Category Archives: Data Security

New technique keeps your online photos safe from face recognition algorithms

In one second, the human eye can only scan through a few photographs. Computers, on the other hand, are capable of performing billions of calculations in the same amount of time. With the explosion of social media, images have become the new social currency on the internet. An AI algorithm will identify a cat in the picture on the left but will not detect a cat in the picture on the right Today, Facebook and … More

The post New technique keeps your online photos safe from face recognition algorithms appeared first on Help Net Security.

A Boxcryptor audit shows no critical weaknesses in the software

More and more companies, self-employed and private customers are using Boxcryptor to protect sensitive data – primarily in the cloud. Boxcryptor ensures that nobody but authorized persons have access to the data. Cloud providers and their staff, as well as potential hackers are reliably excluded. The audit verified whether this protection is guaranteed. During the audit, Kudelski was given access to the source code of Boxcryptor for Windows and to the internal documentation. “All these … More

The post A Boxcryptor audit shows no critical weaknesses in the software appeared first on Help Net Security.

New privacy-preserving SSO algorithm hides user info from third parties

Over the last few decades, as the information era has matured, it has shaped the world of cryptography and made it a varied landscape. Amongst the myriad of encoding methods and cryptosystems currently available for ensuring secure data transfers and user identification, some have become quite popular because of their safety or practicality. For example, if you have ever been given the option to log onto a website using your Facebook or Gmail ID and … More

The post New privacy-preserving SSO algorithm hides user info from third parties appeared first on Help Net Security.

Data security matters more than ever in the new normal

Even before lockdowns, there was a steady migration toward more flexible workforce arrangements. Given the new normal of so many more people working from home—on top of a pile of evidence showing that productivity and quality of life typically go up with remote work—it is inevitable that many more companies will continue to offer those arrangements even as stay-at-home orders are lifted. Unfortunately, a boom in remote access goes hand-in-hand with an increased risk to … More

The post Data security matters more than ever in the new normal appeared first on Help Net Security.

Remote employees encounter 59 risky URLs per week

Working remotely from home has become a reality for millions of people around the world, putting pressure on IT and security teams to ensure that remote employees not only remain as productive as possible, but also that they keep themselves and corporate data as secure as possible. Achieving a balance between productivity and security is even harder, given that most organizations do not have adequate visibility or control over what their employees are doing on … More

The post Remote employees encounter 59 risky URLs per week appeared first on Help Net Security.

Marred by garbage: Striking a balance for security data

Security applications are subject to the age-old computing axiom of “garbage in, garbage out.” To work effectively, they need the right data. Too much irrelevant data may overwhelm the processing and analytics of solutions and the results they deliver. Too little, and they may miss something crucial. It’s mainly a question of relevance, volume and velocity. How much data? One of the most central questions, then, is how much data is enough? What is the … More

The post Marred by garbage: Striking a balance for security data appeared first on Help Net Security.

Core cybersecurity principles for new companies and products

The rapid increase in cyberattacks and pressures escalating from changes prompted by COVID-19 have shifted consumer behavior. The findings of a report by the World Economic Forum outline core cybersecurity principles and point to how companies and investors must significantly reduce cyber risk to remain competitive. “There is a serious imbalance between the “time to market” pressures and the “time to security” requirements for shiny new products and gadgets,” said Algirde Pipikaite, Cybersecurity Lead, World … More

The post Core cybersecurity principles for new companies and products appeared first on Help Net Security.

Consumer security concerns at an all-time high, but priorities have shifted

31% of Americans are concerned about their data security while working from home during the global health crisis, according to a Unisys Security survey. Consumer security concerns The survey found that overall concerns around internet security (including computer viruses and hacking) have plunged in the last year, falling 13 points from 2019 and ranking the lowest among the four primary areas of security surveyed for the first time since 2010. The findings come despite a … More

The post Consumer security concerns at an all-time high, but priorities have shifted appeared first on Help Net Security.

Privacy and security concerns related to patient data in the cloud

The Cloud Security Alliance has released a report examining privacy and security of patient data in the cloud. In the wake of COVID-19, health delivery organizations (HDOs) have quickly increased their utilization of telehealth capabilities (i.e., remote patient monitoring (RPM) and telemedicine) to treat patients in their homes. These technology solutions allow for the delivery of patient treatment, comply with COVID-19 mitigation best practices, and reduce the risk of exposure for healthcare providers. Remote healthcare … More

The post Privacy and security concerns related to patient data in the cloud appeared first on Help Net Security.

Companies are rethinking their approach to privacy management

TrustArc announced the results of its survey on how organizations are protecting and leveraging data, their most valuable asset. The survey polled more than 1,500 respondents from around the world at all levels of the organization. “There are more than 900 global privacy laws to which organizations must adhere, making privacy management an ongoing and dynamic challenge,” said Chris Babel, CEO, TrustArc. “The TrustArc survey highlights just how difficult it can be to comply with … More

The post Companies are rethinking their approach to privacy management appeared first on Help Net Security.

PCI SSC updates standard for payment devices to protect cardholder data

The PCI Security Standards Council has updated the standard for payment devices to enable stronger protections for cardholder data. Meeting the accelerating changes of payment device technology The PCI PIN Transaction Security (PTS) Point-of-Interaction (POI) Modular Security Requirements 6.0 enhances security controls to defend against physical tampering and the insertion of malware that can compromise card data during payment transactions. Updates are designed to meet the accelerating changes of payment device technology, while providing protections … More

The post PCI SSC updates standard for payment devices to protect cardholder data appeared first on Help Net Security.

