Category Archives: Featured

Deepfake LinkedIn Profile Shows Espionage Threat

A deepfake account with possible connections to foreign espionage activity has been identified on LinkedIn.

“Katie Jones” purported to be a senior researcher for the Center for Strategic and International Studies (CSIS). Her well-connected profile on the professional social media site seemed legitimate, with connections that included a deputy assistant secretary of state and economist Paul Winfree, currently being considered for a seat on the Federal Reserve.

An investigation conducted by the Associated Press found that Jones doesn’t exist, and that her profile photo–depicting an attractive woman in her 30s–was a deepfake created using generative adversarial networks, or GANs, AI-driven software that can produce believable images of fictitious people.

“For a while now people have been worrying about the threat of ‘deepfakes’, AI-generated personas that are indistinguishable, or almost indistinguishable, from real live humans,” tweeted AP reporter Raphael Satter, who first reported on the story.

“I conducted about 40 interviews, speaking to all but a dozen of Katie’s connections. Overwhelmingly, her connections told me they accepted whoever asked to their network,” Satter wrote in another tweet.

LinkedIn has been called a “spy’s playground” in reference to the site’s functionality, which makes rote the acceptance of connections from strangers with the suggestion that doing so might benefit their own careers. The German spy agency Bundesamt für Verfassungsschutz (BfV) warned of the potential danger of the platform and how “[i]nformation about habits, hobbies and even political interests can be generated with only a few clicks.”

“Instead of dispatching spies to some parking garage in the U.S to recruit a target, it’s more efficient to sit behind a computer in Shanghai and send out friend requests to 30,000 targets,” said William Evanina, director of the U.S. National Counterintelligence and Security Center.

Digital imaging experts warn LinkedIn users to look for telltale signs of GAN-generated profiles, such as those in the below photo. Several more examples can be found on the website thispersondoesnotexist.com, which randomly generates GAN photos.

AP Deepfake photo
Source: AP Photo

Read the original AP report here.

The post Deepfake LinkedIn Profile Shows Espionage Threat appeared first on Adam Levin.

Evite Experiences Data Breach

Online invitation service Evite notified users about a data breach of user data that included names, usernames, email addresses, passwords, and mailing addresses.

The company disclosed the breach following the release of the affected data on the dark web. A hacker claimed to have access to 10 million user accounts.

“We became aware of a data security incident involving potential unauthorized access to our systems in April 2019. We engaged one of the leading data security firms and launched a thorough investigation. The investigation potentially traced the incident to malicious activity starting on February 22, 2019. On May 14, 2019, we concluded that an unauthorized party had acquired an inactive data storage file associated with our user accounts,” the company announced on its website.

Evite assured users that social security numbers and financial information were not part of the data being sold. The company urged users to reset their passwords and to be on the lookout for suspicious activities.

For some tips for personal information best practices, click here.

Read Evite’s announcement here.


You’re Probably Worse Than You Think at Cybersecurity. You’re Not Alone.

If you’re like most people, you feel confident and well-informed about online security, and if you’re like most people you have absolutely no reason to feel that way.

That was the conclusion of a new survey from Harris Poll and Google, which found that 55% of Americans above the age of 16 graded themselves as an A or B when it comes to online safety, but only 23% could identify a link with “https” as being more secure than “http,” 70% misidentified a secure URL, and a whopping 97% got at least one answer wrong on a basic six-question security test.

But don’t let it get you down–many major companies aren’t very good at online security, either.

First American Financial and Google’s Years-Long Blunder

Take, for example, First American Financial Corp. The company stored customer documents and records pertaining to mortgage deals going back 16 years in a way that was openly accessible to anyone with a web browser: zero authentication or encryption required. All one needed was a guessable URL to view documents related to mortgage deals including bank account numbers, tax records, Social Security numbers, and scans of driver’s licenses. There were scads of records involved, like almost 900 million of them.

As Brian Krebs noted, the number of people with access “would potentially include anyone who’s ever been sent a document link via email by First American.” By extension, it would also include anyone with access to an email fitting that description.

While First American is a Fortune 500 company, it has never demonstrated any interest in being a cybersecurity-forward company. That said, even companies that take cyber security seriously often get it wrong.

Take Google, for instance. The search giant came clean about a similar gaffe earlier this month, revealing that passwords associated with the accounts of an unspecified number of G Suite users had been stored in an unencrypted format on their servers for 14 years.

“To be clear, these passwords remained in our secure encrypted infrastructure,” the company announced in a blog post. Considering that the passwords were supposed to be stored in a hashed format, reassurances about the surrounding infrastructure seem a bit hollow.

And Many, Many Others

Google and First American are hardly alone. Facebook’s seemingly unending parade of major privacy accidents, mistakes, and gaffes is mind-boggling and too long to list here.

This month alone 49 million Instagram users learned their personal information had been leaked, and 5 million customers of Canada’s fourth largest cellular provider also were potentially exposed. The FEMA leak of 2.3 million disaster victims’ records as well as Meditab’s accidental exposure of six million medical records in the form of digitized faxes are two other recent indications from news feeds that we are all living in a state of cyber insecurity.

These news items are noteworthy not only because of the danger they pose to the people whose personal information is now almost certainly in the wrong hands. What matters here is that none of them are data breaches. They are all data leaks.

It’s easy to confuse the two, but while a data breach is a failure to keep a hacker or cyber-attacker out of your data, a data leak is a failure to protect it in the first place. It’s the difference between someone breaking into a bank vault and having an employee not bothering to shut and bolt the vault door. And much like data breaches, leaks only seem to be getting more common.

This is where corporate culture comes into play.

If a majority of people have an unrealistically high opinion of their own security savviness, companies need to take that into account. Lax attitudes and faulty assumptions are rife in the workplace. That Google traversed 14 years as a going concern without checking a basic security feature in one of its flagship services is resounding proof of this troubling fact.

What can companies do?

As the old Peter Drucker saying goes, “Culture eats strategy for breakfast.” While it’s extremely difficult, especially for cybersecurity teams, to change pervasive attitudes in a company, that’s the job at hand.

A few basic practices can help get companies headed in the right direction, and cut down on some of the more easily preventable data leaks:

  • Ask simple questions and encourage others to do the same: Reliance on sophisticated tools for determining cyber risk is an easy (and bad) habit to fall into. Tools should never trump basic questions like, “Is that data encrypted?”
  • Map and inventory your data: Data is an important commodity to businesses and hackers alike. Losing track of customer data or information only opens the door for it to be left accidentally unprotected on a server or a network drive. Any time data is collected, have a policy for documenting where it is, how it’s stored, and who has access to it.
  • Review your practices: Most IT departments are overworked and spread thin. Running from one crisis to the next means less time to check and double-check for any security holes or basic errors in how security is handled.

A sloppy attitude toward data security is ultimately a safety issue. While people affected by a data leak may not be in immediate physical danger, there is potential for lasting harm to customers and a company’s reputation. Much like any other workplace safety issue, a set of rigorous safeguards and workplace training are vital to avoid carelessness.



Maine Passes Internet Privacy Bill

Maine has passed a bill prohibiting ISPs from using and selling the data of internet users within the state.

The Act to Protect the Privacy of Online Consumer Information is closely modeled on an Obama-era FCC rule that prohibited internet service providers from collecting information on their customers. The rule was revoked in 2017.

According to the bill’s summary, the Maine legislation “prohibits a provider of broadband Internet access service from using, disclosing, selling or permitting access to customer personal information unless the customer expressly consents to that use, disclosure, sale or access…. The bill prohibits a provider from refusing to serve a customer, charging a customer a penalty or offering a customer a discount if the customer does or does not consent to the use, disclosure, sale or access.”

Additional requirements include “reasonable measures” to protect user data from outside access, although there is not much in the way of specifics regarding these measures.

Although the bill passed with broad bipartisan support, tech companies and ISPs strongly opposed the measure.

“Maine should avoid being the first to attempt to regulate an interstate service,” wrote Christina Fisher, a representative for a coalition of 84 technology companies opposing the law.

State Attorney General Aaron Frey disagreed.

“The state has a significant interest in protecting Maine consumers from practices that may compromise their personal data, or which place their financial well-being at risk,” Frey said in a statement in support of the law.

Read more about the law here.


Revealed: 2016 Russian Troll Activity More Lucrative and Widespread

Online activity by Russian trolls in the lead-up to the 2016 election was significantly more widespread than initially estimated, cybersecurity firm Symantec concluded.

Symantec announced their findings following the analysis of a dataset released by Twitter in October 2018. The data, consisting of 3,900 accounts and 10 million tweets linked to a Russian company known as the Internet Research Agency (IRA), showed a massive and coordinated campaign to target both sides of the U.S. political divide with propaganda relating to wedge issues.

Twitter activity from the IRA was categorized by Symantec. There were 123 “main accounts,” with large numbers of followers and mostly generating new content, as well as 3,713 “auxiliary” accounts, which were used to amplify the messaging from those main accounts.

“Main accounts generally were ‘fake news’ outlets masquerading as regional news outlets, or pretending to be political parties or hashtag games,” stated the report. “The top 20 most retweeted English-language accounts were split evenly between conservative and liberal messages.”

The most successful account in the IRA campaign went by the username TEN_GOP. The handle dubbed itself the “Unofficial Twitter of Tennessee Republicans. Covering breaking news, national politics, foreign policy and more.” It managed to accumulate almost 150,000 followers and 6 million retweets, almost entirely from non-IRA-linked accounts.

Among the IRA fake news accounts were “New York City Today,” “Chicago Daily News,” “San Francisco Daily,” and many others. Their primary function seems to have been the proliferation and adoption of fake or skewed news content to further propagandize targeted audiences.

“It was a highly professional campaign. Aside from the sheer volume of tweets generated over a period of years, its orchestrators developed a streamlined operation that automated the publication of new content and leveraged a network of auxiliary accounts to amplify its impact.”



Photo Sharing System Leaks More than 11 Million Pics

At least 11 million public and private photographs were found on an unsecured database connected to an online photo sharing service.

Researchers from VPNMentor discovered an online database that they traced back to Theta360, a photo service specializing in panoramic photos taken with Ricoh-brand cameras. The unsecured data contained photographs, usernames, full names, and photo captions, including those marked by users as private.

“We take the security of customer information extremely seriously. It’s important to note that before the resolution, further steps beyond accessing the records would have been necessary and would require a deeper level of expertise to ultimately view the images. Today, private photos are only accessible to those with a direct link, a design feature that is intended to allow customers to share their images,” said Ricoh spokesperson John Greco.

The leaked data was initially indexed by IoT-centric search engine Shodan on May 9, was discovered May 14, and taken offline May 16.

“We want to note that Theta360’s response to our discovery was the most professional of any company that we’ve contacted about a leak,” stated the official VPNMentor blog. “They quickly and efficiently closed the breach to protect their users.”


Quest Diagnostics Highlights Vendor Vulnerability

Quest Diagnostics, a leading American clinical laboratory company, announced today that the records of 11.9 million patients may have been compromised in a vendor-related incident.

A statement released by Quest revealed that an “unauthorized user” had gained access to a system used by American Medical Collection Agency (AMCA), a billing vendor subcontracted by a Quest contractor called Optum360. Patient Social Security numbers and medical records were potentially compromised. Lab results were not compromised, according to the statement.

On a scale from 1 to 10, this news should elicit a full-body wince. Health services rely on a rich ecosystem of interconnected businesses, and there is a vendor “food chain” of sorts. The old truism that you’re only as good as the vendors you choose is made more complex in a vendor-rich environment, because you may be affected by your vendor’s vendor. We have reached the point in our collective cyber insecurity that vendor vetting should extend to, or prohibit, unsupervised and/or undisclosed subcontracts.

News that Quest potentially exposed extremely sensitive PHI (Protected Health Information) as well as the financial information of 12 million patients was the result of a vendor mistake, and that should be met with serious alarm. It was caused by an organization in Quest’s vendor food chain, but it means there is something desperately wrong with the way big business views the perils of big data in general.

Call it vendor vulnerability. Call it an avoidable cyber-fail. But don’t say it isn’t serious. The revelation that specific lab tests may not have been exposed is cold comfort to those who now have a higher likelihood of suffering some sort of identity fraud incident.

Read more here.


What Game of Thrones Can Teach You About Data Breaches

HBO’s hit series Game of Thrones is now history, but it will live on in the hearts, minds and social media interactions of its followers for some time to come. Before now the only thing GoT fans wanted besides a juicy spoiler was to know who would take the Iron Throne. How it all ended was something hackers spent significant time and effort trying to find out.

And while many (myself included) will continue to debate what the show “means,” and will continue to speculate and analyze the significance of a misplaced coffee cup, I have for some time been more interested in the cybersecurity ramifications of a spoiler-free finale.

Because I own a cybersecurity firm and write about cyber issues every week, I tend to see most things through that lens. That said, I found it easy to draw a number of parallels (and/or object lessons) from the show’s plot to the not-exactly-obvious realm of cybersecurity. (And, I am not alone at all.)

Consider the similarities: On the one hand, you’ve got a massive wall of ice that serves to protect the realm against hostile invaders and zombies defended by an underappreciated force of guardians who are doing all they can to hold the line. On the other, enterprise firewalls assailed by cyber-attackers and botnets, and there’s an equally beleaguered staff tasked with keeping out the bad guys.

You don’t need to be a GoT fan to grok the parallel. As for the implied cyber situation here, I was less concerned about the plot than I was with the production of that plot (specifically the protection of its secrets). GoT’s finale was, rightly so, one of the most tightly-guarded secrets in the entertainment industry.

Without underestimating the lure of intrigue, violence, and gratuitous nudity, the series became a hit in large part because of its wild unpredictability: major and minor characters alike were often and unceremoniously killed in shocking plot twists. After the first season saw the show’s protagonist beheaded, each successive season one-upped the unpredictability factor with fan-favorites and villains alike being stabbed, burned alive, executed, hanged, poisoned, and even resurrected once or twice. This became even more the case once the show outpaced its source material, a series of novels by author George R. R. Martin, at which point even long-time readers had no idea what was coming next.

This unpredictability is arguably what turned GoT into HBO’s flagship series, which made the need to keep plot twists secret positively pivotal to the show’s ongoing success and survival. And as with any company’s most sensitive data, an illegal market emerged for any information that could spoil the next big twist.

Hackers and Leakers

Hackers gain prestige (and can earn a king’s ransom) by displaying their ability to break into networks. Like a severed head, stolen data is the proof of success in this arena. Case in point: the hacking group Lulzsec’s 2011 hack of the U.S. Senate web server, where rudimentary information was posted to prove they had penetrated the network. They even left a message referring to their activities (which carried penalties of between 5 and 20 years in prison) as being “a small, just-for-kicks release.”

This obviously isn’t the case for hackers who engage in nation-state espionage or hold hospital networks hostage for ransom (for them we should reserve a special place in Hell), but when it comes to your garden-variety hackers and leakers, they share the same DNA: It doesn’t matter what data is being released (compromised databases, celebrity cell phone photos, pre-released films, plot spoilers) so much as who managed to gain access to it first.

A Market for Leaked Data

It shouldn’t come as a surprise that HBO has been fighting a losing battle for years to keep a tight lid on its upcoming plot twists. The market to get the proverbial goods on the show means instant attention for the successful hacker, and meteoric traffic for the website that manages to feed the insatiable demand for more details on what’s to come. Spoilers from consistently reliable sources immediately hit the front page of major websites, that in turn want the attention (and ad traffic) reserved for whoever is first on the scene.

The object lesson is that it’s hard to protect data when there’s a strong demand for it. This applies as much to a business’s confidential information as it does to whichever character doesn’t live to see the end of a television series.

The Supply Chain

A large part of the appeal for the GoT series has been the spectacle of it; each season boasted exotic locales, elaborate costumes, magical creatures, and epic battles between massive armies. A legion of people made it happen, including film crews in different countries, thousands of extras, CGI animators, editors, writers, producers, and countless other logistical players.

Each person on the job represented a potential source for compromise. Every step of a season, from its planning to its execution, is at some point vulnerable to this or that detail getting into the wrong hands and from there going viral. The more people involved, the greater the likelihood of that happening. Welcome to the world of supply chain vulnerabilities.

If the number of people working on Game of Thrones sounds daunting, consider the number of people with access to information or data at a small- to mid-sized company. Every single employee, ex-employee, freelancer, or contractor at one point or another has access to at least a piece of its data. Consider then, the number of people involved in the development of any software used by that organization. The attackable surface of a company grows exponentially with all these vectors of vulnerability. Every access point has the potential for a breach, be it from an unprotected drive, a re-used password, an irresponsible click, a compromised cell phone or a bad player. The longer the chain of employees, the more vulnerable a company becomes.

A company’s data might not have a Game of Thrones-sized target on its back, but as we’ve seen from near-daily breaches and leaks, there’s always a market for data.

What HBO Has Done Right

Given the scope of the show and the near-feverish demand for details about it, it’s surprising that it hasn’t had more leaks. While protecting data is a pass/fail proposition, businesses could benefit from a consideration of what HBO has done to protect against spoilers.

The network has made a point of making anyone with any kind of access to information sign an extremely restrictive non-disclosure agreement. This even extended to the fiancé of one of the actresses on the show. While the average business has neither the time nor resources to deal NDAs willy-nilly to its employees, the takeaway is that HBO turned nearly everyone with access into stakeholders, and placed a premium on keeping data secure. It put culture before strategy. Being held personally accountable for carelessness when it comes to data is strong motivation, and emphasizing the importance of keeping it secure in the first place is a hallmark of good cyber leadership.

When push came to shove, GoT operated in a zero-trust environment, with actors learning their lines in real time through an earpiece.

A Losing Battle?

The valuable data for this Game of Thrones had an expiration date, i.e., when the final credits rolled. And that’s where it differs from the information many companies are tasked with protecting. While the stakes might not always be as high for a small- to medium-sized company as they were for HBO, there are lessons to be learned from its paranoia. The most important one: there really are people out there who are out to get you.


AI, the Mandatory Element of 5G Mobile Security

The complexity and scale of the 5G ecosystem, combined with a lack of skills and training in software-centric security, will be important drivers for AI deployment in the carrier space.

Was Your Mortgage Deal One of Nearly 900 Million Recently Exposed?

First American Financial Corp. left hundreds of millions of sensitive financial documents unprotected on its website dating back as far as 2003.

The security hole, discovered by Washington real estate developer Ben Shoval and reported by security expert Brian Krebs, allowed anyone with a web browser full access to digitized records related to mortgage deals. Among the leaked information were bank account numbers, Social Security numbers, and scans of driver licenses.

The documents on the site were accessible by simply changing a single digit on a verified URL. The company used a simple nine-digit number in every document on its site starting with 000000075, with every successive number corresponding to another person’s document.
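The defect described here (and in the “Years-Long Blunder” post above) is a missing authorization check on a guessable document id, not the sequential numbering itself. The following is an added illustration, not First American’s code: a constructed document store with the flawed lookup beside a hardened one that takes identity from the session, and an HMAC-bound share link so that an e-mailed link cannot be edited to reach a neighbouring record. Names, ids and the server key are all made up.

```python
import hashlib
import hmac
import time

# Constructed sample store. The nine-digit sequential ids mirror the scheme the
# article describes; the owners and titles are invented for this example.
DOCUMENTS = {
    "000000075": {"owner": "alice", "title": "Closing statement (constructed)"},
    "000000076": {"owner": "bob",   "title": "Account verification (constructed)"},
    "000000077": {"owner": "carol", "title": "Tax transcript (constructed)"},
}

# Placeholder key for the example; a real deployment keeps this in a secrets store.
SERVER_KEY = b"example-key-not-a-real-secret"


class AccessDenied(Exception):
    """Raised for anything the caller may not see. Deliberately carries no detail,
    so a missing id and a forbidden id look identical from the outside."""


def fetch_document_insecure(doc_id):
    """The flawed pattern: the id in the URL is the only thing consulted.
    Whoever holds one valid link can reach any other record by changing a digit."""
    return DOCUMENTS.get(doc_id)


def fetch_document(doc_id, session_user):
    """Hardened lookup: the requester's identity comes from the authenticated
    session, and the record is released only to its owner."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc["owner"] != session_user:
        raise AccessDenied()
    return doc


def _link_token(doc_id, expires_at, key):
    # The MAC covers both the id and the expiry, so altering either invalidates it.
    msg = f"{doc_id}|{expires_at}".encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_share_link(doc_id, ttl_seconds, key=SERVER_KEY, now=None):
    """Build a time-limited link for e-mailing a single document to its owner."""
    now = int(time.time()) if now is None else now
    expires_at = now + ttl_seconds
    return {"doc_id": doc_id, "expires_at": expires_at,
            "token": _link_token(doc_id, expires_at, key)}


def fetch_via_link(link, key=SERVER_KEY, now=None):
    """Serve a document from a share link only if the token still matches the id
    and the link has not expired. Constant-time comparison avoids timing leaks."""
    now = int(time.time()) if now is None else now
    doc_id, expires_at = link["doc_id"], int(link["expires_at"])
    if now > expires_at:
        raise AccessDenied()
    expected = _link_token(doc_id, expires_at, key)
    if not hmac.compare_digest(link["token"], expected):
        raise AccessDenied()
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        raise AccessDenied()
    return doc


def is_denied(fn, *args, **kwargs):
    """Small helper for checks and tests: True if the call raises AccessDenied."""
    try:
        fn(*args, **kwargs)
        return False
    except AccessDenied:
        return True


if __name__ == "__main__":
    # Insecure path hands out a stranger's record; hardened path does not.
    print(fetch_document_insecure("000000076")["owner"])          # bob
    print(is_denied(fetch_document, "000000076", "alice"))         # True
    link = make_share_link("000000075", ttl_seconds=3600)
    tampered = dict(link, doc_id="000000076")                      # edited digit
    print(is_denied(fetch_via_link, tampered))                     # True
```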

“As of the morning of May 24, firstam.com was returning documents up to the present day (885,000,000+), including many PDFs and post-dated forms for upcoming real estate closings,” Krebs reported on his findings.

“The title insurance agency collects all kinds of documents from both the buyer and seller, including Social Security numbers, driver licenses, account statements, and even internal corporate documents if you’re a small business,” Shoval said. “You give them all kinds of private information and you expect that to stay private.”

First American took the exposed website offline on the afternoon of Friday, May 24th, and a spokesperson released the following statement:

“First American has learned of a design defect in an application that made possible unauthorized access to customer data. At First American, security, privacy and confidentiality are of the highest priority and we are committed to protecting our customers’ information. The company took immediate action to address the situation and shut down external access to the application. We are currently evaluating what effect, if any, this had on the security of customer information. We will have no further comment until our internal review is completed.”

You can read more about the data leak here.


Google Glitch Left Passwords Unprotected for 14 Years

Google announced a glitch that stored unencrypted passwords belonging to several business customers, a situation that had been exploitable since 2005.

In a blog post released this week, the company admitted the passwords of “some” of its G Suite customers had been stored on internal servers without the usual cryptographic protection: they were kept in a recoverable form rather than as a one-way hash.

“This issue has been fixed and, again, we have seen no evidence of improper access to or misuse of the affected passwords. We will continue with our security audits to ensure this is an isolated incident,” announced the blog.

While the unprotected passwords were, according to Google, still protected within their “secure encrypted infrastructure,” the amount of time the issue went undetected is cause for concern for many security experts.
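The distinction behind the “secure encrypted infrastructure” reassurance, here and in the earlier post on this incident, is that encryption at rest is reversible by whoever holds the key, while a salted password hash is not. The following added example (not Google’s code) shows the storage form that should have been used, the verification that goes with it, and an audit pass that flags records in a constructed user store that are not in that form, which is the kind of check that would have caught the glitch earlier.

```python
import hashlib
import hmac
import os

# scrypt cost parameters: n=2**14, r=8 costs about 16 MiB of memory per hash,
# which is what makes offline guessing expensive. Chosen for this example.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def hash_password(password, salt=None):
    """Return a self-describing record: $scrypt$n=..$r=..$p=..$<salt hex>$<digest hex>.
    A fresh random salt per user means equal passwords give different records."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return (f"$scrypt$n={SCRYPT_N}$r={SCRYPT_R}$p={SCRYPT_P}"
            f"${salt.hex()}${digest.hex()}")


def parse_record(stored):
    """Parse a stored credential; None if it is not a well-formed scrypt record.
    Plaintext, bare MD5/SHA hex strings and truncated records all return None."""
    parts = stored.split("$")
    if len(parts) != 7 or parts[0] != "" or parts[1] != "scrypt":
        return None
    try:
        n, r, p = (int(x.split("=", 1)[1]) for x in parts[2:5])
        salt, digest = bytes.fromhex(parts[5]), bytes.fromhex(parts[6])
    except (IndexError, ValueError):
        return None
    if len(salt) < 16 or len(digest) < 32:
        return None
    return n, r, p, salt, digest


def verify_password(password, stored):
    """Recompute the hash with the record's own parameters and compare in
    constant time. There is no way to get the password back out of `stored`."""
    parsed = parse_record(stored)
    if parsed is None:
        return False
    n, r, p, salt, digest = parsed
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                               n=n, r=r, p=p, dklen=len(digest))
    return hmac.compare_digest(candidate, digest)


# Constructed user store mixing a correct record with two defective ones.
USERS = {
    "alice": hash_password("correct horse battery staple"),
    "bob":   "hunter2",                            # plaintext: the defect in the article
    "carol": "5d41402abc4b2a76b9719d911017c592",  # bare unsalted hex digest: also wrong
}


def audit_password_store(users):
    """Return the usernames whose stored credential is not an scrypt record.
    Run this against the real store; a non-empty result is the finding."""
    return sorted(user for user, stored in users.items() if parse_record(stored) is None)


if __name__ == "__main__":
    print(verify_password("correct horse battery staple", USERS["alice"]))  # True
    print(audit_password_store(USERS))                                     # ['bob', 'carol']
```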

“[E]ven if it’s only internal it still creates a substantial privacy and security concern,” said TrustedSec CEO David Kennedy to Wired Magazine.

Google has begun contacting system administrators whose organizations would have been affected by the glitch to encourage them to change their passwords.


Data Security in the Cloud: How to Lock Down the Next-Gen Perimeter

Enjoy the video replay of the recent Threatpost cloud security webinar, featuring a panel of experts offering best practices and ideas for managing data in a cloudified world.

Data Leak Exposes Instagram Influencers

A leaked database has compromised the personal information of more than 49 million Instagram users, including celebrities and “influencers.”

The information was found on an unsecured database hosted on an Amazon cloud server and includes public-facing information from Instagram accounts as well as personal details, including email addresses and phone numbers. Techcrunch, the website that initially broke the story, traced the database back to Chtrbox, a social media marketing firm based in Mumbai.

The database appears to have been initially compiled to determine relative costs and overall influence of each Instagram account.

The chief executive of Chtrbox declined to comment on the story.

See the initial Techcrunch news article here.



7 Steps to Strengthen Your Cybersecurity Program Today

Managing a security program in today’s ever-changing cyber threat landscape is no small feat. Many administrators struggle with knowing where to even start. Cybersecurity programs must be continually evaluated and should evolve as cyber threats and company risk changes; however, these steps can guide you in the right direction to begin strengthening your security program today.

1.  Assess your current security program.

The best way to assess a security program is to first choose a framework best for your company. A good framework to follow is the NIST Cybersecurity Framework, which is a comprehensive guide to baseline security requirements and controls any company can implement to strengthen a security program. For companies of all sizes, implementing a security control or practice must be evaluated from a business standpoint to determine if the benefit to the business outweighs the cost of the security control. Following a framework for this evaluation will help you prioritize cybersecurity initiatives and give your company a clear roadmap for the way you want to develop a cybersecurity program.

2.  Identify what data you have and where it lives.

Data cannot be protected if the custodians don’t know it exists, or where it exists. Identification of the data stored, created, or controlled by a company is crucial to understanding your cybersecurity and data protection priorities. Further, identifying whether sensitive data is stored in cloud services, on hard drives, or in file servers can drastically change the strategy needed in order to protect that data. Even Data Loss Prevention (DLP) tools are less effective if the tool is not looking in the right locations to determine whether data is being accessed or is leaving the protected network in some way. Identifying data locations can also help you to ensure your proprietary or confidential data is moved from less secure locations, such as private cloud storage accounts, to secure, company-controlled environments like an enterprise cloud account.

3.  Implement and enforce policies to combat insider threat.

Policies and procedures are essential to combat the human element of cybersecurity. Employees often do not understand what they can and cannot do with a company’s documents, hardware, and system access if there are no policies in place to guide them. Insider threat isn’t necessarily a nefarious actor out to steal company data; it often presents itself in examples such as a well-meaning employee who shares a document with a partner in an insecure way – exposing the data to unauthorized access.

4.  Implement a security awareness training program.

Continuing with the theme of well-meaning employees, phishing attacks are the cause of data breaches in 98% of the cases reported (Verizon DBIR). Anti-phishing measures can only go so far to detect phishing attacks, so it’s up to the employee to know how to recognize a phishing email, and to know what to do with that email. Security awareness training can teach an employee to recognize the signs of phishing emails and may prevent the employees and the company from falling victim to a phishing attack.

5.  Talk to your IT team for multi-factor authentication and anti-phishing measures.

Multi-factor authentication (MFA) is one of the best security controls you can implement to prevent unauthorized access to company systems. Simply put, MFA requires not only something the user knows (e.g. a password) but also something the user has (e.g. a one-time code from an authenticator app or, better yet, a hardware security key the employee must physically touch). Codes delivered by text message are better than nothing, but they are tied to a phone number rather than to a device, so they can be taken over through SIM swapping or relayed by a phishing page in real time; app-generated codes avoid the first problem, and FIDO2/WebAuthn hardware keys avoid both because the key is bound to the legitimate site’s origin. Many instances of unauthorized system access could have been thwarted by MFA on critical systems. In addition, as mentioned above, phishing is behind a large share of data breaches, and anti-phishing measures (SPF, DKIM and DMARC on your mail domains, link and attachment scanning, and external-sender warnings) should be in place to protect corporate email systems.
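As an added example (not code from the original post), here is what the “something the user has” factor looks like on the server side: a TOTP verifier per RFC 6238, which is what authenticator apps implement. It uses the RFC 6238 test secret so the outputs can be checked against the RFC’s published vectors, and timestamps are passed in explicitly rather than read from the clock so it runs offline and deterministically. The drift window and the replay rule are assumed policy choices, not something the post specifies; the secret never leaves the device, which is why a SIM swap of the user’s phone number does not help an attacker here.

```python
"""
TOTP (RFC 6238) verification: the "something the user has" factor, server side.

Added example, not code from the original post. The shared secret is the
RFC 6238 test secret "12345678901234567890" (Base32 GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ)
so results can be checked against the RFC's vectors; timestamps are passed in
explicitly so the code is deterministic offline. Window size and the replay rule
are assumed policy choices.
"""
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238: HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // step)


def decode_base32_secret(text: str) -> bytes:
    """Authenticator apps carry the secret as Base32 (e.g. in an otpauth:// URI)."""
    cleaned = text.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)   # restore the padding many apps omit
    return base64.b32decode(cleaned)


class TotpVerifier:
    """Constant-time compare, +/- window steps of clock drift, and replay protection:
    a counter value is accepted once, and nothing older than the last accepted one."""

    def __init__(self, secret: bytes, window: int = 1, step: int = STEP_SECONDS):
        self.secret = secret
        self.window = window
        self.step = step
        self.last_counter = -1  # highest counter already consumed

    def verify(self, code: str, unix_time: int) -> bool:
        if len(code) != DIGITS or not code.isdigit():
            return False
        base = unix_time // self.step
        for drift in range(-self.window, self.window + 1):
            counter = base + drift
            if counter <= self.last_counter:
                continue  # already consumed (or older than a consumed code): replay
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    secret = decode_base32_secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print(totp(secret, 59))          # 287082 (last six digits of RFC 6238's 94287082)
    v = TotpVerifier(secret)
    print(v.verify("287082", 59))    # True
    print(v.verify("287082", 59))    # False: same code replayed
```

The compare is constant-time and the verifier remembers the last accepted counter, so a code captured by a phishing page cannot be replayed once the user has used it; it can still be relayed within its 30-second window, which is the gap that origin-bound hardware keys close.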

6.  Implement a third party vendor risk management program.

Many companies work with third-party vendors and service providers, and in some cases these providers need access to corporate infrastructure and IT systems. You can invest millions or even billions in your cybersecurity program, but it can count for nothing if a trusted service provider is compromised. In many high-profile breaches it was the service provider that was breached, and its partners suffered the same fate through the access it held. Implement a third-party risk management program in which new and existing service providers must show evidence of their internal security practices and controls before they are allowed access to a corporate system, and scope that access to what the engagement actually requires.

7.  Implement onboarding and offboarding policies that integrate HR and IT.

When onboarding a new employee, a policy needs to be in place that has HR and IT work together to determine what information the new hire needs access to in order to do their job. Equally important, you must have a policy in place for offboarding. Without proper offboarding, former employees or contractors may still be able to access IT systems well after they have left the organization. Cases where former contractors or employees retained access to a company’s systems for months or even years after it should have been revoked are not uncommon. And in many cases an employee who leaves involuntarily decides to use that lingering access to destroy documents or steal intellectual property, and the damage can be as severe as deleting entire servers and infrastructure, leaving the company to pick up the pieces. Access to systems should be approved by HR (so that extra accounts and backdoors cannot be created without the company’s knowledge), departed employees should be deprovisioned from all systems immediately, and the HR roster should be reconciled against every system’s account list on a regular schedule so that accounts with no current owner are caught.
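An added example (not from the original post) of the HR/IT reconciliation the step describes: treat the HR roster as the source of truth, then flag every enabled account whose owner has left, and every enabled account that nobody in HR vouches for. The roster, the account list, the report date and the field names are constructed sample data and assumptions; in practice they would come from the HRIS export and from each system’s user-list API.

```python
"""
Joiner/mover/leaver reconciliation: HR is the source of truth for who should
have access; every enabled account must map to a currently active person.

Added example, not from the original post. Roster, accounts and AS_OF are
constructed, and the field names are assumptions about the HRIS/system exports.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Person:
    employee_id: str
    name: str
    status: str                 # "active" or "terminated"
    end_date: Optional[date]    # last day, for terminated people


@dataclass(frozen=True)
class Account:
    system: str
    username: str
    owner_id: Optional[str]     # employee_id the account belongs to; None = nobody
    enabled: bool
    last_login: Optional[date]


AS_OF = date(2019, 5, 10)       # constructed report date

# Constructed HR roster export.
HR_ROSTER = [
    Person("E100", "Ann Ops", "active", None),
    Person("E101", "Bob Dev", "terminated", date(2019, 3, 29)),
    Person("E102", "Cal Contractor", "terminated", date(2018, 11, 2)),
]

# Constructed account inventory pulled from each system.
ACCOUNTS = [
    Account("vpn", "ann", "E100", True, date(2019, 5, 1)),
    Account("vpn", "bob", "E101", True, date(2019, 4, 15)),        # logged in after leaving
    Account("gitlab", "cal", "E102", True, None),                  # left last year, still enabled
    Account("gitlab", "svc-build", None, True, date(2019, 5, 2)),  # no HR owner at all
    Account("gitlab", "ann", "E100", True, date(2019, 5, 2)),
    Account("gitlab", "old-bob", "E101", False, None),             # already disabled: fine
]

Finding = Tuple[str, str, str, str]   # (system, username, severity, reason)


def reconcile(roster: List[Person], accounts: List[Account], today: date) -> List[Finding]:
    """Return every enabled account that HR does not currently justify."""
    people = {p.employee_id: p for p in roster}
    findings: List[Finding] = []
    for acct in accounts:
        if not acct.enabled:
            continue
        owner = people.get(acct.owner_id) if acct.owner_id else None
        if owner is None:
            # Nobody in HR vouches for this account: orphan, shared, or a backdoor.
            findings.append((acct.system, acct.username, "ORPHAN",
                             "no HR owner; identify the owner or disable"))
            continue
        if owner.status == "terminated" and owner.end_date is not None:
            days_overdue = (today - owner.end_date).days
            used_after = acct.last_login is not None and acct.last_login > owner.end_date
            # Post-departure use is the incident case; still-enabled is the hygiene case.
            severity = "CRITICAL" if used_after else "HIGH"
            reason = f"owner {owner.employee_id} left {days_overdue} days ago"
            if used_after:
                reason += f"; last login {acct.last_login} is after departure"
            findings.append((acct.system, acct.username, severity, reason))
    return findings


def disable_list(findings: List[Finding]) -> List[Tuple[str, str]]:
    """Accounts to deprovision now; orphans go to a review queue first."""
    return [(s, u) for s, u, sev, _ in findings if sev in ("CRITICAL", "HIGH")]


if __name__ == "__main__":
    for finding in reconcile(HR_ROSTER, ACCOUNTS, AS_OF):
        print(" | ".join(finding))
```

Run on a schedule against every system that holds accounts, not just the directory: the service account with no owner and the contractor’s still-enabled repository login are exactly the cases a directory-only check misses.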

Implementing any cybersecurity controls or program initiatives requires a shift in company culture and executive buy-in. However, organizations of any size simply cannot afford to ignore security, nor can they wait for a breach to occur before taking it seriously. The steps outlined in this post are an excellent start to a strong security program and will help you gain traction for future program changes and improvements.

The post 7 Steps to Strengthen Your Cybersecurity Program Today appeared first on GRA Quantum.

Feds Break Up Major SIM-Hijacking Ring

The U.S. Department of Justice announced that it has arrested and charged members of a major cybercriminal ring in connection with $2.4 million worth of wire fraud and identity theft.

The hacking group, called “The Community,” primarily used social engineering (trickery) and SIM-card hijacking to steal funds and cryptocurrency from its victims.

SIM swapping, or SIM hijacking, is an attack in which the fraudster uses personal information gleaned from other sources (data breaches, social media, or social engineering of the victim) to impersonate the victim to the mobile carrier, or simply bribes a carrier employee, and has the target’s phone number moved to a SIM the criminal controls. Possession of the phone number gives the criminal the calls and text messages intended for the target, including SMS-delivered one-time codes, which makes it possible to bypass SMS-based two-factor authentication and reset passwords on the victim’s financial and cryptocurrency accounts. Second factors that are not tied to the phone number (authenticator apps, hardware security keys) are not defeated this way, and a carrier account PIN or port-out lock raises the bar for the impersonation step.

Members of The Community face charges of wire fraud and aggravated identity theft. Three former mobile provider employees are also charged with accepting bribes to facilitate SIM-card hijacks for the group.

The post Feds Break Up Major SIM-Hijacking Ring appeared first on Adam Levin.

WhatsApp Compromised by Spyware

WhatsApp disclosed a major security vulnerability that allowed attackers to remotely install spyware on mobile devices.

The vulnerability, discovered earlier this month, was a buffer overflow in WhatsApp’s voice-call (VoIP) handling, tracked as CVE-2019-3568; an attacker could trigger it simply by placing a call to the target, whether or not the call was answered. Once the spyware was running on the phone it could read messages and other data on the device itself, so the attackers could see communications that were end-to-end encrypted in transit without breaking that encryption. The spyware deployed has been traced to NSO Group, an Israeli cyber company alleged to have enabled Middle East governments to surveil their citizens.

“The attack has all the hallmarks of a private company reportedly that works with governments to deliver spyware that takes over the functions of mobile phone operating systems,” WhatsApp announced in a statement.

NSO Group has denied involvement.

“Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies,” the company said in a press release.

WhatsApp, which is owned by Facebook, has released a patch to fix the vulnerability and urges all users to update as soon as possible.

“Given the limited information we collect, it is hard for us to say with certainty the impact to specific users,” WhatsApp said in a statement. “Out of an abundance of caution we are encouraging all users to update WhatsApp as well as keep their mobile OS up to date.”

The post WhatsApp Compromised by Spyware appeared first on Adam Levin.

Email Is the Biggest Threat to Business, So Why Is Everyone Using It?

Microsoft’s Outlook.com service suffered a major breach earlier this year. Attackers who had obtained a support agent’s credentials gained the ability to access user email accounts, and that access lasted roughly three months (Microsoft put the window at January 1 to March 28, 2019). This news was no shocker. Outlook has always been, and continues to be, a perennial target.

Saying that email is a major service of the Internet is a bit like saying Donald Trump doesn’t like CNN. Email is foundational. In fact, it pre-dates the Internet as we know it by more than a decade. (Lest we forget, the first networked email was sent in 1971.)

Email currently has a 90.1% penetration rate among Internet users in the United States, compared to 68% for Facebook and 23% for Twitter. It’s the main communication tool for 95% of businesses. Email addresses are still the main way we authenticate ourselves to do business online, and because of that email as a category represents an extremely weak link in our collective cybersecurity. It doesn’t have to be this way, but as Yogi Berra once said, “We made too many wrong mistakes.”

It’s this familiarity and this reliance on email that has made it the target of choice for hackers, and with that a major liability for businesses and consumers alike. If you think social media networks and data mining organizations have juicy digital assets, consider for a moment the El Dorado of information transmitted daily via email, ranging from intimate correspondences to tax information, travel plans, financial transactions, photos, and shopping lists to real-time data on a user’s emotional state and how their important relationships are going.

Because email isn’t deleted from most servers by default, this target-rich digital information environment is often accessible to anyone with a login and password–something that is regularly served up to hackers by the billions.

The cybersecurity threat posed by email isn’t limited to sensitive data sitting passively on account servers. Email is the preferred tool hackers use to access their targets’ networks: 83% of organizations reported phishing attacks in 2018, up from 76% in 2017. Fully two thirds of malware is installed by clicking on an email attachment.

Email is equal parts Achilles heel and Trojan Horse, so why are we still using it?

“Just Because” Isn’t a Good Answer

It’s not an original thought to say that email is problematic, or that a replacement of some sort would be welcome. Its obsolescence, if not demise, has been predicted repeatedly over the years. A murderers’ row of newer technologies like SharePoint, Slack, Skype, Messenger, and many, many others have seemed like contenders, but email still dominates in the realm of communication.

The reason for email’s ongoing existence despite its obvious shortcomings and major security issues is counter-intuitive. People use it because it’s insecure. That’s why it doesn’t matter that Bill Gates didn’t come through with the promise of eradicating spam by 2006. Spam is something we’re willing to accept to stay Internet nativists. It is the digital equivalent of gnats in nature.

True story: The Internet was not made with security in mind. It was made to communicate fast. While the underlying structures seem naïve, none of it was designed for the general public. Domain names were initially intended as a means of identifying remote academic, military, and government locations. Their corresponding numerical (IP) addresses were limited to roughly 4 billion possible variations. That was more than enough for every single person on the planet at the time of its creation. That this structure didn’t anticipate the rise of Internet-enabled telephones, vacuum cleaners, nuclear reactors, or personal assistants is as much a part of the problem as the fact that they didn’t anticipate every small-time crook switching from convenience store stick-ups and smash and dash crimes to the much less risky practice of email phishing campaigns with the cornucopia of identity-related crimes made possible by them.

Email has none of the strings-attached vibe that the Mark Zuckerbergs of the world have attached to our information: no terms and conditions or privacy policies subject to change, and no dependence on any specific hardware or software to access it as a service. That openness is the source of its appeal, and weighing its liabilities without understanding that appeal is why it remains a communication mainstay, seemingly against all odds and to the consternation of IT departments around the world.

In this way, email is an object lesson in the cybersecurity quagmire: We’re over-reliant on the idea of technology providing a silver bullet instead of changing our behavior. No Slack or Messenger or any other killer app is going to solve the email problem (although traffic may continue to migrate from email to other modes of communication). The only thing that will change the situation, Yogi Berra might have said, is to change the situation. Meanwhile, he did say this: “If the world were perfect, it wouldn’t be.”

This article originally appeared on Inc.com.

The post Email Is the Biggest Threat to Business, So Why Is Everyone Using It? appeared first on Adam Levin.

Access and Source Code to Samsung Apps Left Unprotected on Public Server

The source code and security keys associated with a number of Samsung apps and projects were discovered on an unprotected server. Samsung’s SmartThings home automation platform was among the projects exposed.

The exposed server hosted a code repository that was misconfigured and publicly accessible. Alongside the underlying code of several major Samsung apps was a private access token that granted unfettered access to 135 projects and applications, so anyone who found the token could have modified the code, not merely read it.

“The real threat lies in the possibility of someone acquiring this level of access to the application source code, and injecting it with malicious code without the company knowing,” said Mossab Hussein, the cybersecurity researcher who discovered the server.

Samsung is one of the world’s biggest technology manufacturers, and the ability to tamper with its software would represent a cyber threat of monumental proportions. The company’s SmartThings app alone has more than 100 million installs worldwide. Alerted to the exposure by Hussein on April 10th, the company took 20 days to revoke the exposed keys. A credential that has been public should be treated as compromised and rotated immediately; removing it from the repository does not invalidate copies already taken.

“[W]hile we have yet to find evidence that any external access occurred, we are currently investigating this further,” a spokesman for the company said.
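An added example, not from the report or from any tool it mentions, of the check that would have caught the token before it reached a public repository: a pre-commit or CI scan for known credential formats plus a Shannon-entropy test for opaque values assigned to secret-looking names. The sample files, the variable names and the entropy threshold are constructed assumptions; the AWS-style key is AWS’s documented placeholder format, not a live credential.

```python
"""
Credential scanning for repository content: known-format patterns plus a
Shannon-entropy test for opaque tokens assigned to suspicious variable names.

Added example, not from the report. SAMPLE_FILES is constructed; the AWS-style
key is AWS's documented placeholder (AKIAIOSFODNN7EXAMPLE), not a live credential.
"""
import math
import re
from typing import Dict, List, Tuple

PATTERNS = {
    # AWS access key IDs have a fixed, recognisable shape.
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # PEM private key blocks.
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    # name = "value" where the name smells like a secret; the value is checked by entropy.
    "secret_assignment": re.compile(
        r"(?i)\w*(?:token|secret|password|api[_-]?key)\w*\s*[:=]\s*['\"]?([A-Za-z0-9_\-/+=]{16,})['\"]?"),
}
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed cut-off between prose and random tokens

SAMPLE_FILES: Dict[str, str] = {
    "config/settings.py": 'DEBUG = True\nAWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\nDB_PASSWORD = "changeme"\n',
    ".gitlab-ci.yml": 'variables:\n  DEPLOY_TOKEN: "xq9Lm2Vp8Ra4Tz7Hb3Nc6Ky1Wd5Fs0Gj"\n',
    "deploy/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA(body omitted)\n",
    "README.md": "Set API_KEY = your_api_key_here in the environment before running.\n",
}

Finding = Tuple[str, int, str]  # (path, line number, pattern name)


def shannon_entropy(s: str) -> float:
    """Bits per character. Random base64/hex tokens score high; words score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def scan_text(path: str, text: str) -> List[Finding]:
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, rx in PATTERNS.items():
            for m in rx.finditer(line):
                if name == "secret_assignment" and shannon_entropy(m.group(1)) < ENTROPY_THRESHOLD:
                    continue  # placeholder such as your_api_key_here, not a real token
                findings.append((path, lineno, name))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan every file; in CI, a non-empty result should fail the pipeline."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


if __name__ == "__main__":
    for path, lineno, name in scan_files(SAMPLE_FILES):
        print(f"{path}:{lineno}: {name}")
```

Two design points: the entropy gate is what keeps documentation placeholders from drowning the real hits, and a scan that only runs on the current tree misses secrets that were committed and later deleted, so history must be scanned as well and, when a hit is found, the credential revoked rather than merely removed.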

The post Access and Source Code to Samsung Apps Left Unprotected on Public Server appeared first on Adam Levin.

Customers Deserve Transparency to Manage Risk

Our commitment to customers is to be open and transparent, especially as it relates to issues that could negatively impact their business. At Cisco, our leadership made the decision over twenty years ago that we would clearly communicate with customers about technical or other issues that could potentially expose their organizations to risk. It is one of the many ways we act as a trusted partner to our customers. Over those last twenty years, our team and security vulnerability process has evolved to meet customers’ needs. Ultimately, we want our customers to have the information they need to protect their networks.

We get called out from time to time about vulnerability disclosures we make. Yet… our policy remains unchanged: when security issues arise, we handle them openly and as a matter of top priority, so our customers understand the issue and how to address it. To fulfill this promise we follow a strict process to manage the receipt, investigation, and public reporting of security vulnerability information that is related to Cisco solutions and networks.

With that in mind, we’d like to address some of the most common questions and misconceptions we hear from our customers and the media about our vulnerability disclosure process.

What is a vulnerability and how are they identified?

A security vulnerability is an unintended weakness in a product or service that could allow an attacker to compromise its confidentiality, integrity, or availability. Cisco invests significantly in proactively discovering vulnerabilities, and as a result two out of every three vulnerabilities disclosed in a Security Advisory are found internally. The remaining third come from outside, which is why we have a Product Security Incident Response Team (PSIRT), a global team dedicated to investigating and reporting vulnerabilities around the clock. In addition to our own teams, Cisco collaborates with independent researchers, industry organizations, vendors, customers, and other sources of solution and network security information. Regardless of how they are found, all vulnerabilities are investigated and publicly reported per our policies.

How is the severity of a vulnerability classified and reported to the public?

If a vulnerability is found, we follow a well-established, trusted disclosure process for public reporting, and there are several ways our customers can receive the latest security vulnerability information from Cisco. To classify vulnerabilities, Cisco uses a vendor-neutral, industry-standard scoring method to evaluate potential severity and determine the urgency and priority of the response. With severities ranging from informational to critical, we take a conservative approach to disclosing vulnerabilities that may heighten risk for our customers: what the industry rates as medium could be business-critical to some of our smaller customers in particular verticals, since a standardized score cannot know where a product sits in a given customer’s network.

Why does Cisco disclose so many security vulnerabilities?

We recognize security vulnerability publication and remediation is disruptive, and our goal is always focused on reducing the number of vulnerabilities (more on that below). With that acknowledgement, it is vital to remember a few factors that drive the purpose behind our vulnerability disclosures. Most importantly, we have a high bar for transparency. It may appear that we disclose more vulnerabilities than our industry peers…because we do. We publish internally found, medium security vulnerabilities with a goal of helping customers understand and manage their risk. This is different than nearly every peer in the industry because we believe it is in the best interest of our customers.

What does Cisco do after it fixes a vulnerability?

We tag every vulnerability with a Common Weakness Enumeration (CWE) identifier, a category system for software weaknesses and vulnerabilities. This tagging helps us spot trends across our broad portfolio of over 600 product lines. We use this information, together with root cause analysis, to build specific programs that add technology, process, or policy enhancements to the Cisco Secure Development Lifecycle. This cycle of continuous improvement is central to doing better by our customers.

Over the last twenty years, Cisco has demonstrated that we walk the walk when it comes to handling and disclosing vulnerabilities that affect those who use our solutions. We will continue to do our part. We will continue to use a holistic security approach that begins when a solution is conceived and carries through development, manufacturing, and deployment. We will continue to provide the resources necessary so our customers know what they need to do to safeguard against cyber criminals. Regardless of how the world of cyber threats evolves, our customers can count on our commitment to be transparent. In this manner, we can manage risk together.

Do your part.

  • Ask your technology vendors their policy on vulnerability disclosure. Do they disclose internally found vulnerabilities that might jeopardize your security? Do they have an incident response team that aligns to industry standards?
  • Any person or organization that is experiencing a product security issue should contact the Cisco Product Security Incident Response Team. We highly recommend all our customers be aware of Security Advisories and stay current to protect their networks. For more details on Cisco’s commitment to transparency, be sure to visit the Trust Center.
  • The security landscape is constantly evolving. That is why organizations should have a strategy for cyber resilience in place to regularly safeguard their assets and data from threats.

The post Customers Deserve Transparency to Manage Risk appeared first on Cisco Blog.

U.S. Energy Grid Experiences Possible Cyberattack

An apparent denial-of-service attack caused a disruption in a segment of the U.S. energy grid, affecting Utah, Wyoming, and Southern California.

Little is currently known about the incident. It occurred March 5th and disabled several security devices, leaving operators temporarily without visibility into parts of the grid. An unnamed utility company reported the incident to the Department of Energy.

“There was a denial-of-service attack…and that basically led operators to not be able to see what was going on in the grid,” said journalist Blake Sobczak, who initially reported the story. “As long as nothing crazy happens, you should be fine, but it certainly constitutes a disruption and a reportable event here to the Department of Energy.”

While the potential cyberattack did not lead to any known outages or interruptions in service and used a relatively unsophisticated method, it is noteworthy as the first cyber incident reported to the Department of Energy as having disrupted operations at a U.S. grid operator. Disruptive attacks on the U.S. energy grid had been theoretical up to this point, but security experts have long maintained that the infrastructure is poorly secured and that many utility companies are unprepared for cyber defense.

Fears of an attack on utilities have increased in the wake of Russian infiltration of U.S. critical infrastructure announced in 2018 by the Department of Homeland Security.

The post U.S. Energy Grid Experiences Possible Cyberattack appeared first on Adam Levin.

Putin Signs Nationwide Internet Censorship Into Law

Russian President Vladimir Putin has signed a bill to create a separate Russian national internet.

The legislation is primarily focused on establishing an autonomous national network, separate from the global internet, with its own DNS system and with all traffic in the country routed through government monitoring points. Putin has justified the move as a way of mitigating the threat of foreign governments interfering in Russian politics.

The bill comes on the heels of several other measures passed by Putin’s government, largely aimed at curtailing internet freedom, including one passed in March that granted it the power to punish Russian citizens for insulting public officials, and another targeting “unreliable socially significant information.”

Civil libertarians and security experts alike say Putin’s project mirrors China’s massive censorship of the Internet, which is called the “Golden Shield Project” and the “Great Firewall.”

“It’s about being able to cut off certain types of traffic in certain areas during times of civil unrest,” said Russian author Andrei Soldatov.

The intended separation from the wider internet has also proven unpopular with Russians. A recent poll showed that only 23% approve of the legislation, and thousands of protesters demonstrated in Moscow against it earlier this year.

The post Putin Signs Nationwide Internet Censorship Into Law appeared first on Adam Levin.

Adam Levin Discusses Mobile Banking and Security with TicToc

Adam Levin was featured on a short video on TicToc by Bloomberg, where he discussed the trade-offs between security and convenience for mobile banking and payment apps.

“As business tries in its technological innovation to make things more convenient, you end up with the conundrum between convenience and security.” Levin said.

The post Adam Levin Discusses Mobile Banking and Security with TicToc appeared first on Adam Levin.

The Government Claims a Private Sector Fail, But It Just Doesn’t Know How to Pick a Vendor

The Government Accountability Office recently released a report that analyzed the results as well as the relative effectiveness of the identity theft services, including insurance, provided to victims of data breaches and other forms of digital compromise.

The report is entitled “Range of Consumer Risks Highlights Limitations of Identity Theft Services,” and it largely reiterates the GAO’s 2017 assertion that the identity theft insurance offered by agencies in the wake of a data breach was both unnecessary and largely ineffective. The findings also concluded that credit monitoring, identity monitoring, and identity restoration services were of questionable value. The GAO recommended that Congress explore whether government agencies should be, or indeed are at present, legally required to offer victims of federal data breaches any of the services examined in the report.

At the center of the report’s findings was $421 million set aside by the Office of Personnel Management to purchase a suite of identity protection products and services following the 2015 data breach that exposed extremely sensitive personal information of 22 million individuals. According to the report, the “obligated” money was largely squandered.

“3 million had used the services and approximately 61 individuals had received payouts from insurance claims, for an average of $1,800 per claim… GAO’s review did not identify any studies that analyzed whether consumers who sign up for or purchase identity theft services were less subject to identity theft or detected financial or other fraud more or less quickly than those who monitored their own accounts for free…” To be clear, there is a jump in logic here. Just because the GAO was unable to find data to support these services does not mean the services are ineffective. In fact, it could just as easily be that the services work.

Then there was the GAO’s observation that, “The services also do not prevent or directly address risks of nonfinancial harm such as medical identity theft.” When millions of Social Security Numbers have been exposed, prevention of identity theft is purely aspirational. Frankly, this assertion would not pass muster with the FTC, since it is actually frowned upon to suggest that any service provider can prevent identity theft. The goal is awareness and targeted action, and medical fraud, in particular, is an area where detection is, at best, difficult and resolution is often complicated and requires professional assistance.

While the report raises an important point, it is too limited in scope to pinpoint it effectively. Not all identity theft services are the same. Those offered by OPM to victims of its massive breach may or may not have been ineffective, but if they were, most likely it was because they were inadequate to the task or “mis-underestimated” during onboarding, not because they were unnecessary. In other words, it’s not a question of how much money changed hands; it’s how those funds were spent.

Misunderstanding?

In the case of the services offered to victims of the OPM breach, the results do look damning: 61 paid insurance claims out of 3 million service users is a figure unworthy of rounding-error status. That result must not, however, be mistaken for a demonstration that identity theft insurance isn’t useful; it should instead be read as a real-life metric of the usefulness of the specific plan provided, and of how applicable that plan’s provisions were to the majority of the individuals it covered.

Consider this counterpoint: If the services provided worked, little to no insurance payments would be necessary. (See above.)

Rather than scrapping the requirement, policies should either be expanded to cover more of the expenses associated with identity theft (there are many), or they should prioritize more robust monitoring tools and full identity fraud remediation solutions with the funds available.

Lack of Participation

Another issue raised by the report is participation on the part of those affected by data breaches. According to data from OPM, only 13 percent of those affected had taken advantage of the services made available to them as of September 30, 2018. While the number may seem low, anecdotally it is not unusual. Regardless, the question remains: were those services offered in an accessible way that encouraged action on the part of users?

History suggests that paltry participation figures are due in no small part to a lack of awareness among consumers of the dangers posed by the exposure of personal information and the often free (to the consumer) availability of products and services that help manage the damage. Workplace education in this area is lacking, for sure, but that alone doesn’t explain it. Beyond breach fatigue, a larger factor may be lack of confidence in or clarity about the services provided–and that is an issue that belongs to vendor selection, because it’s their job to make clear what’s at risk and how the proffered solutions can help.

As described elsewhere in the report, organizations that offer services don’t choose them based on what should be the pivotal question here, “how effective these services are.” Instead, “some base their decisions on federal or state legal requirements to offer such services and the expectations of affected customers or employees for some action on the breached entities’ part.” If the standard is to offer a certain amount of protection, they do that. Does it matter what kind? Can it be generic? That’s the crux of the matter.

Spoiler alert: It matters what service provider you choose. If you take nothing else away here let it be this: identity protection services and insurance are useless in a low-information environment. Indeed, if the service provider doesn’t produce an ocean of content that explains to users why they need to use the services, then it’s probably not right for mass allocation.

Data breaches have become so commonplace and the threat of identity fraud so widespread that token offerings to those affected are increasingly viewed as a B.S. attempt at better optics while a company is in disaster mode. A vicious cycle ensues: lack of confidence in a breach response leads to lack of participation in identity theft protection offered, and lack of participation is used to justify offering less comprehensive protection–all while identity theft incidents and data breaches increase.

The GAO report raises many salient points about the services offered in the wake of data breaches. The current legislation and its requirements for both identity theft protection services and insurance can rightly be viewed as an expensive boondoggle with little to show when it comes to actual results, but the conclusion of the GAO–to pull back instead of getting the right services in place to protect against future breaches and assist their victims when they can’t be avoided–is worrisome.

We need to focus now more than ever on high-information, robust solutions that provide greater protection as well as more guidance and assistance–not less.

This article originally appeared on Inc.com.

The post The Government Claims a Private Sector Fail, But It Just Doesn’t Know How to Pick a Vendor appeared first on Adam Levin.

What This Report on Cyber Risk Gets Wrong

The Marsh brokerage unit of Marsh and McLennan recently announced a new evaluation process called Cyber Catalyst designed to determine the usefulness of enterprise cyber risk tools.

The goal of the new offering is to identify and implement industry-wide standards to help cyber insurance policyholders make more informed decisions about cyber-related products and services; basically, what works and what doesn’t. Other major insurers participating in Cyber Catalyst include Allianz, AXA XL, AXIS, Beazley, CFC, and Sompo International.

While this collaboration between insurance companies is unusual, it’s not entirely surprising. Cyber insurance is a $4 billion market globally. While it’s difficult to gauge how many attacks were successfully foiled by the products targeted here, data breaches and cyberattacks on businesses continue to increase in frequency and severity. The World Economic Forum’s 2019 Global Risks Report ranks “massive data fraud and theft” as the fourth-greatest global risk, followed by “cyber-attacks” in fifth place.

Meanwhile, cybersecurity products and vendors have been, to be charitable, a mixed bag.

Good in Theory

From this standpoint, Cyber Catalyst seems like not just a good idea, but an obvious one. A standardized metric to determine which cybersecurity solutions are no better than a fig leaf and which ones provide real armor to defend against cyberattacks is sorely lacking in the cybersecurity space. By Marsh’s own estimates, there are more than three thousand cybersecurity vendors amounting to a $114 billion marketplace. Many of them don’t inspire confidence on the part of businesses.

Insurers have a vested interest in determining the effectiveness of cybersecurity products, weeding out buggy software and promoting effective solutions that can help address risk aggregation issues. Businesses and their data are in turn better protected, and at least in theory, they would pay less for coverage. Everyone wins.

Insurance companies did something similar in the 1950s with the creation of the Insurance Institute for Highway Safety. In the face of rising traffic collisions and fatalities, the insurance industry collaborated to establish a set of tests and ratings for vehicles, and the result has been a gold standard for automotive safety for decades. Using a similar strategy for cybersecurity would at least in theory help mitigate the ever-increasing costs and risks to companies and their data.

Or Maybe Not

Where the analogy to the Insurance Institute for Highway Safety breaks down is here: the threats to drivers and passengers have stayed essentially the same since its inception, so everything learned over the years about building cars has progressively led to safer vehicles. Information technology is vastly different, in that an iterative improvement in one specific area doesn’t necessarily make an organization as a whole safer or better protected against cyber threats; sometimes it has the opposite effect, when a newly added feature turns out to be a bug.

Cyber defenses are meaningless in the presence of an unintended, yet gaping, hole in an organization’s defenses. Then there is the march of innovation. Products that provided first-in-class protection for a business’s network a few years ago may no longer be so great where cloud computing, virtual servers, or BYOD are concerned. The attackable surface of every business continues to increase with each newly introduced technology, and it seems overly optimistic to assume the standard evaluation process (currently twice a year) would be able to keep pace with new threats.

There’s also the risk of putting too many eggs into one basket. While the diffuse nature of the cybersecurity market causes headaches for everyone involved, establishing a recommended solution or set of solutions effectively makes them an ideal target for hackers. While it’s important to keep consumers and businesses informed of potential risk to their information, cybersecurity issues require a certain amount of secrecy until they have been properly addressed. Compromising, or even identifying and reporting on a vulnerability before it’s been patched in an industry standard security product, process or vendor practice could cause a potentially catastrophic chain reaction for cyber insurers and their clients.

Culture Eats Strategy for Breakfast

Where the Cyber Catalyst program seems to potentially miss the mark is by overlooking the weakest link in any company’s security (i.e., its users). An advanced cybersecurity system or set of tools capable of blocking the most insidious and sophisticated attack can readily be circumvented by a spear phishing campaign, a compromised smartphone, or a disgruntled employee. Social engineering cannot be systematically addressed. Combatting the lures of compromise requires organizations to foster and maintain a culture of privacy and security.

The risk of employee over-reliance on tools and systems at the expense of training, awareness, and a company culture where cybersecurity is front and center must not be underestimated. While it is easier to opt for the quick and easy approach of purchasing a recommended solution, companies still need a comprehensive and evolving playbook to meet the ever-changing tactics of persistent, sophisticated and creative hackers.

While industry-wide cooperation may be a good thing, it’s vital for companies and insurers alike to recognize that any security program or service is fallible. Without an equal investment in functional cybersecurity, one that places as much value on training employees and staying aware of new threats, the rise in breaches and compromises will continue.

This article originally appeared on Inc.com.

The post What This Report on Cyber Risk Gets Wrong appeared first on Adam Levin.

Facebook Braces for Multibillion Dollar Fine

Facebook announced that it was preparing for a massive fine from the Federal Trade Commission for its mishandling of user privacy. The fine could be as much as $5 billion.

The social media giant revealed the fine as a one-time expense in its annual earnings statement, explaining a 51% decline in income, “in connection with the inquiry of the FTC into our platform and user data practices.”

“We estimate that the range of loss in this matter is $3.0bn to $5.0bn,” the company’s statement explained. “The matter remains unresolved, and there can be no assurance as to the timing or the terms of any final outcome.”

Facebook has been the target of an FTC investigation to determine if it had violated a 2011 consent decree following the 2018 revelation that it improperly shared data with Cambridge Analytica.

Despite the size of the fine, the company showed continuous growth and an expansion of its ecosystem of apps.


The post Facebook Braces for Multibillion Dollar Fine appeared first on Adam Levin.

French Government App Shows Difficulties with Secure Communications

A messaging app released by the French government to secure internal communications has gotten off to a troubled start.

Tchap was released in beta earlier this month as a secure messaging app exclusively for government officials. It was developed and released to address security concerns and data vulnerabilities in more widely used apps, including WhatsApp and Telegram (a favorite of French Prime Minister Emmanuel Macron).

WhatsApp Meet “What Were You Thinking?”

Tchap was built with security in mind, and was initially touted as being “more secure than Telegram.” Man plans and God laughs. The app was hacked less than a day after its release. Elliot Alderson, the hacker who discovered the initial security vulnerability, subsequently found four more major flaws in its code, and confirmed with the app’s developer that no security audit was performed on the app prior to release.

DINSIC, the government agency responsible for Tchap, issued a press release stating that the software “will be subject to continuous improvement, both in terms of usability and security,” and has since announced a bug bounty for further vulnerabilities.

The French government’s attempt at creating a secure messaging alternative highlights a cybersecurity conundrum. Recent incidents, including the allegations of Chinese government “backdoors” in telecom giant Huawei’s hardware and confirmed NSA backdoors in Windows software, have left governments and businesses increasingly wary of using software or hardware developed abroad, or of storing data internationally. At the same time, developing in-house or “proprietary” solutions is significantly more resource-intensive and not necessarily more secure than relying on their more widely used counterparts.


The post French Government App Shows Difficulties with Secure Communications appeared first on Adam Levin.

DMitry Deepmagic information Gathering Tool Kali Linux

DMitry (Deepmagic Information Gathering Tool) is an open source Linux CLI tool developed by James Greig and coded in C. DMitry is a powerful information gathering tool that aims to gather as much information about a host as is possible. Features include subdomain search, email addresses, uptime information, […]

The post DMitry Deepmagic information Gathering Tool Kali Linux appeared first on HackingVision.