Category Archives: data protection

What CES Can Show Us About Evolving Consumer Security Needs: A Timeline

Appropriately dubbed the ‘Global Stage for Innovation,’ it’s no wonder CES showcases the most cutting-edge consumer technologies coming out in the year ahead. No topic is off the table; Attendees will learn more about connected homes, smart cities and self-driving cars, try out shiny new digital health wearables, headsets, and other connected tech, explore AI-driven technologies, and so much more.

Although events like CES showcase breakthrough technologies, interestingly, they also highlight how rapidly new technology is replaced with the next new thing. The rate at which we are treading on new ground is shifting exponentially, and what we see at CES this January might be obsolete in just a few years.

This rapidly changing technological landscape poses a significant predicament to consumers, a ‘digital dilemma’ if you will: as new technologies accelerate and IoT devices that house them progress, new challenges arise with them. This is particularly the case when it comes to security and privacy. And, just as security and products change and adapt, so do our needs and wants as consumers. Those of a teen differ from those of a parent, from those of a baby boomer, and so on. Let’s see how those needs change over time.

A Digital Life Timeline

2015: The Teen Technologist

Born in the late ‘90s, this teen is an everyday gamer, who loves to play games online with friends. They also love their smartphone, mostly for the access to social media. A teen wouldn’t necessarily be concerned with security, so having a comprehensive system built in is crucial.

2021: The Young Professional

Entering the workforce for the first time, the young professional is finally able to buy the gadgets that were once luxuries. They might have two phones; one for work and a personal device. Additionally, they are bringing more connected devices into their home, so the need for a secure home network has become obvious. They are also always on the go and having to connect to public Wi-Fi, so a Virtual Private Network (VPN) should be considered.

2032: The Concerned Parent

Fast forward almost ten years, the young professional has become a worrying parent. Their kids are spending too much time on screens. Having a way to monitor what they are doing on the internet and limit their time online is crucial, and an application that could  provide parental controls would be welcomed. Also, as they bring larger, more connected devices into the home, like smart refrigerators and thermostats, they are excited about a platform that will bake in security through a home network.

2038: The Brand Loyalists

The concerned parent has found devices they like and those they do not like. But more importantly, they have found brands they love, and they may continue to purchase from to bring the latest technology into their family’s lives. A comprehensive security system that covers all types of devices is exactly what they would need to keep a layer of protection

2045: The Unacquainted User

At this point in a digital journey, our user has stopped keeping up with trends because things have changed so much. Almost to the point where they are unwilling to learn new tech, or are untrusting of it all together. But the need to maintain their security and privacy is still top of mind –especially as cybercriminals often prey on this demographic due to being an easy target. A person like this might worry about ransomware, viruses, and identity theft along with protecting their home network.

As you can see, a person’s security and safety needs, desires, and even their devices evolve depending on the moment in which they are within their life. With so much in flux, the last thing anyone wants to think about is security – but with constantly changing technology at an all-time high, it’s safe to bet that threats will evolve to keep pace, and so should the ways in which we protect devices. For these reasons, it’s important to leverage a security partner that will keep this in mind, and will grow with not only our evolving needs, but evolving technology, too.

To learn more about consumer security and our approach to it, be sure to follow us at @McAfee and @McAfee_Home.

The post What CES Can Show Us About Evolving Consumer Security Needs: A Timeline appeared first on McAfee Blogs.

Egress Secures $40 Million Growth Equity Funding Led By FTV Capital.

Egress, a leading provider of data privacy and compliance software designed to secure unstructured data, today announced it has raised $40 million in a Series C financing round led by FTV Capital, with continued participation from existing backer AlbionVC. Egress will use this investment to build on its ongoing rapid growth in Europe and North America, as well as accelerate development of new technology across its data security platform.

A market leader in privacy and risk management, Egress helps enterprises protect unstructured data to meet compliance requirements and drive business productivity. The company’s AI-powered platform enables users to control and secure the data they share in line with evolving compliance regulations, including GDPR, the NYDFS Cybersecurity Regulation (23 NYCRR 500), and the recently-passed California Consumer Privacy Act. Since raising $3.6 million in Series A funding in February 2014, Egress has grown ARR by 9x, acquired over 2,000 customers and now supports more than five million users globally.

Egress customer, the US State of Delaware, has been using the technology to help protect highly sensitive data and manage compliance. “As a regulated US Government State Agency, we recognised the importance of selecting a best-of-breed security partner,” explained Director of Network Engineering Mark Cabry. “Egress understands our complex business requirements and their technical innovation has helped us to maintain privacy and mitigate risk when sharing data across and outside government, leading us to deploy the service state-wide. It is therefore of little surprise that Egress is continuing to gain significant traction throughout the US market.”

Tony Pepper, CEO and co-founder of Egress, commented on the announcement: “Today’s heightened security threats, combined with an increasingly complex regulatory landscape, means that organisations face considerable risk from data breaches, resulting in reputational damage and significant financial loss. At Egress, we help businesses mitigate this risk by wrapping security around the user and managing their experience using machine learning and AI. This risk-based approach helps users avoid potential mistakes, such as sending information to the wrong recipients, and provides security administrators with insight into behavioural anomalies across the business.

“We are delighted to be partnering with FTV as we enter the next phase of our development. A prominent growth equity firm with an impressive track record of helping similar companies in our space to scale rapidly, FTV will bring invaluable strategic expertise to help expand our technical capabilities and business operations into new markets and geographies.”

As part of the transaction, FTV partner Kyle Griswold will join the Egress board of directors. “The need for comprehensive data security systems that help prevent data breaches and maintain compliance has become one of the key strategic priorities for businesses globally,” stated Griswold. “Egress’ user-centric strategy, combined with their use of AI-driven technical innovation, is helping to tackle these challenges head on. Their success in highly regulated markets is evidenced by their rapid growth and exceptional customer retention rates, which make them an ideal partner for FTV and an attractive solution for the financial institutions in our Global Partner Network.

“By partnering with Egress at this point in their journey, FTV will offer strategic support and guidance designed to accelerate growth and capitalise on what is a significant market opportunity, in addition to commercial introductions to our Global Partner Network enterprises.”

Ed Lascelles, partner at AlbionVC, commented: “We look forward to supporting Egress as it enters the next stage of expansion. We have witnessed first-hand how the business has built out an enterprise-grade data security platform from a niche point solution, while growing into new verticals and geographies during the period. The demand for enhanced data security is only going to increase and so we remain excited about the team’s ability to continue delivering rapid growth.”

The post Egress Secures $40 Million Growth Equity Funding Led By FTV Capital. appeared first on IT Security Guru.

From Naughty to NICE: Best Practices for K–12 Cybersecurity Education

In an effort to raise cybersecurity awareness and help both school districts and teachers develop security-based curricula, the National Institute for Cybersecurity Education (NICE), part of the National Institute of Standards and Technology (NIST), hosted two consecutive conferences this fall.

These back-to-back conferences brought experts from industry and academia together to share creative strategies to help educators teach youngsters how to change their “naughty” online behaviors into good cyber hygiene.

The NICE Conference in Miami was held in November, followed by December’s NICE K12 Cybersecurity Education Conference in San Antonio, which introduced some innovative technologies as well as multiple trainings to help schools make students more aware of how to protect themselves online and the many career paths available to them in cybersecurity.

Let the Youth Lead Cybersecurity Education

I had the pleasure of speaking at the NICE K12 Cybersecurity Education conference on how to create a cyber-aware classroom, but my presentation was just one of many and paled in comparison to that of the keynote speaker, Kyla Guru, a 16-year-old high school junior from Illinois who is the founder and CEO of Bits ‘N Bytes Cybersecurity Education (BNBCE), a youth-built nonprofit that provides suggestions for day events and classroom discussions.

Also among Guru’s list of notable cybersecurity education resources are CommonSenseMedia, CodeHS Cybersecurity, Facebook Security Centre and (ISC)2.

In her work over the past few years, Guru has seen that students are increasingly encouraged to take at least one computer science course starting in middle school, and are subsequently guided to pursue the subject with a progression of courses in high school.

Implement Student-Created Curricula

What’s unique about the BNBCE curriculum is that it’s created by youth. The nonprofit offers lessons on encryption, privacy policies, digital citizenship, data breaches, passwords and social engineering, all of which are organized by age group.

“BNBCE also produces animated videos tailored for each school’s core values and principles, as well as conducts outreach events and runs biweekly research-based blog posts on relevant cybersecurity concepts for the classroom. We would love to support schools as they integrate cyber in their classroom discussions,” Guru said.

How to Break Google’s Influence on a Generation

Recognizing that her generation is digitally driven and has been raised to consider “Googling” as sufficient research, Guru said it is critical that the time young people spend using technology as their new medium for discovery and exploration be spent securely and safely so they can learn without limitation.

“K–12 students are by far the greatest consumers of digital information there are. In fact, a recent survey showed that 82 percent of Generation Z shares that Instagram, Snapchat, Buzzfeed and other social media sites are their primary news sources,” Guru said.

Engage Students in Cyber Awareness

In the Cyber Day 4 Girls workshop, hosted by IBM in advance of the NICE K12 Cybersecurity Education conference, young women in grades six through nine had a chance to learn how to protect their online identities and internet-connected devices while working alongside some impressive female role models who are already studying and working in cybersecurity.

Attendees also heard about the defensive hacking curriculum created by IBM and Hacker High School (HHS), and how to infuse ethical hacking skills across the curriculum, which was presented by HHS director Kim Truett.

Learn more about Hacker High School

Industry Professionals: Step Up

Clearly, educators and students alike are doing their part to move the cybersecurity needle forward, but industry leaders also play a critical role in helping to raise cybersecurity awareness and education among today’s youth.

In his presentation to audience members at the Miami conference, Eduardo Cabrera, chief cybersecurity officer at Trend Micro, talked about the need for more partnerships between enterprises and the K–12 sector.

“We have to rethink what we are doing around cybersecurity education, not only from an awareness and hygiene perspective, but also from the perspective of establishing a permanent pipeline of talent from K–12 that feeds into higher education,” Cabrera said.

What would that actually look like, though? According to Cabrera, one model that could work is what has been happening with DevOps. “There is a concept or movement around DevOps that is speeding up the cycle, taking plays out of the playbook of agile development and looking at the partnerships required between operators, developers and testers. These microservices are creating smaller, quicker sprints. We need to move toward a DevOps model of workforce development.”

Rather than operating in silos, all connected parties can work together. “The operators are the industry, developers are educators and the testers are certifying bodies,” Cabrera said.

Teaching cybersecurity is not solely about STEM and technical skills, either, Cabrera said. “Soft skills are becoming equally as important as technical skills. We have a rock-star employee when they can be technical but equally as skilled at communicating and storytelling.”

Cybersecurity isn’t just about defending one’s digital footprint, after all, but is just one piece of a network of protection for the whole person. To teach the best, most complete self-defense is to teach the whole student — not just the computer-savvy parts.

The post From Naughty to NICE: Best Practices for K–12 Cybersecurity Education appeared first on Security Intelligence.

Top 5 Questions to Ask Your Managed Security Services Provider

There is no shortage of spend or need on security services. Gartner has recently predicted that worldwide spend on security products and services will reach $124 billion in 2019. This coupled with

The post Top 5 Questions to Ask Your Managed Security Services Provider appeared first on The Cyber Security Place.

Application Security and Software Development

Due to faster connectivity and the lower barriers to application development with open source software, the amount of applications and data held by organizations has continued to grow. As a

The post Application Security and Software Development appeared first on The Cyber Security Place.

2018 in Cybersecurity Review: What Happened and What the Future Brings (Part 1)

After a year filled with incidents, 2018 brought a host of reveals about the extent of this threat. Then, it quickly became the year of privacy concerns, after an onslaught of major data breaches and the never-ending Cambridge Analytica scandal.

We put together this timeline for a quick overview of what came before, so everyone is better equipped for 2019.

Because we don’t believe in alarmism and scaremongering just for the sake of getting a reaction, we gathered both the good and the bad news of cybersecurity.

We also included a few helpful tips to keep your digital life safe, so scroll on!

January in cybersecurity review

The bad news:

January probably marked the fever pitch of buying cryptocurrencies, as Bitcoin soared to the $20,000 mark. Unfortunately, this also started a forest fire of cyber attacks, with cryptocurrency exchanges getting hacked, users getting scammed, phishing multiplying and so on. Wherever there’s money being traded online, that’s where you’ll find malicious actors trying to turn a profit.

The crypto area proved to be particularly profitable to them and most outlets rushed to it.

hs-How-to-safely-invest-in-digital-currency_BC9917

However, the two big bads of January were Meltdown and Spectre, attacks everyone has heard about by now, as it sent security experts around the world in a full panic.

These two major vulnerabilities were discovered not in online platforms, as usual, but in Intel chips, critical components providing the processing power of most computers in the world. The aptly-named “Meltdown” could let hijackers get into higher-privileged parts in a computer’s memory. The haunting Spectre let them access data from other apps running on the machine. The worst part?

Both of these fundamental vulnerabilities were also present in processors made by companies like AMD and ARM, so they were basically in every computer.

In the following months, chipset makers released various patches and temporary fixes, which slowed down some computers by even 20%.

While news like this usually gets stuck in enthusiast circles, the whole world felt the impact of Spectre and Meltdown, as patches were issued at a breakneck pace and everyone could feel their machines slowing down.

The good news:

On the upside, Google X made the biggest announcement: the Alphabet group, Google’s mother company, debuted Chronicle, its own cybersecurity product that includes the famous VirusTotal service.

It was good news for consumers, as, with Google’s resources and data, perhaps companies would do a better job of keeping user data safe.

However, since then, we’ve not heard much on Chronicle’s cybersecurity efforts. Perhaps in 2019?

Takeaways:

You can’t do anything about flawed systems but that doesn’t mean you shouldn’t take care of yourself. If you’re thinking about investing, especially in cryptocurrencies, following these protection steps is essential.

February in cybersecurity review

The bad news:

2017 was the year of ransomware, with devastating attacks shaking healthcare, transportation, state agencies and businesses both big and small.

February kicked off with a major reveal from the US Government: the Trump administration attributed the devastating NotPetya ransomware attacks of 2017 to Russia. This announcement showed just how far cyberwarfare can go and how many innocent businesses and individuals can get in the crossfire.

hs-New-ransomware-outbreak-combines-attack-vectors-delivers_A40000

For those who weren’t quite as aware of cybersecurity or data protection back then, NotPetya was the most devastating cyber attack in history, crippling essential infrastructure, and services. The White House described said that it “quickly spread worldwide, causing billions of dollars in damage across Europe, Asia, and the Americas. It was part of the Kremlin’s ongoing effort to destabilize Ukraine, and demonstrates ever more clearly Russia’s involvement in the ongoing conflict.”

Even though the White House said that “this was also a reckless and indiscriminate cyberattack that will be met with international consequences,” NotPetya and similar strains continued to show up in 2018, highlighting how unprepared businesses are for this threat.

We wrote more on the topic here and explained why traditional solutions like Antivirus are, due to their nature, simply unable to detect ransomware in time.

The good news:

The good guys took down “Infraud,” a criminal online, arresting and indicting dozens of criminals that dealt in stolen user data, malware, skimmed devices for ATMs and so on.

The criminal marketplace was one of the major Dark Web operations in history, putting to shame even the famous Silk Road. Authorities estimated that, through it, regular Internet users lost a total of up to half a billion USD.

The hackers were arrested en masse through a Homeland Security action coordinated with law enforcement in Australia, Britain, Italy, France, Kosovo, and Serbia. In the world of cybercrime, this win is not a tiny drop in a bucket but a great example of how collaboration and resource sharing can positively make an impact for everyone.

Takeaway:

For ransomware protection, you need more than a simple antivirus. This goes for regular users and doubly so for businesses so that a large-scale attack doesn’t catch so many computers lacking the essential security layers.

March in cybersecurity review

The bad news:

March definitely started off on the wrong foot, with a host of revelations giving headaches to mostly anyone connected to the internet.

First, GitHub revealed that it had survived the biggest DDoS attack ever recorded. The attack saw 1.3 terabits of traffic per second levered against GitHub servers. This time, it wasn’t a huge botnet of devices left unsecured by regular users and hijacked by attackers to do their bidding, but another type of DDoS attack that relied on querying databases responsible for website loading speed. If you want to know more about DDoS and how various attacks work, check out this in-depth explanation.

Then, just a day after the GitHub announcement, Equifax made a chilling announcement once again. Another 2.4 million people were affected by the 2017 Equifax data breach, which meant 2.4 million more people having to go through the headaches involved with credit freezing. There was also a massive UnderArmor data breach with 150 million accounts compromised but, fortunately, that only included information like usernames and emails, not passwords or other highly sensitive data.

Isn’t it concerning that you can say “fortunately only emails were stolen” nowadays, especially when discussing the data of hundreds of millions of people?

The pace of data breaches and reveals has been relentless this year, making users extremely untrusting towards major services (and for good reason!).

Oh, and not to mention that the city of Atlanta, from water management departments to police, was hit by the SamSam ransomware. This was an attack that initially cost $2.6 million to recover from, then the costs went up to $9.5 million once the extent of the damage was properly assessed, even though the ransom was only $52.000.

Just goes to show why ransomware should not be underestimated, especially for organizations that do not have the budget or the awareness required for cyber resilience. *cough, cough, healthcare*

most-common-threats-in-cyber-security

The good news:

On the upside, another major bust happened in March, when the Department of Justice indicted nine hackers for attacking over 300 universities worldwide, 144 of which were based in the UK.

The DOJ revealed that the malicious actors took off with an estimated $3 billion in intellectual property (ebooks, research, various other library resources), stealing 31 terabytes of data and selling it on Megapaper.ir and Gigapaper.ir.

How did the attacks happen? Good old spearphishing. The hackers sent off emails to university professors and other employees, tricking them into handing over their login credentials. And yes, just like with NotPetya and other major operations, these were state-sanctioned hackers.

“For many of these intrusions, the defendants acted at the behest of the Iranian government and, specifically, the Iranian Revolutionary Guard Corps,” said Deputy Attorney General Rosenstein.

Fortunately, as collaboration increases, cybercriminals have a tougher time taking advantage of borders to target other countries, as shown by the outcome of this massive investigation.

Another great news was that the Ghostery ad-blocker went open source, finding a better business model and focusing more on their users’ privacy.

We’re major fans of this service and the announcement couldn’t have made us happier, as Ghostery is now vetted by thousands of developers and provides a really granular control over the ads you’re seeing.

Takeaway:

Beyond using proper security shields against ransomware, to be safe you need to know what you’re up against. The best online protection is knowing how phishing and spearphishing attacks work, so learn how to spot malicious links!

April in cybersecurity review

The bad news:

April kicked off with some bad revelations for Android users. A team of security experts from Security Research Labs took to the Hack in the Box security conference to reveal their project: two years spent reverse engineering Android phones’ operating systems to demonstrate that the makers of those phones hid security patches from users.

“We found several vendors that didn’t install a single patch but changed the patch date forward by several months,” said one of the researchers, who gave an example as well. The Samsung 2016 J3 smartphone showed its owners that it had every available update installed in 2017 but skipped 12 security-critical patches. In an Android landscape filled with malicious apps and too many phishing attacks to count, this reveal certainly didn’t help to assuage fears. The researchers fortunately launched an app to check if your phone lacks critical updates, so we encourage you to use it.

Then, after the Android revelation, another bombshell dropped.

Alexa can turn into a spy device.

Security researchers from Checkmarx demonstrated an attack in which they did not have to hack Alexa to make her listen to everything the owners had to say. Essentially, they just manipulated the Alexa skills and showed just why it’s so risky to have an always-on, connected device fitted with a microphone.

 


Fortunately, this attack is no longer possible.

The good news:

And, in even better news for website owners worldwide (and netizens in general), in April Europol managed to finally shut down the biggest DDoS for hire website in the world.

More than 136,000 users wanting to damage had registered for webstresser.org, a malicious service that could launch junk traffic attacks to any website for as little as $19 per month. The authorities from Germany and the US stepped in and arrested the owners, taking down the site’s infrastructure as well.

Takeaways:

Be very careful with what devices you allow in your home, especially smart devices. See what can happen with unsecured devices and what you can do to prevent that.

Always keep your devices updated, from your computer to your phone or any other IoT device. Only buy devices that get updated religiously, outdated software is commonly targeted by criminals.

May in cybersecurity review

The bad news:

While Facebook was the social media platform that took the most heat this year, Twitter also had a major security incident.

In May, the chief technology officer of Twitter announced that a bug in the platform exposed user passwords internally, in plain text. While Twitter said it was unlikely criminals got their hands on those passwords, security experts urged users to change their passwords.

The good news:

On May 25, the General Data Protection Regulation (GDPR) went into effect. This was the biggest piece of legislation every passed design to protect your data and let you know exactly what happens to your information whenever you go online or download an app.

With fines of up to 20 million or up to 4% of the annual worldwide turnover (whichever sum was bigger) for those companies caught mishandling user data, GDPR promised to usher in a new age for the processing of personal data.

However, at the surface level, all that happened is that Internet users from Europe got bombarded with a thousand emails all saying “Please let us use your data from now on.”

Which obviously lead to a lot of misplaced complaining, as users were swamped by too many unwanted communications and missed the opportunity to actually see where their data went.

Like one wise netizen said, complaining about GDPR emails is like putting your fingers in your ears and going “La La La” while a police officer reads you your Miranda rights. Unfortunately, a lot of users did just that, choosing to either remain unaware or simply feeling overwhelmed by too many data breaches and Facebook revelations

Takeaways:

  1. Strong passwords are not enough. Use two-factor authentication, it’s essential to keep your accounts from being compromised.
  2. Read terms of service for the services you use and use efficient privacy tools to minimize the risk of trackers and beacons gathering your data.

June in cybersecurity review

The bad news:

And the data breaches continued all through June, with headlines showing millions of users’ being compromised.

First, the public was made aware by the existence of Exactis, a marketing and data aggregation company. How? A data breach, of course. The company exposed a database with 340 million records with phone numbers, home addresses and personal characteristics of Americans.

A security researcher spotted the unsecured database using Shodan, a common search engine and was shocked to see just how many accounts were contained in it.

Then, right when public sentiment couldn’t be more unfavorable towards Facebook, a bug in the platform made up to 14 million users’ posts public. No matter what your privacy settings and restricted lists were, every post was made available for the world to see.

But, troublesome as that incident was, it paled in comparison to the MyHeritage breach.

Fortunately, the breach for this online genealogy website only exposed email addresses and hashed passwords for 92 million users. Why fortunately? Because MyHeritage also operates MyHeritage DNA, the DNA-testing kit you can order and use at home to find out your ancestry. In the case of a compromised email or online account, you can always make another. What can you do if your DNA and medical info get out there?

If it’s just curiosity urging you to get a consumer DNA testing kit, you know what they say about that and what happens to the cat ;).

The good news:

On the bright side, June brought quite a lot of good news for your security.

hs-Do-you-know-what-antivirus-vendors-do-with-your-data_A90808

Through Operation Wire Wire, US official took down a rink of more than 70 email scammers – 42 US citizens, 29 Nigerians and 3 individuals from Poland, Mauritius, and Canada. The operation seized $2.4 million in funds and recovered more than $14 million in money scammed from unfortunate victims.

The same month, California unanimously passed the California Consumer Privacy Act of 2018, a bill built with GDPR principles in mind, designed to bring the same benefits to US residents of California.

Then, the best news of June: the Wi-Fi Alliance announced the WPA3 security protocol for Wi-Fi, which virtually eliminates the risk of dictionary attacks trying to guess your password.

Seeing how WPA2 was launched in 2018, the WPA3 update was long in the making and will go a long way into making sure Wi-Fi networks are more secure. However, the rollout will take some time, with experts estimating the end of 2019 for large-scale implementation of the protocol.

Takeaways:


This is one of the biggest security lessons of 2018: Don’t put the data you can never change about yourself into the hands of random companies.
Click To Tweet


Until WPA3 gets widely deployed, spend a few minutes to secure your Wi-Fi network and learn more about what the risks are.

And we’ll end this 2018 in cybersecurity retrospective on that happy note. Stay tuned for part two of this series, which will review what happened in the last 6 months and the lessons everyone should learn from those events.

Got anything to add? Drop us a line below.

 

The post 2018 in Cybersecurity Review: What Happened and What the Future Brings (Part 1) appeared first on Heimdal Security Blog.

McAfee Blogs: Holiday Rush: How to Check Yourself Before Your Wreck Yourself When Shopping Online

It was the last item on my list and Christmas was less than a week away. I was on the hunt for a white Northface winter coat my teenage daughter that she had duly ranked as the most-important-die-if-I-don’t-get-it item on her wishlist that year.

After fighting the crowds and scouring the stores to no avail, I went online, stressed and exhausted with my credit card in hand looking for a deal and a Christmas delivery guarantee.

Mistake #1: I was under pressure and cutting it way too close to Christmas.
Mistake #2: I was stressed and exhausted.
Mistake #3: I was adamant about getting the best deal.

Gimme a deal!

It turns out these mistakes created the perfect storm for a scam. I found a site with several name brand named coats available lower prices. I was thrilled to find the exact white coat and guaranteed delivery by Christmas. The cyber elves were working on my behalf for sure!

Only the coat never came and I was out $150.

In my haste and exhaustion, I overlooked a few key things about this “amazing” site that played into the scam. (I’ll won’t harp on the part about me calling customer service a dozen times, writing as many emails, and feeling incredible stupidity over my careless clicking)!

Stress = Digital Risk

I’m not alone in my holiday behaviors it seems. A recent McAfee survey, Stressed Holiday Online Shopping, reveals, unfortunately, that when it comes to online shopping, consumers are often more concerned about finding a deal online than they are with protecting their cybersecurity in the process. 

Here are the kinds of risks stressed consumers are willing to take to get a holiday deal online:

  • 53% think the financial stress of the holidays can lead to careless shopping online.
  • 56% said that they would use a website they were unfamiliar with if it meant they would save money.
  • 51% said they would purchase an item from an untrusted online retailer to get a good deal.
  • 31% would click on a link in an email to get a bargain, regardless of whether they were familiar with the sender.
  • When it comes to sharing personal information to get a good deal: 39% said they would risk sharing their email address, 25% would wager their phone number, and 16% percent would provide their home address.

3 Tips to Safer Online Shopping:

  • Connect with caution. Using public Wi-Fi might seem like a good idea at the moment, but you could be exposing your personal information or credit card details to cybercriminals eavesdropping on the unsecured network. If public Wi-Fi must be used to conduct transactions, use a virtual private network (VPN) to help ensure a secure connection.
  • Slow down and think before you click. Don’t be like me exhausted and desperate while shopping online — think before you click! Cybercriminal love to target victims by using phishing emails disguised as holiday savings or shipping notification, to lure consumers into clicking links that could lead to malware, or a phony website designed to steal personal information. Check directly with the source to verify an offer or shipment.
  • Browse with security protection. Use comprehensive security protection that can help protect devices against malware, phishing attacks, and other threats. Protect your personal information by using a home solution that keeps your identity and financial information secure.
  • Take a nap, stay aware. This may not seem like an important cybersecurity move, but during the holiday rush, stress and exhaustion can wear you down and contribute to poor decision-making online. Outsmarting the cybercrooks means awareness and staying ahead of the threats.

I learned the hard way that holiday stress and shopping do not mix and can easily compromise my online security. I lost $150 that day and I put my credit card information (promptly changed) firmly into a crook’s hands. I hope by reading this, I can help you save far more than that.

Here’s wishing you and your family the Happiest of Holidays! May all your online shopping be merry, bright, and secure from all those pesky digital Grinches!

The post Holiday Rush: How to Check Yourself Before Your Wreck Yourself When Shopping Online appeared first on McAfee Blogs.



McAfee Blogs

Holiday Rush: How to Check Yourself Before Your Wreck Yourself When Shopping Online

It was the last item on my list and Christmas was less than a week away. I was on the hunt for a white Northface winter coat my teenage daughter that she had duly ranked as the most-important-die-if-I-don’t-get-it item on her wishlist that year.

After fighting the crowds and scouring the stores to no avail, I went online, stressed and exhausted with my credit card in hand looking for a deal and a Christmas delivery guarantee.

Mistake #1: I was under pressure and cutting it way too close to Christmas.
Mistake #2: I was stressed and exhausted.
Mistake #3: I was adamant about getting the best deal.

Gimme a deal!

It turns out these mistakes created the perfect storm for a scam. I found a site with several name brand named coats available lower prices. I was thrilled to find the exact white coat and guaranteed delivery by Christmas. The cyber elves were working on my behalf for sure!

Only the coat never came and I was out $150.

In my haste and exhaustion, I overlooked a few key things about this “amazing” site that played into the scam. (I’ll won’t harp on the part about me calling customer service a dozen times, writing as many emails, and feeling incredible stupidity over my careless clicking)!

Stress = Digital Risk

I’m not alone in my holiday behaviors it seems. A recent McAfee survey, Stressed Holiday Online Shopping, reveals, unfortunately, that when it comes to online shopping, consumers are often more concerned about finding a deal online than they are with protecting their cybersecurity in the process. 

Here are the kinds of risks stressed consumers are willing to take to get a holiday deal online:

  • 53% think the financial stress of the holidays can lead to careless shopping online.
  • 56% said that they would use a website they were unfamiliar with if it meant they would save money.
  • 51% said they would purchase an item from an untrusted online retailer to get a good deal.
  • 31% would click on a link in an email to get a bargain, regardless of whether they were familiar with the sender.
  • When it comes to sharing personal information to get a good deal: 39% said they would risk sharing their email address, 25% would wager their phone number, and 16% percent would provide their home address.

3 Tips to Safer Online Shopping:

  • Connect with caution. Using public Wi-Fi might seem like a good idea at the moment, but you could be exposing your personal information or credit card details to cybercriminals eavesdropping on the unsecured network. If public Wi-Fi must be used to conduct transactions, use a virtual private network (VPN) to help ensure a secure connection.
  • Slow down and think before you click. Don’t be like me exhausted and desperate while shopping online — think before you click! Cybercriminal love to target victims by using phishing emails disguised as holiday savings or shipping notification, to lure consumers into clicking links that could lead to malware, or a phony website designed to steal personal information. Check directly with the source to verify an offer or shipment.
  • Browse with security protection. Use comprehensive security protection that can help protect devices against malware, phishing attacks, and other threats. Protect your personal information by using a home solution that keeps your identity and financial information secure.
  • Take a nap, stay aware. This may not seem like an important cybersecurity move, but during the holiday rush, stress and exhaustion can wear you down and contribute to poor decision-making online. Outsmarting the cybercrooks means awareness and staying ahead of the threats.

I learned the hard way that holiday stress and shopping do not mix and can easily compromise my online security. I lost $150 that day and I put my credit card information (promptly changed) firmly into a crook’s hands. I hope by reading this, I can help you save far more than that.

Here’s wishing you and your family the Happiest of Holidays! May all your online shopping be merry, bright, and secure from all those pesky digital Grinches!

The post Holiday Rush: How to Check Yourself Before Your Wreck Yourself When Shopping Online appeared first on McAfee Blogs.

KoffeyMaker Toolkit Used in Black Box ATM Attacks Against Eastern European Banks

In 2017 and 2018, threat actors utilized a toolkit called KoffeyMaker in multiple black box ATM attacks targeting Eastern European financial institutions.

When Kaspersky Lab investigated KoffeyMaker in connection with the attacks, researchers discovered that the devices in the campaign consisted of Windows laptops containing ATM dispenser drivers and a patched KDIAG tool.

Those behind the attacks secretly opened an ATM at each targeted bank, connected the device to the cash dispenser, closed the ATM and walked away with the device still inside the machine.

Returning at a later time, attackers leveraged a USB GPRS modem to gain remote access to the device, run the KDIAG tool and execute a command for the ATM to dispense bank notes before retrieving the laptop — all while another attacker collected the money. Together, they then made their escape with potentially tens of thousands of dollars in tow.

ATM Attacks Aren’t New to Europe

Attacks like those involving KoffeyMaker aren’t new. As reported by Information Security Media Group (ISMG), the number of jackpotting attacks against ATMs in European countries grew by 231 percent in 2017. Of those attacks, the majority were black box campaigns. One of these cases involved the use of Cutlet Maker, ATM malware detected by Kaspersky Lab that is not unlike KoffeyMaker in its design.

Fortunately, law enforcement had some success in arresting criminals during that same span of time. In one of the most noteworthy takedowns, several EU member states and Norway, supported by Europol’s European Cybercrime Centre (EC3) and the Joint Cybercrime Action Taskforce (J-CAT), arrested 27 individuals responsible for conducting black box ATM attacks across Europe.

How to Defend Against Tools Like KoffeyMaker

According to Kaspersky Lab, the only way for banks to defend against black box attacks is to use hardware encryption between an ATM’s computer and dispenser. Organizations should also implement a stronger data security strategy. This plan should include the use of encryption to protect sensitive cloud-based data.

Sources: Kaspersky Lab, ISMG, Kaspersky Lab (1), EC3

The post KoffeyMaker Toolkit Used in Black Box ATM Attacks Against Eastern European Banks appeared first on Security Intelligence.

Overcoming the Cloud Security Compliance Conundrum

The growing demand for increased business agility and cost reductions in relation to IT infrastructure and applications is not a new agenda item for C-level executives. It has, however, remained a priority topic in 2018.

Compliance with various regulations and cloud security requirements has expanded as technology and cloud uptake advance — albeit not at a similar pace, leaving organizations with a challenging conundrum to solve. This is particularly relevant when executives consider cloud security and business transformations.

Balance the Costs and Benefits of Cloud Migration

The partnership between IBM and Red Hat announced earlier this year highlights a strategic vision to deliver transformational change to clients and meet cloud security demand. We’ve also seen record-breaking technological advancements and a growing number of data and application migrations to the cloud.

In general, these migrations follow either a hybrid or multicloud strategy. Hybrid cloud is defined as a combination of cloud services that are deployed both on-premises and in the cloud. Multicloud means using multiple cloud computing service providers across a single heterogeneous environment for applications, software or infrastructure.

Whatever the strategy, cloud migrations involve transitioning and managing extensive processing and workloads outside of traditional IT infrastructure while addressing cloud security and compliance challenges. The main industries that are seeing an increased focus, volume and complexity of regulations are banking and financial services. In these sectors, many are pursuing innovative business strategies that drive requirements for critical infrastructure and applications to the cloud.

The regulatory compliance challenge for such innovation poses both an opportunity and a concern for the C-suite and boardroom. Financial institutions must confront the reality of dramatically increasing costs while also keeping pace with the legislative and regulatory changes arising from numerous regulatory bodies. Global organizations have the added burden of even more international and nation-specific regulations.

The cost of compliance is often high, but any effort to reduce staff without demonstrable and measurable improvements in compliance processes and technology could be viewed negatively by regulatory bodies, investors and shareholders.

Meet Cloud Security Compliance Requirements Head-On

One of the most common misconceptions we hear from clients is that moving to the cloud with data held by multiple third parties on shared systems will be a complex undertaking. Our view is that cloud services can be extremely secure and often a more stable option than utilizing existing internal IT infrastructure. However, there are a some activities that need to be considered to meet regulatory compliance requirements, such as:

  • Deploying continuous monitoring of both technical and nontechnical cloud compliance requirements. This should also include corporate governance, cybersecurity and regulatory compliance controls;
  • Maintaining a unified source or framework of governance, risk and compliance information for how cloud services are utilized;
  • Developing executive and operational dashboards to provide visibility into cloud compliance statuses;
  • Implementing real-time alerting mechanisms for control failures with defined playbooks on how to respond to compliance failures from third-party providers; and
  • Ensuring that you can continuously synchronize new cloud services and capabilities with regulatory compliance requirements.

These cloud security to-dos can help your organization take on the seemingly daunting task of cloud migration while remaining secure and compliant.

The post Overcoming the Cloud Security Compliance Conundrum appeared first on Security Intelligence.

SecurityWeek RSS Feed: Rhode Island Sues Alphabet Over Google+ Security Incidents

A government organization in Rhode Island announced on Wednesday that it has filed a lawsuit against Google’s parent company, Alphabet Inc., over the recent security incidents involving the Google+ social network.

read more



SecurityWeek RSS Feed

New Report Finds Emails Containing Dangerous Attachments Up More Than 25 Percent.