How to find out the Best iPhone Keylogger?

Picking up the best match for our needs was never as tough as it is these days. The market is flooded with so many options. To make things worse, each one claims to be the best. This put us in a fix.

If you’re hunting for an iPhone keylogger and fail to make a choice, we might help you.

iPhone keylogger is not any other tool/software that you find around you. It does a special job – the job of recording the keystrokes of the targeted iPhone. So, you can’t take up any chance and pick up a going-for-a-song option.

Here, we are going to help you to pick the best iPhone keylogger and avoid any mess.

Before moving any further, let’s understand some key traits of the best iPhone keylogger. The best iPhone keylogger:

  • Will render quality data
  • Can be monitored easily without getting noticed
  • Will work without heating up the targeted device and making any background noise

Seeing all these traits, we have only one name in our mine viz. Spyier. Spyier fits very well in this. This made us conclude that Spyier is the best iPhone keylogger that you can have in 2020.

Along with Spyier, you can check out the best iPhone keylogger here. Let’s start knowing Spyier a little better and find out what makes it the best choice.

Spyier – Your Lucky Charm

Spying on an iPhone was never an easy job. There is no scope for errors when you’re doing it and Spyier ensures this by all means. Its iPhone keylogger is far better and advanced than any other run-of-the-mill options making rounds in the market.

When a product has been trusted by millions across the 190 nations and has been praised by world-media, it has to be nothing but the best. This Spyier review post will help you become aware of its popularity.

spyier-banner

Now, that you know that Spyier has already won millions of hearts, it’s time to learn about those features that have crowned it with #1 position.

Spyier works flawlessly

At the beginning of the article, we told you that the best iPhone keylogger is the one that is free from flaws like heating up the device and making sound in the background. Well, nothing of this sort is going to happen with Spyier’s iPhone keylogger.

It’s free from these and many other basic flaws that follow the rest of the options. Spyier’s at-work technology is so advanced that the target will never find out about its presence on the targeted device. While Spyier is at service, you don’t have to deal with issues like:

  • Reduced or poor performance of the targeted device
  • Quick battery consumption
  • Reduce speed

This simply indicates that Spyier’s iPhone keylogger is not any ordinary choice. It’s a one-of-its-kind tool that does the job with full perfection and conviction.

spyier

Bringing it into action is easy

If you’re using an iPhone keylogger which is the part of a spying app then you have to make many efforts to bring it into action.

Some may ask you to jailbreak the targeted devices. Taking up this route to deploy the iPhone keylogger would be the worst mistake of your life. Thank God! Spyier doesn’t work that way.

You don’t have to jailbreak the targeted iPhone to bring it into action. Also, you don’t have a tech-savvy soul to start using it. Having basic computing skills is more than enough.

Accessing the data is a cakewalk

Spyier’s developers deserve a pat on their back for the invention of Spyier’s dashboard. It’s nothing but a magnum opus. It’s super interactive and easy-to-access. It comes with a 100% web-based interface. So, there is no download and installation involved.

You can use any device/browser to access it and can find every relevant data meticulously displayed on your screen.

No one ever thought that accessing the keystroke details of an iPhone could be so easy and hassle-free. But, Spyier not only thinks about it but has made it possible as well.

Best doesn’t mean to be a big-ticket

There is no hard and fast rule that only pricy kinds of stuff are the best ones. Sometimes, you can have a best-in-class option at least possible price as well and Spyier is the best example of this category.

As it doesn’t require any other hardware and software, it keeps the operational cost least possible. You can use it for one month’s long time at a mere cost of $10.

At this cost, you will have the facilities to monitor around 35+ phone activities along with the keylogger. We think this is the best deal that anyone can ever have.

Best-in-class and reliable data

All these safety features and facilities will hold no ground if the rendered data is not reliable enough. To be called the best iPhone keylogger, one has to deliver real-time data and this is what Spyier does. Spyier captures data in real-time and renders it to you directly.

Every data is accompanied by a timestamp that further swell-up its viability. It’s so realistic and convincing that no one can ever raise fingers on it. Try cross-checking it and you’ll get to know on your own.

Your secret remains a secret till eternity

No matter how needy you are to use the iPhone keylogger, you will never want to get caught in the act. Will you?

To prevent this, Spyier never let anyone know about your motives and intention. It never sends any notification on the target device and makes things suspicious for the target.

Every data that it records is delivered directly on the dashboard and it remains between you and the dashboard. There is no third involvement.

Reaching at the Conclusion.

Claiming to be the best is one thing and proving it is another. Spyier not only claimed that it’s the best iPhone keylogger that we have today but also proved it with its actions and features.

The way it works without the help of jailbreaking renders real-time data and help the end-user to stay informed with every keystroke made us believe that this is indeed the best-of-breed option.

The post How to find out the Best iPhone Keylogger? appeared first on .

How prepared are SMBs to recover from disaster?

The vast majority of SMBs both expect the unexpected and feel that they’re ready for disaster – though they may not be, Infrascale reveals. Ninety-two percent of SMB executives said they believe their businesses are prepared to recover from a disaster. However, as previously reported, more than a fifth of SMB leaders said they don’t have a data backup or disaster recovery solution in place. The research also indicates that 16% of SMB executives admitted … More

The post How prepared are SMBs to recover from disaster? appeared first on Help Net Security.

