Over the past year, deepfakes, realistic yet fake or manipulated audio and video created with machine learning models, started making headlines as a major emerging cyber threat. The first examples of deepfakes seen by the general public were mainly amateur videos created using free deepfake tools, typically of celebrities’ faces superimposed into pornographic videos. Even though these videos were of fairly low quality and could be reasonably distinguished as illegitimate, people … More
In an era of technological transformation and cyber everywhere, the attack surface is growing exponentially as cyber criminals attack operational systems and backup capabilities simultaneously in highly sophisticated ways, leading to enterprise-wide destructive cyberattacks, a Deloitte survey reveals. A majority of C-suite and executive poll respondents (64.6%) report that the growing threat of destructive cyberattacks is one of the top cyber risks at their organization. It’s time for senior leadership to modernize risk management programs and … More
The post Are businesses prepared for an extinction-level cyber event? appeared first on Help Net Security.
As state houses and Congress rush to consider new consumer privacy legislation in 2020, Americans expect more control over their personal information online, and are concerned with how businesses use the data collected about them, a DataGrail research reveals. In a OnePoll online survey of 2,000 people aged 18 and above, 4 out of 5 Americans agreed there should be a law to protect their personal data, and 83 percent of people expect to have … More
The post 50% of people would exercise at least one right under the CCPA appeared first on Help Net Security.
The recent high-profile ransomware attack on foreign currency exchange specialist Travelex highlights the devastating results of a targeted cyber-attack. In the weeks following the initial attack, Travelex struggled to bring its customer-facing systems back online. Worse still, despite Travelex’s assurances that no customer data had been compromised, hackers were demanding $6 million for 5GB of sensitive customer information they claim to have downloaded. Providing services to some of the world’s largest banking corporations including HSBC, … More
The post Data breach: Why it’s time to adopt a risk-based approach to cybersecurity appeared first on Help Net Security.
IOActive researchers found that the LoRaWAN protocol – which is used across the globe to transmit data to and from IoT devices in smart cities, Industrial IoT, smart homes, smart utilities, vehicle tracking and healthcare – has a host of cyber security issues that could put network users at risk of attack. Such attacks could cause widespread disruption or in extreme cases even put lives at risk. Session Keys and Functions in LoRaWAN v1.0.3 Vulnerable … More
The post How to detect and prevent issues with vulnerable LoRaWAN networks appeared first on Help Net Security.
Seventy-nine percent of companies store sensitive data in the public cloud, according to a McAfee survey. [Figure: Anonymized cloud event data showing percentage of files in the cloud with sensitive data] While these companies approve an average of 41 cloud services each, up 33 percent from last year, thousands of other services are used ad-hoc without vetting. In addition, 52 percent of companies use cloud services that have had user data stolen in a breach. By … More
The post 52% of companies use cloud services that have experienced a breach appeared first on Help Net Security.
Through 2022, 80% of supply chain blockchain initiatives will remain at a proof-of-concept (POC) or pilot stage, according to Gartner. One of the main reasons for this development is that early blockchain pilots for supply chain pursued technology-oriented models that have been successful in other sectors, such as banking and insurance. However, successful blockchain use cases for supply chain require a different approach. “Modern supply chains are very complex and require digital connectivity and agility … More
The post Benefits of blockchain pilot programs for risk management planning appeared first on Help Net Security.
In this interview, Mark Sangster, VP & Industry Security Strategist at eSentire, talks about the most pressing issues CISOs are dealing with in today’s fast-paced threat environment. How has the cybersecurity threat landscape evolved in the past 5 years? What are some of the most notable threats eSentire is seeing that were not an issue in the past? The past five years have seen significant progress in both the recognition of cybercrime, but also … More
The post Recommendations for navigating the dynamic cybercrime landscape appeared first on Help Net Security.
“Doomsday is here! The sky is falling! Windows 7 is out of support and all hell will break loose!” – or, at least, that’s what some cybersecurity experts and press outlets want you to think. In this article, I will offer some advice to businesses of all sizes that may need to continue using Windows 7, while understanding the risk. This is my opinion and should be taken as advice only. Every company is different, … More
The post You can upgrade Windows 7 for free! Why wouldn’t you? appeared first on Help Net Security.