Mimecast Limited (NASDAQ: MIME), a leading email and data security company, today announced the availability of its latest quarterly Email Security Risk Assessment (ESRA), an aggregated report of tests that measure the efficacy of widely used email security systems.* In comparison to last quarter’s findings, this new assessment found that email security systems are missing 25 percent more emails containing dangerous file types.

Typically dangerous file types are rarely sent via email for legitimate purposes, such as: .jsp, .exe, .dll and .src, and can be used facilitate an attack. Detailed Mimecast ESRAs help organizations better understand what types of email-borne threats are getting through their current security system. Every quarter Mimecast aggregates the results of individual ESRA tests and reports to the industry its findings. To date Mimecast has inspected more than 180 million emails that were deemed “safe” from these incumbent systems. Within these emails, the tests found 16,581 emails that contained dangerous file types.

The report also found 21,183,014 spam emails, 17,403 malware attachments, 42,350 impersonation attacks and 205,363 malicious URLS, all missed by these incumbent providers and delivered to users’ inboxes. This latest report concludes that an aggregate 12% of all secured and filtered email were unwanted emails and thus were false negatives.

“Mimecast has seen an increase in security efficacy versus legacy vendors along with detailed information on the proliferation of threats of all types. The ESRA provides deep insights for our customers on the types of attacks threatening their business,” says Lindsay Jack, security service director at Mimecast. “Attacks we are seeing include key executives being targeted with cloud storage services exploits, impersonation attacks targeting legal, finance and administrative assistance as well as social engineering attacks against the C-suite. Mimecast helps organizations understand how they compare with other organizations in their geography or industry vertical. Additionally, these reports provide insights on the rise of new types of malware and key trends in malicious email campaigns.”

“Cybercriminals are constantly adapting their email-based attacks, looking for new ways to bypass security solutions that rely too heavily on reputation-based detection or file signature matches. This quarter we saw a particularly large jump in emails containing dangerous file types.,” said Matthew Gardiner, cybersecurity strategist at Mimecast. “Mimecast uses multiple layers and types of detection engines, combined with high performance analytics, a diverse set of threat intelligence sources, and computer aided human analysis to identify and stop unsafe emails from getting into our customers’ inboxes.”

The post New Report Finds Emails Containing Dangerous Attachments Up More Than 25 Percent. appeared first on IT Security Guru.

Why Other Hotel Chains Could Fall Victim To A ‘Marriott-style’ Data Breach.

Written by Bernard Parsons, CEO, Becrypt

Whilst I am sure more details behind the Marriott data breach will slowly come to light over the coming months, there is already plenty to reflect on given the initial disclosures and accompanying hypotheses.

With the prospects of regulatory fines and lawsuits looming, assimilating the sheer magnitude of the numbers involved is naturally alarming. Up to 500 million records containing personal and potentially financial information is quite staggering. In the eyes of the Information Commissioner’s Office (ICO), this is deemed a ‘Mega Breach’, even though it falls short of the Yahoo data breach. But equally concerning are the various timeframes reported.

Marriott said the breach involved unauthorised access to a database containing Starwood properties guest information, on or before 10th September 2018. Its ongoing investigation suggests the perpetrators had been inside the company’s networks since 2014.

Starwood disclosed its own breach in November 2015 that stretched back to at least November 2014. The intrusion was said to involve malicious software installed on cash registers and other payment systems, which were not part of its guest reservations or membership systems.

The extent of Marriott’s regulatory liabilities will be determined by a number of factors not yet fully in the public domain. For GDPR this will include the date at which the ICO was informed, the processes Marriott has undertaken since discovery, and the extent to which it has followed ‘best practice’ prior to, during and after breach discovery. Despite the magnitude and nature of breach, it is not impossible to imagine that Marriott might have followed best practice, albeit such a term is not currently well-defined, but it is fairly easy to imagine that their processes and controls reflect common practice.

A quick internet search reveals just how commonplace and seemingly inevitable the industry’s breaches are. In December 2016, a pattern of fraudulent transactions on credit cards were reportedly linked to use at InterContinental Hotels Group (IHG) properties. IHG stated that the intrusion resulted from malware installed at point-of-sale systems at restaurants and bars of 12 properties in 2016, and later in April 2017, acknowledging that cash registers at more than 1,000 of its properties were compromised.

According to KrebsOnSecurity , other reported card breaches include Hyatt Hotels (October 2017), the Trump Hotel (July 2017), Kimpton Hotels (September 2016) Mandarin Oriental properties (2015), and Hilton Hotel properties (2015).

Therefore perhaps, the most important lessons to be learnt in response to such breaches are those that seek to understand the factors that make data breaches all but inevitable today. Whilst it is Marriott in the news this week, the challenges we collectively face are systemic and it could very easily be another hotel chain next week.

Reflecting on the role of payment (EPOS) systems and cash registers within leisure industry breaches is illustrative of the challenge. Paste the phrase ‘EPOS software’ into your favourite search engine, and see how prominent, or indeed absent, the notion of security is. Is it any wonder that organisations often unwittingly connect devices with common and often unmanaged vulnerabilities to systems that may at the same time be used to process sensitive data? Many EPOS systems effectively run general purpose operating systems, but are typically subject to less controls and monitoring than conventional IT systems.

So why is this?
Often the organisation can’t justify having a full blown operating system and sophisticated defence tools on these systems, especially when they have a large number of them deployed out in the field, accessing bespoke or online applications. Often they are in widely geographically dispersed locations which means there are significant costs to go out and update, maintain, manage and fix them.

Likewise, organisations don’t always have the local IT resource in many of these locations to maintain the equipment and its security themselves.

Whilst a light is currently being shone on Marriott, perhaps our concerns should be far broader. If the issues are systemic, we need to think about how better security is built into the systems and supply chains we use by default, rather than expecting hotels or similar organisations in other industries to be sufficiently expert. Is it the hotel, as the end user that should be in the headlines, or how standards, expectations and regulations apply to the ecosystem that surrounds the leisure and other industries? Or should the focus be on how this needs to be improved in order to allow businesses to focus on what they do best, without being quite such easy prey?

The post Why Other Hotel Chains Could Fall Victim To A ‘Marriott-style’ Data Breach. appeared first on IT Security Guru.

Personal Details of 120 Million Brazilians Exposed

Misconfigured databases with poor or absent access controls on both cloud and in-house servers is a known and common problem. Where these databases are exposed to the internet, anybody -- with or without cyber expertise -- can access the database and its content. While there is no 'hack' involved, such instances should still be called a breach since there is often no way of knowing whether the data contained has been accessed by malicious actors.

read more

12 Days of Hack-mas

2018 was a wild ride when it came to cybersecurity. While some hackers worked to source financial data, others garnered personal information to personalize cyberattacks. Some worked to get us to download malware in order to help them mine cryptocurrency or harness our devices to join their botnets. And the ways in which they exact their attacks are becoming more sophisticated and harder to detect. 2019 shows no sign of slowing down when it comes to attacks. Between the apps and websites we use every day, in addition to the numerous connected devices we continue to add our homes, there are a lot of ways in which our cybersecurity can be compromised. Let’s take a look at 12 common, connected devices that are vulnerable to attacks –most of which our friends at the “Hackable?” podcast have demonstrated– and what we can do to protect what matters. This way, as we move into the new year, security is top of mind.

Connected Baby Monitors

When you have a child, security and safety fuels the majority of your thoughts. That’s why it’s terrifying to think that a baby monitor, meant to give you peace of mind, could get hacked. Our own “Hackable?” team illustrated exactly how easy it is. They performed a “man-in-the-middle” attack to intercept data from an IoT baby monitor. But the team didn’t stop there; next they overloaded the device with commands and completely crashed the system without warning a parent, potentially putting a baby in danger. If you’re a parent looking to bring baby tech into your home, always be on the lookout for updates, avoid knockoffs or brands you’re not familiar with, and change your passwords regularly.

Smart TVs

With a click of a button or by the sound of our voice, our favorite shows will play, pause, rewind ten seconds, and more – all thanks to smart TVs and streaming devices. But is there a sinister side? Turns out, there is. Some smart TVs can be controlled by cybercriminals by exploiting easy-to-find security flaws. By infecting a computer or mobile device with malware, a cybercriminal could gain control of your smart TV if your devices are using the same Wi-Fi. To prevent an attack, consider purchasing devices from mainstream brands that keep security in mind, and update associated software and apps regularly.

Home Wi-Fi Routers

Wi-Fi is the lifeblood of the 21st century; it’s become a necessity rather than a luxury. But your router is also a cybercriminal’s window into your home. Especially if you have numerous IoT devices hooked up to the same Wi-Fi, a hacker that successfully cracks into your network can get ahold of passwords and personal information, all of which can be used to gain access to your accounts, and launch spear phishing attacks against you to steal your identity or worse. Cybercriminals do this by exploiting weaknesses in your home network. To stay secure, consider a comprehensive security solution like McAfee® Secure Home Platform.

Health Devices and Apps

Digital health is set to dominate the consumer market in the next few years. Ranging from apps to hardware, the ways in which our health is being digitized varies, and so do the types of attacks that can be orchestrated. For example, on physical devices like pacemakers, malware can be implanted directly on to the device, enabling a hacker to control it remotely and inflict real harm to patients. When it comes to apps like pedometers, a hacker could source information like your physical location or regular routines.  Each of these far from benign scenarios highlight the importance of cybersecurity as the health market becomes increasingly reliant on technology and connectivity.

Smart Speakers

It seems like everyone nowadays has at least one smart speaker in their home. However, these speakers are always listening in, and if hacked, could be exploited by cybercriminals through spear phishing attacks. This can be done by spoofing actual websites which trick users into thinking that they are receiving a message from an official source. But once the user clicks on the email, they’ve just given a cybercriminal access to their home network, and by extension, all devices connected to that network too, smart speakers and all. To stay secure, start with protection on your router that extends to your network, change default passwords, and check for built-in security features.

Voice Assistants

Like smart speakers, voice assistants are always listening and, if hacked, could gain a wealth of information about you. But voice assistants are also often used as a central command hub, connecting other devices to them (including other smart speakers, smart lights or smart locks). Some people opt to connect accounts like food delivery, driver services, and shopping lists that use credit cards. If hacked, someone could gain access to your financial information or even access to your home. To keep cybercriminals out, consider a comprehensive security system, know which apps you can trust, and always keep your software up to date.

Connected Cars

Today, cars are essentially computers on wheels. Between backup cameras, video screens, GPS systems, and Wi-Fi networks, they have more electronics stacked in them than ever. The technology makes the experience smoother, but if it has a digital heartbeat, it’s hackable. In fact, an attacker can take control of your car a couple of ways; either by physically implanting a tiny device that grants access to your car through a phone, or by leveraging a black box tool and  your car’s diagnostic port completely remotely. Hacks can range anywhere from cranking the radio up to cutting the transmission or disabling the breaks. To stay secure, limit connectivity between your mobile devices and a car when possible, as phones are exposed to risks every day, and any time you connect it to your car, you put it at risk, too.

Smart Thermostats

A smart thermostat can regulate your home’s temperature and save you money by learning your preferences. But what if your friendly temperature regulator turned against you? If you don’t change your default, factory-set password and login information, a hacker could take control of your device and make it join a botnet

Connected Doorbells

When we think high-tech, the first thing that comes to mind is most likely not a doorbell. But connected doorbells are becoming more popular, especially as IoT devices are more widely adopted in our homes. So how can these devices be hacked, exactly? By sending an official-looking email that requests that a device owner download the doorbell’s app, the user unwittingly gave full access to the unwelcome guest. From there, the hackers could access call logs, the number of devices available, and even video files from past calls. Take heed from this hack; when setting up a new device, watch out for phishing emails and always make sure that an app is legitimate before you download it.

Smart Pet Cameras

We all love our furry friends and when we have to leave them behind as we head out the door. And it’s comforting to know that we can keep an eye on them, even give them the occasional treat through pet cameras. But this pet-nology can be hacked into by cybercriminals to see what’s get an inside look at your home, as proven by the “Hackable?” crew. Through a device’s app, a white-hat hacker was able to access the product’s database and was able to download photos and videos of other device owners. Talk about creepy. To keep prying eyes out of your private photos, get a comprehensive security solution for your home network and devices, avoid checking on your pet from unsecured Wi-Fi, and do your research on smart products you purchase for your pets.

Cell Phones

Mobile phones are one of the most vulnerable devices simply because they go everywhere you go. They essentially operate as a personal remote control to your digital life. In any given day, we access financial accounts, confirm doctor’s appointments and communicate with family and friends. That’s why is shocking to know how surprisingly easy it is for cybercriminals to access the treasure trove of personal data on your cell phone. Phones can be compromised a variety of ways; but here are a few: accessing your personal information by way of public Wi-Fi (say, while you’re at an airport), implanting a bug, leveraging a flaw in the operating system, or by infecting your device with malware by way of a bad link while surfing the web or browsing email.  Luckily, you can help secure your device by using comprehensive security such as McAfee Total Protection, or by leveraging a VPN (virtual private network) if you find yourself needing to use public Wi-Fi.

Virtual Reality Headsets

Once something out of a science fiction, virtual reality (VR) is now a high-tech reality for many. Surprisingly, despite being built on state of the art technology, VR is quite hackable. As an example, though common and easy-to-execute tactics like phishing to prompt someone to download malware, white-hat hackers were able to infect a linked computer and execute a command and control interface that manipulated the VR experience and disorientated the user. While this attack isn’t common yet, it could certainly start to gain traction as more VR headsets make their way into homes. To stay secure, be picky and only download software from reputable sources.

This is only the tip of the iceberg when it comes to hackable, everyday items. And while there’s absolutely no doubt that IoT devices certainly make life easier, what it all comes down to is control versus convenience. As we look toward 2019, we should ask ourselves, “what do we value more?”

Stay up-to-date on the latest trends by subscribing to our podcast, “Hackable?” and follow us on Twitter or Facebook.

The post 12 Days of Hack-mas appeared first on McAfee Blogs.

McAfee Blogs: 12 Days of Hack-mas

2018 was a wild ride when it came to cybersecurity. While some hackers worked to source financial data, others garnered personal information to personalize cyberattacks. Some worked to get us to download malware in order to help them mine cryptocurrency or harness our devices to join their botnets. And the ways in which they exact their attacks are becoming more sophisticated and harder to detect. 2019 shows no sign of slowing down when it comes to attacks. Between the apps and websites we use every day, in addition to the numerous connected devices we continue to add our homes, there are a lot of ways in which our cybersecurity can be compromised. Let’s take a look at 12 common, connected devices that are vulnerable to attacks –most of which our friends at the “Hackable?” podcast have demonstrated– and what we can do to protect what matters. This way, as we move into the new year, security is top of mind.

Connected Baby Monitors

When you have a child, security and safety fuels the majority of your thoughts. That’s why it’s terrifying to think that a baby monitor, meant to give you peace of mind, could get hacked. Our own “Hackable?” team illustrated exactly how easy it is. They performed a “man-in-the-middle” attack to intercept data from an IoT baby monitor. But the team didn’t stop there; next they overloaded the device with commands and completely crashed the system without warning a parent, potentially putting a baby in danger. If you’re a parent looking to bring baby tech into your home, always be on the lookout for updates, avoid knockoffs or brands you’re not familiar with, and change your passwords regularly.

Smart TVs

With a click of a button or by the sound of our voice, our favorite shows will play, pause, rewind ten seconds, and more – all thanks to smart TVs and streaming devices. But is there a sinister side? Turns out, there is. Some smart TVs can be controlled by cybercriminals by exploiting easy-to-find security flaws. By infecting a computer or mobile device with malware, a cybercriminal could gain control of your smart TV if your devices are using the same Wi-Fi. To prevent an attack, consider purchasing devices from mainstream brands that keep security in mind, and update associated software and apps regularly.

Home Wi-Fi Routers

Wi-Fi is the lifeblood of the 21st century; it’s become a necessity rather than a luxury. But your router is also a cybercriminal’s window into your home. Especially if you have numerous IoT devices hooked up to the same Wi-Fi, a hacker that successfully cracks into your network can get ahold of passwords and personal information, all of which can be used to gain access to your accounts, and launch spear phishing attacks against you to steal your identity or worse. Cybercriminals do this by exploiting weaknesses in your home network. To stay secure, consider a comprehensive security solution like McAfee® Secure Home Platform.

Health Devices and Apps

Digital health is set to dominate the consumer market in the next few years. Ranging from apps to hardware, the ways in which our health is being digitized varies, and so do the types of attacks that can be orchestrated. For example, on physical devices like pacemakers, malware can be implanted directly on to the device, enabling a hacker to control it remotely and inflict real harm to patients. When it comes to apps like pedometers, a hacker could source information like your physical location or regular routines.  Each of these far from benign scenarios highlight the importance of cybersecurity as the health market becomes increasingly reliant on technology and connectivity.

Smart Speakers

It seems like everyone nowadays has at least one smart speaker in their home. However, these speakers are always listening in, and if hacked, could be exploited by cybercriminals through spear phishing attacks. This can be done by spoofing actual websites which trick users into thinking that they are receiving a message from an official source. But once the user clicks on the email, they’ve just given a cybercriminal access to their home network, and by extension, all devices connected to that network too, smart speakers and all. To stay secure, start with protection on your router that extends to your network, change default passwords, and check for built-in security features.

Voice Assistants

Like smart speakers, voice assistants are always listening and, if hacked, could gain a wealth of information about you. But voice assistants are also often used as a central command hub, connecting other devices to them (including other smart speakers, smart lights or smart locks). Some people opt to connect accounts like food delivery, driver services, and shopping lists that use credit cards. If hacked, someone could gain access to your financial information or even access to your home. To keep cybercriminals out, consider a comprehensive security system, know which apps you can trust, and always keep your software up to date.

Connected Cars

Today, cars are essentially computers on wheels. Between backup cameras, video screens, GPS systems, and Wi-Fi networks, they have more electronics stacked in them than ever. The technology makes the experience smoother, but if it has a digital heartbeat, it’s hackable. In fact, an attacker can take control of your car a couple of ways; either by physically implanting a tiny device that grants access to your car through a phone, or by leveraging a black box tool and  your car’s diagnostic port completely remotely. Hacks can range anywhere from cranking the radio up to cutting the transmission or disabling the breaks. To stay secure, limit connectivity between your mobile devices and a car when possible, as phones are exposed to risks every day, and any time you connect it to your car, you put it at risk, too.

Smart Thermostats

A smart thermostat can regulate your home’s temperature and save you money by learning your preferences. But what if your friendly temperature regulator turned against you? If you don’t change your default, factory-set password and login information, a hacker could take control of your device and make it join a botnet

Connected Doorbells

When we think high-tech, the first thing that comes to mind is most likely not a doorbell. But connected doorbells are becoming more popular, especially as IoT devices are more widely adopted in our homes. So how can these devices be hacked, exactly? By sending an official-looking email that requests that a device owner download the doorbell’s app, the user unwittingly gave full access to the unwelcome guest. From there, the hackers could access call logs, the number of devices available, and even video files from past calls. Take heed from this hack; when setting up a new device, watch out for phishing emails and always make sure that an app is legitimate before you download it.

Smart Pet Cameras

We all love our furry friends and when we have to leave them behind as we head out the door. And it’s comforting to know that we can keep an eye on them, even give them the occasional treat through pet cameras. But this pet-nology can be hacked into by cybercriminals to see what’s get an inside look at your home, as proven by the “Hackable?” crew. Through a device’s app, a white-hat hacker was able to access the product’s database and was able to download photos and videos of other device owners. Talk about creepy. To keep prying eyes out of your private photos, get a comprehensive security solution for your home network and devices, avoid checking on your pet from unsecured Wi-Fi, and do your research on smart products you purchase for your pets.

Cell Phones

Mobile phones are one of the most vulnerable devices simply because they go everywhere you go. They essentially operate as a personal remote control to your digital life. In any given day, we access financial accounts, confirm doctor’s appointments and communicate with family and friends. That’s why is shocking to know how surprisingly easy it is for cybercriminals to access the treasure trove of personal data on your cell phone. Phones can be compromised a variety of ways; but here are a few: accessing your personal information by way of public Wi-Fi (say, while you’re at an airport), implanting a bug, leveraging a flaw in the operating system, or by infecting your device with malware by way of a bad link while surfing the web or browsing email.  Luckily, you can help secure your device by using comprehensive security such as McAfee Total Protection, or by leveraging a VPN (virtual private network) if you find yourself needing to use public Wi-Fi.

Virtual Reality Headsets

Once something out of a science fiction, virtual reality (VR) is now a high-tech reality for many. Surprisingly, despite being built on state of the art technology, VR is quite hackable. As an example, though common and easy-to-execute tactics like phishing to prompt someone to download malware, white-hat hackers were able to infect a linked computer and execute a command and control interface that manipulated the VR experience and disorientated the user. While this attack isn’t common yet, it could certainly start to gain traction as more VR headsets make their way into homes. To stay secure, be picky and only download software from reputable sources.

This is only the tip of the iceberg when it comes to hackable, everyday items. And while there’s absolutely no doubt that IoT devices certainly make life easier, what it all comes down to is control versus convenience. As we look toward 2019, we should ask ourselves, “what do we value more?”

Stay up-to-date on the latest trends by subscribing to our podcast, “Hackable?” and follow us on Twitter or Facebook.

The post 12 Days of Hack-mas appeared first on McAfee Blogs.



McAfee Blogs

30% of healthcare databases are exposed online

Despite the fact that electronic health records (EHR) contain extremely sensitive information about individuals, it is shockingly easy for malicious actors to get their hands on them, Intsights security researchers have discovered. It took them some 90 hours to try to gain access to 50 databases used by healthcare organizations and they found that 15 of them (i.e., 30 percent) easily discoverable and accessible to anyone who knows where to look and has a basic … More

The post 30% of healthcare databases are exposed online appeared first on Help Net Security.

Latest Malware Strains Target Cloudera Hadoop for Bitcoin Mining and DDoS Attacks

­­

Security researchers discovered that several new malware strains are targeting known Cloudera Hadoop vulnerabilities.

The malware variants, including XBash and DemonBot, target Hadoop clusters that are connected to the internet and do not use Kerberos authentication, according to Cloudera. This can lead to certain exploits such as bitcoin mining and distributed denial-of-service (DDoS) attacks, which can create significant negative performance impacts within client environments.

These vulnerability attacks can occur when your Cloudera Hadoop system is not properly configured and secured. For example, when Kerberos is not enabled clusterwide, your Hadoop clusters become yet another possible attack vector.

The good news is that the attack techniques in question are not sophisticated and utilize known exploits, meaning organizations can protect themselves by taking the right precautions.

Protect Yourself With Strong Kerberos Authentication

Countering such attacks requires the use of strong Kerberos authentication to identify the right access for privileged users. Without proper Kerberos authentication, any user can connect to Hadoop clusters, access the system and make bad choices.

To follow best practices, implement additional authentication steps to secure your Cloudera Hadoop clusters, including the following:

  • Secure default accounts and passwords.
  • Utilize Lightweight Directory Access Protocol (LDAP) authentication for Cloudera Manager.
  • Enable Sentry service using Kerberos.
  • Use a secure protocol such as Secure Sockets Layer (SSL) or Transport Layer Security (TLS).
  • Secure default ports.

How do you know whether or not your environment is at risk to begin with? That’s where vulnerability scans come into play.

How to Identify if Your Cloudera Hadoop Clusters Are Affected

Vulnerability assessment solutions for Cloudera Hadoop can provide critical insight into your environment to help mitigate potential attacks. Advanced tools offer security checks and hardening rules to help customers secure their Hadoop clusters, provide rules to help identify Hadoop-specific vulnerabilities, and list detailed recommendations to fix and resolve the vulnerabilities.

To use vulnerability assessment tests to check whether a Cloudera authentication parameter is appropriately set to Kerberos — which is strongly recommended by Cloudera — an organization should take the following steps:

  1. Leverage a vulnerability assessment solution to run the following test: “Authentication method set to Kerberos.”
  2. If a cluster is properly configured, it will pass the test. Multiple systems can be connected to check for this test and get visibility into configuration statuses in minutes.
  3. After running the tests, organizations should attend to the clusters that did not pass. Note that such vulnerabilities can only be addressed with proper configuration, not by simply applying the latest security patches.
  4. Once the configurations have been updated and all nodes authenticate using Kerberos, the problem will be resolved.

As these recent attacks illustrate, vulnerability assessment is a critical piece of any comprehensive data protection program. Last year alone, more than 2 billion records were exposed due to misconfigurations — a number that could have been drastically reduced if teams had been leveraging vulnerability scanning tools.

Source: Cloudera

The post Latest Malware Strains Target Cloudera Hadoop for Bitcoin Mining and DDoS Attacks appeared first on Security Intelligence.

Avoid Coal in Your Digital Stocking — Here’s How to Improve Your Security Posture in 2019

As 2018 draws to a close, it’s time to reflect on the strides the cybersecurity industry made over the past year, and how far companies around the world still have to go to improve their security posture. Throughout the year, businesses were plagued by cybersecurity risks and hit with massive data breaches. In the lead-up to the holiday season, security leaders across industries are wishing for a quiet 2019 with no negative data breach headlines.

5 Cybersecurity Missteps That Put Enterprises at Risk in 2018

What lessons did we learn in 2018? And as we look forward, what best practices can we implement to improve defenses in the new year? We asked industry experts where they observe the worst security practices that still leave enterprises exposed to cybersecurity risks, and they offered advice to help companies and users enjoy a merrier, brighter, more secure 2019.

1. Poor Password Policies

Although passwords are far from perfect as a security mechanism, they are still used pervasively in the enterprise and in personal life. Yet password policies are still rife with problems around the globe.

Idan Udi Edry, CEO of Trustifi, said the most foundational — and also most disregarded — cybersecurity practice is maintaining a strong password.

“A unique password should be utilized for every account and not reused,” said Edry. “It is important to update passwords every 30–90 days. Passwords should never include a significant word, such as a pet’s name, or a significant date, such as a birthdate.”

Deploying devices and appliances and then leaving default passwords in place is also still a shockingly common practice. A threat actor with knowledge of a manufacturer or service provider’s default password conventions can do a lot of damage to an organization with factory settings still in place.

Edry advised enterprises to employ two-factor authentication (2FA) to add more security to their access strategy. Douglas Crawford, digital privacy adviser for BestVPN, meanwhile, recommended encouraging employees to use a password manager.

“It is hard to remember strong passwords for every website and service we use, so people simply stop bothering,” said Crawford. “Use of ‘123456’ as a password is still scarily common. And then we use the same password on every website we visit. This [is] particularly irksome, as this entire security nightmare can be easily remedied through use of password manager apps or services, which do the heavy lifting for us.”

2. Misconfigured Cloud Storage

Earlier this year, researchers from Digital Shadows uncovered more than 1.5 billion sensitive files stored in publicly available locations, such as misconfigured websites and unsecured network-attached storage (NAS) drives.

“Unfortunately, many administrators misconfigure [these buckets] rendering the contents publicly-accessible,” wrote Michael Marriott, senior strategy and research analyst with Digital Shadows.

The information uncovered included a treasure trove of personal data, such as payroll, tax return and health care information — all available to prying eyes thanks to overlooked security best practices in cloud storage.

“With the rise of mobility and cloud usage in enterprises, one of the worst security practices is leaving critical cloud services and SaaS applications open to the internet,” said Amit Bareket, co-founder and CEO of Perimeter 81.

It’s time to get proactive to analyze potential exposures in storage and then devise a plan to address cloud data risks to your organization. It’s also important to remember that with any connected service, it is often better not to deploy than to deploy insecurely.

3. Ineffective Cyber Awareness Training

Security begins and ends with your employees — but how much do they know about security? Specifically, how much do they know about the risks they are facing and how their actions could set your business up for a potential incident?

“At this time of the year, it’s critically important to ensure proper employee awareness of the risks related to travel,” said Baan Alsinawi, president and founder of TalaTek, a Washington-based risk management firm. “Using public Wi-Fi at airports or hotels to access corporate data, possible loss of personally-held devices such as an iPad, iPhone or corporate laptop, especially if not encrypted, talking to strangers about work issues or projects over a glass of wine can expose confidential information.”

Of course, a robust awareness program needs to be in place year-round. Data from London-based advisory and solutions company Willis Towers Watson found that employees are the cause of 66 percent of all cyberbreaches, either through negligence or deliberate offense.

Employees should be regularly educated on phishing, social engineering techniques and other attack vectors that could put corporate data at risk. If awareness training isn’t part of your security strategy, 2019 is the time to learn what an effective awareness program looks like and implement one to promote security best practices in your organization.

4. Poor Oversight of Third-Party Cybersecurity Risks

Third-party vendors and partners can be a source of compromise if criminals can access your organization’s sensitive information through their poorly secured systems. If you’re working with third-party vendors and partners, your security is only as good as theirs. If their systems are breached, your data is also at risk.

“Attackers seeking access to hardened company systems can pivot to breaching an integrated third party, establishing a beachhead there and then leveraging the trust implicit in the integration to gain access,” explained Ralph R. Russo, director of applied computing programs and professor of practice of IT management and cybersecurity at Tulane University School of Professional Advancement.

In 2019, evaluate the state of your third-party risk management. Make it a priority to identify gaps that may put you at risk if you are working with less-than-secure vendors. Implement a vigorous vetting process to determine the security level of your trusted partners.

5. Lack of an Incident Response Plan

A formal, regularly tested cybersecurity incident response plan is essential, yet many organizations continue to operate without one. In fact, 77 percent of companies do not have any formal plan.

Without a written and tested incident response plan, you’re unprepared for the worst-case scenario. It is not enough to focus on prevention; it is essential to establish a comprehensive incident response plan that is clear, detailed, flexible, includes multiple stakeholders, and tested and updated regularly.

Improve Your Security Posture in 2019 and Beyond

If your organization engages in any of these poor practices, it may be time to brush up on your basic cyber hygiene best practices. By following the recommendations outlined here, you can confidently resolve to close gaps in risk mitigation and establish more effective strategies to improve your company’s security posture in 2019 and beyond.

The post Avoid Coal in Your Digital Stocking — Here’s How to Improve Your Security Posture in 2019 appeared first on Security Intelligence.

Not all data collection is evil: Don’t let privacy scandals stall cybersecurity

Facebook continues to be criticized for its data collection practices. The media is hammering Google over how it handles data. JPMorgan Chase & Company was vilified for using Palantir software to allegedly invade the privacy of employees. This past June marked the five-year anniversary of The Guardian’s first story about NSA mass surveillance operations. These incidents and many others have led to an era where the world is more heavily focused on privacy and trust. … More

The post Not all data collection is evil: Don’t let privacy scandals stall cybersecurity appeared first on Help Net Security.

Data Privacy Must Evolve Beyond Confidentiality

Most security systems today are built with data confidentiality in mind. This is a crucial exercise, but confidentiality only makes up for one dimension of data privacy. As security expert Bruce Schneier told the audience at SpiceWorld 2018, the time has come to reconsider our understanding of data privacy and how we strategize for it.

Because of the ways data is used today, we need to distribute more of that focus onto protecting the integrity and availability of data.

Learn the CIA Triad

More security professionals have begun to follow the CIA triad: confidentiality, integrity and availability. Together, these represent the most important aspects of data security.

Confidentiality — the current emphasis of data privacy — is about regulating the amount of access individuals and third-party organizations have to personal data as defined by thoroughly structured classification guidelines, according to Infosec Institute.

Integrity, meanwhile, “makes sure that the information is not tampered whenever it travels from source to destination or even stored at rest,” while the “availability concept is to make sure that the services of an organization are available.”

Examples of availability threats are denial-of-service (DoS) attacks and ransomware, both of which prevent users from accessing files or websites. An example of an integrity attack is a threat actor accessing an account to manipulate information, such as changing the numbers in a bank account — even if nothing is stolen, the information is no longer accurate.

Because the Internet of Things (IoT) now connects humans and machines in ways never seen before, integrity and availability threats are much worse than confidentiality threats, Schneier told the SpiceWorld attendees.

“The effects are greater because they affect life and property,” he said. “I’m concerned that someone could go in and steal my hospital records, but I’m more concerned that they don’t change my blood type.”

Shift the Way You Think of Data Privacy

The biggest security incidents of the past few years have revolved around data confidentiality issues. Cybercriminals have been able to steal credit card information, names, birth dates, Social Security numbers and even biometric data such as fingerprints that are part of a government worker’s security clearance files.

It’s no wonder in our present milieu that consumers are upset when their data confidentiality is compromised. Privacy regulations such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) are primarily designed to keep information confidential while giving control of that information to its rightful owner: the consumer.

However, GDPR also requires companies to make data readily available to consumers if there is a security incident. Schneier pointed out that data privacy has moved beyond consumer data, the information that surrounds an individual’s identity. We now have to consider the data generated by cars, home thermostats, drones, smart cities, medical devices, critical infrastructure and military systems — anything that is connected and generates data.

“We are starting to see DDoS attacks against critical systems,” Schneier said. “We are starting to see ransomware attacks on cars.”

We have to recognize the practical implications of attacks that target each element of the CIA triad. There is a fundamental difference between a spreadsheet crash leading to a loss of patient data and an IoT-connected pacemaker crash leading to a loss of life, so prioritize your security strategies accordingly. When integrity and availability of the data is given greater emphasis, we can design security systems to address potential vulnerabilities and attack vectors.

Protect Data Integrity With Backups and Audits

Addressing data integrity will involve aspects of data confidentiality, because files that are difficult to access are even more difficult to manipulate. A critical aspect of data integrity is ensuring that the information is accurate and unchanged. Backup systems are vital to protect data integrity as a way to check what is currently on file with what was on file before a suspected cybersecurity incident.

Regular audits of data managed by your organization will also provide a snapshot of what the files should look like over time. Is the information changing when it should be constant? Have the ebbs and flows been regular, or have they taken an unusual turn?

The better you know your data, the better you can ensure its integrity. Also, the fewer people touching the data, the better. Too many employees accessing or editing the data increases the chances of someone making an error that goes undetected until it is too late.

Data Availability Can Be the Difference Between Life and Death

Data availability ensures that relevant information is quickly accessible after a breach. Again, this is bolstered by having a solid backup or data loss recovery system in place.

Think about situations where availability could be an issue in your organization. Is there potential for a ransomware attack? A distributed denial-of-service (DDoS) attack? Infrastructure that is old and unprepared for a natural disaster or breach attempt?

Having a secondary source can protect against data availability risks. A data center in a different part of the country or world, cloud services that can restore a website’s accessibility in minutes, and tools and awareness training to lower the risk of ransomware attacks are all ways to decrease potential data loss and downtime.

Due to the increasing connectedness of the cyber world, confidentiality can no longer be handled as the sole aspect of data privacy. Improving the confidentiality, integrity and availability of data is critical not only for privacy issues, but as the potential difference between life and death.

The post Data Privacy Must Evolve Beyond Confidentiality appeared first on Security Intelligence.

Here are the most common cyber security threats that occur in the healthcare sector

Cyber attacks are growing at alarming rates with no signs of slowing down. Actually, a new attack can unfold right now, as we write this article.

What’s worrying is that these types of threats target everything and everyone from large and small organizations, to home users, or various industries and sectors.

The worst part is the impact and the damages caused. Recovering after a major cyber attack – whether it’s an organization, institution, or home user – it requires a mix of resources: time, money, qualified people, to get back on track.

The healthcare sector is no exception.

Last year, when the devastating WannaCry ransomware happened, healthcare was among the most affected sectors. The National Health Service (NHS) in England and Scotland was a prime target for cybercriminals with more than 40 NHS medical organizations and practices having their services disrupted.

Recently, the same institution disclosed a data breach in which confidential and sensitive data of 150,000 NHS patients have been disclosed. The incident was a result of a coding error by healthcare software supplier TPP.

According to a study from IBM Security, “healthcare organizations had the highest costs associated with data breaches – costing them $408 per lost or stolen record – nearly three times higher than the cross-industry average”.

The  2018 Thales Data Threat Report (Healthcare edition) stated that 77% of healthcare organizations have been breached, with some of the most valuable personal data about their patients and customers being exposed.

These numbers tell us just a part of the reality, and if statistics and findings didn’t raise your blood pressure, let’s see find out:

Why cybercriminals target the healthcare system

Money isn’t the prime motivator for malicious actors to target patients’ records, and manipulate data in ways that will determine doctors and other medical professionals to provide wrong diagnostics for different diseases.

All the protected healthcare information is valuable and attractive for cybercriminals knowing that these sensitive data is a matter of “life and death” and they can create chaos in institutions.