Organizations are creating the perfect storm by not implementing security basics

European organizations have a false sense of security when it comes to protecting themselves, with only 68% seeing themselves as vulnerable, down from 86% in 2018, according to Thales. Problems with implementing security basics This confidence flies in the face of the findings of the survey of 509 European executives which reveals 52% of organizations were breached or failed a compliance audit in 2019, raising concerns as to why 20% intend to reduce data security … More

The post Organizations are creating the perfect storm by not implementing security basics appeared first on Help Net Security.

Why NHS, UK Healthcare Orgs Need to Boost Their Security in Age of COVID-19

All National Health Service (NHS) and social care organisations in the United Kingdom have always been and will always be a target for bad actors. The nature of their business and the sensitive data they hold make these entities appealing to bad actors who know that legacy systems, and/or, not regularly patched systems, such as […]… Read More

The post Why NHS, UK Healthcare Orgs Need to Boost Their Security in Age of COVID-19 appeared first on The State of Security.

Cybercriminals exposed 5 billion records in 2019, costing U.S. organizations over $1.2 trillion

Cybercriminals exposed over 5 billion records in 2019, costing over $1.2 trillion to U.S. organizations, according to ForgeRock. Coupled with breaches in 2018 costing over $654 billion, breaches over the last two years have cost U.S. organizations over $1.8 trillion. Healthcare: The most targeted industry Healthcare emerged as the most targeted industry in 2019, accounting for 382 breaches and costing over $2.45B, an increase from 164 incidents costing over $633 million in 2018. Despite healthcare … More

The post Cybercriminals exposed 5 billion records in 2019, costing U.S. organizations over $1.2 trillion appeared first on Help Net Security.

How do industry verticals shape IAM priorities?

IAM priorities differ by industry vertical, and a one-size-fits-all approach to IAM doesn’t work when every industry and business within that industry is unique, according to LastPass and Vanson Bourne. Each industry vertical has unique business needs, and as a result has different areas of focus when it comes to their IAM program. Finance focused on reducing risk, while integrating IAM infrastructure Financial service organizations deal with higher stakes than most verticals, which inevitably impacts … More

The post How do industry verticals shape IAM priorities? appeared first on Help Net Security.

Employees abandoning security when working remotely

48% of employees are less likely to follow safe data practices when working from home, a report from Tessian reveals. The global shift to remote working poses new security challenges for businesses and traditional security solutions are failing to curb the problem of the insider threat and accidental data loss. Remote work compounds insider threats While 91% of IT leaders trust their staff to follow best security practices when working remotely, 52% of employees believe … More

The post Employees abandoning security when working remotely appeared first on Help Net Security.

Protecting Fleet Data from Security Threats

Big data is revolutionizing fleet management — specifically in the form of telematics. From engine diagnostics that track fuel efficiency and mileage to sensors that detect aggressive driving behavior and interior vehicle activity, this information is so valuable that we’re quickly approaching the point where connected technology will come standard in every vehicle. Telematics is […]… Read More

The post Protecting Fleet Data from Security Threats appeared first on The State of Security.

Breached Mathway App Credentials Offered on Dark Web

Over 25 million user logins and passwords from a popular math app are being offered for sale on the dark web following a data breach.

Mathway, a popular app for iOS and Android devices, recently uncovered evidence of the breach after a hacking group announced it was selling Mathway user data on the dark web for roughly $4,000 in Bitcoin. 

ShinyGroup, a hacking group notorious for selling compromised data, announced that they had breached Mathway in January 2020. It is currently unknown if the salts and hashes used to encrypt the passwords can be deciphered, but if they are the value of the data to hackers would increase significantly.

“We recently discovered that certain Mathway customer account data–emails and hashed and salted passwords–was acquired by an unauthorized party.  Upon learning of this, we retained a leading data security firm to investigate, address any vulnerabilities and remediate the incident,” Mathway announced after discovering the breach.

Mathway users are urged to update their account passwords and monitor their accounts for suspicious activity.

The post Breached Mathway App Credentials Offered on Dark Web appeared first on Adam Levin.

The GDPR, Year II

With children, reaching the age of two is usually the change from a beautiful newborn to a moving creature that has reached the terrible twos.

It may be that the same is happening to the General Data Protection Regulation as it approaches the mark of its second year of enforcement: Data Protection Authorities (DPAs) seem to be paralyzed by limited budgets, a lack of resources, and most DPAs consider that the GDPR is not fully enforced. The Brave report issued by the Brave Community, a forum where people who care about the internet and their browsing experience come to discuss with each other, typically shows that only five of Europe’s 28 national GDPR enforcers have more than 10 tech specialists.  Half of EU GDPR enforcers have limited budgets (under €5 million), leading some/many/advocates? to believe that European governments have failed to properly equip their national regulators to enforce the GDPR. Recently, Brave even called on the European Commission to launch an infringement procedure against EU Member State Governments for failing to implement Article 52(4) of the GDPR, which provides that “Each Member State shall ensure that each supervisory authority is provided with the human, technical and financial resources, premises and infrastructure necessary for the effective performance of its tasks and exercise of its powers […]”.

Beyond enforcement challenges, the GDPR has gone through some major crises: first with Brexit and then with the outbreak of the COVID-19.

Though terrifying for many people, Brexit was handled relatively easily through a transition period, which goes until 31st December 2020, during which UK organisations are bound by two laws: the EU GDPR and the UK DPA (Data Protection Act 2018).

