Category Archives: Featured

Trend Micro Anti Virus Runs Malware if it's called cmd.exe or regedit.exe

Bug hunter “hyp3rlinx” has recently discovered an arbitrary code execution vulnerability in Trend Micro’s Anti-Threat Toolkit (ATTK). CVE-2019-9491 affects versions 1.62.0.1218 and below of Trend Micro’s Anti-Threat Toolkit (ATTK). The vulnerability ...

The post Trend Micro Anti Virus Runs Malware if it's called cmd.exe or regedit.exe appeared first on HackingVision.

In the Workplace, Safety Is Sexy. And It All Starts With Your HR Department

Maintaining workplace safety can seem like a rare form of torture–videos and quizzes and talks and such. For most of us, it’s a necessary chore. But despite the looks among employees with each new H.R. training session, the work that happens in those conference rooms at least in theory translates to profits.

The inoculation process of onboarding a new hire is profoundly important to the proper functioning of any organization. Never before have there been more actionable sensitivities and special needs, all of them calling for empathy and action in the workplace. Safety is important. People don’t work well when they don’t feel secure.

Creating an environment where employees feel safe takes many forms: It can be as simple as the correct placement of fire extinguishers, smoke detectors and alarms and/or providing employees with tips for monitor placement, or it can involve shock-absorbent flooring. Of course, it also involves the establishment and policing of an organization’s social and cultural norms. Google has taken this to the next level with its steps to ensure psychological safety to prevent employees in teams from feeling insecure or embarrassed. (If the company’s utter dominance in nearly every Internet-related field is any indicator, the strategy seems to be working out for them.)

Notwithstanding the Google example, it would be a stretch–and possibly an actionable H.R. error–to describe as “sexy” the various manifestations of workplace best-practices.

H.R. departments are in the business of minimizing the use of trigger words. When someone in the room says that this or that profitable situation is “sexy” there are other words that can carry the same amount of water–for instance, “exciting” or “awesome.” Basically, that word, for some demographic types, means “super cool,” and can be applied to the purchase of a new car, a new smartphone or bagging a multi-million dollar contract. No champagne, no smoke machine.

Enter Tall, Dark and Cyber Safe

Where cybersecurity is concerned, many employees have a sort of click and pray approach. It is not a method that inspires a great feeling of security. Add to that the reality of doing business today. Businesses and employees alike live under constant threat of the fallout from someone–maybe even the child of an employee that brings their own devices to work–clicking on the wrong link, opening the wrong attachment or mistakenly creating an unsecured database containing sensitive information.

The cause of the next corporation-killing megabreach could be on any machine in the workplace just waiting for an uninformed or distracted employee to activate it. The answer is in the H.R. department: cyber is a cultural issue. One of the norms of any properly functioning organization must be the propagation of a culture of cybersecurity. A growing trend in employment benefits is employee-paid or voluntary cyber awareness programs coupled with identity theft resolution and identity monitoring services.

The numbers are grim. Eighty percent of businesses expect to experience a data breach before the end of 2019, and more than half of small and mid-size businesses were breached last year (and that’s just the organizations that are aware something happened). Meanwhile, the cost of a breach keeps climbing steadily, especially when lost customers, fines, and lawsuits are added to the total.

It’s an all too common scenario: undersized and demoralized IT departments sprint from one crisis to another, while H.R. departments fail to grok that cyber vulnerabilities are an existential threat on par with a gas leak in the office breakroom. The overlap between workplace safety and cyber safety is significant–in fact they belong under the same rubric: Safety. At issue too often is the failure of an organization to identify cyber vulnerabilities and then deploy H.R. to train them into submission, thus minimizing the exposure.

The 3 Ms for Business

Minimize Your Risk of Exposure: Put resources into training your staff to recognize phishing scams and to practice good cyber hygiene. Vet contractors and vendors based on their security practices to minimize supply chain risk. Consider requiring employees to log in to a VPN (virtual private network), especially if they’re connecting to the company network remotely. It’s often the sloppiest of mistakes that give hackers access to your business. Training and sound cybersecurity policies can fill in the gaps where technology often fails.

Monitor Everything: Establish a policy at your business about transferring funds; in the era of deepfakes, it’s important to know who is likely to request access to money, and how it should be handled. Always double check by getting confirmation on the phone. All systems can introduce vulnerabilities, especially the introduction of new technology. Create a culture where employees know that if they see something, they will be rewarded for saying something. Cybersecurity is a team sport.

Manage the Damage: When it comes to a compromise of your company’s identity, honesty is the best policy. Own up to a data breach as quickly as possible (especially if you are subject to the GDPR’s 72 hour requirement), be transparent about lapses in security, and review any policies that allowed the compromise to occur in the first place. Jack Dorsey’s Twitter hack may have been embarrassing, but the company moved quickly to close the security loophole that allowed it to happen. Perhaps most important, have some empathy. Cyber-fails are scary. Remember, your news might be more traumatic for your customers or clients than it is for you, and act accordingly.

If safety isn’t the most exciting thing on earth, profitability is. Any company that doesn’t devote significant resources to keeping employees current on the cyber-front will at some point have to ditch productivity (and with it profits) while their most valuable resource–the humans working for them–recovers. Bear in mind that recovery can take a very un-sexy 100-200 hours.

The post In the Workplace, Safety Is Sexy. And It All Starts With Your HR Department appeared first on Adam Levin.

50 Best Hacking & Forensics Tools Included in Kali Linux

Welcome to HackingVision. In this article we will list the best 50 hacking & forensics tools that are included in Kali Linux, a Debian-based Linux distribution aimed at advanced penetration testing and security auditing. Kali contains ...

The post 50 Best Hacking & Forensics Tools Included in Kali Linux appeared first on HackingVision.

BriansClub Hacked Over 26 Million Credit and Debit Cards Leaked

BriansClub, an infamous underground website that sells stolen credit and debit cards, has been hacked, and over 26 million credit and debit card dumps have been leaked. Over a period of ...

The post BriansClub Hacked Over 26 Million Credit and Debit Cards Leaked appeared first on HackingVision.

Rated P for Private? It’s Time to Re-think Privacy

You probably know privacy is a thing of the past, that is unless you spend a lot of time digging for freshwater clams in marshlands of Loon Lake. Mark Zuckerberg said it years ago, but he thought it was a good thing. In the wake of the Equifax breach and Cambridge Analytica, the end of privacy is no longer scary. It’s neutral. We’ve reached a “Now What?” moment.

Is It the Algorithm or the Microphone?

We can all agree paranoia is bad for business, and there’s plenty to go around these days whether you’re on the marketing side of things, the breach side, or the consumer side.

With no expectation of privacy, we’ve become a little numb to the parade of stories–both reported by the media and anecdotal–of connected devices eavesdropping on us–serving ads for things mentioned in casual conversation. But we’re all online every day, and in the process leave a trail of cookie crumbs for marketers to find us. There’s no need for a hidden mic.

While many enjoy the convenience that facial recognition provides in retail micro-targeting products and services, others hate it. We’ve heard the cringe-worthy news about health apps sharing some of the more intimate details of our sex lives with Facebook, Google, and other third parties.

Some of us shrug it off. The convenience made possible by the forfeiture of privacy is worth it to them. For others, it is an unacceptable situation. This is unfortunate, because it’s not a situation. It’s the new norm, and none of it inspires a feeling of security.

A worried customer or client is a hesitant customer or client. So, how do you ease that tension? I would argue that, ironically, you can do this by creating a high information environment, where everyone can make informed decisions about how they want to interact with businesses and services.

Moving Right Along…

The need to protect privacy no longer needs an introduction. There’s plenty of legislation. New privacy laws in New York and Nevada go into effect in October, with California’s CCPA following in January 2020. Maine and Vermont have already enacted stronger laws to that effect, and many states are expected to follow.

There’s a big “but” here. Without the right solutions provider navigating privacy law can be prohibitively expensive for small to medium-sized companies. Add to that the possibility of compliance costs in a marketplace with many different laws, and we have a potential company killer on our hands. Google may be able to weather a $170 million fine for non-compliance without flinching; most of us can’t.

A Modest Proposal

Once upon a time, Hollywood was faced with a similar situation. In the beginning, there was no ratings system and it was a problem. There were many family-friendly films and then there were those that would make Mae West blush, but there was no way for the audience to know which was which. The result was an opportunity cost. Some people avoided the movies because they were perceived as scandalous.

Enter the Motion Picture Producers and Distributors of America (MPPDA and later MPAA), which set guidelines later formalized as the movie rating system still used today. It’s not a perfect system, but the benefits outweigh its flaws. First of all, it’s voluntary. The MPAA created an opt-in industry standard, avoiding the need for legislation. The gaming industry also rates its products.

Most importantly, it was end-user friendly. You don’t need to know anything about Rambo: Last Blood or Abominable to decide which is better for kids; one is Rated R and one is Rated G. A similar system might work for websites and apps.

Here’s a sketch of what that might look like:

P–Protected User: Data is either not collected or it is protected and in compliance with online standards such as the GDPR, CCPA, SHIELD, HIPAA, COPA or PIPEDA.

ND–Not Distributed: Personally identifying information is collected to personalize an experience (location, ad preferences, etc.) but it is not shared with third parties.

A–Anonymized: Non-identifying usage data is collected and shared with third parties. (Forget for the moment that there’s no such thing as anonymized data that can’t potentially be re-identified in today’s deep data environment).

S–Shared: User data is collected, shared, and/or sold to third parties. (Think: Naked in a glass house.)

If a collection of privacy and data use experts could get together on the creation of this rating system, privacy policies would no longer be so perilous.

Would it work? Online privacy is getting more complex with every new whizbang, regulation, law, court case, breach, compromise, and scandal. Any workable solution needs to counter that with a general approach that can be applied globally.

If this isn’t it, it’s time to figure out what is.

The post Rated P for Private? It’s Time to Re-think Privacy appeared first on Adam Levin.

Majority of Americans Fail Basic Cybersecurity Awareness

A newly released study from the Pew Research Center revealed most Americans are not aware of basic cybersecurity practices.

The study surveyed 4,272 American adults on a variety of technology-related issues and found that most of them struggled with basic cybersecurity concepts. Only 28 percent of respondents were familiar with two-factor authentication, and only 30 percent were aware that “https://” in a web address meant the connection was encrypted. Only 2 percent of those surveyed answered all ten questions correctly.

On privacy-related issues, the survey showed significant gaps in basic knowledge. Less than half of the subjects could correctly define privacy policies as “contracts between websites and users about how those sites will use their data,” and only 24 percent were aware that “private browsing” only hides online activities from other people using the same computer.

Adults with bachelor’s or advanced degrees tended to consistently score higher than those with high school educations or less. Respondents aged 18-29 also performed better than those above the age of 65, although the gap was smaller than that of the level of education achieved. 

The lack of awareness regarding https and two-factor authentication is perhaps most troubling, since there have been widespread efforts to encourage the use of https, and recently released data suggests two-factor authentication protects users against 99.9% of cyberattacks.

The findings of the study paint a bleak picture for cybersecurity in U.S. workplaces, where employee or contractor ignorance and negligence have consistently been one of the largest causes of data breaches for the last several years. 

See the Pew Research report here


The post Majority of Americans Fail Basic Cybersecurity Awareness appeared first on Adam Levin.

October is Cybersecurity Awareness Month – Third Certainty #5

October is Cybersecurity Awareness Month. For the fifth episode of Third Certainty, Adam Levin explains how viewers can protect themselves and their accounts by practicing the 3Ms:

  • Minimize Your Exposure
  • Monitor Your Accounts
  • Manage the Damage

The post October is Cybersecurity Awareness Month – Third Certainty #5 appeared first on Adam Levin.

FBI Warns of Cyber Attacks on Multi-Factor Authentication

The FBI is warning businesses about a new series of cyberattacks that can circumvent multi-factor authentication (MFA).

In a Private Industry Notification (PIN), the FBI warned businesses that “cyber actors” had been observed, “circumventing multi-factor authentication through common social engineering and technical attacks.” The report went on to describe several scenarios where hackers bypassed MFA protections, accessing target networks and stored data. The methods used were SIM swapping, phishing, and newer hacking tools such as Muraena and Necrobrowser.

Multi-factor authentication, where a user’s login and password are supplemented with a token, one-time access code, or other means of verification, is widely regarded as an effective baseline for enterprise cybersecurity; a recent study by Microsoft stated that, when deployed properly, it can block 99.9% of attacks on businesses.

While the FBI still recommends multi-factor authentication, calling it a “strong and effective security measure to protect online accounts,” the PIN suggests boosting their effectiveness via workplace training to identify social engineering scams such as email-based phishing links and phony websites, as well as implementing more sophisticated forms of authentication.

Read the PIN here.

The post FBI Warns of Cyber Attacks on Multi-Factor Authentication appeared first on Adam Levin.

Bringing Cybersecurity Home

October is Cybersecurity Awareness Month, reminding us that cyber-attacks know no boundaries between work and home, so we need to be diligent about cyber hygiene across all environments. With the abundance of connected devices we all depend on, protecting your digital footprint is no longer optional. But where do you learn what to do?

People who work for larger corporations may receive cyber information and training from their employer. For instance, at Cisco every employee gets basic cyber training and increasingly advanced training based on their role; we even share educational materials on applying best practices at home. But not all businesses have the resources to dedicate to such training. And in the home, most people have limited cyber knowledge at best, and only pay attention if or when they become victims of an attack.

To get you started, here are a few tips that will help you to “own IT, protect IT and secure IT” to stay safe online.

Recognize we are experiencing radical change. With our busy lives, we take technology for granted. But it’s important to realize that technology is changing society faster than any other advance in human history. Adults need to get smart about the implications and actively discuss “today’s digital reality” with their children. Just as you teach a toddler to avoid a hot stove, teach them from an early age about safe online practices.

Ask questions. When you acquire a new connected device, stop and ask where it came from. Who connects with it and/or captures data from it? For what purpose do they collect the data, and is that important to you? How do they protect your data and privacy? The more knowledgeable you become, the smarter your next questions will be.

Maintain your devices. Understand whether the device you’re buying has software that will need to be updated and patched as vulnerabilities are found and fixed. If so, make sure that gets done. Just like not replacing expired batteries in a smoke alarm, using outdated, unsecure software won’t keep you safe.

Secure and protect passwords. Make your passwords long and complex; change them regularly; don’t use the same password for multiple applications. Change default password settings on new devices. We all know multiple passwords can get cumbersome and hard to remember, so use a reputable password manager to keep track for you. Many businesses and institutions provide two-factor authentication (2FA) as an added step to protect your online identity and data. If it’s offered, use it.

Embrace technology, but be aware. If you were walking down a dark street in an unfamiliar city, you’d likely be more aware of who else is around you or may be following you. Treat the internet the same way. Being connected does not mean bad things will happen, but it pays to stay alert and understand best practices and how to apply them. For instance, don’t open email attachments if you’re not completely sure of the sender’s trustworthiness. Don’t click on emailed links that you haven’t asked for. “Stop, think before you click” to avoid the burden of what may come after a malicious attack.

Remember data privacy. While security and privacy are different, they’re definitely related. When you’re watching for online threats, also remember that nothing online is really ‘free’ – you’re most likely giving up something (data) to get a “free” service or app. Ask: is the intrinsic value of the “free” thing worth it? When you download an app or sign up for a new service that collects your data, choose carefully what sharing you allow. And remember, when you put personal information online, it stays around for a long time and may come back to you in unexpected, and unwelcome, ways.

It’s time to bring cybersecurity into the greater social consciousness and constructive discussions about changing norms. As new capabilities keep coming to market faster, we should and can have the right social adaptation to embrace technology safely.



Additional Resources

Tips to help improve your cyber-hygiene (Infographic)

Trust.cisco.com


Google Allegedly Used Deceptive Tactics for Facial Recognition

A Google-funded facial recognition project used deceitful methods to get people to agree to have their faces scanned.

According to a Daily News report, contractors working for Google through an external company were instructed to target dark-skinned people, college students, and the homeless to amass data for the company’s smartphone facial recognition technology. 

The contractors were allegedly instructed by a Netherlands-based staffing company called Randstad to use misleading or deceptive practices to get their subjects to agree to have their faces scanned in exchange for $5 gift cards.

“We were told not to tell (people) that it was video, even though it would say on the screen that a video was taken,” one contractor told the Daily News. 

“It was a lot of basically sensory overloading the person into getting it done as quickly as possible and distracting them as much as possible so they didn’t even really have time to realize what was going on,” another contractor said.

Another contractor spoke of being deployed to Atlanta and to the BET Awards in Los Angeles to specifically target African-Americans. 

A spokesperson for Google defended the initiative as being critical to have a “diverse sample, which is an important part of building an inclusive product.” 

Other reports have described contractors misleading potential subjects as to the use and the retention of the data itself. While Google was initially quoted as saying the facial scans would be held for 18 months, a photo obtained by the Daily News shows a significantly more open-ended agreement:

“Research Data will be retained for as long as needed to fulfill the Purposes, which is expected to be about 5 years, but it may be as long as necessary for the Purposes due to the extended time needed for collection analysis, or other logistical considerations…. There is no limit to how long or in what manner Google may retain, use or share the Aggregate Data,” says the official consent agreement for the project.

Several students reported contractors approaching them for facial scans under the guise of college students.

“They said they wanted us to test out a new phone, an Android. I put in my email. My guy told me to do it all really quick. He kept saying, ‘Hit next and upload. Next and upload.’ I thought they were students. We’re new here and trying to make friends,” said a college freshman.

“They said it was a survey and we thought they were students. I don’t think I even realized there was a consent form,” said another student.

Google’s stated purpose for the data is for a facial recognition-based security measure for its upcoming Pixel 4 smartphone, but it has also pursued facial recognition technology in several other product lines and initiatives. 

The post Google Allegedly Used Deceptive Tactics for Facial Recognition appeared first on Adam Levin.

This Common Mistake You May Be Making Right Now Exposed an Entire Nation to Identity Theft

A routine data project revealed that the personally identifying information of the entire nation of Ecuador might be online for all to see–just like, potentially, your data.

The information included records belonging to deceased citizens and more than 7 million minors. It was discovered by researchers from the security firm vpnMentor while conducting “a wide-scale Web mapping project.”

According to vpnMentor’s report, the ongoing project made the discovery possible by scanning ports “to find known IP blocks.” It then searches for “vulnerabilities in the system that would indicate an open database.” When a compromise is discovered, the company then traces the data back to its source and delivers the bad news.

While the full extent of the damage done here is not clear, it sure sounds like a potentially Titanic-meets-iceberg level event.

What We (and the Bad Guys May) Know

The extremely granular personal information of more than 20 million people was exposed. Ecuador’s population is 16.5 million, which means nearly 4 million of the individuals affected may be deceased.

The data included personal and corporate tax ID numbers and bank account information–including current balance in the account, amounts financed, credit types, and the location of a bank branch used by an individual. The same information about family members was also available, as well as how people in the data set were related to each other.

All the essential information needed for account authentication and/or takeover was there, too. A short list of the available data included full name (first, middle, last); gender; date and place of birth; home and work addresses; email addresses; home, work, and cell phone numbers; marital status; date of marriage (where applicable); date of death (where applicable); and the highest level of education achieved.

WikiLeaks founder Julian Assange was even in there, Ecuador’s most famous asylum seeker.

Describing itself as an organization of ethical hackers, vpnMentor said in its statement about the discovery that it never sells, stores, or exposes compromised information, but rather uses the existence of a compromise or leak as a teachable moment.

Teachable Moments Are Expensive

Sponsored by IBM Security and independently conducted by the Ponemon Institute, the 13th-annual Cost of Data Breach Study found that the average per-record cost of a breach was $148 last year. That would put the cost of this compromise at nearly $3 billion.

So, what can we learn from this data debacle? The compromise was caused by–wait for it–a third-party vendor. According to CNN, the breach was found on an unsecured server in Miami, which appeared to be owned by an Ecuadorian consulting and analytics company called Novaestrat. While it remains unclear as to how Novaestrat gained access to the government database, it is presumed that someone currently, or formerly, in the Ecuadorian government handed over the data–no matter the reason–and in the process potentially exposed it to criminals around the world.

The first takeaway should be that you are only as secure as your least secure vendor and/or collaborator. In the realm of cyber-liability, that and three bucks will get you a cup of coffee to sip while you wait for the submarine to the unemployment line at the bottom of Loon Lake.

This sort of mistake keeps happening because people continue to doubt the persistent and pervasive threats we face in the business community and beyond.

It matters because the information exposed in this incident was sufficient for a competent identity thief to commit every imaginable identity-related crime. There’s gold and endless liability in them thar hills of data.

What You Can Do

Practice the 3Ms.

Minimize your exposure: Vet your vendors! Foster a culture where everyone from the mailroom to the boardroom is invested in privacy and data security. Train your employees from their first day and have an ongoing discussion about best security practices. Create a map of information access, and make sure your most sensitive data is only available to those who need to have access and practice proper cybersecurity protocols to keep the data safe. Have a sensible BYOD (Bring Your Own Device) policy, and remind employees about the importance of installing updates on connected devices. Hire a chief information security officer–never leave your security solely to the IT department.

Monitor your networks and your assets: Make sure regular assessments are conducted on the security of all your data assets–and don’t wait for a call from a “white hat” hacker.

Manage the damage: How an organization responds to a breach or compromise is a defining moment. It is crucial that you act urgently, transparently, and empathetically. In order to avoid an extinction-level event, have a robust incident response plan. Have a media plan, and consider putting a crisis management firm on retainer. Game various scenarios and have a team in place to help your clients, as well as both in-house and third-party experts who understand the timing and notification requirements in each state for various regulators, law enforcement officials, insurance companies, employees, and customers. Can your company really afford to roll the dice on cybersecurity?

The post This Common Mistake You May Be Making Right Now Exposed an Entire Nation to Identity Theft appeared first on Adam Levin.

Hacker Claims to Have Compromised 200 Million Words with Friends Accounts

The hacker allegedly behind the Collection #1 and Collection #2 data breaches has claimed responsibility for the compromise of more than 200 million users of a popular iOS and Android gaming app.

Online cybersecurity site the Hacker News reported earlier this week that Pakistani hacker Gnosticplayers had gained access to the player database of Zynga’s Scrabble clone called Words with Friends, and the personal information of 218 million users.

Gnosticplayers shared a data sample that included user names, email addresses, logins, passwords, phone numbers, Facebook IDs, and Zynga account IDs.

Zynga released a statement saying only that “certain player account information may have been illegally accessed by outside hackers.” But since that announcement on September 12, it has declined to comment further.

The Collection #1 and Collection #2 hacks made the information of 747 million stolen accounts from over 20 websites available on the dark web earlier in 2019.

Words with Friends users should update their passwords and practice good cyber-hygiene, including not re-using passwords, and checking online services like haveibeenpwned.com to determine if any of their other accounts have been affected.

The post Hacker Claims to Have Compromised 200 Million Words with Friends Accounts appeared first on Adam Levin.

Learn Kali Linux The Easy Way Getting Started With Kali Linux

Welcome to HackingVision. You have installed Kali Linux and you’re wondering how to use some of the popular and powerful tools included in the Kali Linux operating system. Don’t worry, we have put together some tips and tutorials to help you ...

The post Learn Kali Linux The Easy Way Getting Started With Kali Linux appeared first on HackingVision.

It’s Google’s World. Your Business Is Just Living in It

Fifty attorneys general announced earlier this month that Google is the target of an antitrust probe. Any business owner who has happened to find themselves stuck in the company’s orbit–that would be any company with a digital presence–won’t hesitate to tell you such a move is long overdue.

Case in point: I just did a Google search for Basecamp, an online project management tool. The first two hits were for different companies–Smartsheet and Monday.com. Not too long ago, the same search resulted in a first hit featuring Basecamp, but it was an ad. The copy: “We don’t want to run this ad.”

“We’re the #1 result,” Basecamp’s ad copy continued, “but this site lets companies advertise against us using our brand. So here we are. A small, independent co. forced to pay ransom to a giant tech company.”

Basecamp founder and CEO Jason Fried doubled down on this sentiment on his Twitter feed, stating “[Y]ou’re forced to pay up if you want to be found. It’s a shakedown. It’s ransom.”

An Offer Businesses Can’t Refuse

Fried is by no means alone. Any business with an online presence has at one time or another played by Google’s rules to stay competitive. For most, it’s a daily reality. The reason is simple. Most businesses need websites, and websites need to follow Google’s best practices to be found in online searches, terms Google can force because it currently has 92 percent worldwide market share on search.

Google can make drastic changes to these best practices that have effectively buried companies overnight. A business that finds itself out of Google’s good graces, or in the case of Basecamp, finds itself nestled one or two slots beneath competitor ads in search results, would need to create a paid campaign via Google Ads (38.2 percent of the online advertising market) and pay to show up in search results.

A business with a physical location that wants to show up in local search results needs to create an account for Google My Business, so it can show up in Google Maps (which accounts for 67 percent of navigation app usage), but also needs to keep an eye on Google Reviews left on its business listing. The performance of ads, search traffic, and app usage can all be tracked via Google Analytics (over 70 percent of the analytics market), which provides business owners (and Google, of course) detailed information about who’s visiting their websites or using their apps. Most of these users will be using Google’s Chrome web browser (64 percent of users worldwide), on a device running Android (76 percent of mobile users worldwide), which was, of course, developed by Google.

Per Bob Dylan, “It doesn’t take a weatherman to tell which way the wind blows.” It would seem that Google has a monopoly, but that’s for the court to decide. On the face of it, it’s not necessarily bad news; anyone who remembers the days of phone books, mail order catalogs, and paper maps is most likely glad for the convenience of the services Google provides–businesses and consumers alike.

What’s problematic is the necessity of it all. It’s all but impossible for a business to opt out of Google’s services. Even taco trucks have websites. It’s equally difficult for us as consumers to opt out entirely, although alternatives (e.g., iOS, Apple Maps, and Bing) do exist. The fact is that businesses and industries that don’t in some way rely on at least one of Google’s services to be discovered are few and far between.

Our Data Is Valuable

However much value our data has, the fact remains that Google charges us to share it with Google. Nice work if you can get it, right?

When companies use Google’s services to make themselves known to the world, they have to share data on themselves, and also on their customers and clients. Every search query leading to a site, every ad click, every map search, and every visit tracked by analytics is actively helping Google build its library of information on as many people as possible–even people who have never actually used the internet.

As Google continues to expand its services, its ecosystem is oozing into businesses that have no choice but to pony up and participate or be lost in cyberspace. The evolution thus far points to the possibility of increasingly Orwellian methods in the realm of advertising and data collection.

What do I mean by Orwellian? Google Home and Nest products are aggressively moving into the field of facial recognition, and, of course, the company is thus far characteristically coy about the intended uses for the data thus collected.

“We can never say never,” said Google’s general manager of Home and Nest products when asked if data from face scanning would be used to target consumers for advertising. He added that it is not being used for that purpose now.

It’s far too soon to tell how the antitrust probe of Google will turn out, and it’s guaranteed to take a long time to play out. One thing is certain: The stakes are just as high, if not higher, for businesses as they are for consumers, and we all would be better served were we not being served by Google’s tentacular array of services.

The post It’s Google’s World. Your Business Is Just Living in It appeared first on Adam Levin.

5G and IoT: How to Approach the Security Implications

Experts from Nokia, iboss and Sectigo talk 5G mobile security for internet of things (IoT) devices in this webinar YouTube video (transcript included).

EU Court Limits “The Right to Be Forgotten”

The European Court of Justice ruled that the E.U.’s “right to be forgotten” privacy law only applies within the borders of its member states.

“Currently, there is no obligation under E.U. law, for a search engine operator who grants a request for de-referencing made by a data subject… to carry out such a de-referencing on all the versions of its search engine,” stated the ruling.

The court’s decision stemmed from a legal battle between online search giant Google and French privacy regulator CNIL. CNIL had called for Google to remove any references containing potentially damaging or libelous information worldwide, and attempted to impose a €100,000 fine for non-compliance.

This is the first major court decision to challenge the “right to be forgotten” online since it became effective in 2014. The right, also called the “right to erasure,” grants E.U. citizens the ability to have data collected about them deleted. Google reports that it has received over 840,000 such requests, and has removed 45% of the referenced links.

“Courts or data regulators in the U.K., France or Germany should not be able to determine the search results that internet users in America, India or Argentina get to see,” said the executive director of privacy group Article 19 in a statement.


The post EU Court Limits “The Right to Be Forgotten” appeared first on Adam Levin.

Malicious Browser Push Notifications – HackingVision

Browser Push Notifications: Push notifications are small permission-based notification messages that notify users of new messages or updated content and have the ability to reach large audiences anywhere at any time. Desktop notifications are visual notifications that appear on your screen alerting you to new messages from visitors in an ...

The post Malicious Browser Push Notifications – HackingVision appeared first on HackingVision.

WanaCry Ransomware still a threat two years on – HackingVision

Widely infamous WanaCry Ransomware is still a threat two years on. WanaCry Ransomware and the EternalBlue exploit are still causing problems two years on. In May of 2017 the cryptoworm ransomware WanaCry started to target systems worldwide; the ransomware was targeting computers and devices ...

The post WanaCry Ransomware still a threat two years on – HackingVision appeared first on HackingVision.

Court Rules in Favor of Mining LinkedIn User Data

A federal appellate court ruled that mining and aggregating user data publicly posted to social media sites is allowable by law.

In an opinion released earlier this month, the 9th Circuit U.S. Court of Appeals upheld an injunction against employment-centric social network LinkedIn from blocking access to hiQ, a data mining company that sells aggregated user information.

LinkedIn sent a cease-and-desist letter to hiQ in 2017 requesting that the company stop accessing and copying data from its servers. The letter warned hiQ that further aggregation activity would violate state and federal laws, including the Computer Fraud and Abuse Act (CFAA), the Digital Millennium Copyright Act (DMCA), California Penal Code § 502(c), and the California common law of trespass. HiQ responded with a suit against LinkedIn and requested a temporary restraining order against them, which was granted by the district court and upheld by the 9th Circuit.

While the court’s ruling was a response to the potential for “irreparable harm” to hiQ caused by depriving them of access to data, the decision as it pertains to the collection and dissemination of data could have major implications for online privacy:

“[T]here is little evidence that LinkedIn users who choose to make their profiles public actually maintain an expectation of privacy with respect to the information that they post publicly, and it is doubtful that they do,” stated the court’s opinion. 

The opinion went on to assert that the CFAA didn’t apply to hiQ, since “the CFAA’s prohibition on accessing a computer ‘without authorization’ is violated when a person circumvents a computer’s generally applicable rules regarding access permissions, such as username and password requirements, to gain access to a computer.”

As things stand now with this legal battle, information displayed publicly on a website is fair game for third parties seeking to aggregate their user data, regardless of whether their activities conflict with a web service’s user license agreement or the wishes of their users. It also limits the definition of “unauthorized access” to content protected behind a password or some other means of authorization. 

It is unclear how this ruling would apply in states with more stringent privacy requirements, or how it impacts data accidentally exposed to the public because of poor cybersecurity or human error, but the case does raise several questions about the ownership of and access to user data. 

The post Court Rules in Favor of Mining LinkedIn User Data appeared first on Adam Levin.

Companies Can Have Their Identities Stolen, Too. Here’s What to Do About It.

When Twitter CEO Jack Dorsey’s account was hacked for roughly 20 minutes, we all got a glimpse of corporate identity theft, and why it matters. While the takeover was by no means a major cyberevent (and the account was quickly recovered), the fact remained that the CEO of a major company lost control of his account on a service that he literally controls.

Around the same time, an Instagram phishing scheme was circulating where users were prompted via a spoofed Instagram email to enter their logins and passwords after they were sent a two-factor authentication code. Instead of logging into their actual Facebook-hosted accounts, they found themselves on a replica of a legit Instagram page hosted in the Central African Republic. It was exactly the kind of attack that makes hacks like the one perpetrated against Jack Dorsey possible, and, more to the point, it’s why they happen literally every day.

Need more evidence? How about the unnamed CEO who was recently scammed to the tune of a couple hundred thousand dollars thanks to an audio deepfake that convincingly mimicked the voice of his boss–the CEO of a parent company–including the most subtle nuances of his German accent. The money was wired to Hungary, quickly transferred to Mexico and then dispersed amongst an untraceable number of other accounts. 

Getting hacked is a fact of life, right up there with death and taxes. If you think you’re somehow above this third certainty in life, you’re all the more imperilled.  

I could provide countless other examples, but they all boil down to a lesson that businesses are learning the hard way and what their customers already know: it’s easier to fall prey to identity theft than it is to prevent it. 

The Goals of Business Identity Theft

If stealing an individual’s identity is lucrative, stealing a company’s identity can be the motherlode. Even a midsized company often has in its possession the data of thousands of customers, contacts, and contractors; a single official-looking email can open the door to innumerable types of fraud, both internally and externally.

The attack doesn’t need to focus directly on monetary prizes: the hijacking of Twitter’s CEO’s account garnered a lot of the wrong kind of publicity–and there is such a thing as bad publicity. In the hacking world, the prestige of making Jack Dorsey look foolish for twenty minutes most likely exceeds an anonymous hack of 100,000 accounts. Reputation is a powerful currency, and compromising the leadership of any company with an online presence represents a potent boost. 

Consider what would happen were someone to hire that hacker to compromise a more important account–for argument’s sake, President Trump’s account. That control could actually affect world markets. The same could be said for hacks of any major leader in the public or private sectors. There is a huge financial upside to such hacking. It is crucial to bear this in mind at every moment of the day, and behave accordingly.

That said, data leaks, account takeovers and breaches start to look positively quaint in light of the potential sabotage represented by deepfakes. 

People wire money on the basis of a phone call all the time. The harm caused by a phony corporate communication to shareholders or the general public could represent a catastrophic loss of money and confidence. Erratic behavior in the C-Suite can tank stock prices (just ask Elon Musk), and even crudely faked videos have gone viral (just ask Nancy Pelosi or Mark Zuckerberg). 

We’ll be seeing deliberate attempts to damage the reputations of businesses and their leadership as deepfake technology becomes more ubiquitous, and with that in mind it’s time to level up. 

What Businesses Can Do:

My advice for businesses faced with having their identities hijacked is similar to my advice for individuals–practice The Three Ms.

Minimize Your Risk of Exposure: Put resources into training your staff to recognize phishing scams and to practice good cyber hygiene. Vet contractors and vendors based on their security practices to minimize supply chain risk. Consider requiring employees to log in to a VPN (virtual private network), especially if they’re connecting to the company network remotely. It’s often the sloppiest of mistakes that give hackers access to your business. Training and sound cybersecurity policies can fill in the gaps where technology often fails. 

Monitor Everything: Establish a policy at your business about transferring funds; in the era of deepfakes, it’s important to know who is likely to request access to money, and how it should be handled. Always double check by getting confirmation on the phone. All systems can introduce vulnerabilities, especially the introduction of new technology. Create a culture where employees know that if they see something, they will be rewarded for saying something. Cybersecurity is a team sport. 

Manage the Damage: When it comes to a compromise of your company’s identity, honesty is the best policy. Own up to a data breach as quickly as possible (especially if you are subject to the GDPR’s 72-hour requirement), be transparent about lapses in security, and review any policies that allowed the compromise to occur in the first place. Jack Dorsey’s Twitter hack may have been embarrassing, but the company moved quickly to close the security loophole that allowed it to happen. Perhaps most important, have some empathy. Cyber-fails are scary. Remember, your news might be more traumatic for your customers or clients than it is for you, and act accordingly.


The post Companies Can Have Their Identities Stolen, Too. Here’s What to Do About It. appeared first on Adam Levin.

New Nevada Privacy Regulation Goes Into Effect Oct. 1

New provisions to Nevada’s online privacy law will be effective on October 1, 2019.

Nevada Senate Bill 220, signed into law earlier this year, will require operators of websites and online services to allow consumers within the state to opt out of the sale of their personal data. Online businesses will be expected to provide a designated means of communication through which consumers can request that their data not be sold and will need to respond within 60 days of receiving that request.

Exemptions include entities covered by the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA), as well as automobile manufacturers and mechanics that meet specific requirements.

SB 220 is considerably narrower in its scope than California’s Consumer Privacy Act (CCPA), which will be effective January 1, 2020. The Nevada law doesn’t require businesses to include an opt-out feature on a website’s homepage, applies only to data collected via online form, and doesn’t establish a private right of action for consumers. 

The CCPA also broadly defines “consumers” as residents of, and households within the state of California, whereas SB 220 more specifically applies to “a person who seeks, or acquires, by purchase or lease, any good, service, money, or credit for personal, family, or household purposes from the Internet website or online service of an operator.”

In the absence of federal regulations, at least eight other states are currently expected to pass similar laws to Nevada and California addressing consumer data privacy. 

The post New Nevada Privacy Regulation Goes Into Effect Oct. 1 appeared first on Adam Levin.

Public WiFi Networks: Potential risks and how to work around them

Public WiFi Networks: Chances are that most people get excited when they see their device prompting to connect to public Wi-Fi when they visit a common area like a restaurant, cafe, an airport or even certain ...

The post Public WiFi Networks: Potential risks and how to work around them appeared first on HackingVision.

New Breach Exposes an Entire Nation: Living and the Dead

A misconfigured database has exposed the personal data of nearly every Ecuadorian citizen, including 6.7 million children.

The database was discovered by vpnMentor and was traced back to Ecuadorian company Novaestra. It contained 20.8 million records, well over the country’s current population of 16 million. The data included official government ID numbers, phone numbers, family records, birthdates, death dates (where applicable), marriage dates, education histories, and work records.

“One of the most concerning parts about this data breach is that it includes detailed information about people’s family members,” stated a blog from vpnMentor announcing the discovery of the leak. “Most concerningly, the leaked data seems to include national identification numbers and unique taxpayer numbers. This puts people at risk of identity theft and financial fraud.”

The leaked data also included financial information for individuals and businesses including bank account status, account balance, credit type, job details, car models, and car license plates.

“The information in both indexes would be as valuable as gold in the hands of criminal gangs,” wrote ZDNet reporter Catalin Cimpanu. “Crooks would be able to target the country’s most wealthy citizens (based on their financial records) and steal expensive cars (having access to car owners’ home addresses and license plate numbers).” 

The exposed database was on a server running Elasticsearch, a software program that enables users to query large amounts of data. Elasticsearch has been involved in several high-profile data leaks, mostly due to configuration mistakes. Other recent Elasticsearch leaks included a Canadian data mining firm’s records for 57 million US citizens, a medical database storing the data on 85 percent of Panamanian citizens, and a provincial Chinese government database that contained 90 million personal and business records.

The post New Breach Exposes an Entire Nation: Living and the Dead appeared first on Adam Levin.

Prediction: 2020 election is set to be hacked, if we don’t act fast

Since 1993, hackers have traveled to Las Vegas from around the world to demonstrate their skills at DefCon’s annual convention, and every year new horrors of cyber-insecurity are revealed as they wield their craft. Last year, for example, an eleven-year-old boy changed the election results on a replica of the Florida state election website in under ten minutes.

This year was no exception. Participants revealed all sorts of clever attacks and pathetic vulnerabilities. One hack allowed a convention attendee to commandeer control of an iPhone with a non-Apple-issue charging cord, one that is identical to the Apple version. Another group figured out how to use a Netflix account to steal banking information. But for our purposes, let’s focus on election security because without it democracy is imperiled. And if you think about it, what are the odds of something like DefCon being permitted in the People’s Republic of China?

Speaking of China (or Russia or North Korea or Iran or…) will the 2020 election be hacked?

In a word: Yes.

In 2016 Russia targeted election systems in all 50 states.

A CNN article about DefCon’s now annual Voting Village, described the overall problem: Many election officials and key players in the election business are not sufficiently worried to anticipate, recognize and meet the challenges ahead.

While many organizations welcome the hijinks of DefCon participants — including the Pentagon — the voting machine manufacturers don’t generally seem eager to have hackers of any stripe show them where they are vulnerable… and that should worry you.

DefCon participants are instructed to break things, and they do just that. This year, Senator Ron Wyden (D-Ore.) toured DefCon’s Voting Village and he left with these words: “We need paper ballots, guys.”

Was the Senator right? It’s the easiest solution, but not the only one. Because election machines are thus far preeminently breakable, we still need audited paper trails.

Paper trails are mission critical

After railing against previous findings of DefCon participants, Election Systems and Software (ES&S) CEO Tom Burt reversed his position in a Roll Call op-ed that called for paper records and mandatory machine testing in order to secure e-voting systems. It’s a welcome move as far as cybersecurity experts are concerned.

After a midterm election featuring irregularities in Georgia, North Carolina and other smaller hacks, and warnings from the likes of Special Prosecutor Robert Mueller, there has been no meaningful action nationwide when it comes to election security, while the specter of serious interference remains. Senate Majority Leader Mitch McConnell (R-Ky.) has steadfastly refused to allow even bipartisan election security legislation to come to the floor for a vote, much less a debate, and for that reason he and the Republican party are blameworthy for placing politics above protecting our most cherished democratic right.

While the news is on overheated cycles covering every tweet, or sound bite, uttered by President Trump, critical issues like cybersecurity are not being addressed, and this matters — given recent DefCon news of election machines connected to the internet when they shouldn’t be, and the persistent threat of state-sponsored attacks on our democracy.

Think DARPA’s $10 million un-hackable election machine proves all is well? Not quite. Bugs during the setup of the DARPA wonder machine meant that DefCon’s participants didn’t have enough time to properly break the thing. In the absence of definitive proof to the contrary, we have to assume it can be hacked.

What Now?

Instead of discussing the nation’s Voter ID laws, we need to focus on securing the vote.

It is a well-established fact that Russia attempted to interfere in the 2016 election in all 50 states, and Israel — an ally of the president — recently disclosed that the Russian government identified President Trump as the candidate most likely to benefit Russia, and used cyberbots to help him win. The fact that President Trump won the election on the strength of just 80,000 votes spread across three key swing states shows how important it is to address the issue. We’re not talking about a blunderbuss approach to hacking the election here. Plausible outcomes can be constructed. It’s been known to happen before.

Some experts think it may soon be too late to secure 2020 against the threat of state-sponsored hacks. I do not. But I think the time to delay to score political points has passed, and now is the time for action.

The post Prediction: 2020 election is set to be hacked, if we don’t act fast appeared first on Adam Levin.

More than 50 U.S. Businesses Call For Federal Privacy Law

Fifty-one CEOs representing U.S.-based businesses sent an open letter to Congress requesting a comprehensive federal consumer privacy law.

Signed by the CEOs of AT&T, Comcast, General Motors, Mastercard, and Wal-Mart, among others, the letter requested “a comprehensive consumer data privacy law that strengthens protections for consumers and establishes a national privacy framework to enable continued innovation and growth in the digital economy.”

The cosignatories of the letter are members of the Business Roundtable, an association of executives focused on “working to promote a thriving U.S. economy… through sound public policy.”

Attached to the letter was a proposal for a consumer policy framework that encompasses the need for federal legislation to override state privacy laws, a definition of personal data, the creation of a federal standard for data breach notifications, and the assignment of primary enforcement responsibilities to the FTC. The framework also calls for “no private right of action,” meaning that consumers would be unable to bring lawsuits for violations of the law. 

While the Business Roundtable requests a more uniform law to “ensure that consumers are not faced with confusion about their rights and protections based on a patchwork of inconsistent state laws,” many critics suggest that the ulterior motive is to pass a weaker set of privacy protections to supersede more stringent state laws currently in place in Maine and California.

The post More than 50 U.S. Businesses Call For Federal Privacy Law appeared first on Adam Levin.

Rogue Toolkit – Extensible toolkit providing easy-to-deploy Access Points

Rogue Toolkit: An extensible toolkit providing penetration testers an easy-to-use platform to deploy Access Points during penetration testing and red team engagements. The Rogue Toolkit is an extensible toolkit aimed at providing penetration testers an easy-to-use platform to deploy software-defined Access Points (AP) for the purpose ...

The post Rogue Toolkit – Extensible toolkit providing easy-to-deploy Access Points appeared first on HackingVision.

How I Learned to Stop Worrying and Love Vendor Risk

Insider risk, supply chain vulnerability and vendor risk all boil down to the same thing: the more people have access to your data, the more vulnerable it is to being leaked or breached.

This summer brought an interesting twist to that straightforward situation: Can data leaked by an employee or a contractor be a good thing?

In July, a Belgian contractor who had been hired to transcribe Google Home recordings shared several of them with news outlet VRT. The leak revealed that customers were being recorded without their consent, often after unintentionally triggering their devices. Google’s response was immediate. They went after the contractor. (Never mind that they were doing something that they had denied. The leaked recordings were for research!!!)

“Our Security and Privacy Response teams have been activated on this issue, are investigating, and we will take action. We are conducting a full review of our safeguards in this space to prevent misconduct like this from happening again,” the company said in a press release.

Translation: We’re not sorry we got caught doing whatever we want, but we are sorry we hired the wrong vendor and will try not to do that again.

An Apple contractor shared a similar story with the Guardian a short time later. Recordings taken from the company’s audio assistant Siri were also being transcribed by third-party contractors. This time the news was worse. The company’s watch was consistently recording users without any explicit prompting. Weeks later, a contractor for Microsoft went to Vice with what at this point had become a familiar story, this time in connection with both Skype and Cortana.

Whistleblower or Data Leak?

The typical narrative is that someone with inside knowledge of a company or its technology is able to exploit it to some sort of ill purpose. The accused hacker behind the recent Capital One data breach had previously worked for Amazon Web Services and was able to exploit her knowledge of a common firewall misconfiguration to steal customer data: more than 100 million records. Anthem and Boeing similarly suffered large-scale breaches perpetrated by insiders.

What makes the rash of recent data leaks noteworthy is that external contractors had access to data that they didn’t think they should have, and they did something about it. In each case, the leaked data in question was passed along to press outlets for the express purpose of protecting customer data. And it worked, at least in the short term. Apple and Google suspended their use of human transcribers, and Microsoft has made their privacy policy more explicit.

HR or IT?

What’s interesting here (other than the revelation that just about every major IoT speech-recognition product on the market has been spying on us without telling us) is what it reveals about insider risk.

It seems increasingly apparent that risk has as much to do with a company’s HR department as it does its cybersecurity policy. A single disgruntled employee with an axe to grind is a familiar scenario, and one that can be mitigated through careful data management, but widespread unhappiness with a company’s ethical practices is significantly more difficult to manage. It brings to mind that semi-old adage and now-defunct Google company motto: Don’t be evil. Or rather, be nicer to make yourself less of a target.

Google has had to contend with internal protests ranging from its involvement with Chinese censorship to its work with U.S. border and immigration agencies. Both Amazon and Microsoft experienced similar unrest among employees for their contracts with ICE. While none of these have led to large-scale data breaches yet, knowing that there are potentially thousands of employees and contractors with access to sensitive information and a motive to leak, it is a matter of serious concern.

The new law of the cyber jungle: Widespread disapproval exponentially increases one’s attackable surface.

While employee whistleblowers are nothing new (just ask Enron or Big Tobacco), it’s semi-terra incognita in our era of massive data breaches. We’re used to thinking of any kind of data breach and any kind of data leak as being a bad thing, and it usually is. But there is a grey area when companies are not playing by the rules in an environment where people are highly motivated to call them out for bad behavior.

What’s the Takeaway?

From a strictly technical perspective, even a well-intentioned data leak has the unfortunate side effect of showing where in the supply chain companies are most vulnerable. If hackers weren’t aware that organizations were entrusting intimate customer data to external contractors, they most certainly know it now.

The post How I Learned to Stop Worrying and Love Vendor Risk appeared first on Adam Levin.

More than 50% of Canadians Affected by Data Breaches

19 million Canadians are estimated to have been affected by data breaches between late 2018 and 2019, slightly more than half the population of the country. 

The figures were released by the Office of the Privacy Commissioner of Canada, which has been receiving breach reports since mandatory breach reporting under the Personal Information Protection and Electronic Documents Act (PIPEDA) took effect on November 1, 2018. Reports have nearly sextupled since the requirement went into effect, with 446 incidents reported between November 2018 and June 2019.

One notable exception to the PIPEDA reporting requirements is Canadian political parties, which are not required to report data breaches, and often compile large amounts of data on voters. 

Hacking or “internal bad actors” account for the majority of the data breaches reported, with unintentional data leaks and the loss or theft of equipment comprising the bulk of the remainder.

Read more here.

The post More than 50% of Canadians Affected by Data Breaches appeared first on Adam Levin.

Seeker – Accurately Locate Smartphones using Social Engineering

Seeker comes preinstalled in BlackArch Linux. If you are using Kali Linux, Parrot OS or another Linux based distribution see install information below. Seeker is developed by thewhiteh4t. Seeker is a Proof of Concept and is for Educational Purposes Only, Seeker shows what data ...

The post Seeker – Accurately Locate Smartphones using Social Engineering appeared first on HackingVision.

Expect More Spam Calls and SIM-Card Scams: 400 Million Phone Numbers Exposed

As much as I love this one friend of mine, nothing is private when we’re together. You probably have a friend like this. The relationship is really great so you stay friends despite all, but this particular friend simply cannot know something about you without sharing it with others no matter how hard you try to get them to understand it’s totally uncool. 

Facebook Is an Open Book

They did it again this week with news that 419 million records, including phone numbers and user IDs, were scraped from Facebook and stored in a database that was just sitting online accessible to anyone who might like to peruse it. More than 130 million of those compromised by the discovery were American users. Another 18 million were UK users. A whopping 50 million hailed from Vietnam. 

Facebook later claimed about half that number were affected, or 220 million records. 

The information is at least a year old, which was when Facebook stopped allowing developers to have user phone numbers. So, we can call this a Facebook privacy facepalm legacy attack. It’s a sad state of Facebook privacy news fatigue that the urge is so strong to create privacy fail sub-categories—but there you have it. Introducing the legacy fail. 

Why It Matters

Some of the information out there is granular enough to enable a variety of scams, but the most serious is the SIM-swap scam, in which a criminal armed with enough information about you, most crucially your phone number, convinces your carrier to move your number to a SIM in the criminal's possession.

Once the number has been transferred, every call and text meant for you reaches the criminal instead. That means control of any account that verifies you by your phone number (many financial institutions do) and of any account protected by SMS-based two-factor authentication. An authenticator app or a hardware security key is not affected by the swap, because the secret it uses never passes through the carrier, which is why either one is the better second factor. It is believed this was the method used in the recent hijacking of Twitter CEO Jack Dorsey's Twitter account.
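As an added example (not part of the original post), here is a small Python model of the difference described above. A toy carrier maps a phone number to whichever device currently holds it, a toy bank offers either an SMS code or an authenticator-app (RFC 6238 TOTP) second factor, and the attacker has already had the victim's number ported. The carrier, bank, user name and phone number are all hypothetical; the TOTP secret is the RFC 6238 test-vector secret so the code can be checked against the published vectors.

```python
import hashlib
import hmac
import secrets
import struct


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30-second step by default)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class Carrier:
    """Hypothetical carrier: each phone number routes to exactly one device's inbox."""

    def __init__(self):
        self.routes = {}   # phone number -> device name
        self.inboxes = {}  # device name -> list of SMS texts received

    def activate(self, number: str, device: str) -> None:
        # Activating a number on a new SIM silently moves it off the old one.
        self.routes[number] = device
        self.inboxes.setdefault(device, [])

    def send_sms(self, number: str, text: str) -> None:
        self.inboxes[self.routes[number]].append(text)


class Bank:
    """Hypothetical service offering an SMS code or TOTP as the second factor."""

    def __init__(self, carrier: Carrier):
        self.carrier = carrier
        self.accounts = {}  # user -> {"number": ..., "totp_secret": ...}
        self.pending = {}   # user -> SMS code currently outstanding

    def enroll(self, user: str, number: str, totp_secret: bytes) -> None:
        self.accounts[user] = {"number": number, "totp_secret": totp_secret}

    def send_sms_code(self, user: str) -> None:
        # The bank only knows the number; whoever holds it right now gets the text.
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending[user] = code
        self.carrier.send_sms(self.accounts[user]["number"], f"Your login code is {code}")

    def verify_sms(self, user: str, code: str) -> bool:
        return hmac.compare_digest(self.pending.get(user, ""), code)

    def verify_totp(self, user: str, code: str, now: int) -> bool:
        secret = self.accounts[user]["totp_secret"]
        # Accept the current and the previous 30 s window to tolerate clock drift.
        return any(hmac.compare_digest(totp(secret, now - d), code) for d in (0, 30))


def simulate_sim_swap(now: int = 59):
    """Attacker gets the victim's number ported, then tries both second factors.
    Returns (sms_bypassed, totp_bypassed). Inputs are fixed so the run is deterministic."""
    carrier, victim_number = Carrier(), "+15555550123"
    bank = Bank(carrier)
    victim_secret = b"12345678901234567890"  # RFC 6238 test-vector secret (constructed)
    carrier.activate(victim_number, "victim-phone")
    bank.enroll("alice", victim_number, victim_secret)

    # The SIM swap: the carrier is talked into moving the number to the attacker's SIM.
    carrier.activate(victim_number, "attacker-phone")

    # Attacker knows the user name and number (e.g. from a scraped data set),
    # starts an SMS login, and reads the code out of their own inbox.
    bank.send_sms_code("alice")
    stolen = carrier.inboxes["attacker-phone"][-1].split()[-1]
    sms_bypassed = bank.verify_sms("alice", stolen)

    # TOTP never touches the carrier; without the enrolled secret the attacker can only guess.
    totp_bypassed = bank.verify_totp("alice", "000000", now)
    return sms_bypassed, totp_bypassed


if __name__ == "__main__":
    print("RFC 6238 check:", totp(b"12345678901234567890", 59))  # 287082
    print("SMS bypassed, TOTP bypassed:", simulate_sim_swap())   # (True, False)
```

Run it and the SMS code is read straight out of the attacker's inbox, while the TOTP check fails because the secret lives on the victim's device and never crosses the carrier's network. The same reasoning applies to voice-call codes and to any account recovery that calls or texts "the number on file".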

What You Can Do

Assume that you are a target, and tighten your protections. Ask your phone provider what it offers against SIM swaps (most carriers can add a port-out PIN or an account lock), treat any unexpected call that asks you to verify yourself with suspicion, and practice the Three Ms:

Minimize your exposure. Don’t authenticate yourself to anyone unless you are in control of the interaction, don’t over-share on social media, be a good steward of your passwords, safeguard any documents that can be used to hijack your identity, and freeze your credit.

Monitor your accounts. Check your credit report religiously, keep track of your credit score, review major accounts daily if possible. (You can check two of your credit scores for free every month on Credit.com.) If you prefer a more laid back approach, see No. 5 above.

Manage the damage. Make sure you get on top of any incursion into your identity quickly and/or enroll in a program where professionals help you navigate and resolve identity compromises–oftentimes available for free, or at minimal cost, through insurance companies, financial services institutions and employers.

The post Expect More Spam Calls and SIM-Card Scams: 400 Million Phone Numbers Exposed appeared first on Adam Levin.

Voice Deepfake Scams CEO out of $243,000

The CEO of a UK-based energy firm lost the equivalent of $243,000 after falling for a phone scam that used artificial intelligence, specifically a deepfake of his boss's voice.

The Wall Street Journal reported that the CEO of an unnamed UK energy company received a phone call from what sounded like his boss, the CEO of a German parent company, telling him to wire €220,000 (roughly $243,000) to a bank account in Hungary. The target of the scam was convinced that he was speaking with his boss due to a “subtle German accent” and specific “melody” to the man’s voice and wired the money as requested. 

According to a representative of Euler Hermes Group SA, the firm's insurance company, the CEO was targeted by a new kind of scam that used AI-based voice synthesis to create an audio deepfake of his employer's voice. While the technology to generate convincing voice recordings has been available for a few years, it remains relatively uncommon in the commission of fraud.

Security experts worry the technique could spark a new trend.

“[W]e’re seeing more and more artificial intelligence-based identity fraud than ever before,” said David Thomas, CEO of identity verification company Evident in an article on Threatpost. “Individuals and businesses are just now beginning to understand how important identity verification is. Especially in the new era of deep fakes, it’s no longer just enough to trust a phone call or a video file.”

Read the Wall Street Journal article here (subscription required).

The post Voice Deepfake Scams CEO out of $243,000 appeared first on Adam Levin.

If You Have to Ask How Much a Data Breach Costs, You Can’t Afford One

According to IBM Security’s 2019 Cost of a Data Breach Report, the average time to identify and contain a breach was a whopping 279 days, and it took even longer to discover and deal with a malicious attack. The average cost of an incident was $3.9 million, and the average cost per record, $150.

A malicious hacker can do serious damage to an organization. Breaches are not a cheap date. Capital One estimated the first-year cost of its recent breach would be $100-150 million. Add to that figure the aggregate cost of as many as 30 other companies suspected hacker Paige Thompson may have hit, and it should be abundantly clear that the damage that can be racked up by just one sociopath is astounding. Equifax recently agreed to a settlement of up to $700 million for its megabreach, a figure many derided as a wrist slap.

By now, it shouldn’t be news that the probability of a breach or data compromise hitting your company, or one you do business with, is right up there with two more familiar likelihoods; namely, death and taxes. Likewise, the particular cause of a data breach or compromise is about as predictable as our individual approaches to death and taxes.

You need look no further than very recent news to illustrate the point.

Suprema sells a security tool used by organizations worldwide, including law enforcement. It controls physical access to high security environments. It's called Biostar 2, and it failed, leaking fingerprints, photographs, facial recognition data, names, addresses, passwords, and employment history records. Reports say 23 gigabytes of data containing some 30 million records were in the wind, including data used by London's Metropolitan Police, Power World Gyms, Global Village and Adecco Staffing. The cause: human error, in the form of a database left open to the internet. The cost here is twofold. Reports say the system stored the fingerprint data itself rather than an irreversible template, and fingerprints in the wind stay in the wind; they can't be changed. There is no way to put a price on that, but at $150 per record, we might spitball and put it around $4.5 billion.

In other news, an FDNY employee flouted department data security policy by downloading data on a personal, unencrypted hard drive that subsequently went missing. The drive contained sensitive personal information and protected health information associated with more than 10,000 people treated or taken to the hospital by the department’s EMS. It was reported there were also nearly 3,000 Social Security numbers possibly exposed. This leak “only” comes in at a potential cost of around $1.5 million using the $150 a record estimate in the 2019 Cost of a Data Breach Report published by IBM Security. The cost of this unnecessary diversion is of course unknowable.

Another all too familiar way companies get got is by proxy. Choice Hotels recently reported the compromise of 700,000 guest records, which were exposed when a vendor copied their data. The copied data was found by a hacker who demanded a ransom, a request the hotel reportedly ignored. Ironically, the vendor had put the data on the server to test a "security offering," and since it was only a copy of data that still sat on a server the company controlled, there was nothing to ransom back. (This was extortion over a leaked copy rather than ransomware; ransomware itself continues to be a very real threat, and it relies for the most part on employee error.)

Honda exposed a database with more than 134 million records, and the Electronic Entertainment Expo, or E3 as it is popularly known, leaked press badge information that included names, phone numbers and home addresses of attendees, and do you know what these entities as well as all of the aforementioned organizations did not do? They didn't do cyber right.

We all need to listen to the wisdom of The Office's Dwight Schrute who said, "Whenever I'm about to do something, I think, 'Would an idiot do that?' And if they would, I do not do that thing." True, that's easier said than done, and Schrute is a fictionalized proof of that. Human error is not the only threat to a company, but it is the most persistent one. Many of the hit parade of hacks were avoidable, but without an organizational culture predicated on staying safe, it's hard to make much progress in the war against stupid mistakes.

Data breaches and compromises are expensive, result in an enormous amount of collateral everyday life damage and are more common than inter-relationship bickering. As with love spats and their aftermaths, there is always room for improvement. While it is folly to believe that any company can be made 100% hack or leak proof, they can become harder-to-hit targets. Security can be baked into all processes–from onboarding to new product launches to the storing of key data. They are more avoidable than one might be led to believe, but it requires a sea change in attitude and more importantly a complete change in the way everything digital is done with security always foremost in any given process.

The post If You Have to Ask How Much a Data Breach Costs, You Can’t Afford One appeared first on Adam Levin.

Google Discovers Massive iPhone Hack

Researchers at Google announced the discovery of a hacking campaign that used hacked websites to deliver malware to iPhones.

Project Zero, Google's security research team, analyzed a small collection of hacked websites that delivered malware to any iPhone user who visited them. The sites used fourteen vulnerabilities, chained into five separate exploit chains covering almost every version from iOS 10 through iOS 12; at least one chain was still a zero day (a flaw with no patch available) when it was found.

"There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, installing a monitoring implant. We estimate that these sites receive thousands of visitors per week," wrote Project Zero member Ian Beer in a blog post announcing the findings.

The data accessible on the compromised phones included the user’s location, their passwords, chat histories, contact lists, and full access to their Gmail accounts. 

“Given the breadth of information stolen, the attackers may nevertheless be able to maintain persistent access to various accounts and services… even after they lose access to the device,” said Beer.

The hacking campaign had been active for at least two years before it was discovered. The research team reported its findings to Apple on February 1, 2019, and the vulnerabilities that were still unpatched were fixed in iOS 12.1.4, released on February 7, 2019.

The post Google Discovers Massive iPhone Hack appeared first on Adam Levin.

SniffAir – Wireless security framework for wireless pentesting

SniffAir is an open-source wireless security framework which provides the ability to easily parse passively collected wireless data as well as launch sophisticated wireless attacks. SniffAir takes care of the hassle associated with managing large or multiple pcap files while thoroughly cross-examining and analyzing the traffic, looking ...

The post SniffAir – Wireless security framework for wireless pentesting appeared first on HackingVision.

PACK (Password Analysis and Cracking Kit) – HackingVision

PACK (Password Analysis and Cracking Kit), by Peter Kacherginsky (iphelix), is a collection of utilities developed to aid in analysis of password lists in order to enhance password cracking through pattern detection of masks, rules, character-sets and other password ...
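The excerpt above describes mask and character-set analysis. As an added example (not PACK's own code), the following Python script does in miniature what PACK's statsgen and maskgen utilities do: it converts each password in a constructed sample list into a hashcat-style mask, ranks the masks by how many passwords they cover, and then picks the masks that fit a cracking-time budget at a given guess rate. The sample passwords, the guess rate and the time budget are made up for the demonstration.

```python
from collections import Counter

# Sizes of hashcat's built-in charsets: ?l lowercase, ?u uppercase, ?d digits,
# ?s the 33 printable ASCII punctuation/space characters.
CLASS_SIZE = {"?l": 26, "?u": 26, "?d": 10, "?s": 33}


def char_class(c: str) -> str:
    """Map one character to its hashcat charset token."""
    if "a" <= c <= "z":
        return "?l"
    if "A" <= c <= "Z":
        return "?u"
    if "0" <= c <= "9":
        return "?d"
    return "?s"


def mask_of(password: str) -> str:
    """'Summer2019' -> '?u?l?l?l?l?l?d?d?d?d'."""
    return "".join(char_class(c) for c in password)


def keyspace(mask: str) -> int:
    """Number of candidates a mask generates: the product of its charset sizes."""
    tokens = [mask[i:i + 2] for i in range(0, len(mask), 2)]
    n = 1
    for t in tokens:
        n *= CLASS_SIZE[t]
    return n


def mask_stats(passwords):
    """Return [(mask, count, percent)] sorted by how many passwords each mask covers."""
    counts = Counter(mask_of(p) for p in passwords)
    total = len(passwords)
    return [(m, n, round(100.0 * n / total, 1)) for m, n in counts.most_common()]


def plan_masks(passwords, pps: float, budget_seconds: float):
    """Walk the masks in coverage order and keep each one whose keyspace would
    finish within the time still left at pps guesses per second.
    Returns [(mask, count, percent, seconds)]."""
    chosen, remaining = [], budget_seconds
    for mask, count, pct in mask_stats(passwords):
        cost = keyspace(mask) / pps
        if cost <= remaining:
            chosen.append((mask, count, pct, cost))
            remaining -= cost
    return chosen


# Constructed sample list; real input would be a leaked cleartext password dump.
SAMPLE = [
    "password1", "Summer2019", "letmein", "Welcome1!", "qwerty123",
    "Password1", "iloveyou", "Summer2018", "admin123", "P@ssw0rd",
]

if __name__ == "__main__":
    print("mask coverage:")
    for mask, count, pct in mask_stats(SAMPLE):
        print(f"  {mask:24} {count:3} {pct:5.1f}%  keyspace={keyspace(mask):,}")
    print("masks that fit one hour at 1e9 guesses/s:")
    for mask, count, pct, secs in plan_masks(SAMPLE, pps=1e9, budget_seconds=3600):
        print(f"  {mask:24} covers {pct:5.1f}%  ~{secs:.0f}s")
```

Masks with the highest coverage are tried first, and a mask whose keyspace would not finish in the remaining budget is skipped rather than allowed to eat the whole run, which is the trade-off maskgen's target-time option makes. The masks come out in the form hashcat's mask attack (-a 3) accepts, one per line.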

The post PACK (Password Analysis and Cracking Kit) – HackingVision appeared first on HackingVision.

7 Steps to Building a Cybersecurity Strategy from Scratch

When your organization is young and growing, you may find yourself overwhelmed with a never-ending to-do list.  It can be easy to overlook security when you're hiring new employees, finding infrastructure, and adopting policies.  Without a proper cybersecurity strategy, however, the business that you've put your heart and soul into, or the brilliant idea that you've spent years bringing to life, is on the line. Every year, businesses face significant financial, brand, and reputational damage resulting from a data breach, and many small businesses never recover.

Not only that, but as you grow you may be looking to gain investors or strategic partners.  Many of these firms are not willing to give organizations that don’t take security seriously a chance. A strong security stance can be your differentiator among your customers and within the Venture Capital landscape.

One thing’s for sure: you’ve spent a great deal of time creating a business of your own, so why throw it all away by neglecting your security?  You can begin building your own cybersecurity strategy by following these steps:

1.  Start by identifying your greatest business needs.

This understanding is critical when determining how your vulnerabilities could affect your organization.  Possible business needs could include manufacturing, developing software, or gaining new customers. Make a list of your most important business priorities.

2.  Conduct a third-party security assessment to identify and remediate the greatest vulnerabilities to your business needs.

The assessment should evaluate your organization's overall security posture, as well as the security of your partners and contractors.

Once you understand the greatest risks to your business needs, you can prioritize your efforts and budget based on ways to remediate these.

3.  Engage a Network Specialist to set up a secure network or review your existing network.

A properly designed and configured network can help prevent unwanted users from getting into your environment and is a bare necessity when protecting your sensitive data.

Don’t have a set office space?  If you and your team are working from home or communal office spaces, be sure to never conduct sensitive business on a shared network.

4.  Implement onboarding (and offboarding) policies to combat insider threat, including a third-party vendor risk management assessment.

Your team is your first line of defense, but as you grow, managing the risk of bringing on more employees can be challenging.  Whether maliciously stealing data or unknowingly clicking a bad link, employees pose great threats to organizations.

As part of your onboarding policy, be sure to conduct thorough background checks and monitor users’ access privileges.  This goes for your employees, as well as any third parties and contractors you bring on.

5.  Implement a security awareness training program and take steps to make security awareness part of your company culture.

Make sure your training program includes topics such as password best practices, phishing identification and secure travel training.  Keep in mind, though, that company-wide security awareness should be more than once-a-year training.  Instead, focus on fostering a culture of cybersecurity awareness.

6.  Set up multi-factor authentication and anti-phishing measures.

Technology should simplify your security initiatives, not complicate them.  Reduce the number of administrative notifications to only what is necessary and consider improvements that don’t necessarily require memorizing more passwords, such as password managers and multi-factor authentication for access to business-critical data.

7.  Monitor your data and endpoints continuously with a Managed Security Services Provider.

As you grow, so does the number of endpoints you have to manage and the amount of data you have to protect. One of the best ways to truly ensure this data is protected is to have analysts monitoring it at all hours. A managed security services provider will monitor your environment through a 24/7 security operations center, keeping eyes out for suspicious activity such as phishing emails, malicious sites, and unusual network activity.

You’re not done yet: revisit your security strategy as you evolve.  

It’s important to remember that effective cybersecurity strategies vary among organizations. As you grow, you’ll want to consider performing regular penetration testing and implementing an Incident Response Plan.  

And, as your business changes, you must continually reassess your security strategy and threat landscape.

For more information, get the Comprehensive Guide to Building a Cybersecurity Strategy from Scratch.

The post 7 Steps to Building a Cybersecurity Strategy from Scratch appeared first on GRA Quantum.

fsociety Hacking Tools Pack – A Penetration Testing Framework

Fsociety Hacking Tools Pack is a penetration testing framework; you will have every script that a hacker needs. Fsociety contains all tools used in the Mr. Robot series. Menu: Information Gathering, Password Attacks, Wireless Testing, Exploitation Tools, Sniffing & Spoofing, Web Hacking, Private Web Hacking, Post Exploitation, Contributors, Install & Update. Information Gathering: Nmap ...

The post fsociety Hacking Tools Pack – A Penetration Testing Framework appeared first on HackingVision.

DMitry Deepmagic information Gathering Tool Kali Linux

DMitry (Deepmagic Information Gathering Tool) is an open-source Linux CLI tool developed by James Greig and coded in C. DMitry is a powerful information gathering tool that aims to gather as much information about a host as possible. Features include subdomain search, email addresses, uptime information, system ...

The post DMitry Deepmagic information Gathering Tool Kali Linux appeared first on HackingVision.