In many cases, the IT infrastructure used in hospitals and other medical institutions is vulnerable, because most of the medical devices used by doctors and nurses aren’t patched. Cybercriminals take advantage of software vulnerabilities, exploit them and hack hospitals, wreaking havoc.

The human nature is also vulnerable and untrained to spot such attacks, which lead to people getting easily lured into clicked on a malicious link or attachment send via email. Key findings from the 2018 Annual Healthcare Cybersecurity Report by Proofpoint pointed out that malicious actors “trick healthcare workers into opening an unsafe attachment, impersonate members of the executive team, instructing staff to wire money or send sensitive information.”

As we all know, in many countries, the healthcare system is viewed as critical and vital for the entire population along with electricity or transportation which makes it even more attractive to cybercriminals.

The growing number of healthcare IoT devices used by medical personnel to diagnose, monitor, and treat complicated disease cases represent another attractive target for malicious actors to exploit. After these devices are installed in a hospital, doctors and nurses don’t focus on the security and privacy aspects, but on its main purpose: to provide a better experience for patients and improve the medical workflow.

While cybersecurity, in general, isn’t a top priority for medical institutions, if all the products used are built to be “secure by default”, there will be less cyber threats to expose and compromise personal information.

Here are the main cybersecurity threats in healthcare

Any type of cyber threats can occur on a small or large scale for the healthcare sector, but what are the most frequent ones? And how can we prevent them from exposing our most valuable data?

Ransomware and advanced malware attacks 

These popular cyber threats remain lucrative for malicious actors which will continue to use it during their campaigns. Malware is a serious issue for all industries, but “ransomware exploded between Q2 and Q4 of 2017, dwarfing all other types of cyber attacks against healthcare companies combined”, said the report from Proofpoint. Also, WannaCry is one of the best examples.

According to Verizon’s 2018 Breach Investigations report, 92 percent of malware is still delivered by email. Of all the malware attacks out there, phishing emails will continue to be a persistent threat and “plague the healthcare sector”, say security experts.

There are a few reasons why this will not be going away. One is the evolving nature of the types of emails the hackers are sending, and another is not keeping the [warnings] to employees fresh,

added Susan Lucci, Senior privacy and security consultant.

Cybercriminals will not stop turning their attention to healthcare, but they will evolve their tactics with more sophisticated and targeted attacks to steal and compromise sensitive information.

How to protect yourself:

  • Train your employees about security awareness and teach them how to easily spot phishing emails, so they are not tempted to click on suspicious links or attachments received on the email.
  • Periodically check if your main email address shows up in Have I Been Pwned or Firefox Monitor to find out if your account is part of a data breach.
  • Don’t forget to secure every login on your online accounts with the two-factor authentication system.
  • We put together this actionable guide in which you will find the safety checklist to follow and prevent ransomware attacks.
  • Carefully consider how much personal information you share on social media, and consider revise your privacy settings for each social account.

Insider threats

According to the 2018 Protected Information Data Breach Report by Verizon, healthcare is the only industry in which internal actors represent the biggest risk to an organization. Moreover, key findings show that 58% of all healthcare data breaches and security threats are caused by insiders, people who have access to healthcare resources and important data.

When these individuals perform current medical tasks in a way that negatively affect an organization or institution, a lot of damage is caused: bad image for the organization, loss of patients’ trust, possible lawsuits and others.

How to mitigate them:

  • Educate and train your employees and other persons with access to critical medical resources about the top risks associated with certain behaviors, data protection of patients, or privacy. Focus on improving employees’ cyber resilience and learn them to adopt the mindset of working with security in mind.
  • Teach employees and medical personnel to use browser add-ons and extensions and always keep them enabled on browsers.
  • Rely on technology and implement solutions that allow decision-makers to detect healthcare data breaches quickly or even prevent them.
  • When data breaches are detected, the authorized persons need to respond effectively by initiating an investigation to reduce or limit the impact.

Cryptojacking attacks

These cyber threats have been one of the most popular attacks in 2018, almost surpassing ransomware, and they’re constantly evolving. The healthcare sector is also targeted by cryptojacking attacks, as malicious actors can target a vulnerable website and inject a script. Then, unprotected visitors on that website had their computers enslaved in order to mine cryptocurrency.

Mining software can be also installed on IoT medical devices and networks, and the rule is simple: the longer your computer runs, the more cybercriminals can use it to secretly mine cryptocurrencies.

How to stay safe:

  • Use a reputable antivirus product, coupled with an anti-malware solution that periodically scans your online traffic and blocks infected websites you could access.
  • Scan your system and see if you observe unusual activities at your computer, especially an increase at the CPU usage.
  • On any browser, use an Adblocker that has can stop cryptocurrency-mining scripts. One example is uBlock but you can also use an Adblock extension for your browser.
  • Remember to always keep your systems, networks, and software patched, especially your browser which is the direct target for some malicious actors.

IoT healthcare attacks

IoT continues to evolve and still be a hot topic. The adoption of the Internet-connected medical devices has proven to have great benefits for hospitals focused on improving infrastructure and keeping employees and patients’ data secure.

However, keep in mind that there’s no such thing as 100% secure software, so the medical personnel needs to practice precaution.

New research demonstrated that “hackers can <trick> or induce medical devices into sharing detailed information about the device’s inner workings.” Moreover, malicious actors can target specific devices to get error messages, gather information to customize a potential attack to be tailored to the target device.

Most of the IoT devices and software used in hospitals aren’t checked for updates and existing vulnerabilities are immediately exploited by cybercriminals. And from here we can unfold a scenario in which an upcoming cyber attack happens.

This is why more attention to the safety aspect is required, in order to protect patients’ personal information stored on these devices.

How to protect IoT medical devices:

  • Make sure you check for updates and apply them immediately, to prevent exposing your IoT medical devices to cyber attacks;
  • Remember to always use a secure Internet network and protect this network with a unique and strong password.
  • Medical institutions need to demand from manufacturers that software products are “secure by default” or/and improve devices security.
  • To reduce the impact of these attacks, manufacturers SHOULD take security seriously and work on providing transparency about devices security.
  • Decision-makers need to be aware of the importance of protecting these devices after deployment and put all efforts into keeping patients’ personal data secure.

Healthcare supply chain attacks

The supply-chain attack involves exploiting vulnerabilities in a supply network used by specific organizations. It could be a medical institution, such as a private or public hospital which is targeted by this type of attack.

These attacks happen when cybercriminals intercept a delivery from a supplier and inject malicious code directly into the medical devices delivered, without anyone being aware of the risks. Basically, hackers look for backdoors in the systems of a trusted partner/business that provide software for medical devices.

The worst part is that these products (considered legitimate) from medical devices makers “arrive at the destination” after being injected with malware and can compromise patients personal information.

How to mitigate supply chain attacks

  • To avoid such attacks and ensure the protection of medical records, medical institutions should require all third-parties to have certification (HIPAA) and meet the standards they need to meed and be compliant.
  • Have clear terms and conditions of established business agreements with suppliers and make sure they are fully met.
  • Limit employees access to specific data which is absolutely needed to perform their daily tasks.
  • As the old saying goes, prevention is the best medicine, so it’s for the best to have a crisis management plan in place and use it accordingly.
  • In case of a supply chain attack, ensure employees are trained to follow the company’s policy and procedure and lower the impact of data breaches.

These main cybersecurity threats will challenge healthcare organizations/institutions to find the best defense and protect patients and employees the most valuable data.

It’s worth reminding that the costs of these cyber threats in healthcare are too expensive to be ignored, so organizations need to allocate wisely budget for cybersecurity, educate employees with security in mind, and know the importance of securing health data.

During an interview for DefCamp 2018, Jelena Milosevic, Pediatric nurse and Independent researcher, emphasizes the importance of building a safe and secure environment in healthcare:

“Healthcare without (basic) security is like surgery without sterile instruments / The operation was (technically) a success, but the patient died from sepsis.”

Have you applied any of these security measures? Do you have others we should add? What about the security threats targeting healthcare? What else should we include in the list? Let us know, we’d love to know your thoughts!

The post Here are the most common cyber security threats that occur in the healthcare sector appeared first on Heimdal Security Blog.

Measuring privacy operations: Use of technology on the rise

Critical privacy program activities such as creating data inventories, conducting data protection impact assessments (DPIA), and managing data subject access rights requests (DSAR) are now well established in large and small organizations in both Europe and the United States, according to TrustArc and the International Association of Privacy Professionals (IAPP). “Among our thousands of members, we know that privacy teams are now reporting on a regular basis to company leadership, and consequently they need to … More

The post Measuring privacy operations: Use of technology on the rise appeared first on Help Net Security.

House GOP Campaign Arm Targeted by ‘Unknown Entity’ in 2018

Thousands of emails were stolen from aides to the National Republican Congressional Committee during the 2018 midterm campaign, a major breach exposing vulnerabilities that have kept cybersecurity experts on edge since the 2016 presidential race.

read more

A New Privacy Frontier: Protect Your Organization’s Gold With These 5 Data Risk Management Tips

This is the third and final blog in a series about the new digital frontier for data risk management. For the full picture, be sure to read part 1 and part 2.

Mining customer information for valuable nuggets that enable new business opportunities gets riskier by the day — not only because cyberthieves constantly find new ways to steal that gold, but also due to the growing number of privacy regulations for corporations that handle increasingly valuable data.

The enactment of the European Union (EU)’s General Data Protection Regulation (GDPR) in May of this year was just the start. Beginning in early 2020, the California Consumer Privacy Act of 2018 (CCPA) will fundamentally change the way businesses manage the personal information they collect from California residents. Among other changes, organizations will find a much broader definition of personal information in the CCPA compared to other state data breach regulations. Pundits expect this legislation to be followed by a wave of additional data privacy laws aimed at shoring up consumers’ online privacy.

One major factor behind these new regulations is the widely perceived mishandling of personal information, whether intentionally or unintentionally as a result of a serious data breach perpetrated by cybercriminals or malicious insiders.

Taming the Wild West With New Privacy Laws

The first GDPR enforcement action happened in September, when the U.K. Information Commissioner’s Office charged Canadian data analytics firm AggregateIQ with violating the GDPR in its handling of personal data for U.K. political organizations. This action highlights the consequences that come with GDPR enforcement beyond the regulation’s potential penalty of up to 20 million euros, or 4 percent of a company’s annual revenues worldwide, whichever is higher. It can also require the violator to cease processing the personal information of affected EU citizens.

Although the CCPA does not take effect until January 2020, companies that handle the personal information of Californians will need to begin keeping records no later than January 2019 to comply with the new mandate, thanks to a 12-month look-back requirement. The act calls for new transparency and disclosure processes to address consumer rights, including the ability to opt in and out, access and erase personal data, and prevent its sale. It applies to most organizations that handle the data of California residents, even if the business does not reside in the state, and greatly expands the definition of personal information to include IP addresses, geolocation data, internet activity, households, devices and more.

While it’s called the Consumer Privacy Act, it really applies to any resident, whether they are a consumer, employee or business contact. There may still be corrections or clarifications to come for the CCPA — possibly including some exclusions for smaller organizations as well as health and financial information — but the basic tenants are expected to hold.

Watch the on-demand webinar to learn more

Potential Civil Lawsuits and Statutory Penalties

The operational impact of these new regulations will be significant for businesses. For example, unlike other regulations, companies will be required to give consumers a “do not sell” button at the point of collecting personal information. Companies will also be required to include at least two methods to submit requests, including a toll-free number, in their privacy statements.

The cost of failure to comply with data privacy regulations is steep. Organizations could face the prospect of civil penalties levied by the attorney general, from $2,500 for each unintentional violation up to $7,500 for each intentional violation, with no upper limit. Consumers can also sue organizations that fail to implement and maintain reasonable security procedures and practices and receive statutory payments between $100 and $750 per California resident and incident or actual damages, whichever is greater. As one of the most populous states in the nation, representing the fifth-largest economy in the world, a major breach affecting California residents could be disastrous.

5 Tips to Help Protect Your Claim

The need to comply with data privacy regulations has obviously taken on greater urgency. To do it effectively requires a holistic approach, rather than one-off efforts aimed at each specific set of regulations. Organizations need a comprehensive program that spans multiple units, disciplines and departments. Creating such a program can be a daunting, multiyear effort for larger organizations, one that requires leadership from the executive suite to be successful. The following five tips can help guide a coordinated effort to comply with data privacy regulations.

1. Locate All Personal and Sensitive Data

This information is not just locked up in a well-secured, centralized database. It exists in a variety of formats, endpoints and applications as both structured and unstructured data. It is handled in a range of systems, from human resources (HR) to customer relationship management (CRM), and even in transactional systems if they contain personally identifiable data.

Determining where this information exists and its usage, purpose and business context will require the help of the owners or custodians of the sensitive data. This phase can take a significant amount of time to complete, so take advantage of available tools to help discover sensitive data.

2. Assess Your Security Controls

Once personal data is identified, stakeholders involved in creating a risk management program must assess the security controls applied to that data to learn whether they are adequate and up-to-date. As part of this activity, it is crucial to proactively conduct threshold assessments to determine whether the business and operating units are under the purview of the CCPA.

At the same time, it’s important to assess how personal information is handled and by whom to determine whether processes for manipulating the data need to change and whether the access rights of data handlers are appropriate.

3. Collaborate Across the Enterprise

Managing data risk is a team effort that requires collaboration across multiple groups within the organization. The tasks listed here require the involvement of data owners, line-of-business managers, IT operations and security professionals, top executives, legal, HR, marketing, and even finance teams. Coordination is required between data owners and custodians, who must establish appropriate policies for who can access data, how it should be handled, the legal basis for processing, where it should be stored, and how IT security professionals should be responsible for enforcing those policies.

4. Communicate With Business Leaders

Effectively communicating data risk, including whether existing controls are adequate or require additional resources and how effectively the organization is protecting customer and other sensitive data, requires a common language that can be understood by business executives. Traditional IT security performance metrics, such as block rates, vulnerabilities patched and so on, don’t convey what the real business risks are to C-level executives or board members. It’s critical to use the language of risk and convey data security metrics in the context of the business.

5. Develop a Remediation Plan

Once the business’s compliance posture with the CCPA is assessed, organizations should develop risk remediation plans that account for all the processes that need to change and all the relevant stakeholders involved in executing the plan.

Such a plan should include a map of all relevant personal information that takes into account where the data is stored, how it is used and what controls around that data need to be updated. It should also describe how the organization will safely enable access, deletion and portability requests of California residents, as well as process opt-out requests for sharing their data.

Automate Your Data Risk Management Program

Thankfully, there are tools available to help automate some of the steps required in developing and maintaining a holistic data risk management initiative. Useful data from security information and event management (SIEM), data loss prevention (DLP), application security, and other IT tools can be combined with advanced integration platforms to streamline efforts.

Privacy mandates such as the GDPR and the CCPA are just the start; a California-style gold rush of data privacy regulations is on the horizon. Countries such as Brazil and India are already at work on new data privacy laws. A comprehensive data risk management program established before more regulations go into effect is well worth its weight in gold.

Watch the on-demand webinar

The post A New Privacy Frontier: Protect Your Organization’s Gold With These 5 Data Risk Management Tips appeared first on Security Intelligence.

Marriott Data Breach Impacts Personal Information of up to 500 Million Guests

Marriott disclosed a breach of its Starwood reservation database that potentially affects an estimated 500 million guests.

Details of the Marriott data breach, which goes back to 2014, have been reported to law enforcement and regulatory authorities, according to the company. Marriott said it received an initial alert on Sept. 8 that an unauthorized third party had attempted to access the Starwood database. Further investigation revealed that an unknown entity copied and encrypted guest information and also attempted to steal the database. The public first learned of the data breach when it was disclosed on Nov. 30.

What Personal Information Was Stolen?

Although the company stated that it had not finished decrypting the copied information at the time of disclosure, it confirmed that the personally identifiable information (PII) of approximately 327 million people might have been comprised. The data includes payment card numbers and expiration dates, though it is not yet known if the two keys needed to decrypt the Advanced Encryption Standard (AES-128) protocol used to protect this information were also stolen.

In addition to payment card information, threat actors also accessed the 327 million customers’ names, passport numbers, Starwood Preferred Guest account information, dates of birth, genders and email addresses. For the remaining guests, the information was limited to names and mailing or email addresses.

The Marriott incident is one of the largest in history, and could be one of the first opportunities for European Union regulators to flex their General Data Protection Regulation (GDPR) muscles. The GDPR was enacted in late May, promising severe fines for violations of data privacy and disclosure.

Response to the Marriott Data Breach

Since the Marriott data breach was disclosed, two class-action lawsuits seeking damages for the exposure of personal information have been filed. Multiple news outlets, including The New York Times, have reported that the Federal Bureau of Investigation (FBI) is tracking the situation, and investigations have been launched by attorneys general in several states.

Customers affected by the Marriott data breach can access a dedicated website and call center with any questions. The company is also offering guests a free year of the WebWatcher monitoring software to help identify any misuse of personal information.

Of course, Marriott is far from alone in dealing with large data breaches. According to Ponemon’s “2018 Cost of a Data Breach Study,” the number of mega breaches — those involving more than 1 million records — has nearly doubled from 2013 to 2017.

Sources: Marriott, ZDNet, The New York Times

The post Marriott Data Breach Impacts Personal Information of up to 500 Million Guests appeared first on Security Intelligence.

Fight Evolving Cybersecurity Threats With a One-Two-Three Punch

When I became vice president and general manager for IBM Security North America, the staff gave me an eye-opening look at the malicious hackers who are infiltrating everything from enterprises to government agencies to political parties. The number of new cybersecurity threats is distressing, doubling from four to eight new malware samples per second between the third and fourth quarters of 2017, according to McAfee Labs.

Yet that inside view only increased my desire to help security professionals fulfill their mission of securing organizations against cyberattacks through client and industry partnerships, advanced technologies such as artificial intelligence (AI), and incident response (IR) training on the cyber range.

Cybersecurity Is Shifting From Prevention to Remediation

Today, the volume of threats is so overwhelming that getting ahead is often unrealistic. It’s not a matter of if you’ll have a breach, it’s a matter of when — and how quickly you can detect and resolve it to minimize damage. With chief information security officers (CISOs) facing a shortage of individuals with the necessary skills to design environments and fend off threats, the focus has shifted from prevention to remediation.

To identify the areas of highest risk, just follow the money to financial institutions, retailers and government entities. Developed countries also face greater risks. The U.S. may have advanced cybersecurity technology, for example, but we also have assets that translate into greater payoffs for attackers.

Remediation comes down to visibility into your environment that allows you to notice not only external threats, but internal ones as well. In fact, internal threats create arguably the greatest vulnerabilities. Users on the inside know where the networks, databases and critical information are, and often have access to areas that are seldom monitored.

Bring the Power of Partnerships to Bear

Once you identify a breach, you’ll typically have minutes or even seconds to quarantine it and remediate the damage. You need to be able to leverage the data available and make immediate decisions. Yet frequently, the tools that security professionals use aren’t appropriately implemented, managed, monitored or tuned. In fact, 44 percent of organizations lack an overall information security strategy, according to PwC’s “The Global State of Information Security Survey 2018.”

Organizations are beginning to recognize that they cannot manage cybersecurity threats alone. You need a partner that can aggregate data from multiple clients and make that information accessible to everyone, from customers to competitors, to help prevent breaches. It’s like the railroad industry: Union Pacific, BNSF and CSX may battle for business, but they all have a vested interest in keeping the tracks safe, no matter who is using them.

Harden the Expanding Attack Surface

Along with trying to counteract increasingly sophisticated threats, enterprises must also learn how to manage the data coming from a burgeoning number of Internet of Things (IoT) devices. This data improves our lives, but the devices give attackers even more access points into the corporate environment. That’s where technology that manages a full spectrum of challenges comes into play. IBM provides an immune system for security from threat intelligence to endpoint management, with a host of solutions that harden your organization.

Even with advanced tools, analysts don’t always have enough hours in the day to keep the enterprise secure. One solution is incorporating automation and AI into the security operations center (SOC). We layer IBM Watson on top of our cybersecurity solutions to analyze data and make recommendations. And as beneficial as AI might be on day one, it delivers even more value as it learns from your data. With increasing threats and fewer resources, any automation you can implement in your cybersecurity environment helps get the work done faster and smarter.

Make Incident Response Like Muscle Memory

I mentioned malicious insider threats, but users who don’t know their behavior creates vulnerabilities are equally dangerous — even if they have no ill intent. At IBM, for example, we no longer allow the use of thumb drives since they’re an easy way to compromise an organization. We also train users from myriad organizations on how to react to threats, such as phishing scams or bogus links, so that their automatic reaction is the right reaction.

This is even more critical for incident response. We practice with clients just like you’d practice a golf swing. By developing that muscle memory, it becomes second nature to respond in the appropriate way. If you’ve had a breach in which the personally identifiable information (PII) of 100,000 customers is at risk — and the attackers are demanding payment — what do you say? What do you do? Just like fire drills, you must practice your IR plan.

Additionally, security teams need training to build discipline and processes, react appropriately and avoid making mistakes that could cost the organization millions of dollars. Response is not just a cybersecurity task, but a companywide communications effort. Everyone needs to train regularly to know how to respond.

Check out the IBM X-Force Command Cyber Tactical Operations Center (C-TOC)

Fighting Cybersecurity Threats Alongside You

IBM considers cybersecurity a strategic imperative and, as such, has invested extensive money and time in developing a best-of-breed security portfolio. I’m grateful for the opportunity to put it to work to make the cyber world a safer place. As the leader of the North American security unit, I’m committed to helping you secure your environments and achieve better business outcomes.

The post Fight Evolving Cybersecurity Threats With a One-Two-Three Punch appeared first on Security Intelligence.

First Smartphone: Are You Putting Cyberbullies Under the Tree This Year?

first smartphone

There’s pressure — lots of pressure. And not the typical I-want-a-bike or a doll-that-poops kind of pressure your kids may have foisted upon you just a few Christmases ago. No, this is the big leagues. Your child wants his or her first smartphone to show up under the tree this year. Is your son or daughter ready? Bigger question: Are you ready?

A first smartphone is a big step in a family that can’t be unstepped. Because it’s not about what a phone used to be about, which is dialing the number of a person you need to speak with. Today, giving your child a cell phone unlocks a hidden wardrobe door that leads to a whole new Narnia-like world abounding in both hills of goodness and valleys of emotional punches.

A first cell phone isn’t a casual purchase. Besides the financial investment (these things aren’t cheap), there’s a family dynamic that will likely change and a peer-to-peer dynamic that will go through its tumultuous metamorphosis.

Here are a few things to consider and talk through with your family before making your final decision to purchase that first smartphone.

Family talking points

first smartphone

  1. Maturity milestones. A phone is a small computer your child will carry in his or her pocket from this point forward. Has your child demonstrated maturity in other areas? Can he or she stay home alone responsibly for short periods? Does your child take care of his or her possessions, complete chores, and homework on time and without you nagging? Does your child earn/save/spend his or her allowance in a mature way? Does your child show empathy for others or deal with conflict well? These milestones are worth examining. If you feel uneasy about your child’s overall maturity, you might consider setting some goals to move your child toward cell phone ownership sometime in the future.
  2. The cyberbully factor. We know you’d never willingly invite a cyberbully into your home and especially wouldn’t put one under the tree for your child to discover on Christmas morning. However, that’s the reality of what phone ownership will bring sooner or later. Is your child emotionally strong enough to handle mean comments, feeling excluded, or being criticized or joked with in public? How does your child handle peer conflict without a phone? The emotional impact of owning a phone is not something you will see advertised, but it’s a huge factor to consider.
  3. Peer pressure. Digital peer pressure is a real thing. There’s pressure to dress a certain way, post pictures a certain way, and post activities online to gain status points in certain social circles. The selfie craze, online dares, digital trends and hashtags, and other pressures are all part of the smartphone equation.
  4. Harmful content. There’s a lot of great content online — educational, entertaining, and fun — but there’s a lot of content that is harmful to kids such as pornography, hateful ideology, and cruelty. Can your child resist the temptation to seek out or look at concerning content? Can your child discern ideas? Are you as a parent willing to take the extra steps to filter inappropriate content?
  5. Privacy issues. With a new phone comes great responsibility toward guarding first smartphoneone’s personal information. Do you have the time to communicate, teach, and monitor your child’s online footprint? Getting kids off to a strong start will require much time and care up front until your son or daughter has a grasp on the value of personal data.
  6. Social media. Social media owns vast real estate on a child’s phone and includes everything from gaming, to social networks, to various “communities” attached to apps. Anywhere your child can create a username and profile and connect with others, opens him or her up to risks of cyberbullying, strangers, and scams. Discuss new apps and establish ground rules and phone usage boundaries that make sense for your family. The most important part of setting rules is to enforce the rules.
  7. Screentime ground rules. With a first smartphone comes the risk of too much screen time. Addiction to online gaming, social media, and phones, in general, have become a public health concern. Put family rules in place that set time limits and phone free zones. Keep communication open and consistent to keep your kids following healthy screen time habits.

 

 

The post First Smartphone: Are You Putting Cyberbullies Under the Tree This Year? appeared first on McAfee Blogs.

Affected by a Data Breach? 6 Security Steps You Should Take

It’s common for people to share their personal information with companies for multiple reasons. Whether you’re checking into a hotel room, using a credit card to make a purchase at your favorite store, or collecting rewards points at your local coffee shop, companies have more access to your data than you may think. While this can help you build relationships with your favorite vendors, what happens if their security is compromised?

A high-profile hotel and another popular consumer brand’s perks program recently experienced data breaches that exposed users’ personal information. If you think you were affected by one of these breaches, there are multiple steps you can take to help protect yourself from the potential side effects.

Check out the following tips if you think you may have been affected by a data breach, or just want to take extra precautions:

  • Change your password. Most people will rotate between the same three passwords for all of their personal accounts. While this makes it easier to remember your credentials, it also makes it easier for hackers to access more than one of your accounts. Try using a unique password for every one of your accounts or employ a password manager.
  • Place a fraud alert. If you suspect that your data might have been compromised, place a fraud alert on your credit. This not only ensures that any new or recent requests undergo scrutiny, but also allows you to have extra copies of your credit report so you can check for suspicious activity.
  • Freeze your credit. Freezing your credit will make it impossible for criminals to take out loans or open up new accounts in your name. To do this effectively, you will need to freeze your credit at each of the three major credit-reporting agencies (Equifax, TransUnion, and Experian).
  • Consider using identity theft protection. A solution like McAfee Identify Theft Protection will help you to monitor your accounts, alert you of any suspicious activity, and help you to regain any losses in case something goes wrong.
  • Update your privacy settings. Be careful with how much of your personal information you share online. Make sure your social media accounts and mobile apps are on private and use multi-factor authentication to prevent your accounts from being hacked.
  • Be vigilant about checking your accounts. If you suspect that your personal data has been compromised, frequently check your bank account and credit activity. Many banks and credit card companies offer free alerts that notify you via email or text messages when new purchases are made, if there’s an unusual charge, or when your account balance drops to a certain level. This will help you stop fraudulent activity in its tracks.

And, of course, to stay updated on all of the latest consumer and mobile security threats, follow me and @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Affected by a Data Breach? 6 Security Steps You Should Take appeared first on McAfee Blogs.

How to Future-Proof Your Enterprise With Quantum-Safe Cryptography

Quantum computers are poised to solve currently intractable problems for traditional technology. At some point in the next 10 or 15 years, quantum computers may be powerful enough to put your data at risk by compromising your cryptography. Data protected by today’s encryption methods may become susceptible to decryption by the unprecedented processing power of the emerging quantum computer.

Act Today to Prepare for the Future

The urgency to act now is based on a data risk timeline. Data stored today may need to remain confidential or valid for up to 30 years. There are four factors that influence the data risk timeline:

  1. The strength of your current cryptographic algorithms. Weaker algorithms may be at risk before stronger algorithms. The challenge is to know your complete cryptographic inventory.
  2. The security time value of data being protected. How long must the data be protected throughout the life cycle of a product?
  3. Crypto-agility. How quickly can an enterprise upgrade existing cryptographic deployments? For some organizations, it may take years.
  4. The pace of quantum technology improvements.

What Is Quantum-Safe Cryptography?

Quantum-safe cryptography refers to algorithms that run on today’s classical computers but are secure against quantum adversaries. The implication is that we can protect data today.

IBM develops and standardizes quantum-safe cryptographic algorithms in an open and collaborate fashion. Cryptographic standards are important to facilitate the widespread and interoperable adoption of security. IBM believes that lattice-based cryptography has the best combination of quantum-resistant properties and is part of three lattice-based consortium submissions to the National Institute of Standards and Technology (NIST)’s call for post-quantum standards.

Why Crypto-Agility Is Crucial

Few enterprises know the full range of cryptographic solutions they have deployed. For some, it may take years to upgrade their cryptography, as with migrations from SHA-1 to SHA-2 or Triple Data Encryption Standard (TDES) to Advanced Encryption Standard (AES). The transition from today’s cryptography to quantum-safe technology offers an opportunity to rethink how applications consume cryptography. Cryptographic agility is a key aspect of cybersecurity, and organizations would be wise to leverage it as part of their quantum-safe journey.

If you’re interested in setting up a Quantum Risk Assessment for your organization, please get in touch.

The post How to Future-Proof Your Enterprise With Quantum-Safe Cryptography appeared first on Security Intelligence.

Things To Understand To Prevent Data Loss

By Julia Sowells Senior Information Security Specialist at Hacker Combat, Customer data is the lifeblood of any business entity; they are driven towards the increasing obligation of securing it as they

The post Things To Understand To Prevent Data Loss appeared first on The Cyber Security Place.

5 Recommendations to Improve Retail Cybersecurity This Holiday Season

This is the first installment in a two-part series about how retailers can help protect their enterprises this holiday season.

With the holiday season upon us, retailers have an opportunity to boost revenues before the end of the year. Any increase in profit at the expense of retail cybersecurity, however, can cost a company more in the long run, given the rising size and costs of data breaches and associated revenue and reputational loss. With extra web traffic and high order volumes coming in, the holiday shopping season can be a particularly perilous time for businesses seeking to safeguard customer information.

A Timely Cause for Retail Cybersecurity Concerns

Tis the season for retailers to buckle down on security, since data breaches typically peak just prior to and during the holiday shopping season. IBM X-Force Incident Response and Intelligence Services (IRIS)’s assessment of X-Force Interactive Security Incident data recorded between 2012 and 2017 revealed that 41 percent of all retail and consumer product breaches occurred between September and December, elevating the risk for enterprise network breaches during that time of year. More than two-thirds of all records in the consumer products sector were leaked, lost or stolen during these last four months of the year — that’s nearly 180 million records each year.

Don’t Reward the Naughty

A growing number of retailers now offer rewards programs to retain and nurture their customer bases. For shoppers to join these programs, most retailers ask for personally identifiable information (PII) such as name, address, phone number and email address. If ever compromised, an attacker can correlate this customer PII to payment data and use it to aggregate information to compromise the user’s identity.

In line with recent regulatory laws such as the General Data Protection Regulation (GDPR), retailers should collect the least possible amount of PII on customers, have a clear purpose for each data element, and make sure to always keep data encrypted and safeguarded, both in transit and at rest.

Phishing Is in Season

Attackers don’t wait for the holiday season to begin launching spam campaigns, which are often employed as the first stage of their overall fraud and attack campaigns. Analysis of X-Force spam honeypot data collected between 2015 and 2018 revealed a notable rise in the average volume of spam emails beginning in August, with September slightly lower and October ranking third.

Average Spam per Month

Figure 1: Total volume of spam emails recorded, 2015–2018 (Source: IBM X-Force)

Preventing and responding to data breaches leading up to and during the holiday shopping season has become imperative. It is incumbent on retail security professionals to perform due diligence during this time, and there are several ways to accomplish this goal.

Below are five holiday season tips for retailers to help make your enterprise a safer shopping environment. These techniques can help retailers identify impending data breaches and sidestep the costs associated with a major data breach.

While I’ve listed these tips in the order of what I generally consider to be top-of-mind for retailers, this list can be customized to serve your organization’s specific needs.

1. Mitigate the POS Malware Threat

After a popular big box retailer suffered a breach in 2013, public awareness around the vulnerability of point-of-sale (POS) systems grew exponentially. That breach was facilitated by malware that infected POS machines and helped threat actors access a large volume of credit card information to sell to other criminals on the dark web. This intrusion resulted in the theft of more than 110 million records.

Five years later, POS malware continues to plague retailers. According to IBM X-Force, 74 percent of publicly reported POS malware breaches in 2017 impacted the retail sector. X-Force IRIS has observed malicious actors using POS malware, such as FrameworkPOS and PoSeidon, to siphon credit card data from POS terminals. Web-based malware, which steals credit card data on the fly as online transactions are processed, is also gaining steam.

To help mitigate these risks, both in physical and virtual realms, retailers should take the following steps:

  • Use some form of malware detection on your entire network to include the network of POS systems.
  • Test the devices’ hardware and software (more to come on penetration testing in the second installment of this series) and keep devices up-to-date through regular patching.
  • Work with a supplier that will contractually adhere to both your regulatory standards and security requirements.
  • When using mobile POS, have controls in place to ensure the integrity of the hand-held device and the encryption of its communication channels with the server that processes and stores card data.
  • Ensure any mobile payment system is from a trusted provider that supplies regular updates, patches, and equipment upgrades to comply with advances in encryption requirements and evolving threats.

Cybercriminals also commonly steal credit card data through payment card skimmers. These physical devices are fitted into the mouth of card readers and work by copying track data from the credit card and storing it on a memory chip inside the skimming device. In addition to retail establishments, skimmers are often found in ATMs, restaurants and gas stations.

As a precaution, retailers should frequently search for devices on their POS terminals and swiping equipment. Attackers typically attach skimmers to the device by sliding them onto the scanners and collecting them later. To check for a skimmer, examine devices daily and pull on the scanner if anything appears different. If part of the device comes off, it may be a skimming device. Call your service provider and IT security team to report it before resuming activity with that terminal or device.

With security controls and practices becoming more efficient, threat actors have resorted to gluing card skimmers to machines. This makes it difficult to detach by simply pulling it off the affected device. Retailers should train employees in all locations to recognize the proper look and components of their POS terminals and swiping devices. Employees should also know how to report suspicious devices.

2. A Clean Network Is a Safe Network

Payment card data carries immediate monetary value to criminals, and there are many methods by which they aim to steal it.

One tactic IBM X-Force researchers have seen increasingly often is the injection of malicious code into legitimate e-commerce websites. By compromising websites where people shop online, attackers can send payment data submitted during customer checkout to their own infrastructure.

To help reduce the likelihood of becoming a feeding ground for criminals, online retailers should take the following steps:

  • Harden the security of underlying web servers.
  • Limit access to critical assets and properly manage the privileges of those that maintain them.
  • Ensure that web applications are secure, harden them against threats like SQL injections and other common attacks, and have them tested regularly.
  • Deploy a change monitoring and detection solution to spot unauthorized modifications to your e-commerce platform’s web hosting directories. If this is not feasible, schedule periodic, manual reviews of these assets.

Account takeover (ATO), which occurs when a threat actor gains unauthorized access to an online account that belongs to someone else, can also affect e-commerce customers. With access to shoppers’ accounts, fraudsters can wreak havoc by stealing stored payment data, making fraudulent purchases and rerouting existing orders to a different address, for example.

Unauthorized access requires the use of legitimate credentials, which criminals can attain through a variety of tactics. The most common methods include phishing, brute-forcing weak passwords and launching SQL injection attacks on the web application itself.

You can help mitigate these threats by practicing good network hygiene. Here are some useful tips retailers can apply today to lower the risk of user account compromises:

  • Employ the most recent patches for all hardware, internal and external software, network communication protocols, and database security protocols.
  • Sanitize user input to prevent injection attacks.
  • Prioritize patching for the threats most relevant to your organization. Look out for the most-exploited vulnerabilities and ensure that internet-facing servers and systems are up to date.
  • Always consult your local computer emergency response team (CERT), IBM X-Force Exchange and other threat intelligence sources to gather the latest news on vulnerabilities and mitigation techniques.
  • Enforce multifactor authentication (MFA) for employees.

3. Go to Your Separate Corners

Cybercriminals are always leveraging new ways to steal payment card data and correlate it with PII. Elevated volumes of web traffic during the holiday season provide attackers with even more targets and opportunities.