The EU GDPR will no longer apply directly in the UK at the end of the transition period. However, in reality, the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 amends the DPA 2018 and merges it with the requirements of the EU GDPR to form a data protection regime that will work in a UK context after Brexit, and with insignificant differences between the EU GDPR and the proposed UK GDPR. In short, organisations that process personal data should continue to comply with the requirements of the EU GDPR and doing so will meet the obligations in the UK as well. The only thing left to consider is to what extent the EU Commission will issue an adequacy decision in favour of the UK.

The second major crisis is the COVID 19 pandemic, which presented new challenges, among them new tracing apps,  the explosion of the use of remote workers at controllers, processors, and subprocessors, and questions about how employers ensure the health and safety of their workforce without compromising a data subjects privacy rights.  Additionally, hacker activity has been unprecedented, causing a sudden “mass exodus” home and (personal) data protection risks. “It’s like we’ve kicked over a hornet’s nest,” says Raj Samani, chief scientist at McAfee.

Data breaches are not limited to the ones resulting from hackers, but also by a simple data loss such as a corporate USB stick. Remote working weakens IT security for unprepared companies; vendors in some jurisdictions and in some roles did not have infrastructure in place to properly continue to offer their services after stay-at-home orders.

    • using inadequately secured private or mobile devices (lack of antivirus software, out-of-date operating system software, no encryption solutions, etc.) or using an unsecured Wi-Fi network;
    • using popular free messaging and meeting applications;
    • using social media platforms for business purposes;
    • not using VPN and other corporate solutions;
    • having no back-up plan;
    • lack of video surveillance
    • the proliferation of other people, Siri and Alexa and other listening/sensing devices

With respect to physically securing data

  • risk of loss during transfer of documents;
  • not adapting space at home for remote work purposes, making it possible to damage equipment or have sensitive documents stolen

With respect to the organization

  • having no fundamental business continuity measures in place and having no back-up equipment;
  • low awareness of employees where threats related to personal data protection were previously focused on risks present in normal work.

The threats are numerous, but mitigating the risk is not impossible and can still be done:

  • Draft (or update) a remote work policy and make sure there are processes around remote working. This might be a part of an existing Acceptable Use Policy or it might be a standalone document.
  • Inform your employees of the minimal security requirements for devices and networks they use, and have technical measures to ensure that your workforce is adhering to these requirements
  • Limit your employees to sanctioned messaging and meeting software and train your employees about how many popular applications may not provide for an adequate level of data protection and are usually not intended for business purposes.
  • Train your employees about why privacy and security are important generally.
  • Make sure the devices use the latest antivirus software and that employees have a VPN solution available when required by policy or their activities.

COVID-19 has marked the end of the World as we knew it before. Our lives may be impacted forever with new work styles, unprecedented cybersecurity issues, innovative policies, new hygiene rules and so on. The fight against COVID-19 is not just for the organisation, employees or customers but a joint effort from everyone. Obviously, organizations will need to rethink their cyber risk management in the Post COVID-19 and should not forget along the road the rules and the frame set by the GDPR whilst rebuilding the World After.

The GDPR has proved to be a robust tool to guide companies, officials and public health authorities in the response to the COVID-19 crisis and allocating the DPAs across the EU with increased financial and human resources will allow them to address the large number of complaints whilst it is up to the European Commission to ensure no human rights are violated.

 

The post The GDPR, Year II appeared first on McAfee Blogs.

Shifting responsibility is causing uncertainty and more security breaches

Data security is creating fear and trust issues for IT professionals, according to a new Oracle and KPMG report. The study of 750 cybersecurity and IT professionals across the globe found that a patchwork approach to data security, misconfigured services and confusion around new cloud security models has created a crisis of confidence that will only be fixed by organizations making security part of the culture of their business. Data security is keeping IT professionals … More

The post Shifting responsibility is causing uncertainty and more security breaches appeared first on Help Net Security.

Hackers Double Ransom Demands, Implicate Trump in Celebrity Law Firm Hack

The hackers who attacked a major entertainment and media law firm have now doubled the sum they’re demanding, and have included a threat to reveal compromising data on President Donald Trump.

Grubman Shire Meiselas & Sacks represents high-profile clients including U2, Madonna, Lizzo, Drake, and Lady Gaga among many others. The firm was targeted with ransomware earlier this month, which led to the reported exfiltration of 756 gigabytes of data, including contracts and client correspondence. REvil, the hacking group claiming responsibility for the attack, initially demanded $21 million in ransom and released contracts relating to a recent Madonna tour as proof of their access to the firm’s data. They have since doubled their demand.

“The ransom is now $42,000,000,” the hackers announced in a statement on the dark web. “The next person we’ll be publishing is Donald Trump… Grubman, we will destroy your company down to the ground if we don’t see the money.”

Donald Trump is not a client of the firm, which raises questions as to what data, if any, they have access to.

Grubman Shire Meiselas & Sacks has refused to cooperate with the hackers’ demands.

“The leaking of our clients’ documents is a despicable and illegal attack by these foreign cyberterrorists who make their living attempting to extort high-profile U.S. companies, government entities, entertainers, politicians, and others,” the firm said in an announcement.

The post Hackers Double Ransom Demands, Implicate Trump in Celebrity Law Firm Hack appeared first on Adam Levin.