Patients and consumers deserve better access to personalized, actionable health care information to empower them to make better, more informed decisions – but it should not drive up health care costs or compromise the privacy of their personal health data, according to a poll of patients and consumers from Morning Consult and America’s Health Insurance Plans (AHIP). Personal privacy outweighs increased transparency A strong majority (62%) of patients want their data and privacy protected more … More
The post Patients believe stronger privacy protections are more important than easier health data access appeared first on Help Net Security.
The 10 top trends that will drive the most significant technological upheavals this year have been identified by Access Partnership. “Shifts in tech policy will disrupt life for everyone. While some governments try to leverage the benefits of 5G, artificial intelligence, and IoT, others find reasons simply to confront Big Tech ranging from protectionism to climate urgency. “Techlash trends highlighted in our report lay bare the risks of regulatory overreach: stymied innovation and economic growth … More
The post Top 10 policy trends to watch for globally in 2020 appeared first on Help Net Security.
Researchers have discovered six critical and high-risk vulnerabilities – collectively dubbed MDhex – affecting a number of patient monitoring devices manufactured by GE Healthcare. The flaws may, according to GE Healthcare, allow an attacker to make changes at the device’s OS level that may render the device unusable or interfere with its function, make changes to alarm settings on connected patient monitors, and utilize services used for remote viewing and control of multiple devices on … More
The post MDhex vulnerabilities open GE Healthcare patient monitoring devices to attackers appeared first on Help Net Security.
Microsoft has one of the best security teams and capabilities of any organization in the technology industry, yet it accidentally exposed 250 million customer records in December 2019. The data was accessible to anyone with a browser, who knew the server location, for about a month in total before an external researcher detected the problem. The database held records of customer support engagements dating back to 2005. Once alerted, Microsoft quickly closed the hole, investigated … More
The post Lessons from Microsoft’s 250 million data record exposure appeared first on Help Net Security.
While cybersecurity professionals are certainly aware of the growing threat posed by sharing data with third parties, many seem to lack the urgency required to address this challenge. If there is one work-related New Year’s resolution I’d like CISOs to make as we enter 2020, it’s to give the challenge of third-party cyber risk the attention it needs. In fact, I no longer see this as optional or as an extension of an enterprise risk … More
The post CISOs: Make 2020 the year you focus on third-party cyber risk appeared first on Help Net Security.
The proliferation of real-time payments platforms, including person-to-person (P2P) transfers and mobile payment platforms across Asia Pacific, has increased fraud losses for the majority of banks. FICO recently conducted a survey with banks in the region and found that 4 out of 5 (78 percent) have seen their fraud losses increase. Further to this, almost a quarter (22 percent) say that fraud will rise significantly in the next 12 months, with an additional 58 percent … More
The post More authentication and identity tech needed with fraud expected to increase appeared first on Help Net Security.
Citrix and FireEye have teamed up to provide sysadmins with an IoC scanner that shows whether a Citrix ADC, Gateway or SD-WAN WANOP appliance has been compromised via CVE-2019-19781. Finding evidence of compromise By now it should be widely known that CVE-2019-19781 – aka “Shitrix” – is a real and present danger: exploits for it abound and attackers are using them, while we wait for fixes for all affected devices to be released. Though the … More
The post IoC Scanner shows if Citrix appliances have been compromised via CVE-2019-19781 appeared first on Help Net Security.
Cisco has released another batch of security updates and patches for a variety of its offerings, including many of its security solutions. Security fixes for security solutions Among the security holes plugged is CVE-2019-16028, a critical authentication bypass vulnerability affecting the Cisco Firepower Management Center – a device that provides visibility into an organization’s network and allows admins to centrally manage critical Cisco network security solutions. “The vulnerability is due to improper handling of Lightweight … More
The post It’s time to patch your Cisco security solutions again appeared first on Help Net Security.
Be extra careful when looking for a job online, the Internet Crime Complaint Center (IC3) warns: cybercriminals are using fake job listings to trick applicants into sharing their personal and financial information, as well as into sending them substantial sums of money. “While hiring scams have been around for many years, cyber criminals’ emerging use of spoofed websites to harvest PII and steal money shows an increased level of complexity. Criminals often lend credibility to … More
The post Cybercriminals using fake job listings to steal money, info from applicants appeared first on Help Net Security.