To help keep customer data safe, even in cases where criminals manage to infiltrate assets, security teams should keep PII, financial data and POS information separate by segmenting enterprise networks. By keeping this information separated and encrypted, attackers will find it much harder to correlate data on customers. While segmenting a network can be an intensive process, it’s a small price to pay to keep customer data safe.

In network segmentation, allow only one IP address per segment to communicate at a time to detect suspicious traffic. While an attacker may spoof his or her IP address, this control can allow defenders to find out about most intruders rather easily. Here are some other best practices to consider:

  • Conduct internal audits for segment crossover to ensure that segregated data sets do not get mixed over time and appear in other places on the network, which can help attackers with identity theft.
  • Deploy web application firewalls (WAFs) to help ensure that incoming traffic is filtered, monitored and blocked to and from web applications to mitigate threats such as cross-site scripting (XSS) and SQL injection.
  • As a secondary measure, a firewall should be implemented to effectively govern all traffic coming in and out of the network. Firewall configuration is a key element in its effectiveness and should be performed by a certified network technician.
  • Have administrative users log in with a lower privilege level before escalating their privileges to perform updates and maintenance.
  • Prevent sensitive users and systems from communicating with the internet.

4. Learn From History and Educate Users

Nearly every company has some kind of data protection training in place. To make employee training programs more effective, organizations must understand that training materials are sometimes clicked through at a rapid pace to complete them as quickly as possible in favor of getting back to work. So how can an organization effectively educate their users?

  • Plan for role-based training of all employees in the organization.
  • Train employees on both physical and digital security.
  • Conduct short training sessions and field-test them by asking for employee feedback.
  • Launch an internal phishing campaign: Send a spoofed email from a dummy account with official-sounding names, titles and subjects, and track the number of users who click on the links or attachments. Offer additional training according to the conclusions from the campaign.
  • Identify users who need remedial training and retest as needed.
  • Most importantly, provide all users with an easily accessible resource to report issues. Users should be able to contact IT security with any question or suspicion.

For education to be effective, it has to be repetitive and stay top-of-mind for users across the entire organization. Get management to support awareness campaigns and find opportunities to educate users. Having vigilant employees makes mitigating attacks during the holiday season that much more effective. Frequent email reminders, illustrative posters and communicating best practices during team meetings can demonstrate your organization’s commitment to secure day-to-day conduct. Giving users personalized attention can go a long way toward making the message resonate with them — for example, you might consider gifting a security-themed mug for the holiday season.

5. Use Network IP Whitelists and Blacklists

Whitelists are IP addresses or domains used specifically for allowing access, whereas blacklists are used to help prevent IP addresses or domains from entering a network. Whitelists and blacklists are useful for keeping unauthorized and authorized connections within or outside the network. Keeping these lists up-to-date demands some diligence, but they can be crucial to boosting network security.

Filtering IPs according to these lists is more suitable for enterprises that do not manage e-commerce activity, since e-commerce companies have to accept inbound requests from all over the world, especially during the holiday shopping season.

These lists are much easier to maintain for networks that do not face external customers because blacklists can be used on both inbound and outbound access to help block known malicious hosts from communicating or accessing the organization’s data and assets. Below are some basic tips for filtering hosts:

  • Blacklist any IP addresses known to be malicious. Constantly updated lists can be fed into security solutions directly from threat intelligence platforms.
  • Should a blacklisted IP address have legitimate reasons for communicating with the network, investigate, confirm and allow access via the whitelist.
  • Whitelists should include any internal company addresses.
  • Whitelists should exclude any websites that are not relevant for employees carrying out their daily tasks (e.g., social media, webmail, etc.).
  • It is imperative to verify these lists periodically to help ensure that all information is accurate.
  • Should any IP addresses on the whitelist become outdated, it should be promptly removed or moved to the blacklist.
  • Keeping allowed and banned IP addresses from becoming intermingled is a basic premise of effective whitelist/blacklist practices.

Stay Tuned for More Holiday Season Tips for Retailers

There is no such thing as unimportant data. Take every necessary precaution to help protect enterprise and customer data by implementing strong retail cybersecurity controls, educating users and following current best practices. Maintaining customer confidence in your ability to protect their PII can result in more business, increased customer loyalty and stronger organizational reputation.

Stay tuned for five more tips to help retailers stay secure this holiday season.

Read the latest IBM X-Force Research

The post 5 Recommendations to Improve Retail Cybersecurity This Holiday Season appeared first on Security Intelligence.

How Daniel Gor Helps Protect the World — and His Grandparents — From Financial Fraud

Daniel Gor might be “just a regular guy” by his own account, but he’s doing important work that shouldn’t be overlooked. As a solution engineer on IBM Trusteer’s fraud analyst team, Daniel spends his days helping to protect our hard-earned cash from fraudsters.

“There’s a nice feeling knowing that you’re with the good guys,” Daniel said as he talked about social engineering and automated hacking from his office in Tel Aviv, Israel. And, as the product of two cultures, Daniel has a more global view of financial fraud than most.

Born in New York and raised in Miami through his early years, Daniel moved to Israel at the age of seven when his parents decided they wanted to be closer to their families. Today Daniel has a family of his own — a wife and seven-month-old daughter — and still lives close to his extended family in Ra’anana, a suburb not far from Tel Aviv.

He said the impact of two very different cultures sometimes comes out in his work style: A combination of American diligence and persistence with a hint of the typical Israeli “chutzpah.” He said his experiences in the army, as part of Unit 8200 in the Israeli Intelligence Corps, and at university gave him “perspective about how to get things done and how to approach tasks.”

Namely, he said, there’s an element of searching for the truth, “even if you don’t go by all the rules.” That comes in handy when writing policies for his fraud analyst colleagues.

Humble Beginnings as a Financial Fraud Analyst

Daniel graduated from university less than two years ago and went straight to work at IBM Trusteer. He started as a fraud analyst, conducting research to determine the rules the team needed to establish to protect financial data for a range of banks. The team writes rules and policies that are applied behind the scenes for the banks’ different applications; these, in turn, help identify behavioral anomalies that may indicate a fraud attempt.

Each analyst is responsible for monitoring the performance of the policies and rules at several banks; this often constitutes hundreds of rules and reams of data. Daniel’s firsthand experience as an analyst informs his current work as a solution engineer to automate processes designed to assist analysts in this monitoring and, in addition, implement machine learning algorithms that can strengthen the policies even more.

But rules and policies are just one part of the equation. Banks also need to build a picture of what each customer’s “digital identity” looks like so they can detect fraud sooner and more efficiently. Without an idea of how Joe from Jacksonville regularly interacts with his accounts, the bank will never know whether Joe’s profile has been compromised. This is an entirely new research field that Daniel is a part of.

Daniel Gor

Automated Behavioral Analysis Is a Game-Changer

In his present role as a solution engineer, Daniel partners with the team to analyze behavior indicators using machine learning models. He trains the models to identify behavioral anomalies and then writes those models as rules in the bank’s policies.

So that phone call you got from the bank asking if you were currently hesitant or suspiciously stalling while committing a transaction? That’s likely because, thanks to Daniel’s work, your bank identified an anomaly in your normal behavior patterns.

Daniel believes automation technology and AI have had a “great impact” on security in the financial sector.

“The machine learning algorithms are so smart now, they can detect anomalies only by mouse movement or the time that the fraudster spends on a page inside the account,” he explained. “The AI allows us to detect those anomalies in the user’s behaviors.”

Standing Up for Good Values

Unfortunately, fraudsters continue to exploit our human innocence and conduct artful sophistry such as social engineering to target vulnerable banking customers and steal their credentials. Daniel said he’s been surprised at the sophistication and methods used by these fraudsters, who can go so far as calling customers posing as bank personnel to supposedly help them recover money.

“In a way, I was surprised at how people can exploit people’s good natures and vulnerabilities,” he said.

In light of this threat, Daniel noted that he works in cybersecurity so his grandparents can live their lives without fear of being deceived every time the phone rings. And to those who are considering following in his footsteps, Daniel encouraged aspiring cybersecurity professionals to “just do it.” While tech careers are becoming more and more coveted, he believes the goal of working in a company “where you feel you’re adding to the world with good values” is worth aspiring to.

“In a way, I can say that I’m working for myself,” he said. “I want my money to be safe in a place only people I trust have access to, and it’s very important for the world to have these kinds of shields from people that are eventually trying to steal our money, to steal credentials. The world needs companies that are here to prevent those kinds of cases.”

Meet Fraud Analyst Shir Levin

The post How Daniel Gor Helps Protect the World — and His Grandparents — From Financial Fraud appeared first on Security Intelligence.

C-Suite: GDPR Could Lead to Greater Risk of Breaches

Almost a quarter of UK and German businesses (23%) believe the GDPR may have resulted in a greater risk of data breaches, six months after the legislation was introduced.  The

The post C-Suite: GDPR Could Lead to Greater Risk of Breaches appeared first on The Cyber Security Place.

Keeping data swamps clean for ongoing GDPR compliance

The increased affordability and accessibility of data storage over recent years can be both a benefit and a challenge for businesses. While the ability to stockpile huge volumes and varieties of data can deliver previously unattainable intelligence and insight, it can also result in ‘data sprawl’, with businesses unclear of exactly what information is being stored, where it’s being held, and how it’s being accessed. The introduction of the General Data Protection Regulation (GDPR) in … More

The post Keeping data swamps clean for ongoing GDPR compliance appeared first on Help Net Security.

Why Is the Retail Industry Still Lacking Security?

As another busy shopping season kicks into high gear, many of us will head to online retail sites and apps to check items off their holiday gift list. Security leaders should be mindful that if users do their shopping while at work, they are putting sensitive data — and possibly even the corporate network — at risk. That’s because retail industry sites and systems are too often poorly secured.

A recent survey from third-party risk management firm SecurityScorecard found that retail is among the lowest-ranked industries in terms of its security stance. The report looked at 1,444 domains in the industry with an IP footprint of at least 100 and found that retail had the second-lowest app security performance among major sectors, outperforming only the entertainment industry. What are retailers doing wrong?

Why Can’t Retailers Make the Grade?

“This year the retail industry’s security posture fell lower than in years past, both in application security and social engineering,” Fouad Khalil, head of compliance at SecurityScorecard, said in a press release. “To remain competitive, retailers are adopting new payment and digital technologies, exposing them as prime targets for cybercriminals.”

Despite the establishment of the Payment Card Industry Data Security Standard (PCI DSS) in 2004, SecurityScorecard found that many retailers are largely ignoring it. More than 90 percent of the retail domains analyzed indicated noncompliance with the regulation. Retailers in violation of PCI compliance face steep financial penalties if they are breached.

“As organizations assess their compliance with PCI DSS, they must be able to detect, remediate and recover from any threats or vulnerabilities adding risk to unauthorized access to CDE,” said Khalil in response to the findings.

Listen to the podcast: Examining the State of Retail Security

The Customer Experience Trumps Retail Security

Convenience and the user experience have always contributed to poor retail app security, noted Ron Schlecht, managing partner at cybersecurity consulting firm BTB Security.

“The focus is so much on how technology fills or creates business value, that security is oftentimes an afterthought,” he said. “The only true way to get ahead of this issue in this industry and to protect itself from an increasing level of sophistication in attacks is executive buy-in to the issue, as well as a cohesive security strategy at each organization to make this a priority.”

In an extremely competitive sales landscape, retailers still place precedence on what users want, and front-end ease of transaction wins over back-end retail app security. As a result, according to Mike Wilson, chief technology officer (CTO) of PasswordPing, merchants are reluctant to implement security measures that could get in the way of making a sale.

“Any ‘fraud-proof’ e-commence solution would need to include so many obstacles to block bad actors that real customers would find it practically impossible to complete a transaction,” said Wilson. “Many industries are able to apply security solutions that add some friction to their user experience in exchange for better security, but the retail industry knows that their consumers will go elsewhere if it’s not a seamless experience.”

Attackers Exploit Poor Security Awareness in Retail

Retailers have historically displayed little awareness about security. Despite numerous high-profile breaches over the years that have impacted major merchants, that dearth of understanding continues to cause problems.

The SecurityScorecard report noted that social engineering scams that target retailers are on the rise and ranked the industry last in security against such threats. As retail becomes increasingly digital, this trend could become even worse.

“The way we shop has changed drastically in the last few years,” said Migo Kedem, senior director of product at SentinelOne. “Retail is traditionally a low-tech business. The new technology brings new security challenges, and these ‘digital shoplifters’ can’t be simply scared away using security sensors. The current way of life requires a different security approach that can protect your assets from cyberthreats.”

Scott Swenka, an IT security specialist working for a large grocery chain, believes a lack of security-minded leadership is causing the industry to fall behind others when it comes to risk mitigation.

“They lag behind because most public retail organizations have boards that are built out of retailed-based leaders and simply do not have an understanding of technology and how it affects them,” he said.

How Can Retailers Catch Up?

While PCI does not appear to have improved security in retail, regulations that target point-of-sale (POS) systems have the potential to make a measurable impact in the future, said Jim Barkdoll, CEO at security vendor TITUS.

“Regulation will force the necessary cultural shift in how retailers approach security,” he predicted. “Even those that have had a breach tend to relax their focus on security practices after the public attention around their breach wanes, driving long-term security investments lower on their list of priorities. Regulation changes that and will force a continued and consistent adherence to security policies and practices.”

Security leaders at retail organizations can address this problem by practicing secure development and operations (DevSecOps) and monitoring emerging threats in the digital landscape. If developers build retail apps with security baked in from the beginning of the development process, retail systems will gradually become more secure from the ground up.

Data should be encrypted during system communication and storage, and apps should employ authentication between the app and its servers. Apps should also require customer authentication via factors such as one-time passwords (OTP) and biometrics.

As is the case in many industries, most retail organizations prioritize innovation and customer retention before security. But as consumers become more concerned about their own digital security and privacy, retailers must invest in new security technologies and practices and lean on industry experts to help build secure systems.

Listen to the podcast: Examining the State of Retail Security

The post Why Is the Retail Industry Still Lacking Security? appeared first on Security Intelligence.

How to Defend Against Malvertising Drive-By Attacks

Many longtime internet users will remember receiving pop-up ads warning that their computers were infected with a virus. In nearly all cases, the ad’s specific claims were bogus; the purpose was to scare users into paying for a questionable tech support service or to drive them to a site that would actually infect them with malware.

While browser-based pop-up blockers have largely killed off that particular scam, malicious advertising — or malvertising — is still causing serious damage. Purveyors of malvertisements use an increasingly broad range of techniques to insert malware into ads that run across the web on large advertising networks.

How Malvertising Works

In most cases, threat actors create fake advertisements laden with malware and try to slip them past security checks at large ad networks. These infected ads can then sneak malware onto a web user’s computer, even if he or she doesn’t click on the ad. These so-called drive-by downloads are particularly effective against users who don’t regularly update their software.

The cost of malvertising is huge: A report from ad verification vendor GeoEdge estimated that the threat costs the online advertising industry more than $1.1 billion a year, and anticipated the cost rising another 20–30 percent in 2019.

Know Your Malvertisers

A lack of transparency in the digital ad supply chain “makes loading malicious ads through legitimate ad networks rather painless,” said Alex Calic, strategic technology partnerships officer for The Media Trust, a vendor of digital advertising and app security products. “The sheer number of ads and the large number of digital partners, many unknown to each other, along the supply chain make tracing the malicious code back to the correct offending party extremely difficult.”

It’s tough for ad brokers to keep up with the threat actors, added Jason Hong, associate professor at Carnegie Mellon’s School of Computer Science.

“It’s a cat-and-mouse game. Ad networks need to scan ad submissions for malware, but it can be really hard because attackers have a really strong economic incentive to keep innovating new ways of spreading malware.”

Call in Back-Up

The online advertising industry needs more processes to check submitted ads, added Corey Nachreiner, chief technology officer (CTO) of network security vendor WatchGuard Technologies.

“There are many web tools and frameworks that can help ad brokers escape or remove certain types of web code, such as JavaScript,” he said. “The brokers simply need to check the HTML ads being submitted to them, and make sure they only have clean content and don’t try to invisibly redirect to any off-site source.”

Ad brokers can also require more information from new customers as a way to validate them, he added. But attackers can hide malware in images and other elements, meaning that security teams may need to do more than simply scan the ads.

“Malvertising campaigns regularly slip under the radar of the advertising networks because they typically aren’t spotted until the first victims speak out, by which point it’s already too late,” said Gavin Hill, vice president of product and strategy for cybersecurity vendor Bromium. “Concealing malware within objects or images within the site, or forcing redirects for certain users, makes it extremely difficult for the advertising networks to spot malicious adverts being delivered.”

Using sophisticated tools to hide the malware in the ads, attackers can create highly targeted malvertising campaigns that fuse cybercrime and targeted marketing, Hill added.

“It’s all too easy for cybercriminals to exploit networks for their own gain,” he said. Threat actors can “deliver malicious code to vulnerable users that don’t suspect a thing.”

Broaden Your Thinking

Hill called for a holistic approach to fighting cybercrime by understanding “how the vast cybercrime economy operates.” Hong agreed.

“It really needs to be an entire community effort in combating malvertising,” he said. “Ad networks are the front line and need to improve their malware detection capabilities. We also need to hit the attackers’ finances, too, making it harder for them to monetize.”

To protect themselves from malvertising, consumers should prioritize patching. Users need to keep their software up to date to protect against malicious ads targeting known vulnerabilities.

“On end-user client side, patch, patch, and patch,” said Oliver Münchow, security evangelist with cybersecurity prevention firm Lucy Security. “And beware of the risks associated with downloads and clicks.”

In the end, maintaining your patching cadence and implementing only necessary and heavily vetted browsing tools should be a part of any routine security program. But keeping an extra eye on malvertising strategies and expanding knowledge of threat campaigns overall should help solidify another wall of the data security fortress.

The post How to Defend Against Malvertising Drive-By Attacks appeared first on Security Intelligence.

Retail Security Hygiene: The Case for Seasonal Checkups

The winter holidays offer big potential for retailers, with some companies earning around 30 percent of their annual revenue during the season, according to the National Retail Federation. Big sales numbers, however, also drive increased risks of fraud and theft, and businesses are now spending on extra security measures to keep physical stores safe.

But this is only half the battle. With retail stores moving online and hiring seasonal staff to bridge the holiday gap — not to mention handling employees who are more focused on holiday breaks than network breaches — it’s worth taking stock of retail security hygiene and revisiting how to protect consumer data from opportunistic cybercriminals.

Here’s how a seasonal hygiene checkup can help mitigate three top retail risks.

Fight E-Commerce Fraud During the Holiday Season

Online fraud jumps during the holiday season. As reported by PYMNTS, while total transactions rose 19 percent, online fraud increased by 22 percent from Thanksgiving to the end of 2017. There’s no single point of fraud failure across retail e-commerce stores, but threat actors continue to prioritize phishing emails as the primary point of compromise. If attackers can convince customers or employees to open attachments or follow malicious links, both purchase fraud and network infection are possible.

So how can companies assess their current security hygiene around e-commerce? It starts with simple questions: What do common attacks look like? What are the likely threat vectors? What are the potential costs? If retail organizations aren’t sure of the answers, they’ve got work to do. As U.S. Attorney Erin Nealy Cox wrote in Forbes, companies should create common threat profiles that allow IT teams to focus on vulnerable areas and develop specific countermeasures.

Simple processes — such as locking accounts after multiple failed login attempts and putting a limit on multiple purchases made over short timespans — can help, but it’s also a good idea to leverage automated, real-time fraud detection solutions to help identify attack patterns and reduce total risk.

Seasonal Staffing Concerns

To handle seasonal crowds without compromising customer service, many organizations hire extra staff during the holidays. According to Retail Dive, experts predict that retailers will bring on 650,000 seasonal employees to help offset consumer demand this year. To do their jobs, seasonal workers need access to point-of-sale (POS) networks, checkout systems and any mobile applications used by the company. This is the next hygiene shortfall for many companies: Hiring new employees without effective security onboarding and offboarding.

Consider a staff member who receives access to POS systems that are connected to back-end corporate networks. Inadequate training has them leaving sessions open and sharing passwords with co-workers, while minimal offboarding means they may retain login details and/or remain on internal permissions lists. As noted by Channel Partners Online, better security in this case starts with segmentation: POS and other sales systems should always be logically separated from other network services to prevent unintentional — or malicious — compromise.

Identity and access management (IAM) tools are also critical. IT teams need a way to control access for all retail workers — even those employed for only a few months — at a granular level to help protect consumer financial data and corporate intellectual property (IP). By assigning seasonal workers access roles with privileges that allow the completion of day-to-day tasks but don’t permit extraneous activity, retailers can boost both in-store and online security. Additionally, IAM solutions make it easy for network administrators to remove seasonal accounts and privileges when the holidays are over.

How to Protect Consumer Data From Insider Threats

No seasonal security checkup is complete without taking stock of internal employee risks. While Security Magazine noted that 75 percent of these insider threats are accidental, they’re no less risky to retail bottom lines, especially if users accidentally give threat actors complete access to network resources.

Improving security starts with a look at employee time off. Are workers putting in extra hours, pulling double shifts or working straight through the holidays? As noted by Harvard Business Review, 94 percent of employees who take time off for vacation come back to work with more energy and a better outlook. This may not be possible for retail companies during the holiday season, in turn lowering productivity and putting organizations at risk. It’s also worth assessing the number of employees working from home. As the holidays approach and weather gets worse, more and more employees may opt for home offices instead of slippery commutes. But are they logging into network services safely?

The first step for better internal security is to implement two-factor authentication (2FA). This practice helps reduce the chance of accidental logins and limits the ability of threat actors to compromise networks if less-than-productive employees have clicked on infected links or opened malware-laden attachments. It’s also a good idea to invest in virtual private networks (VPNs) and other network safeguards to help prevent bad actors from eavesdropping on remote workers. Email management solutions, meanwhile, can prevent messages with sensitive attachments from leaving secure corporate environments.

Give the Gift of a Security Hygiene Checkup

With the winter holiday season already upon us, retail companies would be wise to conduct a quick, but thorough security hygiene checkup. Start as early as possible to make it easier to identify key threats across e-commerce systems, seasonal staffing policies and employee behaviors. Then, develop a formal process to address these issues and improve security outcomes. This prevents security best practices from sitting on a shelf while retail risks rack up, and provides a blueprint for technology deployment and implementation.

Listen to the podcast: Examining the State of Retail Security

The post Retail Security Hygiene: The Case for Seasonal Checkups appeared first on Security Intelligence.

What is the challenge in embracing multi-factor authentication?

Only 20% of IBM mainframe customers are embracing multi-factor authentication to protect data and applications, according to findings from a new poll of 81 mainframe users conducted by Macro 4

The post What is the challenge in embracing multi-factor authentication? appeared first on The Cyber Security Place.

Security Affairs: UK Parliament seized confidential Facebook docs to investigate its data protection policies.

UK Parliament Seizes seized confidential Facebook documents from the developer of a now-defunct bikini photo searching app to investigate its data protection policies.

A British lawmaker obliged a visiting tech executive to share the files ahead of an international hearing that parliament is hosting on Tuesday to gather info into disinformation and “fake news.”

Committee Chairman Damian Collins obtained and reviewed the documents the parliament’s Digital, Culture, Media and Sport Committee has received from the app maker Six4Three relating to Facebook.

“Under UK law & parliamentary privilege we can publish papers if we choose to as part of our inquiry.”

Six4Three acquired the files, related to a period between 2013 and 2014, as part of a U.S. lawsuit against Facebook.

The authorities are investigating the Facebook’s privacy policies in 2015 that led Six4Three to shut down its app, Pikinis. Pikinis was an app that allowed users to find photos of their friends in bikinis and bathing suits by searching their friends list.

Collins aims at demonstrating how Facebook abuses could result in misinformation campaigns and interfering with political elections.

Facebook executive, Richard Allan, will have to respond to the answers of lawmakers from seven countries at the committee’s hearing in London next Tuesday.

Lawmakers from seven countries are preparing to grill a Facebook executive, Richard Allan, at the committee’s hearing in London. Facebook CEO Mark Zuckerberg has refused to be present.

“The U.K. committee used its powers to compel the chief executive Six4Three, Theodore Kramer, who was on a business trip to London, to turn over the files, according to parliamentary records and news reports.” reported the AP agency.

“The committee twice requested that Kramer turn over the documents. When he failed to do so, Kramer was escorted to parliament and told he risked imprisonment if he didn’t hand them over, the Observer newspaper reported.”

The company is opposing to the disclosure of the files, a judge in California ordered them sealed earlier this year.

Allan informed Collins via email the judge is expected to give guidance on the legal status of the documents as early as Monday,

“Six4Three’s claims are entirely meritless,” Facebook said in a statement.

Last week, Facebook announced it will appeal the fine for failing to protect the privacy of the users in the Cambridge Analytica scandal. Political consultancy firm Cambridge Analytica improperly collected data of 87 million Facebook users and misused it.

Facebook has been fined £500,000 in the U.K., the maximum fine allowed by the UK’s Data Protection Act 1998, for failing to protect users’ personal information.

Facebook- Cambridge Analytica

The social network giant is sustaining that U.K regulators failed to prove that British users were directly affected.

Britain’s Information Commissioner Office also found that the company failed to be transparent about how people’s data was harvested by others.

According to the ICO,  even after the misuse of the data was discovered in December 2015, the company did not do enough to ensure those who continued to hold it had taken adequate and timely remedial action, including deletion. Other companies continued to access Facebook users’data such as the SCL Group, that was able to access the platform until 2018.

Facebook considers the fine as unacceptable because there are many practices online that are commonly accepted even if they threaten the privacy of the users.

Pierluigi Paganini

(Security Affairs – data protection, UK Parliament)

The post UK Parliament seized confidential Facebook docs to investigate its data protection policies. appeared first on Security Affairs.



Security Affairs

UK Parliament seized confidential Facebook docs to investigate its data protection policies.

UK Parliament Seizes seized confidential Facebook documents from the developer of a now-defunct bikini photo searching app to investigate its data protection policies.

A British lawmaker obliged a visiting tech executive to share the files ahead of an international hearing that parliament is hosting on Tuesday to gather info into disinformation and “fake news.”

Committee Chairman Damian Collins obtained and reviewed the documents the parliament’s Digital, Culture, Media and Sport Committee has received from the app maker Six4Three relating to Facebook.

“Under UK law & parliamentary privilege we can publish papers if we choose to as part of our inquiry.”

Six4Three acquired the files, related to a period between 2013 and 2014, as part of a U.S. lawsuit against Facebook.

The authorities are investigating the Facebook’s privacy policies in 2015 that led Six4Three to shut down its app, Pikinis. Pikinis was an app that allowed users to find photos of their friends in bikinis and bathing suits by searching their friends list.

Collins aims at demonstrating how Facebook abuses could result in misinformation campaigns and interfering with political elections.

Facebook executive, Richard Allan, will have to respond to the answers of lawmakers from seven countries at the committee’s hearing in London next Tuesday.

Lawmakers from seven countries are preparing to grill a Facebook executive, Richard Allan, at the committee’s hearing in London. Facebook CEO Mark Zuckerberg has refused to be present.

“The U.K. committee used its powers to compel the chief executive Six4Three, Theodore Kramer, who was on a business trip to London, to turn over the files, according to parliamentary records and news reports.” reported the AP agency.

“The committee twice requested that Kramer turn over the documents. When he failed to do so, Kramer was escorted to parliament and told he risked imprisonment if he didn’t hand them over, the Observer newspaper reported.”

The company is opposing to the disclosure of the files, a judge in California ordered them sealed earlier this year.

Allan informed Collins via email the judge is expected to give guidance on the legal status of the documents as early as Monday,

“Six4Three’s claims are entirely meritless,” Facebook said in a statement.

Last week, Facebook announced it will appeal the fine for failing to protect the privacy of the users in the Cambridge Analytica scandal. Political consultancy firm Cambridge Analytica improperly collected data of 87 million Facebook users and misused it.

Facebook has been fined £500,000 in the U.K., the maximum fine allowed by the UK’s Data Protection Act 1998, for failing to protect users’ personal information.

Facebook- Cambridge Analytica

The social network giant is sustaining that U.K regulators failed to prove that British users were directly affected.

Britain’s Information Commissioner Office also found that the company failed to be transparent about how people’s data was harvested by others.

According to the ICO,  even after the misuse of the data was discovered in December 2015, the company did not do enough to ensure those who continued to hold it had taken adequate and timely remedial action, including deletion. Other companies continued to access Facebook users’data such as the SCL Group, that was able to access the platform until 2018.

Facebook considers the fine as unacceptable because there are many practices online that are commonly accepted even if they threaten the privacy of the users.

Pierluigi Paganini

(Security Affairs – data protection, UK Parliament)

The post UK Parliament seized confidential Facebook docs to investigate its data protection policies. appeared first on Security Affairs.

U.S. Postal Service API Flaw Exposes Data of 60 Million Customers

The United States Postal Service (USPS) has fixed an API flaw that potentially exposed data on 60 million customers. A researcher reported the flaw to USPS more than a year ago; but it wasn't until security blogger Brian Krebs contacted the organization this month that it took any action.

read more

We Need to Talk About NIST’s Dropped Password Management Recommendations

Passwords and their protection are among the most fundamental, essential aspects of enterprise data security. They also make up the bane of most users’ relationships with their enterprise devices, resources and assets. It seems no matter how stringent or lax your password policy is, the directive will be met with dissension from a significant portion of your staff. It’s frustrating for everyone — the IT department, C-suite and employees.

Recently, the National Institute of Standards and Technology (NIST) reversed its stance on organizational password management requirements. The institute now recommends banishing forced periodic password changes and getting rid of complexity requirements.

The reasoning behind these changes is that users tend to recycle difficult-to-remember passwords on multiple domains and resources. If one network is compromised, that’s a potential risk for other domains.

Are password managers the answer? Sure, they help generate great, complex passwords and act as a vault for all of our credentials. But they still require a master password — a risk similar to using one set of credentials across platforms. So where do we go from here? Are password managers safe from compromise, or are we doomed to a future of continued password problems?

Passwords: Can’t Live With ‘Em…

It’s clear that a winning formula for password management and policy isn’t one-size-fits-all. Based on my years of experience drafting and enforcing corporate password policies, most tactics fail to catch on.

Two of the best-known experts in the field — Kevin Mitnick, chief hacking officer for KnowBe4, and security pundit Frank Abagnale, made famous in the film “Catch Me If You Can” — have slightly differing opinions. But at the end of the day, their views generally echo each other.

Abagnale once told CRN that passwords themselves are “the root of all evil.” More recently, he told SecurityIntelligence that passwords “are for treehouses.”

“Many of the security issues we see today stem from passwords,” Abagnale said. “This is a 1964 technology, developed when I was 16 and still being used in 2018 — and I’m 70 years old.”

…Can’t Live Without ‘Em

Mitnick and Abagnale foresee a world in which passwords are no longer part of the security equation. But until that happens, we need to work with them. Mitnick recommended implementing simple, but long passphrases of 25 characters or more, such as “I love it when my cat purrs me to sleep.” But this is only the first step.

“The 25-character password is for the initial login to the user workstation; then you should have another 25-character password for the password,” he said. “The user only has to remember two pass-sentences, and the manager will take those credentials.”

The next step for those responsible for creating and enforcing security policy is to decide how often users must change their passwords. Mitnick recommended at least every quarter, but that depends on the type of company and its risk tolerance. Government and financial institutions, for instance, may want to enforce changes every 60 days.

How to Master the Fine Art of Multifactor Authentication

Both experts advise businesses to incorporate multifactor authentication (MFA) in their login policies. MFA requires users to present at least two credentials to authenticate: something they know (like a password), something they have (like a token) and possibly something they are (like a fingerprint or facial scan).

“I believe that this is the best of both worlds, where the CISO sleeps better at night knowing there is nothing static in the login process, and users are elated to login without passwords,” Abagnale said.

“MFA should be used wherever possible for any type of external access like VPN, Outlook Web Access or Citrix,” Mitnick added. He also warned that if you’re going to use two-factor authentication (2FA), you should implement the First IDentity Online (FIDO) Alliance’s Universal Second Factor (U2F) protocol because it can prevent a type of attack in which a user’s session key can be stolen with a phishing email.

Are Password Managers Safe?

The use of password managers is where the experts disagree. While Abagnale is doubtful about their effectiveness, Mitnick believes password managers are necessary and helpful.

“It is still so important to choose a pass-sentence [for the password manager], and to the best of your ability don’t get malware on your machine,” Mitnick said. “If you get malware on your machine with keylogger ability, it won’t matter if you have a password manager or not.”

For Abagnale, password managers are a great way to mask the issue: addressing the password problem by storing passwords.

“Some of the passwords vaults have been breached already, which emphasizes my former point about why passwords are bad for our security,” he said. “I think that we should move beyond static passwords, and not succumb to password vaults as our solution. It makes me nervous to store all my passwords in one place, and protect that with…a password.”

Never Could Say Goodbye

Finally, both Mitnick and Abagnale are bullish on companies like Trusona, a forward-thinking security business that hopes to crack the code on a password-less internet by focusing on the user experience. Trusona offers a range of MFA processes that don’t require a password. Abagnale is an adviser for the firm.

“Passwords will be here for a while,” said Mitnick. “The challenge companies like Trusona have is early adoption. It’s all about the market. Even though you have a technology out there, it doesn’t matter if nobody’s adopting it.”

According to Abagnale, that day may come in three to five years.

“The technology is already here, and now needs to be implemented,” he said. “There is reason to think that passwords may remain in legacy systems for years to come, as the cost of ripping them out is too high. Nonetheless, password-less logins are the way of the future, and companies would adopt this method once they realize the benefits.”

But passwords aren’t going away anytime soon. We are seeing progress, however, toward a day when authentication is much more secure. Until then, we are stuck with them, and the enterprise must do all it can not only to move the revolution forward, but to ensure that security awareness lives in simpatico with password policy.

Read the IBM Study: The Future of Identity

The post We Need to Talk About NIST’s Dropped Password Management Recommendations appeared first on Security Intelligence.

GDPR’s impact: The first six months

GDPR is now six months old – it’s time to take an assessment of the regulation’s impact so far. At first blush it would appear very little has changed. There are no well-publicized actions being taken against offenders. No large fines levied. So does this mean its yet another regulation that will be ignored? Actually nothing could be farther from the truth. The day GDPR came into law complaints were filed by data subjects against … More

The post GDPR’s impact: The first six months appeared first on Help Net Security.

McAfee Blogs: 8 Ways to Secure Your Family’s Online Holiday Shopping

It’s officially the most wonderful time of the year — no doubt about it. But each year, as our reliance and agility on our mobile devices increases, so too might our impulsivity and even inattention when it comes to digital transactions.

Before getting caught up in the whirlwind of gift giving and the thrill of the perfect purchase, consider taking a small pause. Stop to consider that as giddy as you may be to find that perfect gift, hackers are just as giddy this time of year to catch shoppers unaware and snatch what they can from the deep, digital holiday coffers. In fact, according to the FBI’s Internet Crime Complaint Center, the number one cybercrime of 2017 was related to online shopping; specifically, payment for or non-delivery of goods purchased.