New software enables existing sensors to detect ransomware

Engineers from SMU’s Darwin Deason Institute for Cybersecurity have developed software to detect ransomware attacks before attackers can inflict catastrophic damage. Ransomware is crippling cities and businesses all over the world, and the number of ransomware attacks have increased since the start of the coronavirus pandemic. Attackers are also threatening to publicly release sensitive data if ransom isn’t paid. The FBI estimates that ransomware victims have paid hackers more than $140 million in the last … More

The post New software enables existing sensors to detect ransomware appeared first on Help Net Security.

Educational organizations use cloud apps to share sensitive data outside of IT control

Many educational organizations are at risk of data security incidents during the current period of working from home and virtual learning, a Netwrix report reveals. Weak data security controls According to the survey, even before the COVID-19 pandemic, the majority of educational organizations had weak data security controls. In particular, 54% of IT professionals in the educational sector confessed that employees put data at risk by sharing it via cloud apps outside of IT knowledge. … More

The post Educational organizations use cloud apps to share sensitive data outside of IT control appeared first on Help Net Security.

How to Secure Your Data Everywhere? It’s Easy With Unified Cloud Edge

The need to protect sensitive data has two main drivers, privacy legislation and protection of intellectual property against external breaches and insider threat. 58% of the countries worldwide now have legislation in place; these will become more onerous over time.  Breaches and insider theft of data is a frequently reported topic in the media due to the steady stream of brand impacting, high-profile cases.  Breaches are expensive due to fines, loss of revenue and remediation costs.

Historically data protection via DLP was implemented on the end point and in the business’s network.  Both approaches have strengths and weaknesses; network DLP is unable to monitor the movement of sensitive data to USB memory sticks and end point DLP doesn’t offer some of the more sophisticated DLP capabilities that require a lot of memory and compute power.  Many customers deployed both enterprise DLP solutions.

Other vendors without enterprise DLP offerings have added “DLP-lite” capabilities to their products, predominantly email and web security products and some businesses have chosen those over enterprise DLP solutions.

This approach was sustainable before widespread adoption of the cloud.  95% of companies have or are adopting cloud services and 79% of them admit to storing sensitive data there.  Data is now everywhere, on laptops, servers, in sanctioned apps, in unsanctioned Shadow IT apps and moving from cloud to cloud.  Protecting data within the four walls of an organization is no longer sufficient.

Businesses, particularly those with a Cloud First strategy have responded to this challenge by introducing a CASB solution such as McAfee’s MVISION Cloud product.  Dependent on the product this can address some, or all, of these cloud adoption challenges – MVISION Cloud addresses them all.

The problem however is that some businesses are living with gaps in their protection as they don’t deploy multiple products.  Endpoint DLP can’t solve for cloud, neither can cloud DLP solve for endpoint and web DLP can’t effectively solve for sanctioned apps allowing online collaboration, or endpoint.  When looking at common use cases along with potential DLP leak vectors you’ll appreciate why a single product isn’t a complete solution:

To attempt to address this, businesses deploy multiple products.  Doing so closes all the gaps but has downsides.  Multiple products are expensive to license, have higher IT management overheads and complexity due to subtly implementations.  These differences are due to different DLP policies, data classifications and content extraction engines which makes it difficult to ensure consistency of detection across products, as data classifications that have been fine-tuned over time have to be re-implemented from scratch with each additional product, leading to a reduction of efficacy.

McAfee’s Unified Cloud Edge (UCE) solution solves these problems.  UCE is a combination of endpoint DLP, web SaaS proxy and CASB, covering all the potential data leak vectors: endpoint, unsanctioned shadow IT apps, sanctioned apps (including email) and cloud to cloud transfers.  UCE is managed via a single console and uses the same DLP technology everywhere, such as policy and content extraction engines to maximize efficacy through consistent results.  Businesses can retain their investment in those carefully crafted data classifications, allowing use across all vectors and easy extension to the cloud.  UCE is a cloud native, highly scalable solution with industry leading uptime and availability.

Want to find out more?  Then head over to https://www.mcafee.com/enterprise/en-us/solutions/unified-cloud-edge.html

The post How to Secure Your Data Everywhere? It’s Easy With Unified Cloud Edge appeared first on McAfee Blogs.

Magellan Health Ransomware Attack Exposes Customer Data

In the wake of an April ransomware attack, Fortune 500 healthcare company Magellan Health announced that a hacker exfiltrated customer data.

The ransomware attack was first detected by Magellan Health April 11, 2020, and was traced back to a phishing email that had been sent and opened five days earlier. Subsequent investigation revealed that customer data had been exfiltrated prior to the deployment of the ransomware.

“The exfiltrated records include personal information such as name, address, employee ID number, and W-2 or 1099 details such as Social Security number or Taxpayer ID number and, in limited circumstances, may also include usernames and passwords,” stated the company in a letter sent to affected individuals.

This incident comes months after the company announced several of its subsidiaries had been targeted by phishing attacks that resulted in the compromise of the health information of more than 55,000 members.

 

The post Magellan Health Ransomware Attack Exposes Customer Data appeared first on Adam Levin.

Celebrity Data Stolen in Major Data Breach

A major entertainment and media law firm experienced a massive data breach that may have compromised the data of many celebrities including Bruce Springsteen, Lady Gaga, Madonna, Nicki Minaj, Christina Aguilera, and others.

Grubman Shire Meiselas & Sacks, a New York-based law firm, was hit by a ransomware attack that compromised at least 756 gigabytes of client data, including contracts, non-disclosure agreements, contact information and personal correspondence. The hackers appear to have used REvil, or Sodinkobi, a ransomware strain behind several high-profile cyberattacks on targets including Kenneth Cole, Travelex, and Brooks International.