As the Zero Trust approach to cybersecurity gains traction in the enterprise world, many people have come to recognize the term without fully understanding its meaning. One common misconception: Zero Trust is all about access controls and additional authentication, such as multi-factor authentication. While these two things help organizations get to a level of Zero Trust, there is more to it: a Zero Trust approach is really an organization-wide architecture. Things aren’t always as they … More
Artificial intelligence – more specifically, the machine learning (ML) subset of AI – has a number of privacy problems. Not only does ML require vast amounts of data for the training process, but the derived system is also provided with access to even greater volumes of data as part of the inference processing while in operation. These AI systems need to access and “consume” huge amounts of data in order to exist and, in many … More
There’s a widening gap between IT resources and the demands of managing the increasing scale and complexity of enterprise cloud ecosystems, a Dynatrace survey of 800 CIOs reveals. IT leaders around the world are concerned about their ability to support the business effectively, as traditional monitoring solutions and custom-built approaches drown their teams in data and alerts that offer more questions than answers. CIO responses in the research indicate that, on average, IT and cloud … More
The post CIOs using AI to bridge gap between IT resources and cloud complexity appeared first on Help Net Security.
Two years ago, Apple abandoned its plan to encrypt iPhone backups in the iCloud in such a way that makes it impossible for it (or law enforcement) to decrypt the contents, a Reuters report claimed on Tuesday. Based on information received by multiple unnamed FBI and Apple sources, the report says that the decision was made after Apple shared its plan for end-to-end encrypted iCloud backups with the FBI and the FBI objected to it. … More
The post Did Apple drop end-to-end encrypted iCloud backups because of the FBI? appeared first on Help Net Security.
Honeywell’s Maxpro VMS and NVR, network video recorders and video management systems deployed in commercial, manufacturing and energy facilities around the world, sport critical vulnerabilities that may allow attackers to take control of them. Patches available for the Honeywell Maxpro vulnerabilities Two vulnerabilities have been discovered and reported by Joachim Kerschbaumer: CVE-2020-6959, stemming from an unsafe deserialization of untrusted data, which could allow an attacker to remotely modify deserialized data using a specially crafted web … More
The post Honeywell Maxpro VMS/NVR systems vulnerable to hijacking appeared first on Help Net Security.
When Jordan Liggitt at Google posted details of a serious Kubernetes vulnerability in November 2018, it was a wake-up call for security teams ignoring the risks that came with adopting a cloud-native infrastructure without putting security at the heart of the whole endeavor. For such a significant milestone in Kubernetes history, the vulnerability didn’t have a suitably alarming name comparable to the likes of Spectre, Heartbleed or the Linux Kernel’s recent SACK Panic; it was … More
The post Container security requires continuous security in new DevSecOps models appeared first on Help Net Security.
While a majority of CEOs express strong confidence in the effectiveness of their current IT systems, most are struggling to close the innovation achievement gap to drive growth and revenue, according to a global study by Accenture. This is based on Accenture’s largest enterprise IT study conducted to date, including survey data from more than 8,300 organizations across 20 countries and 885 CEOs. Innovation achievement gap: Adopting new technologies The research, which analyzed the adoption … More
The post Companies risk revenue growth due to innovation achievement gap appeared first on Help Net Security.
Email security miss rates are definitely a huge issue. Malicious files regularly bypass all of today’s leading email security products, leaving enterprises vulnerable to email-based attacks including ransomware, phishing and data breaches, according to BitDam. BitDam conducted an empirical study to measure leading email security products’ ability to detect unknown threats at first encounter. Unknown threats are produced in the wild, sometimes hundreds in a day. The study employs the retrieval of fresh samples of … More
The post Email security industry miss rates when encountering threats are higher than 20% appeared first on Help Net Security.