8 Ways to Secure Your Family’s Holiday Shopping Online

  1. Make it a family discussion. Make no assumptions when it comes to what your kids do and do not understand (and practice) when it comes to shopping safely online. Go over the points below as a family. Because kids are nearly 100% mobile, online shopping and transactions can move swiftly, and the chances of making a mistake or falling prey to a scam can increase. Caution kids to slow down and examine every website and link in the buying journey.
  2. Beware of malicious links. The most common forms of fraud and cyber attacks are phishing scams and socially-engineered malware. Check links before you click them and consider using McAfee® WebAdvisor, a free download that safeguards you from malware and phishing attempts while you surf — without impacting your browsing performance.
  3. Don’t shop on unsecured wi-fi. Most public networks don’t encrypt transmitted data, which makes all your online activity on public wi-fi vulnerable to hackers. Resist shopping on an unsecured wireless network (at a coffee shop, library, airport). Instead, do all of your online shopping from your secure home computer. If you have to conduct transactions on a public Wi-Fi connection use a virtual private network (VPN) such as McAfee® SafeConnect to maintain a secure connection in public places. To be sure your home network is safe, secure your router.
  4. Is that site legit? Before purchasing a product online, check the URL carefully. If the address bar says “HTTP” instead of “HTTPS” in its URL, do not purchase from the site. As of July 2018, unsecured sites now include a “Not Secure” warning, which is very helpful to shoppers. Also, an icon of a locked padlock will appear to the left of the URL in the address bar or the status bar down below depending on your browser. Cybercriminals can make a fake site look very close to the real thing. One added step: Google the site if anything feels wrong about it, and you may find some unlucky consumers sharing their stories.
  5. Review bills closely. Review your credit card statements in January and February, when your holiday purchases will show up. Credit cards offer better fraud protection than debit. So, if you’re shopping online during the holidays, give yourself an extra layer of protection from scams by using a credit card. Think about using the same card between family members to make checking your bill easier.
  6. Create new, strong passwords. If you are getting ready to do a lot of shopping online, it’s a great time to update your passwords. Download a free password manager, which auto-saves and enters your passwords, so you don’t have to. The True Key app protects your passwords by scrambling them with AES-256, one of the most robust encryption algorithms available.
  7. Verify charities. One of the best things about the holidays is the spirit of giving. Hackers and crooks know this and are working hard to trick innocent givers. This reality means that some seasonal charities may be well-devised scams. Before you donate, be sure to do a little research. Look at the website’s URL; it’s design, its security badges. Google the charity and see if any scams have been reported.
  8. Protect your data from third parties. Sites may contain “third parties,” which are other embedded websites your browser talks to such as advertisers, website analytics engines, that can watch your browsing behavior. To protect your data when shopping and get rid of third-party access, you need to wipe your cookies (data trackers) clean using your settings, then change your browser settings (choose “block third-party cookies and site data”) to make sure the cookies can’t track your buying behavior. You can also go into your settings and direct your browser to shop in private or incognito mode.

No one is immune to holiday scams. Many scams are intricately designed and executed so that even the savviest consumer is duped. You can enjoy the shopping that comes with the holidays by keeping these few safety precautions in mind. Don’t let your emotional desire for that perfect gift override your reasoning skills. Listen to your intuition when it comes to suspicious websites, offers, emails, pop-up ads, and apps. Pause. Analyze. And make sure you are purchasing from a legitimate site.

Stay safe and WIN: Now that you’ve read about safe shopping basics, head over to our Protect What Matters site. If you successfully complete the Holiday Online Shopping Adventure quiz, you can enter your email address for the chance to win a tech prize pack with some of this season’s hottest smart gadgets. Have fun, and stay safe online this holiday season!

 

The post 8 Ways to Secure Your Family’s Online Holiday Shopping appeared first on McAfee Blogs.



McAfee Blogs

8 Ways to Secure Your Family’s Online Holiday Shopping

It’s officially the most wonderful time of the year — no doubt about it. But each year, as our reliance and agility on our mobile devices increases, so too might our impulsivity and even inattention when it comes to digital transactions.

Before getting caught up in the whirlwind of gift giving and the thrill of the perfect purchase, consider taking a small pause. Stop to consider that as giddy as you may be to find that perfect gift, hackers are just as giddy this time of year to catch shoppers unaware and snatch what they can from the deep, digital holiday coffers. In fact, according to the FBI’s Internet Crime Complaint Center, the number one cybercrime of 2017 was related to online shopping; specifically, payment for or non-delivery of goods purchased.

8 Ways to Secure Your Family’s Holiday Shopping Online

  1. Make it a family discussion. Make no assumptions when it comes to what your kids do and do not understand (and practice) when it comes to shopping safely online. Go over the points below as a family. Because kids are nearly 100% mobile, online shopping and transactions can move swiftly, and the chances of making a mistake or falling prey to a scam can increase. Caution kids to slow down and examine every website and link in the buying journey.
  2. Beware of malicious links. The most common forms of fraud and cyber attacks are phishing scams and socially-engineered malware. Check links before you click them and consider using McAfee® WebAdvisor, a free download that safeguards you from malware and phishing attempts while you surf — without impacting your browsing performance.
  3. Don’t shop on unsecured wi-fi. Most public networks don’t encrypt transmitted data, which makes all your online activity on public wi-fi vulnerable to hackers. Resist shopping on an unsecured wireless network (at a coffee shop, library, airport). Instead, do all of your online shopping from your secure home computer. If you have to conduct transactions on a public Wi-Fi connection use a virtual private network (VPN) such as McAfee® SafeConnect to maintain a secure connection in public places. To be sure your home network is safe, secure your router.
  4. Is that site legit? Before purchasing a product online, check the URL carefully. If the address bar says “HTTP” instead of “HTTPS” in its URL, do not purchase from the site. As of July 2018, unsecured sites now include a “Not Secure” warning, which is very helpful to shoppers. Also, an icon of a locked padlock will appear to the left of the URL in the address bar or the status bar down below depending on your browser. Cybercriminals can make a fake site look very close to the real thing. One added step: Google the site if anything feels wrong about it, and you may find some unlucky consumers sharing their stories.
  5. Review bills closely. Review your credit card statements in January and February, when your holiday purchases will show up. Credit cards offer better fraud protection than debit. So, if you’re shopping online during the holidays, give yourself an extra layer of protection from scams by using a credit card. Think about using the same card between family members to make checking your bill easier.
  6. Create new, strong passwords. If you are getting ready to do a lot of shopping online, it’s a great time to update your passwords. Download a free password manager, which auto-saves and enters your passwords, so you don’t have to. The True Key app protects your passwords by scrambling them with AES-256, one of the most robust encryption algorithms available.
  7. Verify charities. One of the best things about the holidays is the spirit of giving. Hackers and crooks know this and are working hard to trick innocent givers. This reality means that some seasonal charities may be well-devised scams. Before you donate, be sure to do a little research. Look at the website’s URL; it’s design, its security badges. Google the charity and see if any scams have been reported.
  8. Protect your data from third parties. Sites may contain “third parties,” which are other embedded websites your browser talks to such as advertisers, website analytics engines, that can watch your browsing behavior. To protect your data when shopping and get rid of third-party access, you need to wipe your cookies (data trackers) clean using your settings, then change your browser settings (choose “block third-party cookies and site data”) to make sure the cookies can’t track your buying behavior. You can also go into your settings and direct your browser to shop in private or incognito mode.

No one is immune to holiday scams. Many scams are intricately designed and executed so that even the savviest consumer is duped. You can enjoy the shopping that comes with the holidays by keeping these few safety precautions in mind. Don’t let your emotional desire for that perfect gift override your reasoning skills. Listen to your intuition when it comes to suspicious websites, offers, emails, pop-up ads, and apps. Pause. Analyze. And make sure you are purchasing from a legitimate site.

Stay safe and WIN: Now that you’ve read about safe shopping basics, head over to our Protect What Matters site. If you successfully complete the Holiday Online Shopping Adventure quiz, you can enter your email address for the chance to win a tech prize pack with some of this season’s hottest smart gadgets. Have fun, and stay safe online this holiday season!

 

The post 8 Ways to Secure Your Family’s Online Holiday Shopping appeared first on McAfee Blogs.

How Cloud Security Architect Andi Hudson Nurtures Today’s Youth to Protect Tomorrow’s Data

There’s rarely a time in the day when Andi Hudson isn’t immersed in technology. When he’s not fulfilling his duties as IBM’s cloud security architecture lead in the U.K., he’s reaching out to the next generation of cyber professionals through volunteer work with universities and colleges. Or, he’s teaching his own young kids how to write in Python, or how to make wacky contraptions, such as an automated irrigation kit and a Tesla coil that plays music.

Simply put, Andi Hudson lives and breathes tech and security, and he’s always happy to chat about anything from cloud security, to artificial intelligence (AI), to the impact of the Internet of Things (IoT) to the neuroscience of privacy denial.

“For me, cybersecurity has to start right at the very beginning,” he said, speaking from his home in South Wales. “Giving kids access to this stuff is important, but even more important is teaching them to use it ethically and responsibly.”

Spreading the Gospel of Data Privacy

No matter what else he’s doing, Andi is always keeping a close eye on the future. He’s particularly interested in artificial intelligence, data privacy and what the C-suite needs to pay more attention to.

Much of it comes down to the data, which Andi classified as “the oil of tomorrow.” He believes that, given the right bits of information, cybercriminals can steal data (including identities) and “really go to town with this information.” He’s also worried about the confirmation bias this level of sharing brings — that our “likes” are collected and we’re grouped with other users who share the same ideas opinions. To quote Andi, quoting author Cory Doctorow: “It’s not about what you have to hide; it’s about what you choose to share.”

“We give away so much information so freely, to a degree I think the horse has already bolted,” he said. “That’s why I invest so much of my own time in educating academia, because they’re the next generation. But it doesn’t just start at universities and colleges; it starts at home in the family, and in primary school and secondary school. Security is not a product — it’s a process.”

Andi is a science, technology, engineering and mathematics (STEM) ambassador, as well as a Barefoot volunteer with Computing at School (CAS). He visits primary schools to nurture the next generation of cyber professionals. Andi shows the faculty how to teach computational science, helps children understand the importance of STEM subjects and exposes them to careers in technology.

Andi Hudson, cloud security architecture lead at IBM

A Nontraditional Approach to Cloud Security

When he’s not nurturing the youth, Andi leads a growing team of architects at IBM Security U.K. Part of his role is to ensure that all the individual skill sets in security keep cloud-based applications front of mind. IBM promoted him to lead after catching wind of the impressive work he did in the London insurance market, building collaborative cross-vendor solutions for a new target operating model that enables 9,000 U.K. financial services companies to work together.

“IBM never really had a cloud team that encompassed a lot of those different skill sets,” he said. “A lot of the traditional architecture always sat in resource pools within somebody else’s data center — but, of course, with the cloud, that’s all different now. They’re not using their own data centers anymore; they’re using ours.”

While Andi primarily works hands-on with clients on cloud-related transformation projects, he also gets to speak at conferences and, of course, engage with the education sector in both his day job and his volunteer work.

A member of the South Wales Cyber Security Cluster, Andi works with Cardiff’s three universities to make courses as relevant as possible according to the latest industry trends. That plays into the work IBM does with Exeter University, and may soon start doing with Warwick University and the University of the West of England.

“It’s about making a difference,” he said before launching into a story from last year when, at the height of the Petya and WannaCry ransomware outbreaks, he found himself in a war room on a weekend trying to reverse-engineer a client out of an attack.

“You know when you feel sick in your stomach, the nerves and anxiety? I’ve had it before when I used to work for a services company; we switched the system off once and it didn’t come back on,” he recalled. “You have this gut-sickness feeling. You’ve just done a lot of work, you’ve had no sleep, and you know you won’t get any sleep or food until this problem’s gone. It was exactly like that — that sick feeling.”

Why Security Leaders Need to Tell It Like It Is

Luckily, Andi was so close to the customer and had been so hands-on with the account that he was able to solve the problem and develop a watertight remediation plan. He even won an award for his work.

The key, he said, is his willingness to have frank discussions about security, even if it means telling clients what they don’t want to hear. Andi has found that this nontraditional approach helps him develop closer relationships with clients and break conversational barriers that would otherwise stymie progress.

“I think that clear, open transparency just resonates with customers,” he emphasized. “A lot of things were always taboo — certain things you didn’t say to certain executives, and certain things you didn’t cover — but if you want a real, secure solution, unfortunately you have to have those conversations.”

This transparency is especially crucial today, given the lightning-quick pace of change in the industry and ever-evolving nature of the cyberthreat landscape.

“The fact is, it keeps changing — and what’s right today might not be right tomorrow.”

That’s why Andi always has his eyes on tomorrow — both in terms of the threats his clients will have to contend with and the next generation of cybersecurity heroes that will defend them.

The post How Cloud Security Architect Andi Hudson Nurtures Today’s Youth to Protect Tomorrow’s Data appeared first on Security Intelligence.

UK MPs Call For A Cyber Security Minister To Defend Critical Infrastructure

The joint committee on national security strategy called the current security leadership ‘wholly inadequate’. A UK parliamentary committee has urged the government to appoint a dedicated cyber security minister to

The post UK MPs Call For A Cyber Security Minister To Defend Critical Infrastructure appeared first on The Cyber Security Place.

Cyber Monday 2018: 5 Best Practices to Protect Consumer Data

Cyber Monday is coming. Last year, the online shopping event generated $6.6 billion, according to Forbes, and marked “the largest online shopping day in U.S. history.” According to CNBC, consumer spending is up strongly this year, suggesting that Cyber Monday 2018 could be another record-breaker.

Given the sheer number of customers, websites and companies that drive Cyber Monday success, consumers and businesses need to make sure security doesn’t get lost in the hustle and bustle. Cybercriminals are hoping that in all the commotion they can compromise user accounts, infect corporate websites and crack business networks.

With customers expecting both great sales and solid security, organizations must improve their data protection practices and implement effective defense strategies ahead of the online onslaught.

Listen to the podcast: The State of Retail Cybersecurity Ahead of the 2018 Holiday Season

Why Retailers Must Adapt to the Evolving Landscape

Although Cyber Monday only started in 2005, the online sales frenzy has almost caught up to Black Friday in sheer sales numbers. Increasing familiarity with e-commerce stores and trust in digital transactions are paving the way. Fortune reported that more than 174 million Americans shoppers participated both online and in-store over the last Black Friday/Cyber Monday weekend — meaning that opportunities abound for attackers across platforms.

It’s up to retailers to justify and preserve the comfort levels that are driving their success. If cybercriminals are able to infiltrate smartphones and desktops with malware and phishing emails, consumers may unwittingly hand over account credentials and financial information. If companies can’t secure e-commerce portals, fraudsters could gain visibility into all transactions or place fraudulent orders and charge them to unsuspecting customers.

For retail companies, the trend is clear: Cyber Monday interest is on the rise among both consumers and criminals, meaning it’s no longer an option to post great deals without great security to back them up. Now, the holiday season calls for greater cybersecurity vigilance than ever, supported by evolving information security best practices for retailers.

Watch for This Year’s Most Common Scams

According to ACI Worldwide, fraud attempts are projected to increase 14 percent between Thanksgiving and Cyber Monday, with the average cost of fraudulent transactions rising 3 percent to $243. Meanwhile, the firm forecast the volume of purchases to increase by 18 percent as values rise by 19 percent.

Since more is at stake than ever for shoppers and retailers this season, cybercriminals are also varying their approaches, opting for omnichannel attacks across e-commerce sites, call centers, email accounts and in-store pickup programs, according to ACI Worldwide.

TechRadar reported that phishing attacks still account for half of all online fraud. That’s simply because they work: Well-crafted emails that convey a sense of urgency and create an emotional response can fool even experienced cybershoppers.

Meanwhile, Security Boulevard reported that threat actors also like to eavesdrop on insecure Hypertext Transfer Protocol (HTTP) sites and Wi-Fi to steal credentials and account information, leverage compromised devices to install keyloggers, and typosquat to create domain names that are very similar to popular Cyber Monday sites to collect and monetize consumer information.

5 Steps to Optimize Cyber Monday 2018 Protection

All the usual advice for consumer protection on Cyber Monday applies: Don’t save financial information on websites, watch out for email scams and avoid deals that are too good to be true. But retailers must hold up their end of the security deal as well.

Here are some security best practices for retailers to implement to keep consumers safe and protect corporate networks during the post-Thanksgiving shopping rush.

1. Account for Time

As noted by Forbes, cyberattackers don’t keep regular business hours. As a result, fraud rates may rise during off-peak traffic hours when there are fewer consumers shopping, but also fewer security personnel on duty.

Retailers should consider adding extra information security staff for the holiday season or implementing additional fraud checks for purchases made from different countries or after usual business hours.

2. Limit Purchase Velocity

Speed is another way malicious actors attempt to defraud Cyber Monday retailers. Instead of making high-value transactions that may be flagged as suspicious, attackers often make high-volume transactions — up to 10 times more quickly than legitimate users — to generate greater revenue.

Here, machine learning tools are invaluable assets to help identify and eliminate rapid-fire transactions.

3. Authenticate Users

Authentication is critical to Cyber Monday security. With many users still using weak passwords across websites — many of which are stolen in phishing scams — retail companies should implement two-factor authentication (2FA) wherever possible. Even low-friction options such as email or mobile codes can significantly reduce fraud and boost consumer confidence.

4. Separate Infrastructure

With many retail merchants now deploying both online and in-store sales to capture customer attention across Thanksgiving weekend, there’s an emerging need to separate point-of-sale (POS) and corporate infrastructure. This ensures that in-store device breaches don’t compromise e-commerce sites, and vice versa.

5. Manage Permissions

Who has access to what, when and why? Threat actors often exploit the chaos associated with Cyber Monday to infiltrate networks, install keyloggers and wait. It’s time for retailers to implement effective identity and access management (IAM) solutions that permit granular, permissions-based assignments of roles and responsibilities to foil criminal attempts to breach corporate systems.

Attackers are gearing up for one of the most lucrative days of their year on Cyber Monday. For retailers, the combination of increased consumer spending and security expectations demands stringent security practices that account for common threat vectors, prioritize user authentication, separate infrastructure and effectively manage permissions inside and outside the enterprise.

Listen to the podcast: The State of Retail Cybersecurity Ahead of the 2018 Holiday Season

The post Cyber Monday 2018: 5 Best Practices to Protect Consumer Data appeared first on Security Intelligence.

Privacy laws do not understand human error

In a world of increasingly punitive regulations like GDPR, the combination of unstructured data and human error represents one of the greatest risks an organization faces. Understanding the differences between unstructured and structured data – and the different approaches needed to secure it – is critical to achieve compliance with the many data privacy regulations that businesses in the U.S. now face. Structured data is comprised of individual elements of information organized to be accessible, … More

The post Privacy laws do not understand human error appeared first on Help Net Security.

Retail Cybersecurity Is Lagging in the Digital Transformation Race, and Attackers Are Taking Advantage

Digital transformation is dominating retailers’ attention — and their IT budgets. As a result, significant gaps in retail cybersecurity are left unfilled just as retail IT faces new challenges, from infrastructure moving to the cloud without clear security policies to an array of new threat vectors focused on personal customer information, ransomware and underprotected business-to-business (B2B) connections.

Just as with line-of-business functions like merchandising and operations, retailers’ cybersecurity functions must undergo a digital transformation to become more holistic, proactive and nimble when protecting their businesses, partners and customers.

Retailers Aren’t Prioritizing Security, and Attackers Are Exploiting the Gaps

According to the retail edition of the “2018 Thales Data Threat Report,” 75 percent of retailers have experienced at least one data breach in the past, with half seeing a breach in the past year alone. That puts retail among the most-attacked industries as ranked by the “2018 IBM X-Force Threat Intelligence Index.”

Underfunded security infrastructure is likely a big reason for this trend; organizations only dedicated an average of around 5 percent of their overall IT budgets to security and risk management, according to a 2016 Gartner report.

While retailers have done a great job addressing payment card industry (PCI) compliance, it has come at a cost to other areas. According to IBM X-Force Incident Response and Intelligence Services (IRIS) research, 78 percent of publicly disclosed point-of-sale (POS) malware breaches in 2017 occurred in the retail sector.

In addition to traditional POS attacks, malicious actors are targeting retailers with new threat vectors that deliver more bang for the buck, such as the following:

  • Personally identifiable information (PII) about customers — Accessible via retailers’ B2C portals, attackers use this information in bot networks to create false IDs and make fraudulent transactions. An increasingly popular approach involves making purchases with gift cards acquired via fraud.
  • Ransomware — Criminals are exploiting poorly configured apps and susceptible end users to access and lock up data, so they can then extract pricey ransoms from targeted retailers.
  • Unprotected B2B vendor connections — Threat actors can gain access to retail systems by way of digital connections to their partners. A growing target is a retailer’s B2B portals that have been constructed without sufficient security standards.

What Are the Biggest Flaws in Retail Cybersecurity?

These new types of attacks take advantage of retailers’ persistent underfunding of critical security defenses. Common gaps include inadequate vulnerability scanning capabilities, unsegmented and poorly designed networks, and using custom apps on legacy systems without compensating controls. When retailers do experience a breach, they tend to address the specific cause instead of taking a more holistic look at their environments.

Retailers also struggle to attract security talent, competing with financial services and other deeper-pocketed employers. The National Institute of Standards and Technology (NIST) reported in 2017 that the global cybersecurity workforce shortage is expected to reach 1.5 million by 2019.

In addition, flaws in governance make retailers more vulnerable to these new types of security threats. To keep up with rapidly evolving consumer demands, many line-of-business departments are adopting cloud and software-as-a-service (SaaS) solutions — but they often do so without any standardized security guidance from IT.

According to the “2017 Thales Data Threat Report,” the majority of U.S. retail organizations planned to use sensitive data in an advanced technology environment such as cloud, big data, Internet of Things (IoT) or containers this year. More than half believed that sensitive data use was happening at the time in these environments without proper security in place. Furthermore, companies undergoing cloud migration at the time of a breach incur $12 per record in additional costs, according to the “2018 Cost of a Data Breach Study.”

To protect their data, retailers need tools to both identify security threats and escalate the response back through their entire infrastructure, including SaaS and cloud services. But many enterprises lack that response capability. What’s more, the “Cost of a Data Breach Study” found that using an incident response (IR) team can reduce the cost of a breach by around $14 per compromised record.

Unfortunately, cybersecurity is not always on the radar in retailers’ C-suites. Without a regularly updated cybersecurity scorecard that reflects an organization’s current vulnerability to attack, senior executives might not regularly discuss the topic, take part in system testing or see cybersecurity as part of business continuity.

3 Steps to Close the Gaps in Your Security Stance

Time isn’t stopping as retailers grapple with these threats. Retail cybersecurity leaders must also monitor the General Data Protection Regulation (GDPR), where compliance requirements are sometimes poorly understood, as well as the emergence of artificial intelligence (AI) in both spoofing and security response. In addition, retailers should keep an eye on the continued uncertainty about the vulnerability of platform-as-a-service (PaaS), microservices, cloud-native apps and other emerging technologies.

By addressing the gaps in their infrastructure, governance and staffing, retailers can more effectively navigate known threats and those that will inevitably emerge. Change is never easy, but the following three steps can help retailers initiate digital transformation and evolve their current approach to better suit today’s conditions:

1. Increase Budgets

According to Thales, 84 percent of U.S. retailers plan to increase their security spending. While allocating these additional funds, it’s important for retailers to take a more holistic view, matching budgets to areas of the highest need. Understanding the costs and benefits of addressing security gaps internally or through outsourcing is a key part of this analysis.

2. Improve Governance

Enacting consistent security guidelines across internally run systems as well as cloud- and SaaS-based services can help retailers ensure that they do not inadvertently open up new vulnerabilities in their platforms. Senior-level endorsement is an important ingredient in prioritizing cybersecurity across the enterprise. Regular security scorecarding can be a valuable tool to keep cybersecurity at the top of executives’ minds.

3. Invest in MSS

A growing number of retailers have realized that starting or increasing their use of managed security services (MSS) can help them achieve a higher level of security maturity at the same price as managing activities in-house, if not at a lower cost. MSS allow retailers’ internal cybersecurity to operate more efficiently, address critical talent shortages and enable retailers to close critical gaps in their current security stance.

Why Digital Transformation Is Critical to Rapid Response

Digital transformation is all about becoming more proactive and nimble to respond to consumers’ rapidly growing expectations for seamless, frictionless shopping. Retailers’ cybersecurity efforts require a similar, large-scale transition to cope with new threat vectors, close significant infrastructure gaps and extend security protocols across new platforms, such as cloud and SaaS. By rethinking their budgets, boosting governance and incorporating MSS into their security operations, retail security professionals can support digital transformation while ensuring the business and customer data remains protected and secure.

Listen to the podcast

The post Retail Cybersecurity Is Lagging in the Digital Transformation Race, and Attackers Are Taking Advantage appeared first on Security Intelligence.

Cyber Security Implementation: Firms Want It, But Less Do It, Finds Survey

Most respondents to a survey says cyber security implementation is critical, but only half think they are resilient enough to protect against cyber attacks. Despite 99% of respondents stating that

The post Cyber Security Implementation: Firms Want It, But Less Do It, Finds Survey appeared first on The Cyber Security Place.

Why the EU Is More Likely to Drive IT and Security Trends Than the US

The General Data Protection Regulation (GDPR) has been a game changer for data privacy, and U.S. companies are beginning to catch up to the EU in data management practices. However, privacy is only one area in which U.S. organizations are falling behind their European counterparts. To promote compliance with data privacy regulations, both current and forthcoming, U.S. companies will have to invest a lot more in advancing security programs.

What Drives Security Trends?

The largest companies tend to drive technology and security trends. However, Europe is pushing the envelope at a greater rate than American companies.

It likely comes down to GDPR. According to Spiceworks, regulatory changes surrounding data privacy — including huge fines surrounding a data breach — have led to a greater emphasis on security enhancements like encryption. This has also likely been the catalyst for EU to adopt security technologies such as artificial intelligence (AI) and machine learning (ML).

Still, Spiceworks found that most companies on either continent turn to relatively inexpensive solutions to implement security — antivirus and security awareness training are the two most popular — as opposed to more aggressive defense strategies such as honeypots. More regulated industries are also more likely to adopt emerging security tools, which could explain why a region under the broadest data protection mandate is so far ahead.

Identify Your Program’s Weak Links

Spiceworks found that American companies tend to prefer security awareness as their primary solution for cybersecurity, as opposed to the EU, which favors technology-based tools. However, according to a study by MediaPro, 85 percent of employees who work in the financial industry, where a data breach can be particularly damaging, fail at basic security tasks such as recognizing personal data. Financial employees were also unable to tell the difference between a phishing scam and legitimate email, and the majority of employees do not alert IT or security staff when they do see a problem.

Relying on security awareness training as the primary security tool is risky. At the same time, even technological tools that improve workplace efficiency expand the organization’s digital attack surface.

Improving IT Starts With Budgeting

Spiceworks looked at the state of IT budgets, which are either staying the same or increasing across both American and European businesses. Primary spending drivers include replacing old tech and preparing for the end of Windows 7 support, which will happen in 2020, according to the survey.

Although security-specific spending is projected to increase in the coming year, according to the report, updating aging infrastructure is also a direct response to ransomware campaigns such as last year’s WannaCry attack and to promote compliance with data privacy regulations such as GDPR.

How Can Companies Budget Differently?

The size of the organization also plays a role in how it budgets. For example, while smaller companies are spending money to replace tech due to the end of its life cycle or for business growth, large enterprises are focused on improving their digital transformation with the latest technologies.

Across organizations, security software makes up about 10 percent of the IT budget. But, as the study noted, large enterprises or 5,000 employees or more are more likely to increase IT budgets due to heightened security concerns, whereas budgets at midsize organizations made up of 500 to 999 employees are more likely to grow due to corporate tax cuts.

American companies tend to be more averse to digital transformation than European ones. According to Spiceworks, one reason goes back to budgeting. To save money, organizations will wait out the life cycle of security technologies, using them until they don’t work anymore. If security leaders can adjust their existing tools to meet new requirements, thereby reducing costs, they likely will.

The cybersecurity skills shortage also comes into play. There aren’t enough skilled IT workers who can implement an automated security system, so it’s easier and cheaper to try and change behaviors of current employees and maintain old networks. This is especially true in small and midsize businesses.

Balance Security Awareness and Tech

The most effective security practices will blend security awareness with emerging security technologies.

People are prone to make errors, but decision-makers too often assume that an hourlong online seminar explaining how to spot a phishing campaign is an effective security training program. Instead, security awareness has to be built into an overall security policy and, like audits and penetration tests, conducted regularly.

Before building awareness training, decision-makers should recognize what they are securing. Is it customer data? Intellectual property? Personal devices connected to the network? Knowing what you are securing will provide a baseline of the type of awareness necessary.

The training itself should be interactive and frequent. Some companies will send out fake phishing emails to random employees to see who takes the bait. Employees who fail are required to do another round of training. Awareness training should explain why this particular information is being secured and, of course, grow with company needs.

Adding emerging security technologies is a bit trickier, because this will depend on budgets and staffing. Implementing a managed security service provider will add continuous monitoring to your network. Tools such as hardware authentication, privileged access and identity management systems, and user behavior analytics can trigger alerts of unauthorized use that even an effectively trained employee may not detect.

Companies Can’t Afford to Be Reactive

Cybersecurity has historically tended to be reactive — responding to an attack that’s already happened and working to prevent it from happening again. In a post-GDPR world, companies can’t afford to remain passive until after an incident.

As North American governments begin to address data privacy issues with their own legislation, companies will need to adapt similarly to their European counterparts. Expect to see more American organizations follow the EU’s example and adopt security technologies to better mitigate potential threats.

The post Why the EU Is More Likely to Drive IT and Security Trends Than the US appeared first on Security Intelligence.

Protect your data… or face the chopping board

Poor security controls that contribute to a security failing and resulting data breach will lead to people losing their jobs. ‘By analysing people’s email behaviour, smart technology can now recognise

The post Protect your data… or face the chopping board appeared first on The Cyber Security Place.

Access to Thousands of Breached Sites Found on Underground Market

By Vitali Kremez, Director of Reasearch at  Flashpoint, Access to approximately 3,000 breached websites has been discovered for sale on a Russian-speaking underground marketplace called MagBo. Access to some of

The post Access to Thousands of Breached Sites Found on Underground Market appeared first on The Cyber Security Place.

What’s keeping Europe’s top infosec pros awake at night?

As the world adapts to GDPR and puts more attention on personal privacy and security, Europe’s top information security professionals still have doubts about the industry’s ability to protect critical infrastructure, corporate networks, and personal information. Black Hat Europe’s new research report entitled, Europe’s Cybersecurity Challenges, details the thoughts that are keeping Europe’s top information security professionals awake at night. The report includes new insights directly from more than 130 survey respondents and spans topics … More

The post What’s keeping Europe’s top infosec pros awake at night? appeared first on Help Net Security.

Critical Flaw in GDPR Plug-In For WordPress

Hackers have been found exploiting a critical security vulnerability that affects a GDPR plug-in for WordPress to take control over vulnerable websites according to security researchers at Wordfence. “These attacks show that

The post Critical Flaw in GDPR Plug-In For WordPress appeared first on The Cyber Security Place.

Why You Should Start Leveraging Network Flow Data Before the Next Big Breach

Organizations tend to end up in cybersecurity news because they failed to detect and/or contain a breach. Breaches are inevitable, but whether or not an organization ends up in the news depends on how quickly and effectively it can detect and respond to a cyber incident.

Beyond the fines, penalties and reputational damage associated with a breach, organizations should keep in mind that today’s adversaries represent a real, advanced and persistent threat. Once threat actors gain a foothold in your infrastructure or network, they will almost certainly try to maintain it.

To successfully protect their organizations, security teams need the full context of what is happening on their network. This means data from certain types of sources should be centrally collected and analyzed, with the goal of being able to extract and deliver actionable information.

What Is Network Flow Data?

One of the most crucial types of information to analyze is network flow data, which has unique properties that provide a solid foundation on which a security framework should be built. Network flow data is extracted — by a network device such as a router — from the sequence of packets observed within an interval between two internet protocol (IP) hosts. The data is then forwarded to a flow collector for analysis.

A unique flow is defined by the combination of the following seven key fields:

  1. Source IP address
  2. Destination IP address
  3. Source port number
  4. Destination port number
  5. Layer 3 protocol type
  6. Type of service (ToS)
  7. Input logical interface (router or switch interface)

If any one of the packet values for these fields is found to be unique, a new flow record is created. The depth of the extracted information depends on both the device that generates the flow records and the protocol used to export the information, such as NetFlow or IP Flow Information Export (IPFIX). Inspection of the traffic can be performed at different layers of the Open Systems Interconnection (OSI) model — from layer 2 (the data link layer) to layer 7 (the application layer). Each layer that is inspected adds more meaningful and actionable information for a security analyst.

One major difference between log event data and network flow data is that an event, which typically is a log entry, happens at a single point in time and can be altered. A network flow record, in contrast, describes a condition that has a life span, which can last minutes, hours or days, depending on the activities observed within a session, and cannot be altered. For example, a web GET request may pull down multiple files and images in less than a minute, but a user watching a movie on Netflix would have a session that lasts over an hour.

What Makes Network Flow Data So Valuable?

Let’s examine some of the aforementioned properties in greater detail.

Low Deployment Effort

Network flow data requires the least deployment effort because networks aggregate most of the traffic in a few transit points, such as the internet boundary, and the changes made to those transit points are not often prone to configuration mistakes.

Everything Is Connected

From a security perspective, we can assume that most of the devices used by organizations, if not all of them, operate on and interact with a network. Those devices can either be actively controlled by individuals — workstations, mobile devices, etc. — or operated autonomously — servers, security endpoints, etc.

Furthermore, threat actors typically try to remove traces of their attacks by manipulating security and access logs, but they cannot tamper with network flow data.

Reliable Visibility

The data relevant to security investigations is typically collected from two types of sources:

  • Logs from endpoints, servers and network devices, using either an agent or remote logging; or
  • Network flow data from the network infrastructure.

The issue with logs is that there will always be connected devices from which an organization cannot collect data. Even if security policies mandate that only approved devices may be connected to a network, being able to ensure that unmanaged devices or services have not been inserted into the network by a malicious user is crucial. Furthermore, history has shown that malicious users actively attempt to circumvent host agents and remote logging, making the log data from those hosts unreliable. The most direct source of information about unmanaged devices is the network.

Finally, network flow data is explicitly defined by the protocol, which changes very slowly. This is not the case with log data, where formats are very often poorly documented, tied to specific versions, not standardized and prone to more frequent changes.

Automatically Reduce False Positives

A firewall or access control list (ACL) permit notification does not mean that a successful communication actually took place. On the other hand, network flow data can be used to confirm that a successful communication took place. Being able to issue an alert unless a successful communication took place can dramatically reduce false positives and, therefore, save precious security analyst time.

Moving Beyond Traditional Network Data

Traditional network flow technology was originally designed to provide network administrators with the ability to monitor their network and pinpoint network congestion. More recently, security analysts discovered that network flow data was also useful to help them find network intrusions. However, basic network flow data was never designed to detect the most sophisticated advanced persistent threats (APTs). It does not provide the necessary in-depth visibility, such as the hash of a file transferred over a network or the detected application, as opposed to the port number, to name a few. By lacking this level of visibility, traditional network flow data greatly limits the ability to provide actionable information about a cyber incident.

Given the increasing level of sophistication of attacks, certain communications, such as inbound traffic from the internet, should be further scrutinized and inspected with a purpose-built solution. The solution must be able to perform detailed packet dissection and analysis — at line speed and in passive mode — and deliver extensive and enriched network flow data through a standard protocol such as IPFIX, which defines how to format and transfer IP flow data from an exporter to a collector.

The resulting enriched network flow data can be used to augment the prioritization of relevant alerts. Such data can also accelerate alert-handling research and resolution.

Why You Should Anaylze Network Flow Data?

Network flow data is a crystal ball into your environment because it delivers much-needed and immediate, in-depth visibility. It can also help security teams detect the most sophisticated attacks, which would otherwise be missed if investigation relied solely on log data. By reconciling network flow data with less-reliable log data, organizations can detect attacks more capably and conduct more thorough investigations. The bottom line is that network flow data can help organizations catch some of the most advanced attacks that exist, and it should not be ignored.

The post Why You Should Start Leveraging Network Flow Data Before the Next Big Breach appeared first on Security Intelligence.

How Safe and Secure are Wearables?

The ‘wearable technology’ market has been exponentially growing in recent years and is expected to exceed 830 million devices by 2020. One of the key drivers pushing this rapid expansion are fitness trackers, namely wristband tech and smartwatch apps which monitors our daily activity and health. But as we integrate wearables devices seamlessly into our everyday lives, what are the privacy and security risks they pose? How should wearable manufacturers and app developers be protecting consumers?

245 million wearables will be sold in 2019

Insurance company Vitality offers customers a heavily discounted Apple Watch to customers in return for their fitness routines and health data, the more activity you do each month, the greater your reward through a monthly discount. While this exchange of information for rewards provides a great incentive for consumers to improve their health, the personal data consumers are sharing in return has a tangible value for the insurance company. However, providing an insurance company with a daily data breakdown of one's health is an unacceptable tradeoff for some, regarding such a practice as an invasion of their privacy. 

As of May 2018, all EU citizen's privacy rights are legally protected by the General Data Protection Regulation (GDPR). GDPR compliance is required by all companies which process EU citizen data, including those based outside of the European Union. The privacy regulation requires wearable device and app providers to obtain each EU citizen's explicit consent before collecting their personal information, they must also clearly explain what types of personal information they intend to collect, how they intend to use the data, and inform consumers about any other organisation they intend to share their data with. If they don’t, wearable tech firms and app providers should brace themselves for heavy fines by European Information Commissioners.