Whoever is behind the hack has threatened to publish the stolen data in nine installments unless the law firm pays an undisclosed ransom. They have since released documents belonging to Madonna and Christina Aguilera on the dark web to prove they have the goods and are willing to make them public.

Grubman Shire Meiselas & Sacks has yet to issue a statement on the breach. As of May 12, their website is still currently offline. 

The post Celebrity Data Stolen in Major Data Breach appeared first on Adam Levin.

Do Password Managers Make You More or Less Secure?

It’s World Password Day, and much like every other day of the year, the state of password security is terrible. 

Despite repeated warnings from security experts and IT departments, “123456” is still the most common password for the last seven years, narrowly edging out “password.”

The problem isn’t limited to easily guessed passwords: a recent study of remote workers found that 42 percent of employees physically write passwords down, 34 percent digitally capture them on their smartphones, and at least 20 percent admit to using the same password across multiple work accounts. 

Enter the password manager: an application or service that consolidates the credentials for all a user’s accounts. If you stop reading here: Password managers are not failsafe. 

While password managers provide a convenience to users, they are hackable. So while it provides a convenient place to store your long and complex passwords, the whole collection of access data is protected by a single, hackable password. 

If you’re in the habit of using the same or similar passwords across your universe of accounts, a password manager with a very strong password offers more security.

The issue with password managers from a security point of view is that they trade one of the biggest threats to account security–credential stuffing through the re-use of leaked or hacked passwords, for a potentially more serious one: The skeleton key for all of your accounts. Because password managers offer a one-for-all proposition, they make an appealing target for hackers who wouldn’t otherwise try to crack a unique password.

Additionally, password managers are not immune to the security issues that plague any other online service. A number of well-known password managers have either been breached or found to have severe vulnerabilities. 

Take away: While password managers add a layer of protection for online accounts, they’re not a silver bullet, and have the potential to open the door to even greater online threats. Regardless of the method to keep track of passwords, any account should also be protected with other measures such as multi-factor authentication, up-to-date security software, and a close eye on account activity.

 

The post Do Password Managers Make You More or Less Secure? appeared first on Adam Levin.

Indecent Exposure: 7TB of Adult Streaming User Data Unsecured on Server

Users on an adult streaming platform may have experienced the wrong kind of exposure when over seven terabytes of data was found on an unprotected database online. The damage done could include the dissemination of amateur pornographic user images. 

CAM4, a video streaming service primarily for adult amateur webcam content, reportedly left more than 11 million user records online on an unprotected Elasticsearch server. The error was unintentional. The data was discovered by researchers at Safety Detectives, a security review website.

Leaked customer data potentially included, but was not limited to, names, email addresses, countries of origin, gender preferences, sexual orientation, user names, credit card types, user conversations, payment logs, email correspondence transcripts, token information, password hashes, IP addresses.

“The fact that a large amount of email content came from popular domains…that offer supplementary services such as cloud-storage and business tools — means that compromised CAM4 users could potentially see huge volumes of personal data including photographs, videos and related business information leaked to hackers — assuming their accounts were eventually hacked via phishing as one example,” wrote Safety Detectives in a blog describing their findings.

The post Indecent Exposure: 7TB of Adult Streaming User Data Unsecured on Server appeared first on Adam Levin.

68% of Pharma Executives Have Had Credentials Breached Online

The online credentials for 68% of pharmaceutical executives analyzed for a study have been compromised recently.

The study, conducted by cybersecurity firm Blackcloak, found that the email accounts of over two-thirds of pharmaceutical executives had been compromised within the last five to ten years. Of the compromised emails, 57% were found on the dark web and had been either cracked or stored in plaintext format.

While the primary source (85%) of the email account information was a 2015 data breach of the professional social network LinkedIn, Blackcloak CEO Dr. Chris Pierson assigns much of the blame to weaker cybersecurity via personal devices and accounts belonging to executives, referring to it as “the path of least resistance” for hackers.

“Hackers and cybercriminals spot the opportunity to effortlessly gain access and control over the executives’ home network, enabling them to migrate into the company network from that point. Every day the executive brings their company home, where the security controls are nonexistent and weak ‒ so every night, their corporate networks and company are at risk for a cyberattack,” wrote Pierson.

C-suite executives have been a frequent target for hackers and scammers, but Pierson identified some vulnerabilities specific to the pharmaceutical industry.

“In the pharmaceutical world, executives appeared to move from job to job across a tier of companies and with this they brought their old passwords with them and showed consistent use over a period of sometimes 15 years of same and/or similar passwords,” wrote Pierson.

 

The post 68% of Pharma Executives Have Had Credentials Breached Online appeared first on Adam Levin.

Ghost Blogging Platform Hacked To Mine Cryptocurrency

Hackers successfully breached the servers of a popular blogging platform and used them to mine cryptocurrency.

Ghost, a Singapore-based blogging platform with 2,000,000 installations and 750,000 active users, announced that hackers had breached their systems. 

“The mining attempt… quickly overloaded most of our systems which alerted us to the issue immediately,” the company announced May 3, adding that “[t]here is no direct evidence that private customer data, passwords or other information has been compromised. 