Most state CIOs see innovation as a major part of their job – 83% said innovation is an important or very important part of their day-to-day leadership responsibilities – while only 14% reported extensive innovation initiatives within their organizations, Accenture and the National Association of State Chief Information Officers (NASCIO) reveal. Previously, NASCIO had highlighted innovation as a top ten current issue facing state CIOs. “The pace of technological change keeps accelerating, bringing new challenges … More
The post State CIOs see innovation as critical priority, only 14% report extensive innovation appeared first on Help Net Security.
ACROS Security has released a micropatch that implements the workaround for a recently revealed actively exploited zero-day RCE flaw affecting Internet Explorer (CVE-2020-0674). Remote code execution vulnerability affecting IE Last Friday, Microsoft released an out-of-band security advisory notifying Internet Explorer users of a remote code execution vulnerability affecting IE 11, 10 and 9 on various versions of Windows and Windows Server, which they know is being exploited in “limited targeted attacks”. Flagged by researchers from … More
The post Micropatch simulates workaround for recent zero-day IE flaw, removes negative side effects appeared first on Help Net Security.
As attackers continue to hit vulnerable Citrix (formerly Netscaler) ADC and Gateway installations, Citrix has released permanent fixes for some versions and has promised to provide them for other versions and for two older versions of SD-WAN WANOP by January 24. A short timeline before the situation update CVE-2019-19781, a critical vulnerability affecting Citrix ADC and Gateway that may allow unauthenticated attackers to achieve remote code execution and obtain direct access to an organization’s local … More
The post First patches for the Citrix ADC, Gateway RCE flaw released appeared first on Help Net Security.
Trend Micro announced the results of research featuring a honeypot imitating an industrial factory. The highly sophisticated Operational Technology (OT) honeypot attracted fraud and financially motivated exploits. [Figure: Hardware equipment that ran the factory] Complex investigation The six-month investigation revealed that unsecured industrial environments are primarily victims of common threats. The honeypot was compromised for cryptocurrency mining, targeted by two separate ransomware attacks, and used for consumer fraud. “Too often, discussion of cyber threats to industrial … More
The post Researchers create OT honeypot, attract exploits and fraud appeared first on Help Net Security.
Japanese multinational Mitsubishi Electric has admitted that it had suffered a data breach some six months ago, and that “personal information and corporate confidential information may have been leaked.” The company, though, claims that “sensitive information on social infrastructure such as defense, electric power, and railways, highly confidential technical information, and important information concerning business partners have not been leaked.” What was compromised in the Mitsubishi Electric data breach? Mitsubishi Electric is a manufacturer of … More
The post Mitsubishi Electric discloses data breach, possible data leak appeared first on Help Net Security.
Companies are increasingly building smart products that are tailored to know the individual user. In the automotive world, the next generation passenger vehicle could behave like a personal chauffeur, sentry and bodyguard rolled into one. Over the next decade, every car manufacturer that offers any degree of autonomy in a vehicle will be forced to address the security of both the vehicle and your data, while also being capable of recognizing and defending against threats … More
Seemingly every day news drops that a popular site with millions of users had been breached and its user database leaked online. Almost without fail, attackers try to use those leaked user credentials on other sites, making password stuffing one of the most common attacks today. Users often use the same username/email and password combination for multiple accounts and, unfortunately, enterprise accounts are no exception. Attackers can, therefore, successfully use leaked credentials to access specific … More
Five security best practices for DevOps and development professionals managing Kubernetes deployments have been introduced by Portshift. Integrating these security measures into the early stages of the CI/CD pipeline will assist organizations in the detection of security issues earlier, allowing security teams to remediate issues quickly. Kubernetes as the market leader The use of containers continues to rise in popularity in test and production environments, increasing demand for a means to manage and orchestrate them. … More
The post Techniques and strategies to overcome Kubernetes security challenges appeared first on Help Net Security.
Vendor revenue from sales of IT infrastructure products (server, enterprise storage, and Ethernet switch) for cloud environments, including public and private cloud, declined in the third quarter of 2019 (3Q19) as the overall IT infrastructure market continues to experience weakening sales following strong growth in 2018, IDC reveals. The decline of 1.8% year over year was much softer than in 2Q19 as the overall spend on IT infrastructure for cloud environments reached $16.8 billion. IDC … More
The post Revenue from cloud IT infrastructure products declines appeared first on Help Net Security.