For further details about the GDPR requirements and for Wearables Software Development Security Advice, read my IBM developerWorks 3 part guidance "A developer's guide to the GDPR" and my Combating IoT Cyber Threats

Wearable personal data is also of value to hackers and criminals, for instance, your fitness routine provides a clear picture of the best times to burglarise your home. With personal consumer data potentially at stake, fitness wearable manufacturers should incorporate both default privacy and security standards into the infrastructure of the device, to help ensure personal information remains safeguarded from known and future cyber threats.  ULa global safety science company, has developed testing for cybersecurity threats and offers security verification processes to assist manufacturers in assessing security risks and helping mitigate them before the product even goes to market. If the industry takes these steps, wearable consumers will feel safe and secure as they reap the intended benefits of this new innovation, while the wearables industry will be well positioned to meet the promise of its growth projections.

Which Threats had the Most Impact During the First Half of 2018?

One of the best ways for organizations to shore up their data security efforts and work toward more proactive protection is by examining trends within the threat environment.

Taking a look at the strategies for attack, infiltration and infection currently being utilized by hackers can point toward the types of security issues that will continue in the future and enable enterprises to be more prepared with the right data and asset safeguarding measures.

Each year brings both continuing and emerging threats which can complicate security efforts. Awareness of the most impactful threats – including those that might have been popular in the past, as well as the new approaches spreading among cybercriminals – is crucial in the data security landscape.

Recently, Trend Micro researchers examined the data protection and cyberthreat issues prevalent during the first half of 2018 and included these findings in the 2018 Midyear Security Roundup: Unseen Threats, Imminent Losses report.

Let’s take a closer look at this research, as well as top identified threats that impacted businesses during the first six months of this year.

Widespread vulnerabilities and software patching

Back in 2014, the world was introduced to Heartbleed. At the time, it was one of the largest and most extensive software vulnerabilities, impacting platforms and websites leveraging the popular OpenSSL cryptographic software library. The bug made global news because of the vast number of websites it affected, as well as the fact that it enabled malicious actors to access, read and potentially leak data stored in systems’ memory.

Since then, a few additional vulnerabilities have been identified, including two at the beginning of 2018. Design flaws within microprocessing systems – since dubbed Meltdown and Spectre – were identified by researchers. Unfortunately, though, these weren’t the only high-profile vulnerabilities to make headlines this year.

As Trend Micro reported in May, eight other vulnerabilities were uncovered following Meltdown and Spectre, which also impacted Intel processors, including four that were considered “high” severity threats. Because these processors are used by a considerable number of devices within businesses and consumer environments across the globe, the emerging vulnerabilities were significantly worrisome for security admins and individual users alike.

Vulnerabilities that affect such large numbers of devices and users can be a significant challenge for enterprise security postures. Taking a cue from Heartbleed, the Register reported that despite the fact that a patch was released several years earlier, an estimated 200,000 systems were still vulnerable to the bug in early 2017.

Installing software updates in a timely manner is a top facet of patching best practices.

Spectre, Meltdown and the series of other identified vulnerabilities showcase the key importance of proper patching. Even Intel worked to drive this point home in a released statement encouraging users to maintain a beneficial patching strategy.

“We believe strongly in the value of coordinated disclosure and will share additional details on any potential issues as we finalize mitigations,” Intel noted, according to TechSpot. “As a best practice, we continue to encourage everyone to keep their systems up-to-date.”

The mere presence of an identified vulnerability can create security weaknesses, but an unpatched system can boost the chances of an attack or breach incident even further. It’s imperative that, in light of these widespread vulnerabilities, enterprises ensure their patching processes are comprehensive and proactive.

Cryptocurrency mining steals valuable resources

Researchers also noted that while cryptocurrency mining activity became more prevalent in 2017, this trend continued into the first half of 2018. Cryptocurrency mining programs can be more of an issue than many users might realize, as such a malicious initiative can rob enterprise infrastructures of key computing resources required to maintain top performance of their critical systems and applications, not to mention result in increased utility costs.

During the first six months of 2018, researchers recorded a more than 140 increase in cryptocurrency mining activity through Trend Micro’s Smart Protection Network Infrastructure. What’s more, 47 new miner malware families were identified during Q1 and Q2, demonstrating that cryptocurrency mining will continue to be a top initiative for hackers.

“Unwanted cryptocurrency miners on a network can slow down performance, gradually wear down hardware, and consume power – problems that are amplified in enterprise environments,” Trend Micro researchers stated in the Unseen Threats, Imminent Losses report. “IT admins have to keep an eye out for unusual network activity considering the stealthy but significant impact cryptocurrency mining can have on a system.”

Ransomware: No end in sight

For years, ransomware infections have been a formidable threat to organizations within every industry, and the first half of 2018 saw no change in this trend. Researchers again identified an increase in ransomware infection activity – 3 percent. While this may seem small, the current rate at which ransomware attacks take place make this rise significant.

At the same time, Trend Micro discovered a 26 percent decrease in new ransomware families. This means that while hackers are continuing to leverage this attack style to extort money from victims, they are utilizing existing, standby ransomware samples, creating fewer opportunities for zero-day ransomware threats.

Data breaches remain a constant issue for businesses of all shapes and sizes.

Mega breaches: An increasingly frequent issue

As the sophistication and potential severity of hacker activity continue to rise, so too do the consequences of successful attacks.

According to data from the Privacy Rights Clearinghouse, there was a 16 percent increase in data breaches reported in the U.S. during the first half of 2018, including 259 incidents overall. Fifteen of these events were considered “mega breaches,” or those that exposed 1 million records or more over the course of the breach and subsequent fallout.

Such incidents surpass traditional breaches in widespread effects on the victim company, its users and customers and the industry sector at large. Most of these mega breaches (71 percent) took place within the healthcare industry, and when one considers the significant amount of sensitive data healthcare institutions deal with, such threat environment conditions aren’t that surprising.

It’s also important to consider not only the traditional impact of regular and mega breaches – including losses related to company reputation and image, revenue, customer acquisition and retention and more – but the compliance costs that can emerge as well. This is an especially imperative consideration in the age of the EU’s General Data Protection Regulation, which became enforceable in May.

“This regulation … sets a high bar for data security and privacy protection,” Trend Micro’s report stated. “It imposes considerable fines for noncompliant organizations … Moreover, it has quite a long reach since any organization holding EU citizens’ data is affected.”

Check out Trend Micro’s GDPR Resource Center to learn more about maintaining compliance with this standard.

Read Trend Micro’s Unseen Threats, Imminent Losses report for more information about the top threats identified during the first half of this year.

The post Which Threats had the Most Impact During the First Half of 2018? appeared first on .

Hey there! How much are you worth?

Have you ever stopped to think just how much your life is worth? I mean really think about it. For instance, let’s say you wanted to sell everything you have – your house, your car, your job, your private life, photos and home movies from your childhood, your accounts on various social media, your medical history and so on – how much would you ask for it all?

I thought about this myself and just the thought that someone else would be able to, for example, read the personal things I’ve written to friends, family and lovers on Facebook made me realize that those things are priceless. The same goes for someone getting access to my email and basically having the power to reset all my passwords for all the accounts I’ve registered using that email.

In the real non-digital world there are lots of insurance policies that cover things if they get damaged or stolen. If someone steals my car or I break my TV, I can replace them if they were insured. We don’t really have that option in the digital world, and our digital life contains some very personal and sentimental information. The big difference is that our digital lives can never be erased – what we’ve said or written, pictures we’ve sent, or orders we’ve made are basically stored forever in the hands of the service providers.

I decided to investigate the black market and see what kind of information is being sold there. We all know that you can buy drugs, weapons and stolen goods there, but you can also buy online identities. How much do you think your online identity is worth?

Hacked accounts

When investigating hacked accounts from popular services it’s almost impossible to compile valid data because there are so many black-market vendors selling this stuff. It is also difficult to verify the uniqueness of the data being sold. But one thing is certain – this is the most popular type of data being sold on the black market. When talking about data from popular services, I’m referring to things like stolen social media accounts, banking details, remote access to servers or desktops and even data from popular services like Uber, Netflix, Spotify and tons of gaming websites (Steam, PlayStation Network, etc.), dating apps, porn websites.

The most common way to steal this data is via phishing campaigns or by exploiting a web-related vulnerability such as an SQL injection vulnerability. The password dumps contain an email and password combination for the hacked services, but as we know most people reuse their passwords. So, even if a simple website has been hacked, the attackers might get access to accounts on other platforms by using the same email and password combination.

These kinds of attacks are not very sophisticated, but they are very effective. It also shows that cybercriminals are making money from hackers and hacktivists; the people selling these accounts are most likely not the people who hacked and distributed the password dump.

The price for these hacked accounts is very cheap, with most selling for about $1 per account, and if you buy in bulk, you’ll get them even cheaper.

Some vendors even give a lifetime warranty, so if one account stops working, you receive a new account for free. For example, below is a screenshot that shows a vendor selling Netflix accounts.

100 000 email and password combinations

250 000 email and password combinations

Passports and identity papers

When lurking around underground marketplaces I saw a lot of other information being traded, such as fake passports, driving licenses and ID cards/scans. This is where things get a bit more serious – most of the identity papers are not stolen, but they can be used to cause problems in the non-digital world.

People can use your identity with a fake ID card to acquire, for example, phone subscriptions, open bank accounts and so on.

Below is a screenshot of a person selling a registered Swedish passport, and the price is $4000. The same vendor was offering passports from almost all European countries.

Scammers’ toolbox

Most of the items being sold in the underground marketplaces are not new to me; they are all things the industry has been talking about for a very long time. What was interesting was the fact that stolen or fake invoices and other papers/scans such as utility bills were being sold.

People actually steal other people’s mail and collect invoices, for example, which are then used to scam other people. They will collect and organize these invoices by industry and country. The vendors then sell these scans as part of a scammer toolbox.

A scammer can use these scans to target victims in specific countries and even narrow their attacks down to gender, age and industry.

During the research I got to thinking about a friend’s (Inbar Raz) research on Tinder bots and, through my research, I managed to find links between stolen accounts and Tinder bots. These bots are used to earn even more money from stolen accounts. So, the accounts are not just sold on the black market, they are also used in other cybercriminal activities.

What’s interesting about the fake Tinder profiles is that they have the following characteristics in common that make them easy to identify:

  • Lots of matches all at once.
  • Most of the women look like super models.
  • No job title or education info.
  • Stolen Instagram pictures/images but with info stolen from Facebook accounts.
  • Scripted chat messages.

Most of the bots that I’ve researched are related to traffic redirection, clickbait, spam and things like that. So far, I haven’t seen any malware – most of the bots will try to involve you in other crime or to steal your data. Here’s an example of what it might look like.

The first step is that you’re matched with the bot. The bot doesn’t always contact you directly, but waits for you to interact with it before it replies. In some cases the introduction is scripted with some text about how it wants to show you nude photos or something similar and then it posts a link.

When you click on the link you go through several websites redirecting you in a chain. This chain does a lot of things, such as place cookies in your browser, enumerate your settings such as location, browser version and type and probably a lot more. This is done so that when you end up at the landing page they know which page to serve you. In my case, I came from a Swedish IP and the website I was offered was obviously in Swedish, which indicates that they are targeting victims globally.

These websites always have statements and quotes from other users. Most of the information used, including profile photos, name and age, is also taken from stolen accounts. The quote itself is obviously fake, but this approach looks very professional.

This particular website was asking for your email to sign up to a website which basically offered you a job. The actual campaign is called the ‘Profit Formula Scam’ and is a binary option auto-trading scam. It’s been covered in the media before, so I won’t go into any detail here.

Summary

People are generally very naive when it comes to their online identity, especially when it comes to services that don’t appear to affect their privacy in any way. I often hear people say that they don’t care if someone gets access to their account, for example, because they assume that the worst thing that can happen is that their account will be shared with someone they don’t know. But we need to understand that even if it all looks very innocent, we don’t know what the criminals do with the money they earn.

What if they are spending it on drugs or guns, which are then sold to teenagers? What if they finance platforms and servers to spread child porn? We need to understand that criminals often work together with other criminals, which means that maybe drugs are bought from the money they make from selling stolen Netflix accounts on the black market.

One of the most alarming things I noticed was how cheap everything was. Just think about the information someone could gather about you if they got access to your Facebook account – there is surely no way you would be okay with someone selling access to parts of your private life for one dollar.

But people use more than just Facebook. I would assume that most people aged between 15 and 35 have registered for over 20 different services and maybe use about 10 of them frequently. The services that you hardly ever use are a problem because you often forget that you even have an account there.

The most frequently used accounts probably include the likes of Facebook, Instagram, Skype, Snapchat, Tinder (or other dating services) email, and entertainment services such as Spotify, Netflix, HBO and YouTube. Besides this, you may have an account on a governmental or financial website such as your bank, insurance company, etc. We also need to remember that some of these services use Google or Facebook as authentication, which means you don’t use an email and password combination – you simply login with your Facebook or Google account.

SERVICE DESCRIPTION PRICE
Gaming Any type of gaming account, Steam, PSN, Xbox etc. $1 per account
Email Email and Password combination from various leaks. Most likely sold in bulk Various
Facebook Direct access to Facebook account $1 per account
Spotify Spotify premium account $2 per account
Netflix Netflix account $1-5 per account
Desktop Username and password for RDP services, including VNC $5-50 per account
Server Username and password for telnet/ssh $5-50 per account
Ecommerce Access to various ecommerce sites, including Airbnb and similar services $10 per account

When looking at the data it’s quite mind-blowing that you can basically sell someone’s complete digital life for less than $50 dollars. We’re not talking about getting access to bank accounts, but you do get access to services where a credit card might be included such as Spotify, Netflix, Facebook and others.

Besides just taking full control of someone’s digital life, access to these services is used by other criminals, for example, to spread malware or conduct phishing attacks.

The level of availability of these hacked or stolen accounts is very impressive; basically anyone with a computer can get access – you don’t have to be an advanced cybercriminal to know where to find them.

NIST’s Creation of a Privacy Framework

On Tuesday, Oct. 16, the National Institute of Standards and Technology (NIST) held its “Kicking off the NIST Privacy Framework: Workshop #1” in Austin, Texas. I was honored to be asked to participate. This was the first in a series of public workshops focusing on the development of a useful and voluntary Privacy Framework, like the NIST Cybersecurity Framework (CSF).

Event participation was outstanding. NIST’s initial registration for the event was filled in less than 90 minutes. Realizing they needed a bigger room, NIST moved to a space that nearly doubled the potential attendance. When the reopening of the registration was announced, it was filled in less than an hour. Many well-known names in the privacy field attended, with the audience primarily consisting of privacy consultants, lawyers, and other professionals trying to figure out how the Privacy Framework fits into their future.

NIST previously brought together both public and private sector individuals interested in solving problems that face us all. The CSF was a highly successful effort to develop a lightweight, valuable, and adoptable framework focused on improving the “security programs” of organizations. While initially developed in response to presidential executive order 13636, the CSF was never meant to be a government document. Speaking to critical infrastructure and cybersecurity organization representatives at the first Cybersecurity Framework meeting, previous NIST director Dr. Pat Gallagher said, “This is not NIST’s framework, this is yours.” He was absolutely right.

Over the next year, more than 3,000 professionals participated in CSF workshops, responded to requests for information, and provided comments on work-in-progress drafts. The result was something that achieved the CSF’s initial goals: It’s beneficial to all sectors and is usable by a range of organizations from small businesses to some of the largest corporations on the planet. The CSF is having a positive global influence with its adoption by various countries. It’s also assisting in the global alignment of cybersecurity languages and practices.

NIST has established many of the same goals for the Privacy Framework. These goals include:

  1. Developing the Privacy Framework through a consensus-driven, open, and highly transparent process
  2. Establishing a common language, providing for a consistent means to facilitate communication across all aspects of an organization
  3. Ensuring it is adaptable and scalable to many differing types of organizations, technologies, lifecycle phases, sectors, and uses
  4. Developing a voluntary, risk-based, outcome-based, and non-prescriptive privacy framework
  5. Ensuring it is usable as part of any organization’s broader corporate risk management strategy and processes
  6. Taking advantage of and incorporating existing privacy standards, methodologies, and guidance
  7. Establishing it as a living document that is updated as technology and approaches to privacy change and as stakeholders learn from implementations

During the Privacy Framework Kickoff, I was pleased to hear questions that were similar to what I heard during the initial CSF Kickoff. There was real tension in the room during the CSF Kickoff—a sense of not knowing how it was going to impact organizations’ cybersecurity-related responsibilities. The same tension was present during the Privacy Framework Kickoff conversations. We are just beginning to try to understand a solution that doesn’t yet exist.

It’s hard to see the result of a Privacy Framework from where we sit today. How can we develop and position a framework like this to be valuable for both U.S. and global businesses? What is intended for this effort? What are potential definition needs? What is harm? What new technology could influence this? How do we position this for the next 25 years of privacy, not just the past five?

We have started down a path that will likely take more than a year to complete. I envision the emerging Privacy Framework as addressing best practices in privacy while being compatible with and supporting an organization’s ability to operate under the various domestic and international legal or regulatory regimes. The Privacy Framework should not be focused on the legal aspects of privacy, but rather on what organizations need to consider in their own privacy programs. This is a journey just begun. From my perspective, the workshop on Oct. 16 was an outstanding start to the development of a consensus-driven Privacy Framework. I look forward to the active discussions and work ahead.

The post NIST’s Creation of a Privacy Framework appeared first on McAfee Blogs.

Ghouls of the Internet: Protecting Your Family from Scareware and Ransomware

scareware and ransomwareIt’s the middle of a workday. While researching a project, a random ad pops up on your computer screen alerting you of a virus. The scary-looking, flashing warning tells you to download an “anti-virus software” immediately. Impulsively, you do just that and download either the free or the $9.99 to get the critical download.

But here’s the catch: There’s no virus, no download needed, you’ve lost your money, and worse, you’ve shared your credit card number with a crook. Worse still, your computer screen is now frozen or sluggish as your new download (disguised malware) collects the data housed on your laptop and funnels it to a third party to be used or sold on the dark web.

Dreadful Downloads

This scenario is called scareware — a form of malware that scares users into fictitious downloads designed to gain access to your data. Scareware bombards you with flashing warnings to purchase a bogus commercial firewall, computer cleaning software, or anti-virus software. Cybercriminals are smart and package the suggested download in a way that mimics legitimate security software to dupe consumers. Don’t feel bad, a lot of intelligent people fall for scareware every day.

Sadly, a more sinister cousin to scareware is ransomware, which can unleash serious digital mayhem into your personal life or business. Ransomware scenarios vary and happen to more people than you may think.

Malicious Mayhem

Ransomware is a form of malicious software (also called malware) that is a lot more complicated than typical malware. A ransomware infection often starts with a computer user clicking on what looks like a standard email attachment only that attachment unlocks malware that will encrypt or lock computer files.

scareware and ransomware

A ransomware attack can cause incredible emotional and financial distress for individuals, businesses, or large companies or organizations. Criminals hold data ransom and demand a fee to release your files back to you. Many people think they have no choice but to pay the demanded fee. Ransomware can be large-scale such as the City of Atlanta, which is considered the largest, most expensive cyber disruption in city government to date or the WannaCry attack last year that affected some 200,000+ computers worldwide. Ransomware attacks can be aimed at any number of data-heavy targets such as labs, municipalities, banks, law firms, and hospitals.

Criminals can also get very personal with ransomware threats. Some reports of ransomware include teens and older adults receiving emails that falsely accuse them or browsing illegal websites. The notice demands payment or else the user will be exposed to everyone in his or her contact list. Many of these threats go unreported because victims are too embarrassed to do anything.

Digital Terrorists

According to the Cisco 2017 Annual Cybersecurity Report, ransomware is growing at a yearly rate of 350% and, according to Microsoft,  accounted for roughly $325 million in damages in 2015. Most security experts advise against paying any ransoms since paying the ransom is no guarantee you’ll get your files back and may encourage a second attack.

Cybercriminals are fulltime digital terrorists and know that a majority of people know little or nothing about their schemes. And, unfortunately, as long as our devices are connected to a network, our data is vulnerable. But rather than living anxiously about the possibility of a scareware or ransomware attack, your family can take steps to reduce the threat.

Tips to keep your family’s data secure:

Talk about it. Education is first, and action follows. So, share information on the realities of scareware and ransomware with your family. Just discussing the threats that exist, sharing resources, and keeping the issue of cybercrime in the conversation helps everyone be more aware and ready to make wise decisions online.

Back up everything! A cybercriminal’s primary goal is to get his or her hands on your data, and either use it or sell it on the dark web (scareware) or access it and lock it down for a price (ransomware). So, back up your data every chance you get on an external hard drive or in the cloud. If a ransomware attack hits your family, you may panic about your family photos, original art, writing, or music, and other valuable content. While backing up data helps you retrieve and restore files lost in potential malware attack, it won’t keep someone from stealing what’s on your laptop.scareware and ransomware

Be careful with each click. By being aware and mindful of the links and attachments you’re clicking on can reduce your chances of malware attacks in general. However, crooks are getting sophisticated and linking ransomware to emails from seemingly friendly sources. So, if you get an unexpected email with an attachment or random link from a friend or colleague, pause before opening the email attachment. Only click on emails from a trusted source. 

Update devices.  Making sure your operating system is current is at the top of the list when it comes to guarding against malware attacks. Why? Because nearly every software update contains security improvements that help secure your computer from new threats. Better yet, go into your computer settings and schedule automatic updates. If you are a window user, immediately apply any Windows security patches that Microsoft sends you. 

Add a layer of security. It’s easy to ignore the idea of a malware attack — until one happens to you. Avoid this crisis by adding an extra layer of protection with a consumer product specifically designed to protect your home computer against malware and viruses. Once you’ve installed the software, be sure to keep it updated since new variants of malware arise all the time.

If infected: Worst case scenario, if you find yourself with a ransomware notice, immediately disconnect everything from the Internet. Hackers need an active connection to mobilize the ransomware and monitor your system. Once you disconnect from the Internet, follow these next critical steps. Most security experts advise against paying any ransoms since paying the ransom is no guarantee you’ll get your files back and may encourage a second attack.

 

Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her onTwitter @McAfee_Family. (Disclosures)

 

The post Ghouls of the Internet: Protecting Your Family from Scareware and Ransomware appeared first on McAfee Blogs.

Have You Talked to Your Kids About a Career in Cybersecurity?

career in cybersecurityHere’s some cool trivia for you: What profession currently has a zero-percent unemployment rate, pays an average of $116,000 a year, and is among the top in-demand jobs in the world? A lawyer? A pharmacist? A finance manager, perhaps?

Nope. The job we’re talking about is a cybersecurity specialist and, because of the increase in cyber attacks around the world, these professionals are highly employable.

Job Security

According to numbers from the Bureau of Labor and Statistics, a career in cybersecurity is one of the most in-demand, high-paying professions today with an average salary of $116,000, or approximately $55.77 per hour. That’s nearly three times the national median income for full-time wage and salary workers. How’s that for job security?

Why is the demand so high? Sadly, because there are a lot of black hats (bad guys) out there who want our data — our user IDs, passwords, social security numbers, and credit card numbers. Every month it seems banks, hospitals, and major corporations are reporting security breaches, which has put the global cybersecurity talent an estimated deficit of two million professionals.career in cybersecurity

It’s exciting to see gifts and passions emerge in our kids as they grow and mature. If a child is good at math and sciences, we might point them toward some the medical field. If they a child shows an affinity in English and communication skills, maybe a law, teaching, or media career is in their future.

But what about a cybersecurity expert? Have you noticed any of these skills in your kids?

Cybersecurity skills/traits:

Problem-solving
Critical thinking
Flexible/creative problem solving
Collaborative, team player
Continual learner
Gaming fan
A sense of duty, justice
Persistent, determined
Works well under pressure
Curious and perceptive
Technology/tech trend fan
Verbal and written communications

Education

Most jobs in cybersecurity require a four-year bachelor’s degree in cybersecurity or a related field such as information technology or computer science. Students take coursework in programming and statistics, ethics, and computer forensics, among other courses.

Conversation Starters

First, if your child has some of the skills/personality traits mentioned, how do you start directing him or her toward this field? The first place to begin is in the home. Model smart cybersecurity habits. Talk about digital safety, the importance of protecting personal data and the trends in cybercrimes. In short, model and encourage solid digital citizenship and family security practices. career in cybersecurity

Second, bring up the possibility, or plant the seed. Be sure to encourage both boys and girls equally. Help your child find answers to his or her questions about careers in computer and data science, threat research, engineering and information on jobs such as cybersecurity analyst, vulnerability analyst, and penetration tester.

Third, read and share takeaways from the Winning The Game a McAfee report that investigates the key challenges facing the IT Security industry and the possible teen gaming link to a successful cybersecurity career.

Additional resources*

CyberCompEx. A connection point for everything cybersecurity including forums, groups, news, jobs, and competition information.

CyberCorps® Scholarship for Service. SFS is a program providing scholarships and stipends to undergraduate and graduate students studying cybersecurity at participating institutions. Great for those who want to work in government.

CyberPatriot. This site is created by the Air Force Association (AFA) to inspire K-12 students toward careers in cybersecurity or other science, technology, engineering, and mathematics (STEM).

GenCyber. This is a summer cybersecurity camp for K-12 students and teachers that focuses on inspiring kids to direct their talents toward cybersecurity skills and closing the security skills gap.

career in cybersecurityNational CyberWatch Center. The National CyberWatch Center is a consortium of higher education institutions, public and private businesses, and government agencies focused on advancing cybersecurity education and strengthening the workforce.

National Initiative for Cybersecurity Careers and Studies. NICCS provides information on cybersecurity training, formal education, and workforce development.

National Initiative for Cybersecurity Education. NICE is an initiative to energize and promote a robust network and an ecosystem of cybersecurity education, cybersecurity careers, training, and workforce development.

*Resource list courtesy of Stay Safe Online.

 

Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her onTwitter @McAfee_Family. (Disclosures)

The post Have You Talked to Your Kids About a Career in Cybersecurity? appeared first on McAfee Blogs.

Working Together to Ensure Better Cybersecurity

For many, it’s hard to picture a work environment that doesn’t revolve around the use of technology. Digital, cloud-based services coupled with access through mobile and IoT devices have completely reshaped organizations by streamlining business processes and enabling people to work anywhere, anytime. Thanks to these advances, there have also been a variety of recent shifts in how employers and employees interact with each other, ranging from liberal remote work policies companies asking employees to bring their own devices to work.

Often these changes feel remarkable, efficient and convenient, as they make our work lives much more efficient – but these advancements also create concerns around cybersecurity. Many devices contain both personal and professional data , and when we take our work home or on the go with us, we’re not constantly protected by a company firewall, safe Wi-Fi, or other standard cybersecurity measures. Regardless of what industry you are in, online safety is no longer just IT’s problem. Cybersecurity is now a shared responsibility between an organization and its employees.

Naturally, these changes require education and communication around cybersecurity best practices in order to develop positive habits that will keep both employers and employees safe. Getting a habit to stick also requires an organization to develop culture of security in tandem, in which every individual and department is accountable for cybersecurity and bands together with the shared objective of staying secure.

October is National Cybersecurity Awareness Month, which is a great time to look at how everyone can be a part of the cybersecurity solution within their organization. If cybersecurity has not historically not been a priority within an organization, starting a conversation about it can be difficult, whether you’re an employee or an employer. Consider using these tips to start thinking about personal cybersecurity and how that translates into an overall cybersecurity plan within your organization.

Employers can take the following steps:

  • Identify which company assets are of greatest value, then ensure security measures are in place. Employee, customer, and payment data are all assets that cybercriminals could leverage via phishing, malware, password breaches, and denial-of-service (DoS) attacks. Begin to develop a formal cybersecurity plan based on your specific needs.
  • Set up an alert system. Put a system into place that will alert employees and your organization of an incident. This also includes an avenue for employees to report problems they might notice before they become widespread. The sooner people know about a vulnerability, the faster they can respond and take action.
  • Develop a response plan. Practice an incident response plan to contain an attack or breach. Keep in mind the goal of maintaining business operations in the short term while assessing the long-term effects of the cyber incident.

Employees can follow these guidelines:

  • Regularly update your device’s software. This is the easiest way to ensure your devices are equipped with vital patches that protect against flaws and bugs that cybercriminals can exploit.
  • Take security precautions, even if your company isn’t there yet. Professional and personal information is often intertwined on our devices – especially our mobile phones. Keep all your data secure with comprehensive mobile security, such as McAfee® Mobile Security. Then work within your organization to develop a cybersecurity plan that works for all.

Interested in learning more about IoT and mobile security trends and information? Follow @McAfee_Home on Twitter, and ‘Like” us on Facebook.

The post Working Together to Ensure Better Cybersecurity appeared first on McAfee Blogs.

As Search Engines Blacklist Fewer Sites, Users More Vulnerable to Attack

Turns out, it’s a lot harder for a website to get blacklisted than one might think. A new study found that while the number of bot malware infected websites remained steady in Q2 of 2018, search engines like Google and Bing are only blacklisting 17 percent of infected websites they identify. The study analyzed more than six million websites with malware scanners to arrive at this figure, noting that there was also a six percent decrease in websites being blacklisted over the previous year.

Many internet users rely on these search engines to flag malicious websites and protect them as they surf the web, but this decline in blacklisting sites is leaving many users just one click away from a potential attack. This disregard of a spam attack kit on search engine results for these infected sites can lead to serious disruption, including a sharp decline in customer trust. Internet users need to be more vigilant than ever now that search engines are dropping the ball on blacklisting infected sites, especially considering that total malware went up to an all-time high in Q2, representing the second highest attack vector from 2017-2018, according to the recent McAfee Labs Threats Report.

Another unsettling finding from the report was that incidents of cryptojacking have doubled in Q2 as well, with cybercriminals continuing to carry out both new and traditional malware attacks. Cryptojacking, the method of hijacking a browser to mine cryptocurrency, saw quite a sizable resurgence in late 2017 and has continued to be a looming threat ever since. McAfee’s Blockchain Threat Report discovered that almost 30,000 websites host the Coinhive code for mining cryptocurrency with or without a user’s consent—and that’s just from non-obfuscated sites.

And then, of course, there are just certain search terms that are more dangerous and leave you more vulnerable to malware than others. For all of you pop culture aficionados, be careful which celebrities you digitally dig up gossip around. For the twelfth year in a row, McAfee researched famous individuals to assess their online risk and which search results could expose people to malicious sites, with this year’s Most Dangerous Celebrity to search for being “Orange is the New Black’s” Ruby Rose.

So, how can internet users protect themselves when searching for the knowledge they crave online, especially considering many of the most popular search engines simply aren’t blacklisting as many bot malware infected sites as they should be? Keep these tips in mind:

  • Turn on safe search settings. Most browsers and search engines have a safe search setting that filters out any inappropriate or malicious content from showing up in search results. Other popular websites like iTunes and YouTube have a safety mode to further protect users from potential harm.
  • Update your browsers consistently. A crucial security rule of thumb is always updating your browsers whenever an update is available, as security patches are usually included with each new version. If you tend to forget to update your browser, an easy hack is to just turn on the automatic update feature.
  • Be vigilant of suspicious-looking sites. It can be challenging to successfully identify malicious sites when you’re using search engines but trusting your gut when something doesn’t look right to you is a great way of playing it safe.
  • Check a website’s safety rating. There are online search tools available that will analyze a given URL in order to ascertain whether it’s a genuinely safe site to browse or a potentially malicious one infected with bot malware and other threats.
  • Browse with security protection. Utilizing solutions like McAfee WebAdvisor, which keeps you safe from threats while you search and browse the web, or McAfee Total Protection, a comprehensive security solution that protects devices against malware and other threats, will safeguard you without impacting your browsing performance or experience.

To keep abreast of the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post As Search Engines Blacklist Fewer Sites, Users More Vulnerable to Attack appeared first on McAfee Blogs.

#CyberAware: Teaching Kids to Get Fierce About Protecting Their Identity

Identity ProtectionIt wasn’t Kiley’s fault, but that didn’t change the facts: The lending group denied her college loan due to poor credit, and she didn’t have a plan B. Shocked and numb, she began to dig a little deeper. She discovered that someone had racked up three hefty credit card bills using her Social Security Number (SSN) a few years earlier.

Her parents had a medical crisis and were unable to help with tuition, and Kiley’s scholarships didn’t cover the full tuition. With just months left before leaving to begin her freshman year at school, Kiley was forced to radically adjusted her plans. She enrolled in the community college near home and spent her freshman year learning more than she ever imagined about identity protection and theft.

The Toll: Financial & Emotional

Unfortunately, these horror stories of childhood identity theft are all too real. According to Javelin Strategy & Research, more than 1 million children were the victim of identity fraud in 2017, resulting in losses of $2.6 billion and more than $540 million in out-of-pocket costs to the families.

The financial numbers don’t begin to reflect the emotional cost victims of identity theft often feel. According to the 2017 Identity Theft Aftermath report released by the Identity Theft Resource Center, victims report feeling rage, severe distress, angry, frustrated, paranoid, vulnerable, fearful, and — in 7% of the cases — even suicidal.

Wanted: Your Child’s SSNIdentity Protection

Sadly, because of their clean credit history, cyber crooks love to target kids. Also, identity theft among kids often goes undiscovered for more extended periods of time. Thieves have been known to use a child’s identity to apply for government benefits, open bank or credit card accounts, apply for a loan or utility service, or rent a place to live. Often, until the child grows up and applies for a car or student loan, the theft goes undetected.

Where do hackers get the SSN’s? Data breaches can occur at schools, pediatrician offices, banks, and home robberies. A growing area of concern involves medical identity theft, which gives thieves the ability to access prescription drugs and even expensive medical treatments using someone else’s identity.

6 Ways to Build #CyberAware Kids

  1. Talk, act, repeat. Identity theft isn’t a big deal until it personally affects you or your family only, then, it’s too late. Discuss identity theft with your kids and the fallout. But don’t just talk — put protections in place. Remind your child (again) to keep personal information private. (Yes, this habit includes keeping passwords and personal data private even from BFFs!)
  2.  Encourage kids to be digitally savvy. Help your child understand the tricks hackers play to steal the identities of innocent people. Identity thieves will befriend children online and with the goal of gathering personal that information to steal their identity. Thieves are skilled at trolling social networks looking at user profiles for birth dates, addresses, and names of family members to piece together the identity puzzle. Challenge your kids to be on the hunt for imposters and catfishes. Teach them to be suspicious about links, emails, texts, pop up screens, and direct messages from “cute” but unknown peers on their social media accounts. Teach them to go with their instincts and examine websites, social accounts, and special shopping offers.Identity Protection
  3. Get fierce about data protection. Don’t be quick to share your child’s SSN or secondary information such as date of birth, address, and mothers’ maiden name and teach your kids to do the same. Also, never carry your child’s (or your) physical Social Security card in your wallet or purse. Keep it in a safe place, preferably under lock and key. Only share your child’s data when necessary (school registration, passport application, education savings plan, etc.) and only with trusted individuals.
  4. File a proactive fraud alert. By submitting a fraud alert in your child’s name with the credit bureaus several times a year, you will be able to catch any credit fraud early. Since your child hasn’t built any credit, anything that comes back will be illegal activity. The fraud alert will remain in place for only 90 days. When the time runs out, you’ll need to reactivate the alert. You can achieve the same thing by filing an earnings report from the Social Security Administration. The report will reveal any earnings acquired under your child’s social security number.
  5. Know the warning signs. If a someone is using your child’s data, you may notice: 1) Pre-approved credit card offers addressed to them arriving via mail 2) Collection agencies calling and asking to speak to your child 3) Court notices regarding delinquent bills. If any of these things happen your first step is to call and freeze their credit with the three credit reporting agencies: Equifax, Experian, and TransUnion.
  6. Report theft. If you find a violation of your child’s credit of any kind go to  IdentityTheft.gov to report the crime and begin the restoring your child’s credit. This site is easy to navigate and takes you step-by-step down the path of restoring stolen credit.

Building digitally resilient kids is one of the primary tasks of parents today. Part of that resilience is taking the time to talk about this new, digital frontier that is powerful but has a lot of security cracks in it that can negatively impact your family. Getting fierce about identity protection can save your child (and you) hours and even years of heartache and financial loss.

 

Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her onTwitter @McAfee_Family. (Disclosures)

The post #CyberAware: Teaching Kids to Get Fierce About Protecting Their Identity appeared first on McAfee Blogs.