The hackers compromised Ghost’s servers by exploiting two major vulnerabilities in SaltStack, a network automation tool typically used by IT support and system administrators. Ghost is just one of several companies and organizations that have been compromised since the vulnerabilities were disclosed, including LineageOS, an Android-based operating system, and Digicert, a security certificate authority. 

As of May 4, Ghost announced that it had successfully purged the cryptocurrency mining malware from its systems. The company also stated that they would be notifying their customers, which include NASA, Mozilla, and DuckDuckGo.

 

The post Ghost Blogging Platform Hacked To Mine Cryptocurrency appeared first on Adam Levin.

Cybercriminals Are Exploiting the Covid-19 Pandemic

Cybercriminals are actively targeting Covid-19 hotspots with malware and phishing campaigns, according to a new report from Bitdefender.

The report, “Coronavirus-themed Threat Reports Haven’t Flattened the Curve,” shows a direct correlation between confirmed Covid-19 cases and malware attacks exploiting the crisis.

These findings confirm a similar report that showed a 30000% increase in Covid-19-themed attacks from January to March.

“Countries that have reported the largest number of Coronavirus-themed [scams] seem to have also been those hit hardest by the pandemic,” the report stated, showing a concurrent increase in both confirmed cases and malware attacks in South Africa in April as an example.

Data from the Bitdefender report also indicated a connection between an increase in phishing campaigns in areas where testing for Covid-19 has become available.

“[W]e can safely infer that people who get tested are interested in learning more about potential treatments, medicine, medical best practices, and maybe even other patient’s experiences… those spending more time online looking for information about COVID-19 are more likely to fall prey to scams and malware related to Coronavirus,” the report stated. “Receiving an email claiming to have new and interesting information about the pandemic with more exclusive information embedded within the attachment is the perfect lure.”

Read the full report here.

The post Cybercriminals Are Exploiting the Covid-19 Pandemic appeared first on Adam Levin.

What E-Commerce Sites Can Learn from the Covid-19 Pandemic

For the last few years, cybersecurity experts have been sounding the alarm on something called e-skimming. In this kind of attack, hackers intercept payment card data and personal information from e-commerce sites by exploiting the architectural complexity of those e-commerce sites. 

While there have been several major breaches that were the result of e-skimming, including Macy’s and British Airways, the bulk of these hacking campaigns have been attributed to an individual or a group of hackers called Magecart. S/he or they usually target the Magento platform, often by injecting rogue code into outdated plugins and extensions for websites.

Magento isn’t the Covid moment here. E-skimming is. 

Enter WooCommerce 

Security researchers discovered what could be a game changer in e-skimming attacks earlier this month, one that exponentially expands our collective attackable surface.

Magento has about a 12% market share and represents less than 1% of the entire assemblage of code that comprises the Internet. 

The discovery I mentioned is that a new e-skimming hack has been targeting WooCommerce, which is a far more ubiquitous online shopping plugin used in 26% of all e-commerce sites. WooCommerce is native to and powered by WordPress, a platform that represents over 35% of websites currently online. It would be hard to find a larger attackable surface on the Internet.

The threat posed by a hack targeting WooCommerce isn’t bad only because of the technology’s ubiquity. The issue has to do with who uses it. The quick answer is: Anyone. Contrast that with Magento, which is designed for enterprise-level sites that have detailed inventory needs and other layers of complexity. Magento requires installation, development, and maintenance by trained web professionals certified by the company to understand its many nuances. 

WooCommerce, on the other hand, is easy to use and install; a user with little to no experience building websites—and even less knowledge of cybersecurity best practices—can use it to get an e-commerce site up and running with ease. 

This would be a bad situation in normal times, but with the Covid-19 pandemic making many businesses more reliant on e-commerce and virtual transactions, the potential for an increase in poorly secured websites built on the fly is a matter for concern. 

That said, the bigger issue may be the nature of the hack itself. While e-skimming attacks have usually involved the compromise of vulnerable third-party software, e-skimming injects malicious code into the core source code of WooCommerce which makes it much harder to detect–particularly for non-expert site builders.

“With credit card swipers it’s common for attackers to simply include/append malicious javascript from a third-party website,” said Sucuri researcher Ben Martin, who first wrote about the attack. “The fact that the malware lodged itself within an already existing and legitimate file makes it a bit harder to detect.”

There are parallels with the early days of the Covid-19 pandemic. A relatively familiar threat has surfaced in a more dangerous form that is harder to detect and has the potential to impact a significantly larger number of victims. 

Like Covid-19 in January, the current WooCommerce hack is a nascent threat, but unlike the virus, you can prepare for the threat and mitigate the potential damage. 

A good place to start is for businesses and consumers to use a system I call the 3 Ms:

Minimize the Threat: Businesses doing e-commerce need to keep their website and security software up-to-date. Those companies that have the technical know-how should run regular scans for the presence of rogue code on their websites. If they don’t have that resource in house, they would be well advised to hire a cybersecurity expert to do it for them. Most important is to practice good data hygiene, especially when relying on a remote workforce. A single login and password hooked by a phishing email could provide hackers with the necessary credentials to compromise a website, as well as its customer and payment data. 

When making payments online, consumers should use credit cards instead of debit/bank cards, which can provide hackers a direct conduit to their bank accounts.

Monitor Accounts: Keep track of your bank and credit card accounts to know as quickly as possible when something isn’t right. The most effective way to do this is to sign up for transaction monitoring—offered for free by banks, credit unions and credit card companies— which notifies you of any activity in your credit or bank accounts.