Waterfall Security Solutions announced a major expansion into new markets and industry verticals. In support of this expansion, Waterfall has secured a significant new funding round to enable aggressive growth. We caught up with Lior Frenkel, CEO and co-founder of the company, to find out more. So Lior, you folks just announced a big new expansion and investment. What are your main priorities for Waterfall Security in the next 5 years? Well, let me first … More
Our data-driven society has a tricky balancing act to perform: building innovative products and services that use personal data while still protecting people’s privacy. To help organizations keep this balance, the National Institute of Standards and Technology (NIST) is offering a new tool for managing privacy risk. Version 1.0 of the NIST Privacy Framework The agency has just released Version 1.0 of the NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management. … More
The post NIST Privacy Framework 1.0: Manage privacy risk, demonstrate compliance appeared first on Help Net Security.
Over the next two years, 50% of organizations will experience increased collaboration between their business and IT teams, according to Gartner. The dispute between business and IT teams over the control of technology will lessen as both sides learn that joint participation is critical to the success of innovation in a digital workplace. “Business units and IT teams can no longer function in silos, as distant teams can cause chaos,” said Keith Mann, senior research … More
The post Business units and IT teams can no longer function in silos appeared first on Help Net Security.
Want to know what’s in an open source software component before you use it? Microsoft Application Inspector will tell you what it does and spots potentially unwanted features – or backdoors. About Microsoft Application Inspector “At Microsoft, our software engineers use open source software to provide our customers high-quality software and services. Recognizing the inherent risks in trusting open source software, we created a source code analyzer called Microsoft Application Inspector to identify ‘interesting’ features … More
The post Microsoft Application Inspector: Check open source components for unwanted features appeared first on Help Net Security.
By improving access to data and taking advantage of them in fundamentally different ways to drive profitability, IT security executives are rapidly changing perceptions of their office. Although making better sense of and use of data may be standard fare in other areas of the enterprise, who knew that modern IoT cybersecurity solutions would become network security’s newest professional lever? Actually, we should have seen it coming, because digital transformation always starts with visibility and … More
Masergy Shadow IT Discovery: Automatically identify unauthorized SaaS applications Masergy Shadow IT Discovery immediately scans and identifies all applications, providing clients visibility through the SD-WAN management portal. Until now, IT departments have had to rely on a variety of endpoint security solutions and guesswork to access this information. The time savings and decreased threat exposure will help IT organizations increase their security posture and keep up with the blind spots created by unsanctioned usage. STEALTHbits … More
The post New infosec products of the week: January 17, 2020 appeared first on Help Net Security.
Rapidly evolving cybersecurity threats are now commanding the attention of senior business leaders and boards of directors and are no longer only the concern of IT security professionals. A report from University of California, Berkeley’s Center for Long-Term Cybersecurity (CLTC) and Booz Allen Hamilton uses insights gleaned from board members with over 130 years of board service across nine industry sectors to offer guidance for boards of directors in managing cybersecurity within large global companies. … More
The post How to govern cybersecurity risk at the board level appeared first on Help Net Security.
Worldwide IT spending is projected to total $3.9 trillion in 2020, an increase of 3.4% from 2019, according to the latest forecast by Gartner. Global IT spending is expected to cross into $4 trillion territory next year. “Although political uncertainties pushed the global economy closer to recession, it did not occur in 2019 and is still not the most likely scenario for 2020 and beyond,” said John-David Lovelock, distinguished research vice president at Gartner. “With … More
The post Worldwide IT spending to total $3.9 trillion in 2020 appeared first on Help Net Security.
Facebook will (finally!) explicitly tell users who use Facebook Login to log into third-party apps what information those apps are harvesting from their FB account. At the same time, users will be able to react quickly if someone managed to compromise their Facebook accounts and is using their credentials to access other apps and websites. Login Notifications The new feature, called Login Notifications, will deliver notifications to users via the Facebook app and user’s associated … More
The post Facebook users will be notified when their credentials are used for third-party app logins appeared first on Help Net Security.