Aussie Ruby Rose is McAfee’s Most Dangerous Celebrity

Keeping up to date with celebrity gossip is a sport for many of us. Staying on top of what your favourite celebrity wore to the latest Hollywood shindig and, of course who they were with can be very time consuming and often require extensive searching! But did you know that searching for your favourite celebrity can actually put your personal security at risk?

Every year McAfee, the device-to-cloud cybersecurity company, undertakes global research, entitled Most Dangerous Celebrities, to identify which celebrities generate the riskiest search results which could potentially expose fans to malicious websites and risky downloads. And in 2018, the top spot was filled for the first time ever by an Australian celebrity: actress and television presenter Ruby Rose.

The very talented Ruby Rose kicked off her career as a hugely popular VJ (video jockey) on MTV. Before long, she went on to enjoy great success as a model, television presenter and then actress with her role as Stella Carlin in the cult series Orange Is The New Black. Ruby’s casting as Batwoman in the upcoming television series would have no doubt assisted in propelling her to first position.

Who Are the Most Dangerous Celebrities to Search For in 2018?

In the global list of Most Dangerous Celebrities, American reality TV star, Kristin Cavallari finished behind Rose at No. 2, followed by French actress Marion Cotillard (No. 3), the original Wonder Woman Lynda Carter (No. 4), Aussie actress Rose Byrne (No. 5), star of Will and Grace Debra Messing (No. 6), reality TV star Kourtney Kardashian (No. 7), actress Amber Heard (No. 8), American morning TV show host Kelly Ripa (No. 9), and finally Orange Is The New Black actor, Brad William Henke round out the top 10.

American actress Lucy Liu topped Australia’s list of the Most Dangerous Celebrities to search for. The top 10 list was littered with Aussie celebrities as well, including Naomi Watts (No. 2), Cate Blanchett (No 4.), Elle Macpherson (No.9) and Margot Robbie (No.10).

Interestingly, Aussie morning TV show host Sonya Kruger came in at number 17 on the list, a notable mention after appearing alongside other Australian TV stars, such as Carrie Bickmore and Georgie Gardiner in the recent fake Facebook ads scamming unsuspecting victims into purchasing face cream subscriptions. The recent Facebook scam demonstrates how cybercriminals capitalise on our love of celebrity when trying to trap unsuspecting consumers into scams.

Cybercriminals Capitalise on our ‘Celebrity Culture’

Online scammers and cybercriminals are always looking at new ways to get their hands on our private information with the aim of making big bucks. Tapping into our love of celebrity, cybercriminals will create professional looking websites that contain downloads which contain spyware or malware. These malicious celebrity sites may also require users to set up an account. Unsuspecting visitors will then provide their email addresses and passwords to the site not realising that their details have been compromised.

Our fast-paced modern lives mean that we often cut corners in the name of speed and convenience. Some of us are just so keen to view the promised content about our favourite celebrity that we drop our guard and don’t take the time to ensure the site is legitimate.

But not taking the time to ensure a link is safe means fans are not only putting their devices at risk of infection from viruses, but themselves at risk of identity theft.

How to Avoid Being Targeted by a Cyber Criminal

One of the best ways of staying safe online and avoiding falling victim to a scam is to adopt safe searches practices. Here are my top tips to ensure you stay out of trouble!

1. Think Before You Click

Users looking for a sneak-peek of Ruby Rose’s upcoming Batwoman series should be cautious and only download directly from a reliable source. The safest thing to do is to wait for the official release instead of visiting a third-party website that could contain malware.

2. Apply Updates as Soon as they are Available

Device and app updates will often include security fixes. Applying updates is an important step to help ensure devices stay protected.

3. Browse with Security Protection

Searching and browsing without security software is a little like navigating a foreign city with any guidelines. McAfee Total Protection is a comprehensive security solution that can help keep devices protected against malware, phishing attacks, and other threats. It includes McAfee WebAdvisor which can help identify malicious websites – very helpful!

4. Use Parental Control Software

Kids are fans of celebrities too, so ensure that limits are set on the child’s device and use software that can help minimise exposure to potentially malicious or inappropriate websites.

Whether you celebrity watch because you are enamoured, envious or inspired, please don’t let your hobby put you at risk of identity theft. Ensure you (and your kids) search safely so you can stay out of the way of cybercrims and their scams!

Alex x

 

The post Aussie Ruby Rose is McAfee’s Most Dangerous Celebrity appeared first on McAfee Blogs.

Cyber Security Roundup for September 2018

September 2018 started with a data breach bang, with British Airways disclosing a significant hack and data loss. 380,000 of the airlines' website and mobile app customers had their debit and credit card details lifted via a maliciously injected script.  The breach even caused BA owners, IAG, to drop in value 4%. And to compound matters, there were several claims made that the BA website wasn't PCI DSS compliant, implying if they were PCI DSS compliant, their customer's personal and payment card information would still be safe.  For further details about this breach see my blog posts; British Airways Customer Data Stolen in Website and Mobile App Hack and British Airways Hack Update: Caused by Injected Script & PCI DSS Non-Compliance is Suspected.

Facebook continues to make all the wrong kind of privacy headlines after a massive user data breach was confirmed by the social media giant at the end of the month. Facebook said at least 50 million users’ data was at risk after hackers exploited a vulnerability the Facebook code. Facebook CEO Mark Zuckerberg said he doesn’t know who is behind the cyber attack, however, the FBI are investigating. 

There was a good measure of embarrassment at the Tory Conference after a flaw in the conference App revealed the personal data of senior UK government cabinet ministers, with Boris Johnson, Michael Gove, Gavin Williamson among those whose their personal information and phones numbers made available.

There was a number of large data breach fines handed out in September, Tesco Bank was hit by a whopping £16.4 by the Financial Conduct Authority (FCA), the fine would have been doubled if it weren't for Tesco's good co-operation with the FCA investigation. The FCA said Tesco had security deficiencies which left their bank account holders vulnerable to a cyber attack in November 2016. The attack netted the bad guys, via 34 transactions, a cool £2.26 million. The FCA report said the cyber criminals had exploited weaknesses in the bank's design of its debit card, its financial crime controls and in its financial crime operations team, to carry out the attack over a 48-hour period. 

Equifax was fined the maximum pre-GDPR law amount of £500K by the Information Commissioner's Office (ICO) after the US-based credit reference agency failed to protect the personal data of 15 million UK citizens. The ICO ruled Equifax's UK branch had "failed to take appropriate steps" to protect UK citizens' data. It added that "multiple failures" meant personal information had been kept longer than necessary and left vulnerable.

The ICO also fined Bupa £175K, for not having good enough security to prevent the theft of 547,000 customer records by an employee.  Uber has paid £133m to settle legal claims to customers and drivers, as a result of trying to cover up a huge breach which occurred in 2016 from their regulators. The ride-hailing company admitted to paying off hackers to the tune of $100,000 to delete the data they robbed from Uber's cloud servers. The personal data stolen was from 57 million Uber accounts, also included information about 600,000 driving license numbers. 

Looks like the MoD and GCHQ are looking to beef up Britan's Cyber Offense capabilities, announcing a plan to recruit a 2,000 strong 'cyber force' to take on the Russian threat. Meanwhile across the pond, the Mirai creators have done a deal to keep themselves out of jail in return for helping the FBI catch cybercrooks, which has echoes of the approach the FBI took with con artist and cheque fraud expert Frank Abagnale, the subject of book and movie "Catch me if you Can".

Bristol Airport was impacted by a ransomware attack, which took down their arrival and departure screens for a couple of days, and a Scottish Brewery was also hit by ransomware attack through infected CV it had received through an online job advertisement

Europol warned of 15 ways you could become a Cyber Crime Victim, and there was an excellent article in the New York Times on the Bangladesh’s Central Bank Cyber Theft

NEWS
AWARENESS, EDUCATION AND THREAT INTELLIGENCE

#CyberAware: Will You Help Make the Internet a Safe Place for Families?

National Cyber Security Awareness MonthDon’t we all kinda secretly hope, even pretend, that our biggest fears are in the process of remedying themselves? Like believing that the police will know to stay close should we wander into a sketchy part of town. Or that our doors and windows will promptly self-lock should we forget to do so. Such a world would be ideal — and oh, so, peaceful — but it just isn’t reality. When it comes to making sure our families are safe we’ve got to be the ones to be aware, responsible, and take the needed action.

Our Shared Responsibility

This holds true in making the internet a safe place. As much as we’d like to pretend there’s a protective barrier between us and the bad guys online, there’s no single government entity that is solely responsible for securing the internet. Every individual must play his or her role in protecting their portion of cyberspace, including the devices and networks they use. And, that’s what October — National Cyber Security Awareness Month (NCSAM) — is all about.

At McAfee, we focus on these matters every day but this month especially, we are linking arms will safety organizations, bloggers, businesses, and YOU — parents, consumers, educators, and digital citizens — to zero in on ways we can all do our part to make the internet safe and secure for everyone. (Hey, sometimes the home team needs a huddle, right!?)

8 specific things you can do!

National Cyber Security Awareness Month

  1. Become a NCSAM Champion. The National Cyber Security Alliance (NCSAM) is encouraging everyone — individuals, schools, businesses, government organizations, universities — to sign up, take action, and make a difference in online safety and security. It’s free and simple to register. Once you sign up you will get an email with a toolbox packed with fun, shareable memes to post for #CyberAware October.
  2. Tap your social powers. Throughout October, share, share, share great content you discover. Use the hashtag #CyberAware, so the safety conversation reaches and inspires more people. Also, join the Twitter chat using the hashtag #ChatSTC each Thursday in October at 3 p.m., ET/Noon, PT. Learn, connect with other parents and safety pros, and chime in.National Cyber Security Awareness Month
  3. Hold a family tech talk. Be even more intentional this month. Learn and discuss suggestions from STOP. THINK. CONNECT.™ on how each family member can protect their devices and information.
  4. Print it and post it: Print out a STOP. THINK. CONNECT.™ tip sheet and display it in areas where family members spend time online.
  5. Understand and execute the basics. Information is awesome. But how much of that information do we truly put into action? Take 10 minutes to read 10 Tips to Stay Safe Online and another 10 minutes to make sure you take the time to install a firewall, strengthen your passwords, and make sure your home network as secure as it can be.National Cyber Security Awareness Month
  6. If you care — share! Send an email to friends and family informing them that October is National Cybersecurity Awareness Month and encourage them to visit staysafeonline.org for tips and resources.
  7. Turn on multi-factor authentication. Protect your financial, email and social media accounts with two-step authentication for passwords.
  8. Update, update, update! This overlooked but powerful way to shore up your devices is crucial. Update your software and turn on automatic updates to protect your home network and personal devices.

Isn’t it awesome to think that you aren’t alone in striving to keep your family’s digital life — and future — safe? A lot of people are working together during National Cyber Security Awareness Month to educate and be more proactive in blocking criminals online. Working together, no doubt, we’ll get there quicker and be able to create and enjoy a safer internet.

 

 

Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her onTwitter @McAfee_Family. (Disclosures)

The post #CyberAware: Will You Help Make the Internet a Safe Place for Families? appeared first on McAfee Blogs.

Feature, Bug or Just a Huge Security Risk? Skype for Business, Examined

Here at Heimdal Security, we spread our time between providing security tools to prevent serious attacks like ransomware or next-gen malware and providing the education necessary to keep personal data safe across various platforms and devices.

Sometimes, it becomes obvious that tools and education alone won’t keep users truly safe online, nor will they enforce their privacy. Sometimes, ubiquitous, extremely popular services release some features that truly boggle the mind. Skype for Business is one.

This week, we discovered a serious security risk and privacy breach with the Skype for Business app. It was not related to hacking and other cyber-attacks but a pure “feature”, whose purpose and value we haven’t yet been able to decipher.

If you do a Skype for Business call with “screen-sharing” turned on, be prepared to share more than what you wanted.

Once the person who started screen-sharing hangs up, the desktop-sharing function will continue. The people at the other end of the line will still see what’s happening there.

If the person who had hosted the session does not notice the tiny warning at the top, they will continue sharing whatever they’re doing on the screen. Spreadsheets with sensitive financial data, inbox contents, private messages on Facebook, all of them will be seen by the other person.

Had a cybercriminal participated in a conversation like this, they would have had a field day with the info obtained. In some areas, a competitor could do seriously damage with how much information they are able to see.

We thought that we had stumbled upon a serious security flaw. Imagine our surprise when, after a few seconds of Googling the issue and thinking about contacting Microsoft, we came across this thread. No, screen sharing after ending a call is a “feature, not a bug”. Never mind the fact that a regular Skype user first calls someone to start a meeting, then opens a presentation, then closes the call and assumes that the entire interaction ended.

Why would someone possibly want for their screen to still be visible to the other person, even though the dialogue ended? Even if, by chance, that was the case, the tiny ribbon that lets you know screen-sharing has such an unobtrusive design, a regular user will definitely miss it. For such a security-sensitive feature, you’d think neon colors were in order. Certainly, a pleasant design should not be the only priority for Skype for Business.

After all, the people using it do have plenty of sensitive information that should not leak.

Here is what the caller who initiated screen-sharing can see once he/she hangs up.

skype for business screen share issue

Here is what’s visible to the ones that just left that call. Spoiler: it’s everything the initial caller is currently doing.

skype for business share screen issue

And, finally, this is the placement of the ribbon that was designed to let the user know their screen is still being broadcast. It’s almost black, on top of a browser bar of the same color. If someone had a secondary display and they were to continue working on the screen with the Skype for Business window, it would have been almost impossible to spot that message.

skype for business screen sharing issue

What’s worse is that this is something that’s been signaled plenty of times.

Microsoft’s response? “It’s an expected behavior,” said a customer representative. He followed that an invitation to “vote for this feedback” at another link. And a recommendation to “close the Skype for Business chat window to end Skype call and screen sharing at the same time.”

Yes, the official suggestion is to close the entire window, not press the button that’s for ending the call.

Give it a bit more time, and instead of customer support signaling a bad UI design (user interface) and the developers fixing it, someone will tell you to put a sticker on your webcam if you want to stop broadcasting. This is not to mention what a huge GDPR infringement this Skype for Business bug is. Some experts point out that even sharing usernames in unencrypted communications or on screens can be against the General Data Protection Regulation.

 

Microsoft is not alone in this and could probably pin this one on miscommunication, not bad intentions.

What users have to do is to secure their device with the essential security layers and remain updated with current news, so they can act swiftly and protect themselves and their valuable data.

The post Feature, Bug or Just a Huge Security Risk? Skype for Business, Examined appeared first on Heimdal Security Blog.

Mobile and Digital Payments: Worth the Risk?

Thanks in part to the convenience that our mobile devices provide for us, much of the world operates now on instant gratification. From accessing information on the web to doing work –and now sending and receiving digital payments– our devices and applications support us while we’re on the go. Whether we’re paying a friend for dinner, our roommate for rent, or otherwise, many of us use peer-to-peer (P2P) mobile and digital payment apps rather than cash to settle our bills.

P2P mobile and digital payment apps like Cash App, PayPal, Venmo, and Zelle have changed the way we transfer money; today it’s faster, simpler, and easier than ever. In fact, they’re so popular that it’s estimated that in 2018, $700 billion will be transferred in this manner. With so much money being sent and received in this way, the ease of transfer begs the question, how secure are these apps?

While some have turned to using cryptocurrency and blockchain to curtail the known dangers of traditional mobile payment apps, recent cryptojacking incidents have proven that even this new technology is not foolproof when it comes to cybersecurity and the determination of cybercriminals. And while the convenience of digital payments can’t be denied, we seem to be prioritizing ease of use over security. Let’s take a look at how digital payments work, as well as their security implications.

How Digital Payments Work

P2P apps like Venmo, Cash App, and others essentially all work in the same way.  Functioning as a digital wallet, users link the app to their bank accounts or credit and debit cards. Then the app adds or subtracts money based on when users receive or send a payment. From there, users can “cash out” their balance to their preferred digital property, such as the account attached to a card or bank account.

P2P Money Transfer Apps and Cybersecurity Concerns

On the surface, digital money transfers may seem harmless, when in fact, they could lead to a headache of unforeseen cybersecurity concerns. The good news is that most money transfer apps will reimburse you for fraudulent charges. However, if someone has physical access to your phone and you don’t keep it locked, they can send money to themselves or others and you won’t get that money back.

Aside from the obvious concern of losing your phone, if you use an unsecured network to transfer money, it’s easier for someone to launch a phishing attack to gain access to your data. That’s because some payment apps will send request links from other users to download the app on their device. These links can be manipulated by cybercriminals and often contain just a letter or number off so that these changes go unnoticed by day-to-day users. When clicked on, a user can be redirected to a web page and presented with malware or a virus and might be prompted to download it– giving an unfriendly host access to your financial information. Thankfully, leveraging your data plan or a VPN rather than an unsecured or pubic Wi-Fi network can help create an extra layer of protection, making it more difficult for cybercriminals to access your sensitive data.

Lastly, there are often unforeseen holes in software that provide backdoor access to your financial information. Meticulously updating the software on your mobile device can help patch up known security issues, also making it easier to protect your data.

Tips to Stay Safe While Using Peer-to-Peer Money Transfer Apps

If you already use a peer-to-peer money transfer app or are on the fence about downloading one, here are some tips to take into account. By practicing multiple security habits simultaneously, your financial information is much more likely to remain safe on your devices and apps:

  • Set up additional security measures. P2P payment platforms require access to sensitive financial information. Check your account settings to see if you can enable multi-factor authentication, PIN/Password requirement, or use fingerprint recognition.
  • Check your preferred app’s permission or settings. Some might share information about your transactions on social media or on the platform itself, like Venmo. Make adjustments to these settings if and when you see fit.
  • Update your software and apps. It’s a best practice to update software and apps when prompted to help seal vulnerabilities when they’re found.
  • Be aware of where you are conducting your money transfers. Opt to use your data plan or a secure, private Wi-Fi network when using a P2P payment app. If you connected to public Wi-Fi, cybercriminals could use the holes in these networks to access your personal banking information and possibly access your P2P app account. If you must use public Wi-Fi, then it’s a good idea to use a Virtual Private Network (VPN).
  • Confirm the deposit went through. When you receive a payment, that money is added to your in-system balance. This is where it will remain until you initiate the transfer to your bank account or use it for another transaction within the app. If you transfer the balance to your bank, confirm it went through. This could take anywhere from a few days to a week. If it takes longer, it’s worth investigating to stop suspicious behavior in its tracks.
  • Be wary of scammers and cybercriminals. If you don’t know the person to which you are sending a digital transfer (say to purchase tickets to an event), look for poor spelling or grammar from them and read links carefully. If something doesn’t look right, that’s often a tell-tale sign that you’re being led astray. Try to find an alternative way to pay, or better yet – find someone who is more trustworthy.

Interested in learning more about IoT and mobile security tips and trends? Stop by ProtectWhatMatters.online, and follow @McAfee_Home on Twitter, and ‘Like” us on Facebook.

The post Mobile and Digital Payments: Worth the Risk? appeared first on McAfee Blogs.

Could the Photos You’re Sharing Online Be Putting Your Child at Risk?

sharing photos risksConfession time. I’m a mom that is part of the problem. The problem of posting photos of my kids online without asking for their permission and knowing deep down that I’m so excited about sharing, I’m not paying much attention at all to the risks.

Why do I do it? Because I’m madly in love with my two wee ones (who aren’t so wee anymore). Because I’m a proud parent who wants to celebrate their milestones in a way that feels meaningful in our digital world. And, if I’m honest, I think posting pictures of my kids publically helps fill up their love tank and remind them they are cherished and that they matter. . . even if the way I’m communicating happens to be very public.

Am I that different than most parents? According to a recent McAfee survey, I’m in the majority.

Theoretically, I represent one of the 1,000 interviewed for McAfee’s recent Age of Consent survey* that rendered some interesting results.

Can you relate?

  • 30% of parents post a photo of their child to social media daily.
  • 58% of parents do not ask for permission from their children before posting images of them on social media.
  • 22% think that their child is too young to provide permission; 19% claim that it’s their own choice, not their child’s choice.

The surprising part:

  • 71% of parents who share images of their kids online agree that the images could end up in the wrong hands.
  • Parents’ biggest concerns with sharing photos online include pedophilia (49%), stalking (48%), and kidnapping (45%).
  • Other risks of sharing photos online may also be other children seeing the image and engaging in cyberbullying (31%), their child feeling embarrassed (30%), and their child feeling worried or anxious (23%).

If this mere sampling of 1,000 parents (myself included) represents the sharing attitudes of even a fraction of the people who use Facebook (estimated to be one billion globally), then rethinking the way in which we share photos isn’t a bad idea.

We know that asking parents, grandparents, friends, and kids themselves to stop uploading photos altogether would be about as practical as asking the entire state of Texas to line up and do the hokey pokey. It’s not going to happen, nor does it have to.

But we can dilute the risks of photo sharing. Together, we can agree to post smarter, to pause a little longer. We can look out for one another’s privacy, and share in ways that keep us all safe.

Ways to help minimize photo sharing risks:

  • Pause before uploading. That photo of your child is awesome but have you stopped to analyze it? Ask yourself: Is there anything in this photo that could be used as an identifier? Have I inadvertently given away personal information such as a birthdate, a visible home addresses, a school uniform, financial details, or potential passwords? Is the photo I’m about to upload something I’d be okay with a stranger seeing? sharing photos risks
  • Review your privacy settings. It’s easy to forget that when we upload a photo, we lose complete control over who will see, modify, and share that photo again (anywhere they choose and in any way they choose). You can minimize the scope of your audience to only trusted friends and family by customizing your privacy settings within each social network.  Platforms like Facebook and Instagram have privacy settings that allow you to share posts (and account access) with select people. Use the controls available to boost your family privacy.
  • Voice your sharing preferences with others. While it may be awkward, it’s okay (even admirable) to request friends and family to reign in or refrain from posting photos of your children online. This rule also applies to other people’s public comments about your vacation plans, new house, children’s names or birthdates, or any other content that gives away too much data. Don’t hesitate to promptly delete those comments by others and explain yourself in a private message if necessary.
  • Turn off geotagging on photos. Did you know that the photo you upload has metadata assigned to it that can tell others your exact location? That’s right. Many social networks will tag a user’s location when that user uploads a photo. To make sure this doesn’t happen, simply turn off geotagging abilities on your phone. This precaution is particularly important when posting photos away from home.
  • Be mindful of identity theft. Identity theft is no joke. Photos can reveal a lot about your lifestyle, your habits, and they can unintentionally give away your data. Consider using an identity theft protection solution like McAfee Identity Theft Protection that can help protect your identity and safeguard your personal information.

* McAfee commissioned OnePoll to conduct a survey of 1,000 parents of children ages one month to 16 years old in the U.S.

The post Could the Photos You’re Sharing Online Be Putting Your Child at Risk? appeared first on McAfee Blogs.

Trending: IoT Malware Attacks of 2018

Since January 1st of 2018, a barrage of cyberattacks and data breaches have hit almost every industry, targeting businesses large and small, many of which are now from IoT devices. By 2025, it is estimated that there will be approximately 75 billion connected devices around the world. With more IoT devices ­–from wearables and pacemakers to thermometers and smart plugs–on the market and in the home, cybercriminals are keen to leverage them in attacks. This heightened interest is due to the vulnerabilities in many IoT devices, not to mention their ability to connect to each other, which can form an IoT botnet.

In a botnet scenario, a network of internet-connected devices is infected with malware and controlled without the users’ knowledge, in order to launch ransomware and DDoS attacks (distributed denial-of-service). Once unleashed, the consequences of botnet attacks can be devastating. This possible reality sounds like the plot of a science fiction movie, one which we hypothesized in our 2018 Threats Prediction Report. As we head into this year’s final months, we take a look at how this year’s threats compared to our predictions for you, the consumer.

At the end of 2017, we predicted that the convenience and ease of a connected home could lead to a decrease in privacy. Our devices already transmit significant data, with or without the knowledge of the consumer, back to the corporations the devices are made. This unprecedented access to consumer data is what is driving cybercriminals to become more familiar with IoT botnet attacks. Just in 2018 alone, we’ve seen smart TVs, virtual assistants, and even smart plugs display detrimental security flaws that could be exploited by bad actors. Some IoT devices were used to facilitate botnet attacks, like an IoT thermometer and home Wi-Fi routers. In 2017, these security concerns were simply predictions- but now they are very much a reality. And while the window to get ahead of these attacks is closing, consumers need to be prepared in case your IoT devices go haywire.

Be the difference in your home when it comes to security and IoT devices. Protect both you and your family from these threats with these tips:

  • When buying an IoT device, make security a priority. Before your next IoT purchase, do your research. Prioritize purchasing devices that have been on the market for a while, have a name brand, or have a lot of online reviews. If you follow this protocol, the chances are that the device’s security standards will be higher, due to being vetted by the masses.
  • Change default device passwords. As soon as you bring a new device into your home, change the password to something difficult to guess. Cybercriminals often know the default settings and can use them to access your devices. If the device has advanced security options, use them.
  • Keep your software up-to-date. To protect against potential vulnerabilities, manufacturers often release software updates. Set your device to auto-update, if possible, so you always have the latest software.
  • Use a comprehensive security program. It’s important to think about security holistically. Not all IoT devices are restricted to the home; many are mobile (such as smart watches). If you’re out and about, you may need to connect to an unsecured network – say an airport with public Wi-Fi. Your kids may have devices. The scenarios may be different, but the risk is the same. Protect your network of connected devices no matter where you are and consider a suite of security products to protect what matters.

Interested in learning more about IoT and mobile security tips and trends? Stop by ProtectWhatMatters.online, and follow @McAfee_Home on Twitter, and ‘Like” us on Facebook.

The post Trending: IoT Malware Attacks of 2018 appeared first on McAfee Blogs.

Here Are The Essential Security Tips To Stay Safe On Social Media

When you say “social media”, the first thing that comes to mind is fun and entertainment. Social media is mostly about this.

Everyone has a social account on at least one platform. Whether it is Facebook, Twitter, Instagram or LinkedIn, we can easily stay in touch with friends and family, share memorable moments of our lives, follow experts from our professional area, or just read the news.

Social media habits may differ from one person to another, but the reality is we spend a lot of time on these networks. This is why we should ask ourselves more often:

“Do we really know how to stay safe on social media and avoid becoming easy targets for cyber criminals?”

Nowadays, privacy and security should be top priorities for us.

In this guide, you will find actionable and useful security tips to help you stay safe on social media.

You will also learn about the best security practices you need to apply to protect your most valuable data.

How to better secure your Facebook account

There’s no doubt that Facebook is one of the most used and popular social networks out there with over 2 billion people using the platform on a daily basis. Who doesn’t have a Facebook account these days?

It is the platform that helps us better connect with friends and family, and keep up with what they’re doing. But it’s also the place where we share a lot of personal information, so securing our online accounts need to be of utmost importance.

In light of the recent scandal between Cambridge Analytica and Facebook that involved a massive amount of personal information of about 50 million Facebook users, it raised lots of questions on how data is controlled and managed by this platform. I want to believe it was actually a wake-up call suggesting that privacy and security should have serious attention from us.

Follow these basic security tips so you can stay safe on the platform:

  • Do not share your password with others and make sure you always set a unique and strong one. Use this security guide that will teach you how to easily manage passwords like a pro and keep malicious actors away.
  • If you’ve logged in from a different computer/device you’ve shared with others, remember to always log out and don’t check “Keep me logged in”
  • Use two-factor authentication feature which can be activated by clicking the Setup button from Settings. Confirm this action by enabling it and re-enter your password, and then you will receive an email or a code via your mobile phone saying that two-factor authentication has been activated
  • Strongly advise you to accept friend requests from people you know in real life, or at least, verify if you have a few friends in common. There are many Facebook fake accounts used by malicious people who might spam or impersonate you
  • If you notice something suspicious on Facebook, report it immediately. You can do this here.

If you care about your data (and we know you do), make sure you got all covered in terms of security by reading this useful Facebook privacy and security guide.

Apply these security measures to better secure your Twitter account

I don’t know about you, but I am a big fan of this platform and love to tweet :-), look out for cyber security specialists and inspiring people, or read news from people and brands I follow.

Whether it’s for personal use or business reasons, this network is a great option to promote yourself, your company, as well as to reach out to someone and stay up to date with various topics you may be interested in.

We strongly recommend to apply these basic security and privacy tips to strengthen your Twitter account:

  • Always use strong and unique passwords for your Twitter account, and consider choosing a password manager to encrypt and better secure them. This rule should be followed to ensure safety for every social platform;
  • Use two-factor authentication system as a second layer of protection to enhance safety and verify your identity each time you sign in;
  • Activate the option “Protect my tweets” from Settings and Privacy -> Privacy and safety module, if you want to get some control over the info shared and who is following you;
  • Do not click on suspicious links you receive via private messages, because you could be exposed to phishing attacks used by cyber criminals or malicious persons who want to obtain your Twitter credentials or any other personal information;
  • Revise and pay attention to third-party apps that connect to your account, and implicitly have access to your personal data.
  • if you ever connect to your Twitter account from someone else’s computer, do not forget to log out and delete all the data of the browser or app.

We have a dedicated article on how you can secure your Twitter account in 10 basic steps that we recommend to check out so you can be one step ahead of scammers.


These actionable tips help me better secure my social media accounts
Click To Tweet


Privacy and security tips for your LinkedIn account

LinkedIn, the largest professional social network has more than 562 million users and is focused on bringing together professionals from all over the world. It keeps you connected with people you’ve worked or with whom you want to collaborate at some point in the future. It is also the place where you can find freelance projects, and, why not, your future dream job, could be one click or message away 🙂

Given the increase of phishing attacks which are still one of the most widespread and effective methods used by cybercriminals, it is essential to be aware of these scams on LinkedIn too. You don’t want to see your sensitive data exposed out there, right?

Follow these pro security tips to boost your LinkedIn security and privacy today and keep your data away from prying eyes:

  • Do not use generic and easy to crack passwords such as “Abcd123” or “Password123” like the Western Australian government employees did, because malicious actors can easily break them. Secure them by using a password manager that generates complex and unique passwords, and stores them in an encrypted database.
  • Choose wisely what information you share in your public profile and limit the data you make visible by reviewing and editing your sensitive data.
  • Have a look at those third-party apps you authorized to connect to your LinkedIn account because they get access to all your data. Make sure you authorize only the trusted ones and remember to deactivate those you are not using anymore.
  • Be very careful about potential phishing messages that might request sharing personal or sensitive information. Don’t! For that, you need to understand how phishing works and this in-depth guide is exactly what you are looking for.

Keep in mind that all our social accounts are very vulnerable to data privacy breaches and other malicious methods. The bad guys will always find creative ways to steal any personal information, including your valuable data from LinkedIn. Do not forget that when you share private information.

Follow these pro tips to better secure your Instagram account

Instagram is the photo and video-sharing social media network where you can explore beautiful places and images. For visual artists, it is also an excellent platform where they can share and promote their work and projects.

However, it is in our best interest to keep in mind the risks we could be exposed to when we share personal information. Especially now that it has become such a popular platform, with more than 1 billion monthly active users.

Security wise, Instagram seems to make efforts to enhance protection for its users. Recently, the company announced its plans to boost security and privacy by adding new security tools: support for third-party two-factor authentication (2FA) instead of traditional text-based 2FA, account verification and “about this account” new feature.

Besides these new security tools, here are some great tips that will help you keep your account safe:

  • Activate two-factor authentication feature as an extra layer of protection for your Instagram account. This way, you are one step ahead of cyber criminals who won’t be able to take over your account.
  • Change your passwords regularly and make sure you use strong and unique ones, so no one can break them. If you want to change it, use these simple steps.
  • Think twice before you give access to third-party apps and revoke access to those you don’t use anymore, appear suspicious or you simply can’t remember them
  • Do not share sensitive data in your photos or captions, because you don’t want to expose personal information to everyone following you on Instagram, especially, if your account is public
  • Don’t reveal your location to others and make sure the service is turned off, especially for the check-ins made at home, at work or while on a vacation.
  • Make your account private, so you can share your photos and videos with people you only approve to see them, like your friends and family.

We have an essential guide on how to secure your Instagram account and increase it, so no cyber criminals and scammers get access to it.

Security tips to keep your Snapchat account safe 

Snapchat is both a social media network and a messaging platform which is more popular among teenagers and young people. According to a new report, analysts forecast that by 2019 Snapchat will have almost 5 million regular users aged 18-24 years, half a million more than Facebook.

Bill Fisher, senior analyst at eMarketer stated:

Many younger social network users are forgoing Facebook altogether in favor of more appealing mobile-first alternatives, such as Snapchat.

Snapchat shows instant messages, photos or videos that are deleted instantly, after they’ve been viewed by all recipients, but oh, snap! “How secure is your data on this social platform?”

Here’s how you can add extra levels of security to avoid seeing your data in the hands of hackers:

  • Enable two-factor authentication feature to make the account more secure and add double security layer when logging in. You can do this using an SMS verification code or an authenticator app. Here’s how to activate it.
  • Do not accept friend requests from people you don’t know, and stick to friends-only. For security measures, Snapchat has the option “friends-only” set by default, which means only those that follow you back can see your Snaps and vice versa.
  • Make your videos and stories posted to the “My Story” section are visible only for people you know or customize them from the Setting menu, but avoid making them available to prying eyes.
  • For more privacy, hide your profile from the “See me in quick add” section which can show your profile to random people who might want to add you. You can disable it from the Settings menu.
  • If you want to keep your Snapchat activity more private, don’t share screenshots or photos of your Snapcodes with others!
  • We keep saying this piece of advice until everyone understands its importance that applies to every online account or service used: Make sure you use only strong and unique passwords for Snapchat too. You don’t realize how easily malicious actors can hack them.

How do you secure your social media accounts?

All of these security and privacy tips may not be new to any of you, but we live in a world of oversharing on social media and it helps remind you how to stay safe on the most important and used networks: Facebook, Twitter, LinkedIn, Instagram or Snapchat.

Have you applied any of these security measures? Do you have others we should add? Let us know, we’d love to know your thoughts!

The post Here Are The Essential Security Tips To Stay Safe On Social Media appeared first on Heimdal Security Blog.

Cyber Security Roundup for August 2018

The largest data breach disclosed this month was by T-Mobile, the telecoms giant said there had been "unauthorised access" to potentially 2 million of their 77 million customer accounts. According to the media, a hacker took advantage of a vulnerability in a T-Mobile API (application programming interface). It was a vulnerable API used by Air Canada mobile App which was also exploited, resulting in the compromise of 20,000 Air Canada customer accounts. Air Canada promptly forced a password change to all of its 77 million customer accounts as a result, however, the airline faced criticism from security experts for advising a weak password strength. Namely, a password length of 8, made up of just characters and digits. Both of these hacks underline the importance of regularly penetration testing Apps and their supporting infrastructure, including their APIs.

Hackers stole up to 34,000 Butlin guest records, reportedly breaching the UK holiday camp firm through a phishing email. Dixons Carphone upped the estimated number of customer records breached in a hack last year from 1.2 million to 10 million, which includes 5.9 million payment cards. There was no explanation offered by Dixons to why it had taken so long to get a grip on the scale of the data breach, which was reported as occurring in July 2017.

Huawei continues to face scrutiny over the security of their products after the UK National Cyber Security Centre (NCSC) issued a warning about using the Chinese tech manufacturing giant's devices in a security report. Huawei recently took over from Apple as the world's second largest provider of smartphones. A 16 year old Australian 'Apple fanboy' found himself in court after hacking into Apple's network.

On the international scene, Microsoft announced it had thwarted Russian data-stealing attacks against US anti-Trump conservative groups, by taking down six domains which hosted mimicked websites, which were likely to be used in future phishing campaigns. The Bank of Spain's website was taken out by a DDoS attack, and a Chinese Hotel Group's 140Gb customer database was found for sale on the dark web. The PGA golf championship was hit by a ransomware, and the FBI arrested three key members of the notorious FIN7 hacking group, the group is said to be responsible for stealing millions of credit card and customer details from businesses across the world.

On the personal front, the EC-Council confirmed my Computer Hacking Forensic Investigation (CHFI) certification had been renewed until 2021. I dropped into B-Sides Manchester this month, the highlight was a demonstration of a vulnerability found by Secarma researches, namely a PHP flaw which places CMS sites at risk of remote code execution

There was plenty of critical security patches released by the usual suspects, such as Microsoft, Cisco, and Adobe, the latter firm released several out-of-band patches during August. A critical update was released for Apache Struts (popular web server) and a reminder that Fax machines and all-in-one devices network devices could be used as a way into corporate networks by hackers.