Manage the Damage: If a business falls prey to an e-skimming campaign, it’s crucial to act as quickly as possible to alert the authorities, notify consumers and identify the source of the hack. Customers affected by an e-skimming breach should immediately contact their payment card companies, request new cards, and lock down any potentially impacted accounts.

Malware and viruses are opportunistic. With more businesses relying on e-commerce to make up for shuttered physical storefronts, newly remote workers struggling to secure their home offices from cyberthreats, and more customers using e-tailers for their day-to-day shopping, the circumstances are ideal for a new strain of malware to spread. 

The post What E-Commerce Sites Can Learn from the Covid-19 Pandemic appeared first on Adam Levin.

Ensuring Data Security with Business Process Outsourcing Companies

The business processing outsourcing industry is known for generating savings and top-quality services for their clients. Enterprises in the West started the trend and has since relied on the East for their operations. 

From its beginnings in manufacturing and call centres, the industry has widened its offerings to accounting, human resources, and even professional services. This gives way to the rise of high-value outsourcing, including research and development and other innovation strategies getting outsourced. Affordable high-quality technology also made it possible for small and medium businesses to try it.

Despite its popularity, many businesses worry about the risks of outsourcing their projects to a low-cost country. This includes data and cybersecurity concerns and how these companies handle it. 

Most BPO companies follow the data and compliance standards set by institutions such as ISO and HIPAA. Even when working remotely, they make sure that these standards and processes are followed.

The COVID-19 pandemic, which causes disruptions to businesses worldwide, continues to prove the flexibility of these companies in continuing their operations. This article tackles how BPO companies ensure data and cybersecurity when working from home due to the pandemic.

BPO companies and in-house employment

BPO companies value data and cybersecurity by following strict security measures in their daily operation. They keep employment in-house to monitor and ensure the security of their data. Most service providers, meanwhile, invest in high-quality infrastructures and backups in case of an electric outage and data breach.

Compliance is also mandatory for its operation. BPOs in India and the Philippines, the top outsourcing countries, apply for ISO and HIPAA standards to ensure that their operation meets the international standards. Keeping employees in-house helps process and compliance monitoring easier since the operation is done in a single location.

The impact of COVID-19 to in-house work

The global pandemic has affected the majority of businesses and in-house employment. Lockdowns in different countries have forced them to either halt operations or put their employees on remote work. The outsourcing industry also felt the challenges brought by this. 

Several countries have taken measures to continue their operations and stay business as usual. Work-from-home (WFH) employees are provided with equipment and internet connection to continue their work. Skeletal workforce and those who cannot render WFH are provided with accommodations in nearby hotels and lodging.

How remote work affects security for BPOs

According to Concentrix, a distributed workforce setup in the BPO industry is highly unusual since most of the operations are kept in-house

These companies know that remote working imposes risks in the cybersecurity of a business. An employee using a shared public network can pose a vulnerable threat to their client’s information. Without a VPN and strong firewall settings, their IP address, location, and data are exposed to malicious activities online. 

Encryptions are also important in protecting the company identity. Storages with weak encryptions also give way for hackers to steal critical information and use it for fraudulent transactions online or in the real world.

How to keep up with data security

The outsourcing industry is a flexible one. With the help of technology, BPO companies maintain the security of their data and processes remotely. The flexible arrangement has been a part of their business continuity plan in these unusual times. These examples show how BPO companies in the Philippines made a solution for working from home.

Data security

Letting their employees use a personal computer or a laptop may be ideal for creative, programming, and design roles. However, it won’t work for accounting and other roles that deal with critical customer and business information. 

With this, most companies provided the equipment for their tasks. Their data is either stored in the desktop’s hard disk or a cloud drive with encrypted security. Each storage is password-protected which only the employee and their employers can access.

Cybersecurity

Another risk of using a personal device for work is cybersecurity. A personal laptop does not have the adequate tools to protect their system from suspicious activities online. Using a shared connection even poses more threat to this. 

Desktops provided by the companies have secured VPN and firewall that protects them for their entire operation. For employees with slow or shared connections, companies provide a portable broadband connection for a smoother workflow.

Streamlined processes

Even in remote work, BPOs imply strict measures to ensure that their processes are streamlined. Employers have mastered using work collaboration tools and other online services while in the office so they can keep track of their work in real-time. 

Call centres, for instance, have a single CRM system used to record customer issues, capture information, and track issues via tickets.

The skeletal workforce, meanwhile, will supervise and monitor the progress of the deployed teams. They are also tasked to check the work quality of their employees, process transactions, close sales deals, and report to the client about their tasks.

Work collaboration

Deployed teams have little to no worries in work collaboration online. Many employees already use several tools such as Slack and Skype for communication, G Suite for documentation, and CRM apps for capturing and encoding data.

Employers also use screen monitoring software to track employees’ attendance and activities. This helps them have an overview of their performance, the total hour of their work, and the websites they have visited. Project monitoring tools, meanwhile, helps them keep track of the progress of the entire project and delegate tasks through their team.

Author Bio

Derek Gallimore is as passionate about outsourcing as he is for business and entrepreneurial-ism. Outsourcing is a booming industry. Derek believes that every business owner should be fully aware, and utilise this incredible opportunity. In response to a general lack of information, he has founded Outsource Accelerator. Outsource Accelerator is the world’s foremost independent and unbiased source of outsourcing information advisory and education.

The post Ensuring Data Security with Business Process Outsourcing Companies appeared first on Heimdal Security Blog.