As organizations proceed to move their processes from the physical world into the digital, their risk profile changes, too – and this is not a time to take risks. By not including security into DevOps processes, organizations are exposing their business in new and surprising ways. DevOps DevOps has accelerated software development dramatically, but it has also created a great deal of pain for traditional security teams raised up on performing relatively slow testing. Moving … More
The vast majority of nationally sponsored cybersecurity incidents take the form of espionage through data exfiltration, with frequent employment of remote access tool Plug-X, according to the annual threat report by eSentire. Emotet is the leader The report found that Emotet accounted for almost 20% of confirmed malware incidents, reinforcing its role in the black market as the preferred delivery tool. Emotet was the most observed threat both on networks and on endpoints, achieving this … More
The post Emotet remains the dark market leader for delivery-as-a-service appeared first on Help Net Security.
Organizations around the world will accelerate enterprise technology investment in 2020, leveraging digital improvements to make them more competitive, improve connections with consumers, and keep up with the increasing demands of privacy regulation and security needs. Hyland has identified six technology trends that will drive these improvements and demand the attention of CIOs and CTOs in the coming year and beyond. Prioritize cloud control Organizations will opt for managed cloud services to increase security and efficiency. … More
The post Six trends attracting the attention of enterprise technology leaders appeared first on Help Net Security.
The global security services industry is poised to experience spend growth of more than $80 billion between 2019 and 2024, at a CAGR of over 8% during the forecast period, according to SpendEdge. Factors such as the increase in instances of IP infringement and the frequency of economic and sporting events are exposing the masses to significant security risks. This is creating a pressing requirement to engage security services across the domestic and business sectors across the globe … More
The post Global security services industry to experience spend growth of more than $80 billion appeared first on Help Net Security.
Google users who opt for the Advanced Protection Program (APP) to secure their accounts are now able to use their iPhone as a security key. About Google’s Advanced Protection Program Google introduced the Advanced Protection Program in late 2017, to help high-risk users – journalists, human rights activists, IT admins, executives, etc. – keep their Google accounts safe from targeted attacks. APP is available to both consumer (Google Account) and enterprise users (G Suite). It initially … More
The post High-risk Google account owners can now use their iPhone as a security key appeared first on Help Net Security.
The Cloud Native Computing Foundation is inviting bug hunters to search for and report vulnerabilities affecting Kubernetes. Offered bug bounties range between $100 to $10,000. What is Kubernetes? Kubernetes is an open-source container-orchestration system for automating application deployment, scaling, and management. It was designed by Google but has been open sourced and handed over to the Cloud Native Computing Foundation to continue its maintenance and has become a community project. The Kubernetes bug bounty program … More
The post Kubernetes bug bounty program open to anyone, rewards up to $10,000 appeared first on Help Net Security.
More than one in four security managers attribute attacks against their organization to cyberwarfare or nation-state activity, according to Radware. Nation-state intrusions soaring In 2018, 19% of organizations believed they were attacked by a nation-state. That figure increased to 27% in 2019. Companies in North America were more likely to report nation-state attribution, at 36%. “Nation-state intrusions are among the most difficult attacks to thwart because the agencies responsible often have significant resources, knowledge of … More
The post Companies increasingly reporting attacks attributed to foreign governments appeared first on Help Net Security.
Over the course of 2019, 36% of the incidents that CrowdStrike investigated were most often caused by ransomware, destructive malware or denial of service attacks, revealing that business disruption was often the main attack objective of cybercriminals. Another notable finding in the new CrowdStrike Services Report shows a large increase in dwell time to an average of 95 days in 2019 — up from 85 days in 2018 — meaning that adversaries were able to … More
The post Cyber attackers turn to business disruption as primary attack objective appeared first on Help Net Security.
Information Technology spending by Department of Defense (DOD) and Intelligence Community (IC) agencies will continue to grow as they work to keep pace with the evolution of both the threat landscape and technology development, according to Deltek. Intelligence community The increasing sophistication of adversaries, expanding threat landscape, rapid pace of technology advancement and data proliferation continue to fuel the IC’s demand for tools and resources to meet mission objectives. IT solutions such as cloud computing, … More
The post Budgetary, policy, workforce issues influencing DOD and intelligence community IT priorities appeared first on Help Net Security.