Finally, there were a couple of interesting cybercrime articles posted on the BBC's news website this month,  Cyber-Attack! Would your firm handle it better than this? and Unpicking the Cyber-Crime Economy

NEWS
AWARENESS, EDUCATION AND THREAT INTELLIGENCE

Family Tech: How Safe is Your Child’s Personal Data at School?

Kids and Personal DataRight about now, most kids are thinking about their chemistry homework, the next pep rally, or chiming in on their group text. The last thing on their minds as they head back to school is cybersecurity. But, it’s the one thing — if ignored — that can wreck the excitement of a brand new school year.

You’ve done a great job, parent. You’ve equipped their phones, tablets, and laptops with security software. And, you’ve beefed up safeguards on devices throughout your home. These efforts go a long way in protecting your child’s (and family’s) privacy from prying eyes. Unfortunately, when your child walks out your front door and into his or her school, new risks await.

No one knows this season better than a cybercriminal. Crooks know there are loopholes in just about every school’s network and that kids can be easy targets online. These security gaps can open kids up to phishing scams, privacy breaches, malware attacks, and device theft.

The school security conversation

Be that parent. Inquire about your school’s security protocols.  The K-12 Cybersecurity Resource Center reports that 358 school breaches have taken place since January of 2016.  Other reports point to an increase in hackers targeting school staff with phishing emails and seeking student social security numbers to sell on the dark web.

A few questions to consider:Kids and Personal Data

  • Who has physical and remote access to your student’s digital records and what are the school’s protection practices and procedures?
  • How are staff members trained and are strong password protocols in place?
  • What security exists on school-issued devices? What apps/software is are being used and how will those apps collect and use student data?
  • What are the school’s data collection practices? Do data collection practices include encryption, secure data retention, and lawful data sharing policies?
  • What is the Bring Your Own Device (BYOD) policy?

The data debate

As K-12 administrators strive to maintain secure data collection practices for students, those same principles may be dubious as kids move on to college. As reported by Digiday, one retailer may be quietly disassembling privacy best practices with a bold “pay with data” business model. The Japanese coffee chain Shiru Café offers students and faculty members of Brown University free coffee in exchange for entering personal data into an online registry. Surprisingly, the café attracts some 800 customers a day and is planning on expanding its business model to more college campuses.

The family conversation

Keep devices close. Kids break, lose, lend, and leave their tech unattended and open to theft. Discuss responsible tech ownership with your kids. Stolen devices are privacy gold mines.

Never share passwords. Kids express their loyalty to one another in different ways. One way that’s proving popular but especially unsafe nowadays is password sharing. Remind kids: It’s never okay to share passwords to devices, social networks, or school platforms. Never. Password sharing opens up your child to a number of digital risks.

Safe clicking, browsing practices. Remind kids when browsing online to watch out for phishing emails, fake news stories, streaming media sites, and pop-ups offering free downloads. A bad link can infect a computer with a virus, malware, spyware, or ransomware. Safe browsing also includes checking for “https” in the URL of websites. If the website only loads with an “http,” the website may not be enforcing encryption.Kids and Personal Data

Be more of a mystery. Here is a concept your kids may or may not latch on to but challenge them to keep more of their everyday life a mystery by posting less. This includes turning off location services and trying to keep your whereabouts private when sharing online. This challenge may be fun for your child or downright impossible, but every step toward boosting privacy is progress!

Discuss the risk of public Wi-Fi. Kids are quick to jump on Wi-Fi wherever they go so they can use apps without depleting the family data plan. That habit poses a big problem. Public Wi-Fi is a magnet for hackers trying to get into your device and steal personal information. Make sure every network your child logs on to requires a password to connect. Go a step further and consider using a Virtual Private Network (VPN) for added security for your whole family.

Want to connect more to digital topics that affect your family? Stop by ProtectWhatMatters.online, and follow @McAfee_Family on Twitter. Also, join the digital security conversation on Facebook.

Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her onTwitter @McAfee_Family. (Disclosures)

The post Family Tech: How Safe is Your Child’s Personal Data at School? appeared first on McAfee Blogs.

How to Avoid Falling Prey to Sextortion

When it comes to the world of online scams, sextortion is one of the most common ones and a threat that’s not going away anytime soon. Because this threat is so pervasive and can take so many forms, we thought it would be best to do a write-up and offer you ways to protect yourself online and avoid sextortion scams.

What is sextortion?

It’s a form of blackmail in which a cybercriminal or a former friend or romantic partner tries to extract favors or financial gain from a victim.

Ever since the web became a daily destination for a majority of people, there have been cases of sextortion through the use of webcams, the threat of intimate pictures leaking and hundreds and thousands of victims. We believe that, with proper education, such damaging attacks could be averted or, at the very least mitigated.

Even though most people exercise caution in sending potentially compromising pictures and videos, sometimes even the best of us could be exposed to sextortion. A survey of 1,631 victims of sextortion revealed how every online user is, at one point or the other, potentially liable to become a sextortion victim.

Here’s why:

  • They were in a wanted romantic or sexual relationship—72% of those who knowingly provided images
  • Perpetrators pressured them to provide images or made them feel bad—51%
  • Perpetrators tricked them into providing images—15%
  • Perpetrators threatened or forced them to provide images—13%
  • They expected to be paid for the images—2%
  • They thought the pictures would be used for purposes such as modeling or acting—2%

But what if no one actually has compromising pictures of you?

Sextortion that demands a Bitcoin payment

Enter 2018’s most popular sextortion scam. It circulates via email and the cybercriminal will send you one of your own passwords to prove they have compromising images of you. Of course, they don’t, but some people have been fooled. Cybercriminals obtain stolen passwords and then simply fire off a flurry of emails to their owners, making threats and demanding hefty payments.

Here is one such email received by the mom of one Heimdal Security team member. After laughing for a bit at the sheer audacity of it, we had to investigate a bit further and see if anyone fell victim to it.

jpegbase6459dac5475d80ed0f

What’s worse is the fact that, in this case, 24 hours before the email above was sent, someone already fell victim to this scam. A simple search of the bitcoin address provided by the cybercriminal shows that someone sent 0.26 BTC there.

pngbase6476bc82bd3ccfdf39

On July 17, one Bitcoin traded for around $7,500, which means a sextortion victim paid almost $2,000 after receiving a bogus email. If this scam were to circulate back in December 2017, that same victim would have paid around $5000.

This type of sextortion scam demanding payment in bitcoin is so widespread, it’s unbelievable. Just hours after Reddit officially announced they had a breach, due to the fact that employees relied on SMS-based two-factor authentication, plenty of users found threatening emails in their inbox. Why? The Reddit data breach exposed quite a few old usernames and passwords. Cybercriminals took those passwords to provide some “legitimacy” to their common online scam. Even one of Reddit’s employees received the sextortion message, pointing out the ways cybercriminals try to monetize stolen email databases.

Other types of scams and how to steer clear of online scams

As long as people will continue to have digital lives, sextortion will, in one way or another, remain one of the most common types of online scams. Whether it will come from a known person, after a phishing attack or as part of a spray-and-pray email scam campaign, there’s no question about it, it will happen time and time again.

As a regular user, you can’t prevent or anticipate all the tactics a cybercriminal might adopt. What you can do is remain vigilant and spend a bit of time educating yourself on the various types of online scams.

We gathered here quite a few resources:

How to proactively stop scams from even reaching you

As we said in our analysis over what happened at Facebook and how your privacy was breached, the best way to stop online scams (sextortion included) is to make sure your own defenses are up.

Here are the five essential steps to protect your privacy:

  1. Always consider the type of information or pictures you post or share online. Ask yourself: “What would I do if someone threatened to show this to everyone I know?” (more on this here and here, in our guide to protecting yourself against doxxing)
  2. Keep your devices and PC updated and protected not just with antivirus, but with a tool that can block infected links (more on this here)
  3. Use strong passwords and, to avoid reusing them, consider trying a password manager that can generate unique ones for every account
  4. Go on every social media account you have and review the privacy settings. Also, take the time to consider what friends and followers you have.
  5. Learn how to spot phishing attempts that could lead to a criminal obtaining your passwords and other sensitive information.

Here are a few quick tips to avoid phishing, one of the most common ways in which scammers can get to you:

  • Be careful what you click on in emails, especially when it comes to attachments.
  • Consider having an email just for subscriptions and another one for actually important stuff. Both of them should be secured strong (and different!) passwords.
  • Always hover your mouse over links and check where they go (a misspelled letter almost always means a compromised link)
  • Always check the sender and, if you don’t know the person, it’s probably best to not click on any attachments.
  • Secure your valuable accounts with two-factor authentication that relies on unique codes, not texts messages (it avoids the risk of SMS-hijacking). That way, even if someone gets your password, they’ll still be unable to login into your account.
  • Periodically check if your email addresses were compromised in a data breach (unfortunately, they happen quite often) using a tool like this.

If you want to know more, we have a mega-guide with phishing prevention tips here.

We want to know if you’ve been exposed to scams like these or ever received threatening messages of this type. It would be great if you’d comment below (and even include a screenshot!) to help others better spot scams.

Do you have another tip for staying safe? Let us know.

Spend time with your family, not updating their apps!
Let THOR FREE Silently and automatically update software Close security gaps Works great with your favorite antivirus

INSTALL IT, FORGET IT AND BE PROTECTED

Download Thor FREE

The post How to Avoid Falling Prey to Sextortion appeared first on Heimdal Security Blog.

Back to School: Cybersecurity in the Classroom

It’s hard to believe that summer is coming to an end and that back-to-school time is around the corner. For some kids, that means cyberbullies are traded in for school bullies and social engagement will turn into in-person interactions. But for others — dubbed Extreme Internet Users — the screen stays. When it comes time to go back to the classroom, the six hours or more a day these kids spent online during summer may be curtailed in favor of educational screen time instead.

Every year around this time, I reflect on how much has changed for children, especially when it comes to mobile devices in the classroom. This trend has become increasingly popular and, on the rise, as technology has improved, education adapts to rapid changes, and our world becomes more interconnected. Either these devices are given to kids or their classrooms by their school, or parents are encouraged to purchase one for their child to help support internet research and to digitize note-taking and homework.

Regardless of whether you’re a technophile or technophobe when it comes to leveraging screens in education, one thing is for sure – their presence in learning environments is here to stay. And with this shift, security is of the utmost importance.

Since January 2016, there have been 353 cybersecurity incidents in the United States related to K-12 public schools and districts. These attacks range include phishing, ransomware, DoS attacks and breaches that have exposed personal data. However, the question – what motivates cybercriminals to target schools? – still persists. The answer is complex, because what cybercriminals could exploit depends on what they want to accomplish.  Extorting school faculty, hacking private student data, disrupting school operations, or disabling, compromising, or re-directing school technology assets are all regular tools of the trade when it comes to hacking schools.

You may not be able to control how your child’s school thinks about cybersecurity, but you can take matters into your own hands. There are steps you can take to make sure your child is ready to face the school year head-on, including protecting their devices and their data.

  • Start a cybersecurity conversation. Talk with school faculty about what is being done in terms of a comprehensive cybersecurity plan for your child’s school. It’s worth starting the conversation to understand where the gaps are and what is being done to patch them.
  • Install security software on all devices. Don’t stop at the laptop, all devices need to be protected with comprehensive security software, including mobile devices and tablets.
  • Make sure all device software is up-to-date. This is one of the easiest and best ways to secure your devices against threats.
  • Teach your child how to connect securely on public Wi-Fi networks. Public Wi-Fi networks are notoriously used as backdoors by hackers trying to gain access to personal information. If Wi-Fi is absolutely necessary, ensure the network is password protected. However, if you want a secure encrypted connection, consider using a virtual private network (VPN).
  • Designate a specific date and time for regular data back-ups. If ransomware hits, you won’t have to pay to get your child’s information back. You can back up that personal data to a physical external hard drive or use an online backup service, such as Dropbox or Google Drive. That way you can access your files even if your device gets compromised.
  • Understand your child’s school bring your own device (BYOD) policy. Each school is different when it comes to BYOD and understanding your child’s school policy will save you a headache down the road. Some schools buy devices for students to rent, with parents having to pay for any incidentals, and some ask parents to buy the devices outright. Take the time to understand your child’s school policy before accidents happen.

Interested in learning more about IoT and mobile security tips and trends? Stop by ProtectWhatMatters.online, and follow @McAfee_Home on Twitter, and ‘Like” us on Facebook.

The post Back to School: Cybersecurity in the Classroom appeared first on McAfee Blogs.

Millions of iOS and Android Users Could Be Compromised by Bluetooth Bug

Similar to smartphones and computers, Bluetooth is one of the modern-day pieces of tech that has spread wide and far. Billions of devices of all types around the world have the technology woven into their build. So when news about the BlueBorne vulnerabilities broke back in late 2017, everyone’s ears perked up. Fast forward to present day and a new Bluetooth flaw has emerged, which affects devices containing Bluetooth from a range of vendors—including Apple, Intel, Google, Broadcom, and Qualcomm.

Whether it’s connecting your phone to a speaker so you can blast your favorite tunes, or pairing it with your car’s audio system so you can make phone calls hands-free, the pairing capabilities of Bluetooth ensures the technology remains wireless. And this bug affects precisely that — Bluetooth’s Secure Simple Pairing and Low Energy Secure Connections, which are capabilities within the tech designed to assist users with pairing devices in a safe and secure way.

Essentially, this vulnerability means that when data is sent from device to device over Bluetooth connections, it is not encrypted, and therefore vulnerable. And with this flaw affecting Apple, Google and Intel-based smartphones and PCs, that means millions of people may have their private data leaked. Specifically, the bug allows an attacker that’s within about 30 meters of a user to capture and decrypt data shared between Bluetooth-paired devices.

Lior Neumann, one of the researchers who found the bug, stated, “As far as we know, every Android—prior to the patch published in June—and every device with a wireless chip from Intel, Qualcomm or Broadcom is vulnerable.” That includes iPhone devices with a Broadcom or Qualcomm chip as well.

Fortunately, fixes for this bug within Apple devices have already been available since May with the release of iOS 11.4. Additionally, two Android vendors, Huawei and LG, say they have patched the vulnerability as well. However, if you don’t see your vendor on this list, or if you have yet to apply the patches – what next steps should you take to secure your devices? Start by following these tips:

  • Turn Bluetooth off unless you have to use it. Affected software providers have been notified of these vulnerabilities and are working on fixing them as we speak. But in the meantime, it’s crucial you turn off your Bluetooth unless you absolutely must use it. To do this on iOS devices, simply go to your “Settings”, select “Bluetooth” and toggle it from on to off. On Android devices, open the “Settings” app and the app will display a “Bluetooth” toggle button under the “Wireless and networks” subheading that you can use to enable and disable the feature.
  • Update your software immediately. It’s an important security rule of thumb: always update your software whenever an update is available, as security patches are usually included with each new version. Patches for iOS and some Android manufacturers are already available, but if your device isn’t on the list, fear not – security patches for additional providers are likely on their way.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Millions of iOS and Android Users Could Be Compromised by Bluetooth Bug appeared first on McAfee Blogs.

Cyber Security Roundup for July 2018

The importance of assuring the security and testing quality of third-party provided applications is more than evident when you consider an NHS reported data breach of 150,000 patient records this month. The NHS said the breach was caused by a coding error in a GP application called SystmOne, developed by UK based 'The Phoenix Partnership' (TTP). The same assurances also applies to internally developed applications, case-in-point was a publically announced flaw with Thomas Cook's booking system discovered by a Norwegian security researcher. The research used to app flaw to access the names and flights details of Thomas Cook passengers and release details on his blog. Thomas Cook said the issue has since been fixed.

Third-Third party services also need to be security assured, as seen with the Typeform compromise. Typeform is a data collection company, on 27th June, hackers gained unauthorised access to one of its servers and accessed customer data. According to their official notification, Typeform said the hackers may have accessed the data held on a partial backup, and that they had fixed a security vulnerability to prevent reoccurrence. Typeform has not provided any details of the number of records compromised, but one of their customers, Monzo, said on its official blog that is was in the region of 20,000. Interestingly Monzo also declared ending their relationship with Typeform unless it wins their trust back. Travelodge one UK company known to be impacted by the Typeform breach and has warned its impacted customers. Typeform is used to manage Travelodge’s customer surveys and competitions.

Other companies known to be impacted by the Typeform breach include:

The Information Commissioner's Office (ICO) fined Facebook £500,000, the maximum possible, over the Cambridge Analytica data breach scandal, which impacted some 87 million Facebook users. Fortunately for Facebook, the breach occurred before the General Data Protection Regulation came into force in May, as the new GDPR empowers the ICO with much tougher financial penalties design to bring tech giants to book, let's be honest, £500k is petty cash for the social media giant.
Facebook-Cambridge Analytica data scandal
Facebook reveals its data-sharing VIPs
Cambridge Analytica boss spars with MPs

A UK government report criticised the security of Huawei products, concluded the government had "only limited assurance" Huawei kit posed no threat toUK national security. I remember being concerned many years ago when I heard BT had ditched US Cisco routers for Huawei routers to save money, not much was said about the national security aspect at the time. The UK gov report was written by the Huawei Cyber Security Evaluation Centre (HCSEC), which was set up in 2010 in response to concerns that BT and other UK companies reliance on the Chinese manufacturer's devices, by the way, that body is overseen by GCHQ.

Banking hacking group "MoneyTaker" has struck again, this time stealing a reported £700,000 from a Russia bank according to Group-IB. The group is thought to be behind several other hacking raids against UK, US, and Russian companies. The gang compromise a router which gave them access to the bank's internal network, from that entry point, they were able to find the specific system used to authorise cash transfers and then set up the bogus transfers to cash out £700K.


NEWS

Cyber Security Roundup for May 2018

I'm sure the release of the GDPR on 25th May hasn't escaped anyone's attention. After years of warnings about the EU parliament's intended tough stance on enforcing the human right to privacy in the digital realm, a real 'game changer' of a global privacy regulation has finally landed, which impacts any organisation which touches EU citizen personal data. 

The GDPR's potential hefty financial penalties for breaching its requirements is firmly on the radar of directors at large enterprises and small businesses alike, hence the massive barrage of emails we have all have received in recent weeks, on changes to company privacy statements and requesting consent, many of which I noted as not being GDPR compliant as obtaining "explicit consent" from the data subject. So there is a long way to go for many organisations before they become truly GDPR compliant state based on what I've seen so far in my mailbox.

Cybercriminals have been quick to take advantage of the GDPR privacy emails deluge, using the subject matter in their phishing attacks to cheat access to accounts and con victims.
On a positive GDPR note, also on 25th May, IBM developerWorks released a three-part guidance series written by myself, aimed at helping Application Developers to develop GDPR compliant applications.

Developing GDPR Compliant Applications Guidance

Overshadowed by the GDPR coming in force, was the release of new NHS Data Security and Protection Toolkit, aimed at the NHS and their service providers, and the European NIS Directive (for telecom providers) went under the radar, but they are significant to those working in those industries.

Always make sure your Broadband Router\Hub does not permit remote administrative access (over the internet) and is always kept up-to-date with the latest security patches, otherwise, it will be at serious risk of being hacked and remotely controlled by cyber-criminals. As evidenced with month, after a DNS flaw in over 800,000 Draytek Routers has allowed hackers to take them over, malware called VPNFilter has infected 500,000 routers, and serious vulnerabilities has been reported in TP-Link EAP controllers.

IBM made headlines after banning its workers from using USB sticks, which I think is a good and reasonable policy. As quite frankly any modern enterprise, whether large or small, with a decent IT infrastructure and cloud services, staff shouldn't need to use USB devices to move data either internally or externally with third parties, so I see this as a rather smart business and security move to ban all USB devices, as it forces staff to use the more secure and more efficient technology made available.

As my @securityexpert twitter account crossed the 10,000 follower threshold Twitter advised 300 million users to reset their passwords after internal error. Apparently, the passwords for the Twitter accounts were accidentally stored in a database in their "plain text" value instead of using a hashed value for the password, as per best practice. I always strongly recommend Twitter users to take advantage and use the multi-factor authentication system Twitter provides, which reduces the risk of account hacking.

Breaches of note in May included a T-Mobile website bug which exposed personal customer data, Coca-Cola said an insider breached 8,000 accounts, and BMW cars were found to have over a dozen security vulnerabilities.

As always a busy month of new security patch releases, with Microsoft, Adobe, PHP, PGP, Google, Git, and Dell all releasing critical security updates to fix significant security flaws. Click the links for the full details.

Analysis of DDoS Attacks at Cloudflare, has revealed that while organisations in the UK have certainly upped their spending on DDoS mitigation, cyber-criminals are now responding by switching to Layer 7 based DDoS attacks
Some interesting articles about the Welsh Cyber Security Revolution and a review of the NHS a year on from the WannaCry outbreak

Reports of interest this month include the Thales Data Threat Report, which found UK businesses to be the most breached in Europe. The LastPass Psychology of Passwords Report which found 59% of people surveyed used the same passwords across multiple accounts, despite 91% of them knowing that using the same password for multiple accounts is a security risk. The 2017 Cylance Report stated the number of cyber-attacks on industries such as healthcare, manufacturing, professional services, and education rose by about 13.4% between 2016 and 2017.

NEWS
AWARENESS, EDUCATION AND THREAT INTELLIGENCE

Application Development GDPR Compliance Guidance

Last week IBM developerWorks released a three-part guidance series I have written to help 
Application Developers develop GDPR compliant applications.

Developing GDPR Compliant Applications Guidance

The GDPR
The General Data Protection Regulation (GDPR) was created by the European Commission and Council to strengthen and unify Europe's data protection law, replacing the 1995 European Data Protection Directive. Although the GDPR is a European Union (EU) regulation, it applies to any organizations outside of Europe that handle the personal data of EU citizens. This includes the development of applications that are intended to process the personal information of EU citizens. Therefore, organizations that provide web applications, mobile apps, or traditional desktop applications that can indirectly process EU citizen's personal data or allow EU citizens sign in are subject to the GDPR's privacy obligations. Organizations face the prospect of powerful sanctions should applications fail to comply with the GDPR.

Part 1: A Developer's Guide to the GDPR
Part 1 summarizes the GDPR and explains how the privacy regulation impacts and applies to developing and supporting applications that are intended to be used by European Union citizens.

Part 2: Application Privacy by Design
Part 2 provides guidance for developing applications that are compliant with the European Union’s General Data Protection Regulation. 

Part 3: Minimizing Application Privacy Risk

Part 3  provides practical application development techniques that can alleviate an application's privacy risk.

Cyber Security Roundup for March 2018

In the wake of the global political fallout over the Salisbury nerve agent attack, there are reports of a growing threat of Russian state or Russian state-affiliated hacking groups conducting cyber attack reprisals against UK organisations, government officials have directly warned bosses at electricity, gas and water firms, Whitehall departments and NHS hospitals to prepare for a state-sponsored cyber assault


Large-scale data breaches were disclosed with Under Armour’s Fitness App MyFitnessPal (1.5 million personal records compromised), Orbitz (880k payment cards at risk), and at a Walmart partner (1.3 million personal records compromised). The latter was caused when an AWS S3 bucket holding a Walmart database was left with open access, which isn't the first time a cloud service misconfiguration has caused a major data breach.

TalkTalk were warned about their website’s poor security after a hacker known as 'B' disclosed a cross-site scripting vulnerability on the talktalk.co.uk website to Sky News. TalkTalk was given a record £400,000 fine by the Information Commissioner's Office following a major website breach in October 2015, which 157,000 customer details were stolen. And the company were told to "be more diligent and more vigilant” and was fined a further £100,000 after data belonging to 21,000 customers were exposed to "rogue" staff at an Indian call centre.

GitHub survived the largest ever DDoS attack recorded thanks to Akamai DDoS protection, which peaked at a massive 1.35 terabytes of data per second.

UK schools were warned they were soft targets for cybercriminals, experts believe many schools are ill-equipped to prevent cyber thefts, with sensitive data such as children’s medical records said to be lucrative on the dark web. There has been a number of security incidents disclosed involving UK schools in recent months.
Gwent Police are facing scrutiny by the Information Commissioner's Office for not informing 450 people that hackers may have accessed their personal information, after discovering the breach over a year ago.

A hacker alleged to be behind a gang the ran the Carbanak and Cobalt bank target malware has been arrested. The gang is reported to be responsible for the theft of up to billion euros through bank transfers and from cash machines, from over 100 banks since 2013


NEWS

AWARENESS, EDUCATION AND THREAT INTELLIGENCE

REPORTS

How prepared is your business for the GDPR?

The GDPR is the biggest privacy shakeup since the dawn of the internet and it is just weeks before it comes into force on 25th May. GDPR comes with potentially head-spinning financial penalties for businesses found not complying, so it really is essential for any business which touches EU citizen's personal data, to thoroughly do their privacy rights homework and properly prepare.

Sage have produced a nice GDPR infographic which breaks down the basics of the GDPR with tips on complying, which is shared below.

I am currently writing a comprehensive GDPR Application Developer's Guidance series for IBM developerWorks, which will be released in the coming weeks.


The GDPR: A guide for international business - A Sage Infographic

GDPR Material and Territorial Scopes

The new EU General Data Regulation will enter into force 25 May of this year. The GDPR contains rules concerning the protection of natural persons when their personal data are processed and rules on the free movement of personal data. The new regulation is not revolutionary but an evolution from the previous Data Protection Act 1998 […]

Cyber Security Roundup for January 2018

2018 started with a big security alert bang after Google Security Researchers disclosed serious security vulnerabilities in just about every computer processor in use on the planet. Named 'Meltdown' and 'Spectre’, when exploited by a hacker or malware, these vulnerabilities disclose confidential data. As a result, a whole raft of critical security updates was hastily released for computer and smartphone operating systems, web browsers, and processor drivers. While processor manufacturers have been rather lethargic in reacting and producing patches for the problem, software vendors such as Microsoft, Google and Apple have reacted quickly, releasing security updates to protect their customers from the vulnerable processors, kudos to them.

The UK Information Commission's Office (ICO) heavily criticised the Carphone Warehouse for security inadequacies and fined the company £400K following their 2015 data breach, when the personal data, including bank details, of millions of Carphone Warehouse customers, was stolen by hackers, in what the company at the time described as a "sophisticated cyber attack", where have we heard that excuse before? Certainly the ICO wasn't buying that after it investigated, reporting a large number Carphone Warehouse's security failures, which included the use of software that was six years out of day,  lack of “rigorous controls” over who had login details to systems; no antivirus protection running on the servers holding data, the same root password being used on every individual server, which was known to “some 30-40 members of staff”; and the needless storage of full credit card details. The Carphone Warephone should thank their lucky stars the breach didn't occur after the General Data Protection Regulation comes into force, as with such a damning list of security failures, the company may well have been fined considerably more by ICO, when it is granted vastly greater financial sanctions and powers when the GDPR kicks in May.

The National Cyber Security Centre warned the UK national infrastructure faces serious nation-state attacks, stating it is a matter of a "when" not an "if". There also claims that the cyberattacks against the Ukraine in recent years was down to Russia testing and tuning it's nation-state cyberattacking capabilities. 

At the Davos summit, the Maersk chairman revealed his company spent a massive £200m to £240m on recovering from the recent NotPeyta ransomware outbreak, after the malware 'totally destroyed' the Maersk network. That's a huge price to pay for not regularly patching your systems.

It's no surprise that cybercriminals continue to target cryptocurrencies given the high financial rewards on offer. The most notable attack was a £290k cyber-heist from BlackWallet, where the hackers redirected 700k BlackWallet users to a fake replica BlackWallet website after compromising BlackWallet's DNS server. The replica website ran a script that transferred user cryptocurrency into the hacker's wallet, the hacker then moved currency into a different wallet platform.

In the United States, 
the Federal Trade Commission (FTC) fined toy firm VTech US$ 650,000 (£482,000) for violating a US children's privacy laws. The FTC alleged the toy company violated (COPPA) Children's Online Privacy Protection Rule by collecting personal information from hundreds of thousands of children without providing direct notice.

It was reported that a POS malware infection at Forever21 and lapses in encryption was responsible for the theft of debit and credit card details from Forever21 stores late last year. Payment card data continues to be a high valued target for cyber crooks with sophisticated attack capabilities, who are willing to invest considerable resources to achieve their aims.

Several interesting cybersecurity reports were released in January,  the Online Trust Alliance Cyber Incident & Breach Trends Report: 2017 concluded that cyber incidents have doubled in 2017 and 93% were preventable. Carbon Black's 2017 Threat Report stated non-malware-based cyber-attacks were behind the majority of cyber-incidents reported in 2017, despite the proliferation of malware available to both the professional and amateur hackers. Carbon Black also reported that ransomware attacks are inflicting significantly higher costs and the number of attacks skyrocketed during the course of the year, no surprise there.  

Malwarebytes 2017 State of Malware Report said ransomware attacks on consumers and businesses slowed down towards the end of 2017 and were being replaced by spyware campaigns, which rose by over 800% year-on-year. Spyware campaigns not only allow hackers to steal precious enterprise and user data but also allows them to identify ideal attack points to launch powerful malware attacks. The Cisco 2018 Privacy Maturity Benchmark Study claimed 74% of privacy-immature organisations were hit by losses of more than £350,000, and companies that are privacy-mature have fewer data breaches and smaller losses from cyber-attacks.

NEWS

AWARENESS, EDUCATION AND THREAT INTELLIGENCE

REPORTS

Cyber Security Roundup for December 2017

UK supermarket giant Morrisons, lost a landmark data breach court case in December after a disgruntled Morrisons employee had stolen and posted the personal records of 100,000 co-workers online, the supermarket chain was held liable for the data breach by the UK High Court. The High Court ruling now allows those affected to claim compensation for the "upset and distress" caused. Morrisons said it believed it should not have been held responsible and would be appealing against the decision. If the appeal is lost it could open up the possibility of further class action lawsuits cases by individuals. Pending the GDPR becoming law in May 2018, such a court ruling sets a legal precedent for individuals to claim damages after personal data losses by companies through the courts as well. After May 2018, the GDPR grants individuals the right sue companies for damages following personal data breaches. So we can expect 'ambulance chasers' lawyers to pick up on this aspect of the GDPR, with class action lawsuits following data breaches, it well could become the new "P.P.I. industry"

Any businesses or individuals using Kaspersky should be aware the UK National Cyber Security Centre has warned government agencies against using the Russian supplier’s products and services, which follows a ban by US government departments in November. Barclays responded to the warning by stopping their free offering of Kaspersky anti-virus products to its customers. 2017 saw Cyber Security become a political football, so it is no real surprise that the UK and US once again blamed North Korea for the devasting WannaCry attacks earlier in the year, personally, I blame poor patch management and hackers, not the North Korea cyber army!

Nadine Dorries MP got herself in hot water after trying to defend now former political colleague Damian Green, following claims of Mr.Green accessed porn on his Parliment computer. This was activity was reported by a retired Police officer, which was said to be a breach of the data protection act. Nadine tweeted "my staff log onto my computer on my desk with my login everyday" to suggest anyone could have used Damian Green's PC to access the illicit websites. This led to widespread condemnation and a warning by ICO to MPs on password sharing. 

The fact illicit websites were not blocked by Parliament systems is one concerning lack security issue, but the flagrant disregard for basic cybersecurity by government MPs is gobsmacking, especially when you consider they are supposed to be understanding the risk and setting laws to protect UK citizens from cyber attacks and data breaches. Its another "slap palm on head" after the last UK Prime Minister announced he wanted to ban encryption.

2017 has seen huge rises in cryptocurrencies values, which has placed cryptocurrency brokers and user crypto coin wallets in the sights of cybercriminals. This month mining platform NiceHash was breached by hackers, who stole £51 million worth of Bitcoin and Bitcoin exchange Youbit, which lets people buy and sell Bitcoins and other virtual currencies, shut down and filed for bankruptcy after losing 17% of its assets in the cyber-attacks. I think we can expect further cryptocurrencies attacks in 2018 given the cryptocurrency bubble is yet to burst.

Faked LinkedIn profiles are nothing new, however, the German Intelligence Agency (BfV) said it had spotted China were using faked LinkedIn profiles to connect with and gather information on German officials and politicians, which is an interesting development.

Finally, Hackers were reported as taking advantage of poorly secured systems at UK private schools, and it was claimed hackers could turn off heating systems at UK schools and military bases.

NEWS
AWARENESS, EDUCATION AND THREAT INTELLIGENCE
REPORTS

Cyber Security Roundup for November 2017

One of the most notable data breaches disclosed this month was by Uber, given the company attempted to cover up the breach by paying off hackers. Over a year ago the transport tech firm was said to have paid £75,000 to two hackers to delete 57 million Uber account records which they had stolen. Uber revealed around 2.7 million of the stolen records were British riders and drivers. As a UK Uber rider, this could mean me, I haven't received any notification of the data breach from Uber as yet. The stolen information included names, email addresses, and phone numbers. Uber can expect enforcement action from regulators on both sides of the pond, the UK Information Commissioner's Office (ICO) said it had "huge concerns" about the breach and was investigating.

Jewson, Cash Converters, and Imgur all reported losing data due to hacks this month, while Equifax has reported suffering significant negative financial losses following their high profile hack of personal customer data. Equifax reported their net income had dropped by £20 million due to the hack, and their breach bill was coming in at a whopping £67 million.

November was a very busy month for security patches releases, with Microsoft, Apple, Adobe, Oracle, Cisco and Intel releasing a raft of patches to fix critical vulnerabilities. Apple even had to quickly release an emergency patch at end of November to fix a root access flaw reported in macOS High Sierra version 10.13.1. So just keep patching everything IT to ensure you and your business stays ahead of enterprising cybercriminals, the Equifax breach is a prime example of what can go wrong if system patching is neglected.

November also saw Open Web Application Security Project (OWASP) finally released an updated version to its Top Ten application vulnerabilities list, which is a ‘must know’ secure coding best practice for all software developers and security testers, especially considering that Akamai reported web application attacks had increased by 69% in the third quarter of 2017. Look out for an updated OWASP Top Ten IBM DeveloperWorks Guidance from me in December to reflect the updated list.

NEWS
AWARENESS, EDUCATION AND THREAT INTELLIGENCE
REPORTS

What is Data Privacy and why is it an important issue?

The question of whether privacy is a fundamental right is being argued before the honorable Supreme Court of India. It is a topic to which a young India is waking up too. Privacy is often equated with Liberty, and young Indians wants adequate protection to express themselves.

Privacy according to Wikipedia is the ability of an individual or group to seclude themselves, or information about themselves, and thereby express themselves selectively. There is little contention over the fact that privacy is an essential element of Liberty and the voluntary disclosure of private information is both part of human relationships and a digitized economy.

The reason for debating data privacy is due to the inherent potential for surveillance and disclosure of electronic records which constitute privacy such as sexual orientation, medical records, credit card information, and email.

Disclosure could take place due to wrongful use and distribution of the data such as for marketing, surveillance by governments or outright data theft by cyber criminals. In each case, a cybercitizens right to disclosure specific information to specific companies or people, for a specific purpose is violated.

Citizens in western countries are legally protected through data protection regulation. There are eight principles designed to prevent unauthorized use of personal data by government, organizations and individuals

Lawfulness, Fairness & Transparency
Personal data need to be processed based on the consent given by data subjects. Companies have an obligation to tell data subjects what their personal data will be used for. Data acquired cannot be sold to other entities say marketers.
Purpose limitation
Personal data collected for one purpose should not be used for a different purpose. If data was collected to deliver an insurance service, it cannot be used to market a different product.
Data minimization
Organizations should restrict collection of personal data to only those attributes needed to achieve the purpose for which consent from the data subject has been received.
Accuracy
Data has to be collected, processed and used in a manner which ensures that it is accurate. A data subject has to right to inspect and even alter the data.
Storage limitation
Personal data should be collected for a specific purpose and not be retained for longer than necessary in relation to this purposes.
Integrity and confidentiality
Organizations that collect this data are responsible for its security against data thefts and data entry/processing errors that may alter the integrity of data.
Accountability
Organizations are accountable for the data in their possession
Cross Border Personal information
Requirements.
Personal information must be processed and stored  in secured environment which must be ensured if the data is processed outside the border of the country

It is important for cybercitizens to understand their privacy rights particularly in context of information that can be misused for financial gain or to cause reputational damage.