just to name a few of them, but you should take a look over the infographic published here to find out more about the top most vulnerable apps.


Here’s how you can reduce your odds of getting infected:

1. Keep those vital apps up to date. You can use an automated patching tool that will take care of that for you, silently (Heimdal FREE does that).

2. Use a tool that will scan your traffic and restrict your access to infected web pages (our product also does that, and also makes sure that none of your data goes out to the bad guys).

3. No clicking on suspicious links or attachments, short links that you don’t know where they’ll lead you, nothing that you never requested or sounds fishy (even if it’s coming from your online buddies). Staying away from dangerous web locations also is vital (that means no websites that host illegal content, such as torrents).

4. Keep a good, trustworthy antivirus activated. Here’s how to choose it.

5. Use an app that will block those plug-ins and apps.

You can see in the infographic below how a global ransomware infects your operating system:

simple ransomware infection chain

Some tools that will come in handy:

    • AdBlock – you’ll get rid of annoying ads, but you’ll also reduce your chances of ending up with ransomware spread through malvertising.
    • NoScript – an add-on for Firefox that allows plugins to be executed only by trusted web sites of your choice.
    • Script Safe – same as NoScript, but for Chrome.
    • Flashblock – Firefox add-on that blocks Flash
    • Flash control – Chrome add-on that lets you take more control over Flash
    • Dragon Internet Browser – a free tool based on Chromium technology that will provide a higher level of protection
    • Google Chrome Cleanup Tool – this app will scan and remove software that can cause problems  with Chrome browser

Extra Encryption, Privacy, and Anonymity

If you want extra anonymity, here is a list of tools that are focused on encryption and privacy:

  • Tor Project – we’re sure you already know about this one. You can use Tor to browse the web while staying anonymous.
  • Comparison VPN – the name is pretty much self-explanatory, right? “VPN” comes from “Virtual Private Network” and it’s used to encrypt your outgoing and ongoing traffic. This tool will help you compare between different VPN services.
  • Duck Duck Go – it’s a free search engine but, unlike others, it doesn’t track you, doesn’t collect or share any of your personal information.
  • Disconnect – the basic version will block trackers from websites.
  • uBlock – a lightweight free and open source browser extension that will help you filter out annoying or unwanted content, such as tracking cookies and ads (available for Mozilla, Chrome, Safari and even Microsoft Edge).
  • Https everywhere – it’s an extension for your browser that encrypts your communications with major websites; it is the result of a collaboration between The Tor Project and the Electronic Frontier Foundation.
  • Ghostery – a free browser extension that lets you control trackers from the websites that you visit.


Redirect checkers

If you want to avoid any phishing or malware attacks, it’s best not to click on any link when you don’t know where it will lead you. They might be links shortened using services such as Bit.ly or Unshorten or links that look similar to perfectly legitimate ones but use a variation in spelling or domain.
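The two link types described above (shortened links and near-copies of a legitimate domain) can be flagged locally before anything is opened. This is an added example, not part of the original article; the shortener and trusted-domain lists are small constructed samples, and the registered domain is approximated as the last two labels of the host name (no public-suffix list).

```python
from urllib.parse import urlsplit

# Constructed sample lists (assumptions); replace with the sites you really use.
SHORTENERS = ("bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly")
TRUSTED = ("paypal.com", "google.com", "facebook.com", "microsoft.com")


def edit_distance(a, b):
    """Levenshtein distance: single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host):
    """Naive approximation: the last two labels (wrong for suffixes like co.uk)."""
    return ".".join(host.split(".")[-2:])


def classify(url):
    """Return (verdict, imitated_domain) for a link, without fetching it."""
    if "://" not in url:
        url = "//" + url  # let urlsplit find the host in scheme-less links
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return ("invalid", None)
    # Internationalised labels can render as look-alike characters.
    if any(label.startswith("xn--") for label in host.split(".")):
        return ("punycode", None)
    domain = registered_domain(host)
    if domain in SHORTENERS:
        return ("shortened", None)  # real destination is hidden
    if domain in TRUSTED:
        return ("trusted", domain)
    name, _, tld = domain.partition(".")
    for good in TRUSTED:
        good_name, _, good_tld = good.partition(".")
        # Trusted name used as a subdomain of someone else's domain.
        if host.startswith(good + ".") or "." + good + "." in host:
            return ("lookalike", good)
        # Same name under a different top-level domain.
        if name == good_name and tld != good_tld:
            return ("lookalike", good)
        # Variation in spelling: allow more typos for longer names.
        limit = 2 if len(good_name) >= 8 else 1
        if 0 < edit_distance(name, good_name) <= limit:
            return ("lookalike", good)
    return ("unknown", None)


if __name__ == "__main__":
    for link in ("https://bit.ly/2abcd", "http://paypa1.com/login",
                 "https://paypal.com.account-verify.example/"):
        print(link, classify(link))
```

A "shortened" or "lookalike" verdict is the cue to run the link through a redirect checker instead of clicking it; "unknown" only means the domain is not on your own list.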

Use one of these services to check where a link will redirect you:

Other dedicated and useful tools that you can use to detect links to malware websites:


Remote screenshots

As an alternative to remotely checking where a short link will take you, you can also use a service that remotely takes screenshots of a given website.

These kinds of services are usually used by developers, to see how a website will look on the different resolutions and browsers used by visitors, but they can also come in handy when it comes to Internet security.

This way, you’ll see what a website looks like and where you’ll end up if you click on that link, without actually visiting it.

You can use one of these services:

Scan for advanced threats

There are services that will help you check if a website has been reported for phishing, malicious code, unwanted software or has a poor reputation. This way, you’ll know to avoid it.

You can check using one of these:

You may also find this list of free online anti-malware scanners useful.


BACKUP, BACKUP, BACKUP

How valuable are the work documents that you keep on your desktop, your email or in the cloud?

What about your collection of photos or private conversations? Would you miss them if they were ever deleted or lost?

What if they were stolen? Or, even worse, encrypted in a ransomware attack?

Stop telling yourself “it can’t happen to me”. The odds for ending up with malware attacks are against you.

And most of these attacks are automated, nobody hand picks you as a victim. It’s enough for you to have files and outdated browsers, plugins or apps. You don’t even have to click or download anything to end up infected – nowadays you can be compromised even on perfectly legit websites.

For example, BBC, The New York Times and AOL were recently hit with a malvertising campaign that delivered notable ransomware to users.

Bad news is that even if you pay the ransom, there’s no guarantee that you’ll receive the encryption key to gain back access to your files. Or the encryption might have gone wrong and corrupted the files. It’s one of the reasons why the FBI advises against paying the ransom.

Let’s not forget about the recent cyber attacks (WannaCry, Petya ransomware) impacting big organizations and institutions (Telefonica, Renault, FedEx, the National Health Service (NHS) in England and Scotland, Maersk, Government of Ukraine, and many more) that saw their computers compromised and lost access to valuable information.

No matter how many Internet security layers you have in place, always have a backup. Set in place at least two automatic backups. If everything else fails, at least you’ll be covered.

It’s not complicated to set them up, you don’t need advanced tech skills. Our colleague Andra explained in a separate blog article how you can easily backup your data.

And here are two more tools that will help you out:

  • Best Backup – helps you choose the backup solutions suited to your needs
  • Spider Oak – backup solution focused on encryption and Internet security


REPORTING

Although ignored by most people, this step is also important to cyber security. Take your time and file a report if you run into anything that looks fishy.

If you have a hunch that something is wrong and you might have fallen into a trap, immediately contact your bank or credit card institution and close the accounts you believe may have been compromised.

If this is not the case and you simply ran into spam, scams or phishing attempts, it’s best that you report them to government organizations or even cyber security companies.

Here are some of the places where you can do that:

MISCELLANEOUS

A few tools that didn’t fit into any other major category, but we also wanted to mention them.

  • Eraser – Windows tool that allows you to completely remove data from your hard drive, by overwriting it several times.
  • Cvedetails.com – check how many vulnerabilities your favorite apps have and how severe they are.
  • Header Analysis – analyse email header. And here’s how you can read the header details.
  • Free Shredder Software Programs – A very useful list of 36 free software tools that will help you delete files on your computer.
  • Site Safety – A tool that helps you identify whether a site is safe or not
  • Deseat.me – It helps you clean up your online presence
  • IP Feeds – This tool analyzes all security IP Feeds that are related to online attacks
  • WhatisMyBrowser – An online service providing data about your browser’s capabilities.
  • Scrim – This tool helps you convert your email address into a short and safe link

We also recommend checking these quizzes to help you test and update your Internet security knowledge:

For the ones with advanced technical skills, here are some tools that show vulnerabilities in software:




Conclusion

In the cyber security game, the good guys and the bad ones constantly try to outrun each other. That’s why you should always remember that no tool is bulletproof. Don’t rely exclusively on a software or an app to keep you safe, as they all have flaws and vulnerabilities.

Instead, try to think and act like a journalist. Question everything that you receive or run into in the digital world, even if it only looks slightly suspicious. Triple check it before you act on it, be sure that you don’t throw yourself into anything fishy.

Continue to improve your cyber education. In time, you’ll train your intuition and it will become increasingly easier to spot potential compromises.

It’s essential that you never give up on healthy Internet security habits. Add as many security layers as possible – onion style – in order to decrease the impact of a potential attack.

Hope for the best and prepare for the worst, right?

This article was initially published by Cristina Chipurici in May 2016 and it was republished in July 2017.


The post The Ultimate List of 50 Free Security Tools, Tested For You appeared first on Heimdal Security Blog.

America’s Dirty Little Secrets: Opening the Door to Protected Data

It’s 2018. Digital assistants have started taking over our homes, with adoption growing tenfold. These smart speakers know everything about us, from our shopping habits to our music tastes — they likely know more about our daily lives than we do. This ever-growing, ever-changing relationship between humans and devices highlights the importance of protecting data – verbal or otherwise – in the home. With connected devices using our personal data to be the most comprehensive in-home assistants possible, we need to prioritize Internet of Things (IoT) security, awareness and the implications of using such devices.

It’s estimated that by 2022, over half of U.S. households will have at least one smart speaker in their home — that’s over 70 million households, topping 175 million installed devices. These devices are aimed at making our lives easier and more convenient than ever before, but to do so they require that we willingly share access to our personal and private information. Whether it’s banking and home address stored directly on the device, or learnings it’s picked up from our conversations, the amount of private data that these devices carry opens up a new array of threats. New research from McAfee reveals that 60% of Americans have considered their digital assistants could be recording or listening to them. If so, what are the security implications of using a digital assistant?

From answering a quick question to ordering items online, controlling the lights, or changing thermostat temperature, digital assistants have become a pseudo-family member in many households, connecting to more IoT things than ever before. But if one of these devices is breached, it can open up an entire home Wi-Fi network and our valuable information could get into the wrong hands. Beyond this, many Americans have developed a very personal relationship with their devices, with 50% admitting to being embarrassed if friends or family knew what questions they asked their digital assistants. Now imagine if any of that information fell into the hands of cybercriminals — it could open the door to your personal data and threaten your family’s security.

In addition to the sensitive data that our smart speakers have stored, and the conversations they may or may not be recording, there are other security risks associated with this technology in the home. In 2016, it was determined that music or TV dialogue could take control of our digital assistants with commands undetectable to human ears. Known as the “Dolphin Attack,” this occurrence essentially hides commands in high-frequency sounds that our assistant-enabled gadgets can detect, but we are unable to hear. Instances of TV commercials activating digital assistants have already been reported, so we can see how this technique could be quite easy for cybercriminals to imitate if they wanted to access our smart homes’ network.

The growing trend of connecting these always-listening assistants to our home appliances and smart home gadgets is only exacerbating these concerns. Aside from digital assistants, other IoT devices such as game consoles, home security systems, thermostats, and smartphones may be at risk and must be secured to avoid becoming targets for cybercriminals. We must proceed with caution and be aware of who, or what could be listening in order to protect ourselves accordingly. Whenever bringing any kind of new, connected device into the home, prioritize safety and privacy.

Here are some top tips to securely manage the connected devices in your home:

  • Vary your passwords. Create passwords that are difficult to crack to ensure accounts are secure and update your passwords on a regular basis. Use multi-factor authentication whenever possible. Simplify password management by using a password manager.
  • Consider setting up a PIN code. Particularly for voice command purchases. Help keep cybercriminals away from your data by setting up an extra layer of security.
  • Invest in a router that delivers security for all your connected devices. It’s important to secure your entire connected home network. And the launch of McAfee Secure Home Platform skill for Alexa is set to make this easier and more convenient than ever before.

Technology is changing our everyday lives but being aware of the security concerns is the key to becoming an empowered consumer.

Interested in learning more about IoT and mobile security tips and trends? Follow @McAfee_Home on Twitter, and ‘Like’ us on Facebook.

The post America’s Dirty Little Secrets: Opening the Door to Protected Data appeared first on McAfee Blogs.

Get Your Online Privacy Under Control

Online privacy: too often managing this aspect of our digital lives gets shuffled to the bottom of our ‘to-do’ lists. The recent Facebook Cambridge Analytica drama made many of us rethink what private information we are sharing online. But many of us just don’t know what to do to fix it.

This week is Privacy Awareness Week – a great opportunity to check-in and see how we can do better. A recent survey conducted by McAfee shows that most Aussies (54%) are more concerned about their online privacy than five years ago. This is encouraging! However, a whopping 83% of us do not believe that protecting our internet-connected devices is essential to managing our privacy online. Oh dear!! ☹

The survey also showed that 23% of Aussies do not change default passwords when we purchase new devices and that only 35% of us know how to properly check if our connected home appliances or devices are secured. Clearly we still have work to do, people! We have a disconnect on our hands. Most of us realise we need to do something to manage our privacy but don’t realise that protecting our devices is a big part of the solution. You can’t have one without the other!!!

Online Privacy Made Easier

So, I’m going to make it nice and easy for you. I have compiled a list of the steps you need to take to get your online privacy under control. And yes, it may take you a few hours to get on top of it but it’s so worth it. If your privacy is compromised, your identity can be easily stolen. Which could affect you financially as well as undermine your reputation. Let’s get to it – here’s what you need to do:

 1. Protect Your Devices

  • Use comprehensive security software such as McAfee® Total Protection. You know it will guard you against viruses and threats. But do you realise it will also direct you away from dangerous downloads and risky websites – where privacy can easily come unstuck!
  • McAfee® Total Protection will also protect your smartphone and tablet, and can back up your important files.

 2. Manage Your Passwords

  • Ensure all your online accounts and all your devices have a separate, unique password. Ideally, it should have a combination of lower and upper case letters, numbers and special characters. I love using a nonsensical, crazy sentence.

 3. Think Before You Download Apps

  • Never download apps from unknown sources. They may be designed to mine your personal information. Always read reviews to see if anyone has had a problem and check out the app’s fine print before you download.
  • Review the apps that you have signed up to with Facebook. As you would be aware from the recent Cambridge Analytica situation, Facebook provides some of these apps with users’ private information including name, location, email or even friends list.
    So, please review these apps, people. Not sure where to start? Go to Settings > Apps > Logged in with Facebook and remove anything that doesn’t absolutely need access to your Facebook profile. You will still have to contact the app developer to ensure they have deleted the data they already have gathered on you.

 4. Lock Down Your Home Wi-Fi

  • To prevent hackers accessing your fleet of IoT devices at home (including your virtual assistant or your lighting or security systems), secure your home Wi-Fi with a complex password. All devices need to have their default passwords changed as well.
  • McAfee’s Secure Home Platform – available soon on D-Link – can secure devices through your internet router to ensure every internet-connected device in your house is safe. How good is that???

 5. Stay On Top Of Software Updates

  • Check all your devices to ensure your software (operating systems, apps) is up-to-date.
  • Out-of-date software often means there is a security vulnerability that makes it so much easier for a cybercriminal to access your device and online life.
  • Why not schedule updates so this happens automatically?

 6. Be Wary Using Wi-Fi Outside Home Or Work

  • Avoid using public or unsecured Wi-Fi, especially when entering personal information online, as it can leave you open to all sorts of nasty attacks.
  • Use a Virtual Private Network (VPN) such as McAfee® Safe Connect to encrypt connections and keep your data secure when sharing online.

 7. Multi-Factor Authentication

And don’t forget about your kids! Teaching them the importance of proactively managing their online privacy is essential. As parents, we need to help our kids develop a toolkit of skills and knowledge, so they can prepare themselves for life’s challenges. So please share this with them – you’ll be doing them a big favour.

Alex x

The post Get Your Online Privacy Under Control appeared first on McAfee Blogs.

Syn/Ack Unique Proactive Protection Technique

McAfee’s Advanced Threat Research team has performed analysis on samples of Syn/Ack ransomware implementing Process Doppelgänging.  For those who are concerned about the potential impact of this ransomware but are currently unable to implement McAfee product protections, we have found a simple but interesting alternative method.  Prior to encryption and ransom, the malware first checks if one of several hardcoded keyboards or languages is installed on the target machine.  If found, the malicious code will terminate, effectively resulting in an extremely simple “patch” of sorts. We have tested the following steps to be effective on several versions of Windows 7 and theoretically on Windows 10 – preventing the malware from encryption and ransom.  These steps can be taken proactively.  Due to limited scope of testing at this time, this technique may not work on all systems, release versions, and configurations.

Windows 7 – Adding Keyboard Layout:

Control Panel > Clock, Language, and Region > Region and Language > Keyboards and Languages

Click the “Change Keyboards” tab

In the Installed Services section click “add”

Select Keyboard – For example: Russian (Russia) > Keyboard > Russian

Click “Ok”

Click “Apply”

Click “Ok”

Here is the list of keyboard layouts you can add – any will suffice:

  • Armenian
  • Azeri, (Cyrillic, Azerbaijan)
  • Belarusian
  • Georgian
  • Kazakh
  • Ukrainian
  • Uzbek (Cyrillic, Uzbekistan)
  • Uzbek (Latin, Uzbekistan)
  • Russian
  • Tajik

Windows 10 – Adding Language Support:

Control Panel > Language > Add a language

  • Armenian
  • Azeri, (Cyrillic, Azerbaijan)
  • Belarusian
  • Georgian
  • Kazakh
  • Ukrainian
  • Uzbek (Cyrillic, Uzbekistan)
  • Uzbek (Latin, Uzbekistan)
  • Russian
  • Tajik

That’s all it takes!  Please note – this should not be considered a fully effective or long-term strategy.  It is highly likely the malware will change based on this finding; thus, we recommend the McAfee product protections referenced above for best effect.
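To confirm that the layout was actually added on each machine, the per-user layout list can be audited from the output of `reg query "HKCU\Keyboard Layout\Preload"`. This is an added example, not McAfee's code: the host names and registry output are constructed, the name-to-language-ID mapping is standard Windows data added here (the post lists names only), and it assumes the Preload key reflects what the malware's check sees, which the post does not specify.

```python
import re

# Windows language IDs (low 16 bits of a keyboard layout ID) for the layouts
# named in the post. Mapping added for this example; the post gives names only.
LISTED_LAYOUTS = {
    0x042B: "Armenian",
    0x082C: "Azeri (Cyrillic, Azerbaijan)",
    0x0423: "Belarusian",
    0x0437: "Georgian",
    0x043F: "Kazakh",
    0x0422: "Ukrainian",
    0x0843: "Uzbek (Cyrillic, Uzbekistan)",
    0x0443: "Uzbek (Latin, Uzbekistan)",
    0x0419: "Russian",
    0x0428: "Tajik",
}

# A value line of `reg query` output: "    1    REG_SZ    00000409"
PRELOAD_LINE = re.compile(r"^\s*(\d+)\s+REG_SZ\s+([0-9A-Fa-f]{8})\s*$")


def parse_preload(reg_output):
    """Return the layout IDs from `reg query` output, in preload order."""
    entries = []
    for line in reg_output.splitlines():
        match = PRELOAD_LINE.match(line)
        if match:
            entries.append((int(match.group(1)), match.group(2).lower()))
    return [klid for _, klid in sorted(entries)]


def listed_layouts_present(reg_output):
    """Return (layout_id, name) for each installed layout that is on the list."""
    found = []
    for klid in parse_preload(reg_output):
        lang_id = int(klid, 16) & 0xFFFF  # variants such as 00010419 share 0419
        if lang_id in LISTED_LAYOUTS:
            found.append((klid, LISTED_LAYOUTS[lang_id]))
    return found


def hosts_without_listed_layout(outputs_by_host):
    """Return the hosts where none of the listed layouts is installed."""
    return sorted(host for host, out in outputs_by_host.items()
                  if not listed_layouts_present(out))


# Constructed sample output for three hypothetical workstations.
HEADER = "HKEY_CURRENT_USER\\Keyboard Layout\\Preload\n"
SAMPLE = {
    "WS-01": HEADER + "    1    REG_SZ    00000409\n",
    "WS-02": HEADER + "    1    REG_SZ    00000409\n    2    REG_SZ    00000419\n",
    "WS-03": HEADER + "    1    REG_SZ    00000407\n    2    REG_SZ    00010419\n",
}

if __name__ == "__main__":
    for host in sorted(SAMPLE):
        print(host, listed_layouts_present(SAMPLE[host]) or "no listed layout")
    print("still to do:", hosts_without_listed_layout(SAMPLE))
```

The key is per user, so the query has to run in the context of each account that logs on to the machine.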

The post Syn/Ack Unique Proactive Protection Technique appeared first on McAfee Blogs.

Keep Your Mum Safe This Mother’s Day!

On my first Mother’s Day 21 years ago, I received a pair of gorgeous fluffy pink slippers. Last year – it was a sleek shiny green Fitbit! Technology has absolutely transformed our gift giving and Mother’s Day is no exception.

The rising popularity of internet connected gifts means many lucky mums will receive a glossy new device on Mother’s Day. It may be a digital home assistant, a fitness tracker or even a big new Smart TV. Whatever it is, we must understand the potential risks involved when giving or receiving an internet enabled device. Because we don’t want to put our mums (or our families) at risk.

But don’t let this change your shopping plans! Like anything in life, if you’re prepared you can minimise the risks and avoid getting caught out by cyber threats. So, here is the low-down on threats posed by some of the more popular gifts this Mother’s Day and tips on how to protect against them.

Digital Home Assistants

Regardless of which brand you might choose, a digital assistant can be a massive help for any busy mum. Whether it’s reading the kids a bedtime story or a recipe while you cook, or setting timers – it’s the closest thing many mums can get to another set of hands!

However, there are risks associated with these mother’s helpers. If your home assistant is hacked, your personal information could be at risk. Which means your bank account details or your identity could be put at risk. And as the device is ‘always on’, your personal assistant can listen to and record what is being said around your house – a definite privacy issue.

What to Do to Stay Safe

  • Protecting your Home Wi-Fi is an essential step to ensuring your home assistant is secure. Solutions such as McAfee’s Secure Home Platform, available soon on D-Link routers, will secure all your devices that connect to your Home Wi-Fi, including your home assistant. So, you have protection and peace of mind.
  • Always change the manufacturer’s default password when setting up the Wi-Fi and ensure you create a complex, unique one instead. A combination of lower and upper-case letters, numbers and special characters is ideal.
  • Don’t allow your home assistant to store your private information. I also advise against allowing your home assistant to store passwords, credit card data, or any of your contact information.

Fitness Trackers

A wearable fitness tracker might be at the top of your mum’s wish list this Mother’s Day. But there are some surprisingly worrying security risks surrounding the popular gift that she should be aware of.

Researchers have found it is possible to crack PINs and passwords by hacking into the motion sensors to track hand movements. Additional research shows that the encryption offered by wearable fitness tracker manufacturers is quite easily intercepted. This means all your personal data stored on the device can easily be hacked. And while info like your calorie intake and step count may not seem valuable to a hacker, information like where you worked out and how long you were away from home can paint a very valuable picture of who you are!

What to Do to Stay Safe

  • Keep your fitness tracker up-to-date. Just like with any connected device, as soon as software updates become available, download them immediately to prevent cyber criminals from hacking your device.
  • Set up your fitness tracker and any associated online accounts with an obscure user name and unique passwords, that are completely unrelated to any of your other accounts.
  • Read the Privacy Policy of the device or app you are considering buying. Make sure you are comfortable with the company’s commitment to protecting your data.
  • Consider disabling certain features of the fitness tracker if you feel that your privacy may be jeopardised.

Smart TVs

Whilst buying mum a smart TV would certainly make her feel spoilt this Mother’s Day, they can come with a more sinister side. In March 2017, news emerged that it may be possible to hack into smart TVs to spy on users. Since then, several critical vulnerabilities have been found in Vestel firmware, which is used in more than 30 popular TV brands. These vulnerabilities could be easily leveraged to spy on smart TV users through the microphones and cameras.

What to Do to Stay Safe

  • Buy smart TVs with security in mind. When purchasing a smart TV, it’s always important to do your homework and read up on any current vulnerabilities.
  • Secure your home’s internet at the source. Smart TVs, like all connected devices, must connect to a home Wi-Fi network to run. If they’re vulnerable, they could expose your network as a whole. Since it can be challenging to lock down all the IoT devices in a home, again a solution like McAfee Secure Home Platform can provide protection at the router-level.

If you are shopping online for mum, please remember to keep your guard up. Only shop from secure websites where the URL begins with ‘https://’ and a lock icon appears in the address bar. NEVER, EVER shop using unsecured Wi-Fi. It can leave you vulnerable to all sorts of nasty attacks and your private information may be hacked by a third party.

Finally, and most importantly, don’t forget to thank your wonderful mum for everything she has done for you. A handwritten card with a few lines of thanks is extremely powerful!!

Happy Mother’s Day!!

Alex xx

 

The post Keep Your Mum Safe This Mother’s Day! appeared first on McAfee Blogs.

Trivia Time: Test Your Family’s Password Safety Knowledge

Passwords have become critical tools for every citizen of the digital world. Passwords stand between your family’s gold mine of personal data and the entirety of the internet. While most of us have a love-hate relationship with passwords, it’s beneficial to remember they do serve a powerful purpose when created and treated with intention.

But asking your kids to up their password game is like asking them to recite the state capitals — booooring! So, during this first week of May as we celebrate World Password Day, add a dash of fun to the mix. Encourage your family to test their knowledge with some Cybersavvy Trivia.

Want to find out what kind of password would take two centuries to crack? Or, discover the #1 trick thieves use to crack your password? Then take the quiz and see which family member genuinely knows how to create an awesome password.

We’ve come a long way in our understanding of what makes a strong password and the many ways nefarious strangers crack our most brilliant ones. We know that unique passwords are the hardest to crack, but we also know that human nature means we lean toward creating passwords that are also easy to remember. So striking a balance between strong and memorable may be the most prudent challenge to issue to your family this year.

Several foundational principles remain when it comes to creating strong passwords. Share them with your family and friends and take some of the worries out of password strength once and for all.

5 Password Power Principles

  1. Unique = power. A strong password includes numbers, lowercase and uppercase letters, and symbols. The more complicated your password is, the more difficult it will be to crack. Another option is a password that is a passphrase only you could know. For instance, look across the room and what do you see? I can see my dog. Only I know her personality; her likes and dislikes. So, a possible password for me might be #BaconDoodle$. You can even throw in a misspelling of your password to increase its strength such as Passwurd4Life. Just be sure to remember your intentional typos if you choose this option.
  2. Diverse = power. Mixing up your passwords for different websites, apps, and accounts can be a hassle to remember but it’s necessary for online security. Try to use different passwords for online accounts so that if one account is compromised, several accounts aren’t put in jeopardy.
  3. Password manager = power. Working in conjunction with our #2 tip, forget about remembering every password for every account. Let a password manager do the hard work for you. A password manager is a tech tool for generating and storing passwords, so you don’t have to. It will also auto-log you onto frequently visited sites.
  4. Private = power. The strongest password is the one that’s kept private. Kids especially like to share passwords as a sign of loyalty between friends. They also share passwords to allow friends to take over their Snapchat streaks if they can’t log on each day. This is an unwise practice that can easily backfire. The most powerful password is the one that is kept private.
  5. 2-step verification = power. Use multi-factor (two-step) authentication whenever possible. Multiple login steps can make a huge difference in securing important online accounts. Sometimes the steps can be a password plus a text confirmation or a PIN plus a fingerprint. These steps help keep the bad guys out even if they happen to gain access to your password.

It’s a lot to manage, this digital life, but once you’ve got the safety basics down, you can enjoy all the benefits of online life without the worry of your information getting into the wrong hands. So have fun and stay informed knowing you’ve equipped your family to live their safest online life!


Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her on Twitter @McAfee_Family. (Disclosures).

The post Trivia Time: Test Your Family’s Password Safety Knowledge appeared first on McAfee Blogs.

Does Your Family Need a VPN? Here are 3 Reasons it May Be Time

At one time Virtual Private Networks (VPNs) used to be tools exclusive to corporations and techie friends who appeared overly zealous about masking their online activity. However, with data breaches and privacy concerns at an all-time high, VPNs are becoming powerful security tools for anyone who uses digital devices.

What’s a VPN?

A VPN allows users to securely access a private network and share data remotely through public networks. Much like a firewall protects the data on your computer, a VPN protects your activity by encrypting (or scrambling) your data when you connect to the internet from a remote or public location. A VPN allows you to hide your location, IP address, and online activity.

For instance, if you need to send a last-minute tax addendum to your accountant or a legal contract to your office but must use the airport’s public Wi-Fi, a VPN would protect that data by creating a secure tunnel in which it can travel while you are connected to the open network. Or, if your child wants to watch a YouTube or streaming video while on vacation and only has access to the hotel’s Wi-Fi, a VPN would encrypt your child’s data and allow a more secure internet connection. Without a VPN, any online activity, including gaming, social networking, and email, is fair game for hackers since public Wi-Fi lacks encryption.

Why VPNs matter

  • Your family is constantly on the go. If you find yourself conducting a lot of business on your laptop or mobile device, a VPN could be an option for you. Likewise, if you have a high school or college-aged child who likes to take his or her laptop to the library or coffee shop to work, a VPN would protect data sent or received from that location. Enjoy shopping online whenever you feel the urge? A VPN also has the ability to mask your physical location, banking account credentials, and credit card information. If your family shares a data plan like most, connecting to public Wi-Fi has become a data/money-saving habit. However, it’s a habit that puts you at risk of nefarious people eavesdropping, stealing personal information, and even infecting your device. Putting a VPN in place, via a subscription service, could help curb this risk. In addition, a VPN can encrypt conversations via texting apps and help keep private chats and content private.
  • You enjoy connected vacations/travel. It’s a great idea to unplug on vacation but let’s be honest, it’s also fun to watch movies, check in with friends via social media or email, and send Grandma a few pictures. Service to some of your favorite online streaming sites can be interrupted when traveling abroad. A VPN allows you to connect to a proxy server that will access online sites on your behalf and allow a secure and easier connection most anywhere you go.
  • Your family’s data is a big deal. Protecting personal information is a hot topic these days and for good reason. Most everything we do online is being tracked by Internet Service Providers (ISPs). ISPs track us by our individual Internet Protocol (IP) addresses generated by each device that connects to a network. Much like an identification number, each digital device has an IP address which allows it to communicate within the network. A VPN routes your online activity through different IP addresses, allowing you to remain anonymous. A favorite entry point hackers use to eavesdrop on your online activity is public Wi-Fi and unsecured networks. In addition to potentially stealing your private information, hackers can also use public Wi-Fi to distribute malware. Using a VPN cuts cyber crooks off from their favorite watering hole: public Wi-Fi!

As you can see VPNs can give you an extra layer of protection as you surf, share, access, and receive content online. If you look for a VPN product to install on your devices, make sure it’s a product that is trustworthy and easy to use, such as McAfee’s Safe Connect. A robust VPN product will provide bank-grade encryption to ensure your digital data is safe from prying eyes.

Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her on Twitter @McAfee_Family. (Disclosures).

The post Does Your Family Need a VPN? Here are 3 Reasons it May Be Time appeared first on McAfee Blogs.

Cloud Clustering Vulnerable to Attacks

The authors thank John Fokker and Marcelo CaroVargas for their contributions and insights.

In our upcoming talk at the Cloud Security Alliance Summit at the RSA Conference, we will focus our attention on the insecurity of cloud deployments. We are interested in whether attackers can use compromised cloud infrastructure as viable backup resources as well as for cryptocurrency mining and other illegitimate uses. The use of containers has increased rapidly, especially when it comes to managing the deployment of applications. Our latest market survey found that 83% of organizations worldwide are actively testing or using containers in production. Applications need authentication for load balancing, managing the network between containers, auto-scaling, etc. One solution (called a cluster manager) for the automated installation and orchestration of containers is Kubernetes.

Some key components in the Kubernetes architecture appear below:

High-level Kubernetes architecture.

  • Kubernetes master server: The managing machine that oversees one or more nodes
  • Node: A client that runs tasks as delegated by the user and Kubernetes master server
  • Pod: An application (or part of an application) that runs on a node. The smallest unit that can be scheduled to be deployed. Not intended to live long.

For our article, we need to highlight the etcd storage on the master server. This database stores the configuration data of the cluster and represents the overall state of the cluster at a given time. Kubernetes saves secrets in this database as Base64 strings; before Version 2.1 there was no authentication in etcd.

With that knowledge, security researcher Giovanni Collazo from Puerto Rico started to query the Shodan database for etcd databases connected to the Internet. He discovered many, and when queried, some of these databases revealed a lot of credentials. Beyond leaking credentials from databases and other accounts, what other scenarios are possible?

Leaking Credentials

There are several ways that we can acquire credentials for cloud services without hacking into panels or services. By “creatively” searching public sites and repositories, we can find plenty of them. For example, when we searched on GitHub, we found more than 380,000 results for certain credentials. Let’s assume that half of them are useful: We would have 190,000 potentially valid credentials. As Collazo did for etcd, one can also use the Shodan search engine to query for other databases. By creating the right query for Django databases, for example, we were able to identify more cloud credentials. Amazon’s security team proactively scans GitHub for AWS credentials and informs their customers if they find credentials.
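For defenders, the same observation argues for scanning your own manifests and repositories before they are published. The following is an added example, not code from the original post or from McAfee: it shows that a plain pattern scan misses an AWS access key ID stored Base64-encoded in a Kubernetes Secret manifest, while decoding the `data` fields first finds it. The manifest is constructed for the example and uses the placeholder key ID from AWS documentation; the function names are hypothetical.

```python
import base64
import binascii
import json
import re

# AWS access key IDs are 20 characters: "AKIA" (long-term) or "ASIA"
# (temporary) followed by 16 upper-case letters or digits.
ACCESS_KEY_RE = re.compile(
    r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])"
)
PRIVATE_KEY_RE = re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")


def scan_text(text):
    """Return (kind, value) findings for credential patterns in plain text."""
    hits = [("aws-access-key-id", m)
            for m in sorted(set(ACCESS_KEY_RE.findall(text)))]
    if PRIVATE_KEY_RE.search(text):
        hits.append(("private-key", "PEM header"))
    return hits


def decode_secret_data(manifest):
    """Decode the Base64 `data` values of a Secret manifest to text.

    Base64 is an encoding, not encryption: no key is needed to reverse it.
    Values that are not valid Base64 are skipped.
    """
    decoded = {}
    for field, value in (manifest.get("data") or {}).items():
        try:
            raw = base64.b64decode(value, validate=True)
        except (binascii.Error, ValueError):
            continue
        decoded[field] = raw.decode("utf-8", errors="replace")
    return decoded


def scan_manifest(manifest_json):
    """Scan a manifest both as raw text and, for Secrets, after decoding."""
    manifest = json.loads(manifest_json)
    hits = [("raw", kind, value) for kind, value in scan_text(manifest_json)]
    if manifest.get("kind") == "Secret":
        for field, text in decode_secret_data(manifest).items():
            hits += [("data." + field, kind, value)
                     for kind, value in scan_text(text)]
    return hits


# Constructed sample: a Secret holding the AWS documentation placeholder key.
SAMPLE_SECRET = json.dumps({
    "apiVersion": "v1",
    "kind": "Secret",
    "type": "Opaque",
    "metadata": {"name": "backup-job"},
    "data": {
        "aws_access_key_id": base64.b64encode(b"AKIAIOSFODNN7EXAMPLE").decode(),
        "region": base64.b64encode(b"eu-west-1").decode(),
    },
})

if __name__ == "__main__":
    print("raw scan:    ", scan_text(SAMPLE_SECRET))
    print("decoded scan:", scan_manifest(SAMPLE_SECRET))
```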

Regarding Kubernetes: Leaked credentials, complete configurations of the DNS, load balancers, and service accounts offer several possible scenarios. These include exfiltrating data, rerouting traffic, or even creating malicious containers in different nodes (if the service accounts have enough privileges to execute changes in the master server).

Creating malicious containers.

One of the biggest risks concerning leaked credentials is the abuse of your cloud resources for cryptomining. The adversaries can order multiple servers under your account to start cryptomining, enriching their bank accounts while you pay for the computing power “you” ordered.

Open Buckets

We have heard a lot about incidents in which companies have not secured their Amazon S3 buckets. A number of tools can scan for “open” buckets and download the content. Attackers would be most interested in write-enabled rights on a bucket. For our Cloud Security Alliance keynote address at RSA, we created a list of Fortune 1000 companies and looked for readable buckets. We discovered quite a few. That is no surprise, but if you combine the read-only buckets information with the ease of harvesting credentials, the story changes. With open and writable buckets, the adversaries have plenty of opportunities: storing and injecting malware, exfiltrating and manipulating data, etc.

McAfee cloud researchers offer an audit tool that, among other things, verifies the rights of buckets. As we write this post, more than 1,200 writable buckets belonging to a multitude of companies are accessible to the public. One of the largest ad networks in the world had a publicly writable bucket. If adversaries could access that network, they could easily inject malicious code into advertisements. (As part of our responsible disclosure process, we reported the issue, which was fixed within hours.) You can read an extensive post on McAfee cloud research and how the analysts exposed possible man-in-the-middle attacks leveraging writable buckets.
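To check the rights on buckets you own, the sketch below classifies a bucket as private, readable, or writable from its ACL and bucket policy documents. It is an added example, not the McAfee audit tool mentioned above: the function names, the list of write actions, and the sample documents are constructed for illustration, and the input shapes follow the JSON that the S3 ACL and policy APIs return.

```python
import fnmatch

# Predefined S3 groups that make an ACL grant public.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}
ACL_WRITE = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}
# Representative actions that change bucket contents or permissions.
POLICY_WRITE_ACTIONS = ("s3:PutObject", "s3:DeleteObject", "s3:PutObjectAcl",
                        "s3:PutBucketAcl", "s3:PutBucketPolicy")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def audit_acl(acl):
    """Return (level, who, permission) for every grant to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        who = PUBLIC_GROUPS.get(grant.get("Grantee", {}).get("URI"))
        if who is None:
            continue
        perm = grant.get("Permission")
        findings.append(("writable" if perm in ACL_WRITE else "readable", who, perm))
    return findings


def audit_policy(policy):
    """Return findings for unconditional Allow statements open to everyone."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_public_principal(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue  # conditional grants need manual review; not flagged here
        if "NotAction" in stmt:
            # Allows everything except the listed actions: treat as writable.
            findings.append(("writable", "anyone", "NotAction"))
            continue
        actions = _as_list(stmt.get("Action", []))
        patterns = [a.lower() for a in actions]  # IAM actions ignore case
        writes = any(fnmatch.fnmatchcase(w.lower(), p)
                     for p in patterns for w in POLICY_WRITE_ACTIONS)
        findings.append(("writable" if writes else "readable", "anyone",
                         ",".join(actions)))
    return findings


def verdict(acl, policy=None):
    """Worst exposure level across the ACL and the optional bucket policy."""
    findings = audit_acl(acl) + (audit_policy(policy) if policy else [])
    levels = {level for level, _, _ in findings}
    if "writable" in levels:
        return "writable"
    return "readable" if "readable" in levels else "private"


# Constructed samples (bucket name and owner ID are placeholders).
OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"},
               "Permission": "FULL_CONTROL"}
ALL_USERS = {"Type": "Group",
             "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}
PRIVATE_ACL = {"Grants": [OWNER_GRANT]}
OPEN_ACL = {"Grants": [OWNER_GRANT,
                       {"Grantee": ALL_USERS, "Permission": "READ"},
                       {"Grantee": ALL_USERS, "Permission": "WRITE"}]}
READ_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"}]}
WRITE_POLICY = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:Put*",
    "Resource": "arn:aws:s3:::example-bucket/*"}}

if __name__ == "__main__":
    print(verdict(OPEN_ACL), audit_acl(OPEN_ACL))
    print(verdict(PRIVATE_ACL, READ_POLICY), audit_policy(READ_POLICY))
```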

Clustering the Techniques

To combat ransomware, many organizations use the cloud to back up and protect their data. In our talk we will approach the cloud as an attack vector for spreading ransomware. With the leaked credentials we discovered from various sources, the open and writable buckets created a groundwork for storing and spreading our ransomware. With attackers having a multitude of credentials and storage places such as buckets, databases, and containers, defenders would have difficulty keeping up. We all need to pay attention to where we store our credentials and how well we monitor and secure our cloud environments.

The post Cloud Clustering Vulnerable to Attacks appeared first on McAfee Blogs.

Service Provider [24]7.ai Breached, Leaking Customer Data from Delta Airlines, Sears, Kmart, and Best Buy

A huge part of modern-day customer service is the chat functionality, which allows customers to converse easily with representatives of the organization in order to find a solution to their problem. This chat functionality is often a service offered by a third-party provider. And just last week, one of these service providers, [24]7.ai, reported that an unspecified cyberattack affected online payment data collected by a “small number of our client companies.” A few of these companies include Delta Airlines, Sears, Kmart, and Best Buy.

The breach was the result of an unspecified malware attack on the service’s chat tool, which occurred between Sept. 26 and Oct. 12, 2017. The malware permitted cybercriminals to obtain unauthorized access to customer data, including payment card numbers, CVV numbers, and expiration dates, in addition to customers’ names and addresses.

Delta Airlines, Sears, Kmart, and Best Buy have not yet determined how many customers have been impacted so far, but the total is believed to be up to hundreds of thousands. So, for those who have been affected – what are the next steps? Start by following these security tips:

  • Place a Fraud Alert. If you know your data has been compromised, place a fraud alert on your credit so that any new or recent requests undergo scrutiny. This also entitles you to extra copies of your credit report, so you can check for anything suspicious. If you find an account you did not open, report it to the police or Federal Trade Commission, as well as the creditor involved so you can close the fraudulent account. Then, make sure you correct your credit report by filing a dispute with each of the three credit bureaus.
  • Freeze Your Credit. This allows you to seal your credit reports so no one else can take out new accounts or loans in your name. You can do this without impacting your existing lines of credit, such as credit cards. If you want to apply for services or open new accounts, you can temporarily “unfreeze” your credit using a personal identification code only you have.
  • Consider an identity theft protection solution. With these breaches, consumers are faced with the possibility of identity theft. McAfee Identity Theft Protection allows users to take a proactive approach to protecting their identities with personal and financial monitoring and recovery tools to help keep their identities personal and secured.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Service Provider [24]7.ai Breached, Leaking Customer Data from Delta Airlines, Sears, Kmart, and Best Buy appeared first on McAfee Blogs.

Teen Gaming, Cybersecurity Specialist Training

Many of us parents have a love/hate relationship with teen gaming. While it seems to cast a spell over many kids and lure them into a trance, gaming does provide some quite welcome ‘time-out’ for all family members! But I can honestly say that in my household, disputes over allocated ‘Xbox’ time would be by far the most common variety. And they can drive me insane!!

Now new research from McAfee may just get me rethinking my often negative attitude to gaming. The Winning The Game report investigates the key challenges facing the IT Security industry in the ongoing fight against cyber threats. Just under 1000 cybersecurity managers across the US, UK, Germany, Singapore, Australia and Japan took part in the research which found that gamers may play a very big role in keeping cybercriminals at bay!

The Cybersecurity Skills Shortage

Worldwide the cybersecurity industry currently has a zero-percent unemployment rate. Many experts predict that this will remain the case until at least 2021. While this is great if you are job hunting, it isn’t great news for Government departments, corporations and businesses. The increasing number of cyberattacks means these organisations are struggling to find cybersecurity professionals to help deal with these threats. Which is ultimately putting a lot of us at risk.

In addition to the skills shortage, many IT professionals believe cybersecurity defences are under unprecedented levels of attack. With malware, ransomware, sophisticated advanced threats and modes of attack, many professionals see the cyberthreat landscape as more complex than ever. Nearly half of the cybersecurity professionals who participated in the survey expressed concern that they will find it difficult or impossible to keep up with the increase and/or complexity of threats over the next year.

So, amid these constantly evolving cyberthreats the pressure is on to find a solution to the skills crisis.

Gamers Could Be the Answer

Well apparently the long list of skills gamers acquire while learning their craft are precisely those required by cybersecurity professionals. Whether it’s cracking systems, avoiding counter attacks or deciphering codes, these talents are very easily transferrable to a security professional role.

Many of us parents might struggle to believe that the hours our teens have spent playing games could in fact have set them up for a career in cybersecurity. But the skills learnt during these ‘training’ hours – including understanding how to approach adversaries, perseverance and logic – are exactly what sets gamers apart ‘from the pack’. The statistics from the report confirm that.

  • Almost all respondents to the survey (92%) believe that gamers possess skills that make them well-suited to a career in cybersecurity. Further, they provide a fresh outlook compared to traditional cybersecurity hires.
  • 72% of respondents agreed that hiring experienced video gamers into their IT departments is a good way of plugging the cybersecurity skills gap.
  • 75% of respondents said they would consider hiring gamers even if they had no prior cybersecurity experience or training.

It’s clearly time to change our perspective, parents!

Everything in Moderation, Kids!

Whether you decide to share this information with your offspring or not, this research is clearly compelling. However, don’t think for a minute that I am suggesting a 24/7 game fest. No, no, no! Time limits, input into/supervision of game purchases and respectful online gaming behaviour still apply!

And please keep an eye out for any signs of addiction. We all know how children’s mood and behaviour can change after lengthy periods in front of a screen. But if you think your child’s interest has gone beyond enthusiasm and that there may be an issue, work through this checklist for gaming addiction. If required, please seek professional help.

Where to From Here?

In my house, nothing will change. There will still be no gaming Monday to Friday, and pre-agreed time limits will still apply. And I’m just wondering how long I can keep this information away from my four boys? Because as soon as they find out, I will be accused of ruining their prospective cybersecurity careers with my strict regime! How dare I!

Take care,

Alex x

The post Teen Gaming, Cybersecurity Specialist Training appeared first on McAfee Blogs.

Cyber Security Roundup for March 2018

In the wake of the global political fallout over the Salisbury nerve agent attack, there are reports of a growing threat of Russian state or Russian state-affiliated hacking groups conducting cyber attack reprisals against UK organisations. Government officials have directly warned bosses at electricity, gas and water firms, Whitehall departments and NHS hospitals to prepare for a state-sponsored cyber assault.


Large-scale data breaches were disclosed with Under Armour’s Fitness App MyFitnessPal (1.5 million personal records compromised), Orbitz (880k payment cards at risk), and at a Walmart partner (1.3 million personal records compromised). The latter was caused when an AWS S3 bucket holding a Walmart database was left with open access, which isn't the first time a cloud service misconfiguration has caused a major data breach.

TalkTalk was warned about its website’s poor security after a hacker known as 'B' disclosed a cross-site scripting vulnerability on the talktalk.co.uk website to Sky News. TalkTalk was given a record £400,000 fine by the Information Commissioner's Office following a major website breach in October 2015, in which 157,000 customer details were stolen. The company was also told to "be more diligent and more vigilant" and was fined a further £100,000 after data belonging to 21,000 customers was exposed to "rogue" staff at an Indian call centre.

GitHub survived the largest DDoS attack ever recorded, which peaked at a massive 1.35 terabytes of data per second, thanks to Akamai DDoS protection.

UK schools were warned they were soft targets for cybercriminals. Experts believe many schools are ill-equipped to prevent cyber thefts, with sensitive data such as children’s medical records said to be lucrative on the dark web. There have been a number of security incidents disclosed involving UK schools in recent months.

Gwent Police are facing scrutiny by the Information Commissioner's Office for not informing 450 people that hackers may have accessed their personal information, after discovering the breach over a year ago.

A hacker alleged to be behind a gang that ran the Carbanak and Cobalt bank-targeting malware has been arrested. The gang is reported to be responsible for the theft of up to billion euros through bank transfers and from cash machines, from over 100 banks since 2013.


MyFitnessPal, Panera Bread, Saks Fifth Avenue: What to Know About the Recent Data Breaches

This blog has been updated as of 4/4.

Practically everything has become digitized in 2018. We’ve developed thousands of health apps and gadgets to help monitor our fitness, implemented online ordering services for restaurants, the list goes on. And just this past week – two of these very innovations have been breached for customer data, as well as two traditional brick-and-mortar sites. MyFitnessPal, Panera Bread, and Saks Fifth Avenue and Lord & Taylor have all been faced with data breaches, which have compromised millions of customers.

Let’s start with MyFitnessPal. Just last week, it was revealed that 150 million accounts for the health app and site were breached. As of now, few details have emerged about how the attack happened or what the intention was behind it. While the breach did not compromise financial data, large troves of other personal information were affected. The impacted information included usernames, email addresses, and hashed passwords.

MyFitnessPal, which is a subsidiary of Under Armour, has notified affected customers of the breach (see below), and Under Armour has released an official statement making the public aware of the attack as well.

Then there’s Panera Bread. The popular food chain actually leaked customer data on their website in plain text. This data includes names, email addresses, home addresses, birth dates and final four credit card digits. It’s not clear whether anyone malicious actually accessed any of this data yet, which was supplied by customers who had made online accounts for food delivery and other services. What’s more – a security researcher first flagged this error to Panera Bread eight months ago, which did not acknowledge it until just now. And though the initial number of impacted users was said to be fewer than 10,000 customers, security reporter Brian Krebs estimates that as many as 37 million Panera members may have been caught up in the breach.

Finally there’s Saks Fifth Avenue and Lord & Taylor. A group of cybercriminals has obtained more than five million credit and debit card numbers from customers of the two high-end clothing stores. It appears this data was stolen using software that was implanted into the cash register systems at brick-and-mortar stores and siphoned card numbers.

So, for the millions of affected MyFitnessPal, Panera Bread, and Saks and Lord & Taylor customers, the question is – what next? There are a few security steps these users should take immediately. Start by following these pointers below:

  • Change your password immediately. If you are a MyFitnessPal or Panera Bread customer, you should first and foremost change the password to your account. Then, you should also change your password for any other account on which you used the same or similar information used for your MyFitnessPal or Panera Bread account.
  • Stay vigilant. Another way cybercriminals can leverage stolen emails is by using the list for phishing email distribution. If you see something sketchy or from an unknown source in your email inbox, be sure to avoid clicking on any links provided. Better to just delete the email entirely.
  • Set up an alert. If you know there’s a chance your personal data has been compromised, place a fraud alert on your credit so that any new or recent requests undergo scrutiny. This also entitles you to extra copies of your credit report so you can check for anything suspicious. If you find an account you did not open, report it to the police or Federal Trade Commission, as well as the creditor involved so you can close the fraudulent account.
  • Consider an identity theft protection solution. With these breaches, consumers are faced with the possibility of identity theft. McAfee Identity Theft Protection allows users to take a proactive approach to protecting their identities with personal and financial monitoring and recovery tools to help keep their identities personal and secured.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

 

The post MyFitnessPal, Panera Bread, Saks Fifth Avenue: What to Know About the Recent Data Breaches appeared first on McAfee Blogs.

The Tortoise and The Hare Part II: May 25th is a Friday, or Great Data Protection Rocks even after Memorial Day

At one point in my career, I was responsible for launching massive websites.  We’d talk about when and how we flip the switch to launch the new website.  At least once during every project someone would ask me who got to flip the switch, as though we would have a dignitary (or them?) do it.  But depending on the year, the flipping on of a website was handled through technology and not very dramatic and not with the fanfare the non-technologists hoped for. (Dimming lights? Fireworks?  It was New York and it was publishing, so there was often beer and wine and maybe T-shirts after, but everyone went home and slept.)

And now we have May 25th coming around the corner. The other day, I got a picture in a text from a colleague of a can of sardines.  It took me a minute to realize the expiration was May 25.  So, other than the sardines, what happens?  Are we done?

First the bad news:  We won’t ever be done.  GDPR requires constant diligence for its principles, recurring reviews of the processes we’ve built; ongoing use of Data Processing Impact Assessments; vigilance on how we process, store, transfer, use personal data; communications with our customers; new contractual language and new things to negotiate; ongoing discussions around security and what is appropriate.  And of course, the biggest question: What will the data regulators do?  Will there be an immediate fine? (My bet is no.)

But now the good news: If you’ve been doing this right and have managed to focus on the concepts of Great Data Protection Rocks and a culture of security, the following things may have happened:

  • You have a much better idea of what data you have, where it is stored, who can get to it, and how it gets used. Hopefully you have deleted some data and have additional automated processes to delete data when it ceases to be needed.
  • You have processes in place to replace things that were being done on the fly. Maybe there’s some documentation and someone officially designated to help with the processes.
  • You know who your vendors are, and more about your high-risk and cloud vendors.
  • You have determined what needs securing and made sure you are securing it “appropriately.”
  • You’ve got a team of people who understand data protection and GDPR – maybe some new friends and some new project partners. A few of them may not have bought in completely (the people who were “voluntold” to help), but just wait.  Something often  seems to happen in the doubter’s personal life that makes them get it – and big time.  Real examples:  Mortgage application reveals massive identity theft that needs to be fixed or they lose the house; soccer coach sends kid’s medical condition info to the whole team’s parents; intern (not at McAfee!) sends spreadsheet of fraternity members’ contact info, but it also contained everyone’s grade-point average.

Perhaps most importantly, your company now has momentum around doing the right thing regarding data protection.  And May 25th will come – too soon, not soon enough, or both! – and the lights won’t dim but there might be T-shirts.

It would be easy to forget GDPR’s lessons. In the United States, Monday, May 28th, is Memorial Day, and we pull out summer clothes, take off to mark the start of summer, and remember our heroes.  But on that Monday and Tuesday and every day after, Great Data Protection will still Rock, and we will still need to look at data, how it’s used, and how our culture can protect it. Just maybe throw out the sardines if they don’t get eaten beforehand (or leave them on the doubter’s desk as a joke).

The information provided on this GDPR page is our informed interpretation of the EU General Data Protection Regulation, and is for information purposes only and it does not constitute legal advice or advice on how to achieve operational privacy and security. It is not incorporated into any contract and does not commit promise or create any legal obligation to deliver any code, result, material, or functionality. Furthermore, the information provided herein is subject to change without notice, and is provided “AS IS” without guarantee or warranty as to the accuracy or applicability of the information to any specific situation or circumstance. If you require legal advice on the requirements of the General Data Protection Regulation, or any other law, or advice on the extent to which McAfee technologies can assist you to achieve compliance with the Regulation or any other law, you are advised to consult a suitably qualified legal professional. If you require advice on the nature of the technical and organizational measures that are required to deliver operational privacy and security in your organization, you should consult a suitably qualified privacy professional. No liability is accepted to any party for any harms or losses suffered in reliance on the contents of this publication.

The post The Tortoise and The Hare Part II: May 25th is a Friday, or Great Data Protection Rocks even after Memorial Day appeared first on McAfee Blogs.

#DeleteFacebook: Do You Really Need To?

Is it time to #deleteFacebook? Facebook’s long line of dramas has many of us rethinking our dependence on Mark Zuckerberg’s largest social media platform. While many of us were alarmed at the fake news allegations last year, the recent scandal with Cambridge Analytica has us genuinely spooked and now asking ourselves this question.

The fact that Facebook allowed British data analysis firm Cambridge Analytica to tap the Facebook profiles of more than 50 million users without their knowledge has many of us questioning both our – and our children’s – relationship with the social media platform. How compromised is our privacy? What’s really happening with our data? Is our every online move really being monitored?

The immediate reaction of many is to delete their Facebook accounts and insist their kids do the same. When news broke of the Cambridge Analytica scandal, the #deleteFacebook hashtag trended heavily on Twitter. Many high profile tech types deleted their personal and business Facebook accounts and, consequently, drove the Twittersphere into a frenzy.

To #DeleteFacebook Or Not To #DeleteFacebook?

But many of us can’t really afford to be idealists. Some of us run online businesses and rely heavily on Facebook. Others use Facebook for our jobs. Many of us (and our kids) use Facebook to run our social lives – organise events and parties, remember birthdays and stay in touch with friends and family across the world. And for nearly all of us, it is our digital scrapbook that preserves our important life events, shared moments and memories. In short, we would be lost without it.

While the black and white idealist in me absolutely agrees that we should delete Facebook, the realist in me acknowledges that life is often lived in the shades of grey. Facebook has spent more than a decade making itself a deeply entrenched part of our modern society. Saying farewell to this part of your life is a decision that I believe many of us would find almost impossible to make.

So, while deleting Facebook from your online life is the most drastic way of protecting your data, there are steps you can take to keep your account more secure and your personal information more private. Here are my top recommendations:

  1. Set up new logins for each app you are using.

    Setting up a new login and password for each app you’re using is a great way to protect yourself and your data online. Login may take fractionally longer but it will help ensure your data is not shared between different services.

  2. Review your third party apps – the ones you joined using Facebook.

    Facebook has made it just so easy for us to download apps using our Facebook settings that many of us have acquired quite the collection of apps. The problem is that Facebook provides these apps with our data including our name, location, email or even our friends list. So, review these apps, people! Not sure where to start? Go to Settings > Apps > Logged in with Facebook and remove anything that doesn’t absolutely need access to your Facebook profile. You will still have to contact the app developer to ensure they have deleted the data they already have gathered on you. Tedious but worth it!

  3. Don’t overshare on social media.

    Oversharing online gets many of us including our kids into trouble and allows cybercriminals and ‘data analysis types’ the ability to form an accurate picture of us very quickly! Being conscious of what is publicly available from your social media profiles is essential. Ensure every member of the family knows to NEVER share their telephone number, address or details of their school online. Also rethink whether you really want your relationship status made public, or the city of your birth.

  4. Cull your Friends list.

    The Cambridge Analytica scandal should provide us all with a reality check about how we manage online friends. In 2015, an app entitled ‘this is your digital life’ was developed by Cambridge Professor Dr Aleksandr Kogan and then downloaded by 270,000 users. Those who opted in allowed the app access to their information – including their friends – which then gave Kogan access to the data of over 50 million Facebook users. Facebook have reportedly since changed their terms of service and claim app developers can no longer access this detail, or at least, not at the same level of detail. So, go through your friend list and delete those you barely know or who were just passing acquaintances. Do you really want to share your personal or family updates with these people?

  5. Choose a different social media platform to connect to apps.

    If an app lets you choose which account you use to login, pick one which holds limited data about its users. Twitter could be a good choice as it tends to hold less personal information about you.

And while I salute those who are bold enough to #deleteFacebook and insist their kids do so, I know that it isn’t for me. I choose to stay. I’ll navigate my way around the risks and flaws, so I can enjoy the upside – belonging to my community, keeping my job and adding to my digital scrapbook.

Till next time,

Alex x

The post #DeleteFacebook: Do You Really Need To? appeared first on McAfee Blogs.

Don’t Get Duped: How to Spot 2018’s Top Tax Scams

It’s the most vulnerable time of the year. Tax time is when cyber criminals pull out their best scams and manage to swindle consumers — smart consumers — out of millions of dollars.

According to the Internal Revenue Service (IRS), crooks are getting creative and putting new twists on old scams using email, phishing and malware, threatening phone calls, and various forms of identity theft to gain access to your hard earned tax refund.

While some of these scams are harder to spot than others, almost all of them can be avoided by understanding the covert routes crooks take to access your family’s data and financial accounts.

According to the IRS, the con games around tax time regularly change. Here are just a few of the recent scams to be aware of:

Erroneous refunds

According to the IRS, schemes are getting more sophisticated. By stealing client data from legitimate tax professionals or buying social security numbers on the black market, a criminal can file a fraudulent tax return. Once the IRS deposits the tax refund into the taxpayer’s account, crooks then use various tactics (phone or email requests) to reclaim the refund from the taxpayer. Multiple versions of this sophisticated scam continue to evolve. If you see suspicious funds in your account or receive a refund check you know is not yours, alert your tax preparer, your bank, and the IRS. To return erroneous refunds, take these steps outlined by the IRS.

Phone scams

If someone calls you claiming to be from the IRS demanding a past due payment in the form of a wire transfer or money order, hang up. Imposters have been known to get aggressive and will even threaten to deport, arrest, or revoke your license if you do not pay the alleged outstanding tax bill.

In a similar scam, thieves call potential victims posing as IRS representatives and tell them that two certified letters were previously sent and returned as undeliverable. The callers then threaten arrest if the victim does not immediately pay through a prepaid debit card. The scammer also tells the victim that the purchase of the card is linked to the Electronic Federal Tax Payment System (EFTPS).

Note: The IRS will never initiate an official tax dispute via phone. If you receive such a call, hang up and report the call to the IRS at 1-800-829-1040.

Robo calls

Baiting you with fear, scammers may also leave urgent “callback” requests through prerecorded phone robot calls, or robo calls, or through a phishing email. Bogus IRS robo calls often politely ask taxpayers to verify their identity over the phone. These robo calls will even alter caller ID numbers to make it look as if the IRS or another official agency is calling.

Phishing schemes

Be on the lookout for emails with links to websites that ask for your personal information. According to the IRS, thieves now send very authentic-looking messages from credible-looking addresses. These emails coax victims into sharing sensitive information or contain links to malware that collects data.

To protect yourself, stay alert and be wary of any emails from financial groups or government agencies. Don’t share any information online, via email, phone or by text. Don’t click on random links sent to you via email. Once that information is shared anywhere, a crook can steal your identity and use it in different scams.

Human resource/data breaches

In one particular scam, crooks target human resource departments. In this scenario, a thief sends an email from a fake organization executive. The email is sent to an employee in the payroll or human resources departments, requesting a list of all employees and their Forms W-2. This scam is sometimes referred to as business email compromise (BEC) or business email spoofing (BES).

Using the collected data, criminals then attempt to file fraudulent tax returns to claim refunds. Or, they may sell the data on the Internet’s black market sites to others who file fraudulent tax returns or use the names and Social Security Numbers to commit other identity theft related crimes. While you can’t personally avoid this scam, be sure to inquire about your firm’s security practices and try to file your tax return early every year to beat any potentially false filing. Businesses/payroll service providers should file a complaint with the FBI’s Internet Crime Complaint Center (IC3).

As a reminder, the IRS will never:

  • Call to demand immediate payment over the phone, nor will the agency call about taxes owed without first having mailed you several bills.
  • Call or email you to verify your identity by asking for personal and financial information.
  • Demand that you pay taxes without giving you the opportunity to question or appeal the amount they say you owe.
  • Require you to use a specific payment method for your taxes, such as a prepaid debit card.
  • Ask for credit or debit card numbers over the phone or e-mail.
  • Threaten to immediately bring in local police or other law-enforcement groups to have you arrested for not paying.

If you are the victim of identity theft, be sure to take the proper reporting steps. If you receive any unsolicited emails claiming to be from the IRS, forward them to phishing@irs.gov (and then delete the emails).

This post is part II of our series on keeping your family safe during tax time. To read more about helping your teen file his or her first tax return, here’s Part I.

Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her on Twitter @McAfee_Family. (Disclosures). 

The post Don’t Get Duped: How to Spot 2018’s Top Tax Scams appeared first on McAfee Blogs.

Travel Agency Orbitz Hit with Data Breach, 880,000 Payment Cards Affected

We all love a good getaway, and as we look ahead to spring and summer, most of us are already planning our next vacation. To do that, we’ll tap one of the many online travel agencies out there to help us organize our plans. Only now, some travel-goers may have to stop trip planning so they can start planning for credit monitoring, as one of the most popular travel agencies, Orbitz.com, was hit with a data breach that may have exposed as many as 880,000 payment cards.

The online travel agency reported two separate data disclosures, as an attacker may have accessed customers’ personal information shared on Orbitz.com and a handful of associated websites between Jan. 1, 2016 and Dec. 22, 2016.

What’s more – in addition to the payment cards, hackers may have also stolen customers’ full name, date of birth, phone number, email address, physical and/or billing address and gender information. Now, with all this personal information potentially out in the open, it’s important affected customers start thinking about protecting their personal identities. To do just that, follow these tips:

  • Regularly review your online account info. Things like regularly reviewing transactions online and making sure account contact info hasn’t changed are good for keeping tabs on anyone trying to hijack your account.
  • Set up an alert. If you know there’s a chance your personal data has been compromised, place a fraud alert on your credit so that any new or recent requests undergo scrutiny. This also entitles you to extra copies of your credit report so you can check for anything suspicious. If you find an account you did not open, report it to the police or Federal Trade Commission, as well as the creditor involved so you can close the fraudulent account.
  • Consider an identity theft protection solution. With this breach and others before it, consumers are faced with the possibility of identity theft. McAfee Identity Theft Protection allows users to take a proactive approach to protecting their identities with personal and financial monitoring and recovery tools to help keep their identities personal and secured.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Travel Agency Orbitz Hit with Data Breach, 880,000 Payment Cards Affected appeared first on McAfee Blogs.

How prepared is your business for the GDPR?

The GDPR is the biggest privacy shakeup since the dawn of the internet and it is just weeks before it comes into force on 25th May. GDPR comes with potentially head-spinning financial penalties for businesses found not complying, so it really is essential for any business which touches EU citizens' personal data to thoroughly do their privacy rights homework and properly prepare.

Sage have produced a nice GDPR infographic which breaks down the basics of the GDPR with tips on complying, which is shared below.

I am currently writing a comprehensive GDPR Application Developer's Guidance series for IBM developerWorks, which will be released in the coming weeks.


The GDPR: A guide for international business - A Sage Infographic

GDPR Material and Territorial Scopes

The new EU General Data Protection Regulation will enter into force on 25 May of this year. The GDPR contains rules concerning the protection of natural persons when their personal data are processed and rules on the free movement of personal data. The new regulation is not revolutionary but an evolution from the previous Data Protection Act 1998 […]

Cyber Security Roundup for January 2018

2018 started with a big security alert bang after Google Security Researchers disclosed serious security vulnerabilities in just about every computer processor in use on the planet. Named 'Meltdown' and 'Spectre’, when exploited by a hacker or malware, these vulnerabilities disclose confidential data. As a result, a whole raft of critical security updates was hastily released for computer and smartphone operating systems, web browsers, and processor drivers. While processor manufacturers have been rather lethargic in reacting and producing patches for the problem, software vendors such as Microsoft, Google and Apple have reacted quickly, releasing security updates to protect their customers from the vulnerable processors, kudos to them.

The UK Information Commissioner's Office (ICO) heavily criticised the Carphone Warehouse for security inadequacies and fined the company £400K following their 2015 data breach, when the personal data, including bank details, of millions of Carphone Warehouse customers was stolen by hackers, in what the company at the time described as a "sophisticated cyber attack". Where have we heard that excuse before? Certainly the ICO wasn't buying that after it investigated, reporting a large number of Carphone Warehouse's security failures, which included the use of software that was six years out of date; lack of “rigorous controls” over who had login details to systems; no antivirus protection running on the servers holding data; the same root password being used on every individual server, which was known to “some 30-40 members of staff”; and the needless storage of full credit card details. The Carphone Warehouse should thank their lucky stars the breach didn't occur after the General Data Protection Regulation comes into force, as with such a damning list of security failures, the company may well have been fined considerably more by the ICO, which is granted vastly greater financial sanctions and powers when the GDPR kicks in in May.

The National Cyber Security Centre warned the UK national infrastructure faces serious nation-state attacks, stating it is a matter of "when" not "if". There were also claims that the cyberattacks against the Ukraine in recent years were down to Russia testing and tuning its nation-state cyberattacking capabilities.

At the Davos summit, the Maersk chairman revealed his company spent a massive £200m to £240m on recovering from the recent NotPetya ransomware outbreak, after the malware 'totally destroyed' the Maersk network. That's a huge price to pay for not regularly patching your systems.

It's no surprise that cybercriminals continue to target cryptocurrencies given the high financial rewards on offer. The most notable attack was a £290k cyber-heist from BlackWallet, where the hackers redirected 700k BlackWallet users to a fake replica BlackWallet website after compromising BlackWallet's DNS server. The replica website ran a script that transferred user cryptocurrency into the hacker's wallet, the hacker then moved currency into a different wallet platform.

In the United States, the Federal Trade Commission (FTC) fined toy firm VTech US$ 650,000 (£482,000) for violating US children's privacy law. The FTC alleged the toy company violated the Children's Online Privacy Protection Rule (COPPA) by collecting personal information from hundreds of thousands of children without providing direct notice.

It was reported that a POS malware infection at Forever21 and lapses in encryption were responsible for the theft of debit and credit card details from Forever21 stores late last year. Payment card data continues to be a highly valued target for cyber crooks with sophisticated attack capabilities, who are willing to invest considerable resources to achieve their aims.

Several interesting cybersecurity reports were released in January. The Online Trust Alliance Cyber Incident & Breach Trends Report: 2017 concluded that cyber incidents doubled in 2017 and 93% were preventable. Carbon Black's 2017 Threat Report stated non-malware-based cyber-attacks were behind the majority of cyber-incidents reported in 2017, despite the proliferation of malware available to both professional and amateur hackers. Carbon Black also reported that ransomware attacks are inflicting significantly higher costs and the number of attacks skyrocketed during the course of the year, no surprise there.

Malwarebytes 2017 State of Malware Report said ransomware attacks on consumers and businesses slowed down towards the end of 2017 and were being replaced by spyware campaigns, which rose by over 800% year-on-year. Spyware campaigns not only allow hackers to steal precious enterprise and user data but also allow them to identify ideal attack points to launch powerful malware attacks. The Cisco 2018 Privacy Maturity Benchmark Study claimed 74% of privacy-immature organisations were hit by losses of more than £350,000, and companies that are privacy-mature have fewer data breaches and smaller losses from cyber-attacks.

Cyber Security Roundup for December 2017

UK supermarket giant Morrisons lost a landmark data breach court case in December. After a disgruntled Morrisons employee had stolen and posted the personal records of 100,000 co-workers online, the supermarket chain was held liable for the data breach by the UK High Court. The High Court ruling now allows those affected to claim compensation for the "upset and distress" caused. Morrisons said it believed it should not have been held responsible and would be appealing against the decision. If the appeal is lost it could open up the possibility of further class action lawsuits by individuals. Pending the GDPR becoming law in May 2018, such a court ruling sets a legal precedent for individuals to claim damages after personal data losses by companies through the courts as well. After May 2018, the GDPR grants individuals the right to sue companies for damages following personal data breaches. So we can expect 'ambulance chaser' lawyers to pick up on this aspect of the GDPR, with class action lawsuits following data breaches; it could well become the new "P.P.I. industry".

Any businesses or individuals using Kaspersky should be aware the UK National Cyber Security Centre has warned government agencies against using the Russian supplier’s products and services, which follows a ban by US government departments in November. Barclays responded to the warning by stopping their free offering of Kaspersky anti-virus products to its customers. 2017 saw Cyber Security become a political football, so it is no real surprise that the UK and US once again blamed North Korea for the devastating WannaCry attacks earlier in the year. Personally, I blame poor patch management and hackers, not the North Korea cyber army!

Nadine Dorries MP got herself in hot water after trying to defend now former political colleague Damian Green, following claims that Mr. Green accessed porn on his Parliament computer. This activity was reported by a retired Police officer, which was said to be a breach of the data protection act. Nadine tweeted "my staff log onto my computer on my desk with my login everyday" to suggest anyone could have used Damian Green's PC to access the illicit websites. This led to widespread condemnation and a warning by the ICO to MPs on password sharing.

The fact illicit websites were not blocked by Parliament systems is one concerning security issue, but the flagrant disregard for basic cybersecurity by government MPs is gobsmacking, especially when you consider they are supposed to be understanding the risk and setting laws to protect UK citizens from cyber attacks and data breaches. It's another "slap palm on head" after the last UK Prime Minister announced he wanted to ban encryption.

2017 has seen huge rises in cryptocurrency values, which has placed cryptocurrency brokers and user crypto coin wallets in the sights of cybercriminals. This month mining platform NiceHash was breached by hackers, who stole £51 million worth of Bitcoin, and Bitcoin exchange Youbit, which lets people buy and sell Bitcoins and other virtual currencies, shut down and filed for bankruptcy after losing 17% of its assets in the cyber-attacks. I think we can expect further cryptocurrency attacks in 2018 given the cryptocurrency bubble is yet to burst.

Faked LinkedIn profiles are nothing new, however, the German Intelligence Agency (BfV) said it had spotted China were using faked LinkedIn profiles to connect with and gather information on German officials and politicians, which is an interesting development.

Finally, hackers were reported as taking advantage of poorly secured systems at UK private schools, and it was claimed hackers could turn off heating systems at UK schools and military bases.

Cyber Security Roundup for November 2017

One of the most notable data breaches disclosed this month was by Uber, given the company attempted to cover up the breach by paying off hackers. Over a year ago the transport tech firm was said to have paid £75,000 to two hackers to delete 57 million Uber account records which they had stolen. Uber revealed around 2.7 million of the stolen records were British riders and drivers. As a UK Uber rider, this could mean me, I haven't received any notification of the data breach from Uber as yet. The stolen information included names, email addresses, and phone numbers. Uber can expect enforcement action from regulators on both sides of the pond, the UK Information Commissioner's Office (ICO) said it had "huge concerns" about the breach and was investigating.

Jewson, Cash Converters, and Imgur all reported losing data due to hacks this month, while Equifax has reported suffering significant negative financial losses following their high profile hack of personal customer data. Equifax reported their net income had dropped by £20 million due to the hack, and their breach bill was coming in at a whopping £67 million.

November was a very busy month for security patch releases, with Microsoft, Apple, Adobe, Oracle, Cisco and Intel releasing a raft of patches to fix critical vulnerabilities. Apple even had to quickly release an emergency patch at the end of November to fix a root access flaw reported in macOS High Sierra version 10.13.1. So just keep patching everything IT to ensure you and your business stay ahead of enterprising cybercriminals; the Equifax breach is a prime example of what can go wrong if system patching is neglected.

November also saw the Open Web Application Security Project (OWASP) finally release an updated version of its Top Ten application vulnerabilities list, which is a ‘must know’ secure coding best practice for all software developers and security testers, especially considering that Akamai reported web application attacks had increased by 69% in the third quarter of 2017. Look out for an updated OWASP Top Ten IBM DeveloperWorks Guidance from me in December to reflect the updated list.

Science of CyberSecurity: Latest Cyber Security Threats

As part of a profile interview for Science of Cybersecurity I was asked five questions on cyber security last week, here's question 5 of 5.

Q. What keeps you up at night in the context of the cyber environment that the world finds itself in?
The growing dependence and integration of connected computers within our daily lives means we are embarking on an era where cyber attacks will endanger our lives. Networked and complex IT systems are inherently insecure, meaning it is open season for nation-states, cyber terrorists and the curious to attack these life-integrated emerging technologies, from driverless cars to countless new home IoT devices. I fear it will only be a matter of time before a cyber attack causes human harm or even loss of life. The impact of the recent NHS ransomware attack serves as a warning; this cyber attack directly caused the closure of accident and emergency departments and the cancellation of operations. The future threats posed by artificial intelligence and quantum computing are also growing concerns for cyber security, and well worth keeping an eye on as these technologies continue to progress.

What is Data Privacy and why is it an important issue?

The question of whether privacy is a fundamental right is being argued before the honorable Supreme Court of India. It is a topic to which a young India is waking up. Privacy is often equated with Liberty, and young Indians want adequate protection to express themselves.

Privacy according to Wikipedia is the ability of an individual or group to seclude themselves, or information about themselves, and thereby express themselves selectively. There is little contention over the fact that privacy is an essential element of Liberty and the voluntary disclosure of private information is both part of human relationships and a digitized economy.

The reason for debating data privacy is due to the inherent potential for surveillance and disclosure of electronic records which constitute privacy such as sexual orientation, medical records, credit card information, and email.

Disclosure could take place due to wrongful use and distribution of the data, such as for marketing, surveillance by governments or outright data theft by cyber criminals. In each case, a cybercitizen's right to disclose specific information to specific companies or people, for a specific purpose, is violated.

Citizens in western countries are legally protected through data protection regulation. There are eight principles designed to prevent unauthorized use of personal data by government, organizations and individuals:

  • Lawfulness, Fairness & Transparency: Personal data need to be processed based on the consent given by data subjects. Companies have an obligation to tell data subjects what their personal data will be used for. Data acquired cannot be sold to other entities, say, marketers.
  • Purpose limitation: Personal data collected for one purpose should not be used for a different purpose. If data was collected to deliver an insurance service, it cannot be used to market a different product.
  • Data minimization: Organizations should restrict collection of personal data to only those attributes needed to achieve the purpose for which consent from the data subject has been received.
  • Accuracy: Data has to be collected, processed and used in a manner which ensures that it is accurate. A data subject has the right to inspect and even alter the data.
  • Storage limitation: Personal data should be collected for a specific purpose and not be retained for longer than necessary in relation to this purpose.
  • Integrity and confidentiality: Organizations that collect this data are responsible for its security against data thefts and data entry/processing errors that may alter the integrity of data.
  • Accountability: Organizations are accountable for the data in their possession.
  • Cross Border Personal Information Requirements: Personal information must be processed and stored in a secured environment, which must be ensured if the data is processed outside the border of the country.

It is important for cybercitizens to understand their privacy rights particularly in context of information that can be misused for financial gain or to cause reputational damage.