There’s no doubt that digital technology, in many of its forms, brings everyday tasks much closer-to-hand. From discovering breaking news, to online shopping, to keeping tabs on your home via security cameras—everything is within the touch of a button. Even so, with the growing reach of the Internet of Things (IoT), new and unsuspected threats are just around the corner—or are already here.
For example, in early January of this year, a Western Australian mother voiced her worries when she discovered that the baby monitor she recently purchased was compromised. The monitor allowed her to log in with a QR code and a generic password in order to watch her child through a camera. Though she followed the instructions for installation, upon opening the monitoring website she was greatly alarmed to see a vision of a stranger’s bedroom, rather than her child’s.
Though you might not have prepared for it, it’s increasingly clear you need to take steps to protect yourself, your children, your privacy, and your new smart devices from these kinds of emerging privacy threats, as well as others. As a first precaution, you should always remember to change the default passwords on all your networked devices, starting with your router, creating strong new ones and securing them safely whenever possible with a password manager. You should then pick the best endpoint and network security solutions you can find to protect all the networked devices in your home.
Trend Micro Password Manager lets you generate and sync strong passwords across your PCs, Macs, Android, and iOS devices.
Finally, Trend Micro Home Network Security is specifically designed to protect all your new “smart” connected devices in the home. It filters incoming and outgoing traffic to provide an extra layer of protection against intrusions or hacking of the home network. It protects your router and a wide range of smart devices, including security cameras, child monitoring devices, smart TVs, refrigerators, smart speakers, and even smart doorbells and thermostats, from emerging IoT threats—and the list goes on.
With our endpoint and network security solutions, we’ve got you covered! Click the links above for more details on our solutions.
Automotive manufacturers have realized the future lies in self-driving cars. We may be taking small steps, yet we would like to be headed to an autonomous driving utopia. Here, every road is safe, smart, connected, fast, reliable.
It may be just a dream right now, but how far are we from achieving this goal?
In this article, we will walk you through the current state of autonomous vehicles, and most importantly, examine how safe driverless cars actually are from a cybersecurity perspective.
A brief history of self-driving cars
Let’s start off with a little bit of history.
You may be amazed to hear that people have been working on driverless car prototypes since the 1920s. Back then, Francis Houdina built a radio-controlled car and drove it through the streets of New York without a person behind the steering wheel.
Over the years, there have been multiple attempts to develop the industry and encourage the adoption of driverless cars. You can access this resource to go through a quick timeline of self-driving cars.
Fast forward to more recent days: Waymo, formerly known as Google’s self-driving car project, launched the first commercial self-driving car service in December 2018. Through an app, Waymo offers ride-hailing services to people in the Phoenix area of the United States.
Will 2019 be the year of self-driving cars?
Here are a few facts and predictions for 2019:
This year, companies such as General Motors, Uber, Volkswagen, and Intel are competing in the ride-hailing movement and are making promises regarding when their fully autonomous vehicles will be available. The general answer seems to be between 2019 and 2022.
Autonomous vehicle manufacturers promise to deliver a safe, enjoyable, and fast experience, freeing the drivers of the stress of driving, while allowing them to fulfill other tasks.
But what is the general opinion towards autonomous cars?
According to Deloitte’s 2019 Global Automotive Study, consumer perception of the safety of autonomous cars has stalled in the last year. This attitude is predominantly influenced by media reports of accidents involving self-driving cars, many of which were fatal.
Here you can read a report on these types of accidents.
The concern around safety is also reinforced by Perkins Coie’s research, which shows that consumers’ perception of safety is the biggest roadblock to the development of self-driving vehicles in the next five years.
As per another study conducted by the American Automobile Association (AAA), almost 3 in 4 Americans are afraid of self-driving cars. According to the same research, only 19% would trust self-driving cars to transport their loved ones.
What’s more, there are some people who seem to despise the autonomous vehicle’s technology and even manifest violent behavior towards it. At least 21 attacks against Waymo cars have been reported. People have tried to run the vehicles off the road, thrown rocks at them, slashed the tires, or even yelled at them to leave the neighborhood. This behavior seems to be fueled by people’s concern with safety and even potential job losses.
You may be wondering what the reason for that is, since they were created to simplify traffic movement in the first place.
The autonomous cars could be programmed to aimlessly drive on the streets, without parking, in order to avoid payments. Basically, the price for recharging an electric autonomous car would be much lower than the overall parking fee.
The concerns around data collection and privacy
The same Deloitte 2019 report shows most people are worried about biometric data being collected by self-driving car manufacturers through their connected vehicles and sent to other parties.
In truth, data does need to be collected in order to improve functionalities, but this could also cause the invasion of your privacy.
So the question is where that data ends up and how it’s actually used. Some may argue that it could be shared with the government or used for marketing purposes.
Thus, authorities need to put strict rules and regulations in place.
Solving the cybersecurity question
Without a doubt, autonomous vehicles need state-of-the-art cybersecurity.
According to a recent study which surveyed auto engineers and IT experts, 84% of respondents were concerned that car manufacturers are not keeping pace with the industry’s constantly increasing cybersecurity threats.
Since self-driving cars have been involved in numerous accidents, they clearly still have flaws, and flaws can be exploited by malicious actors. Although proper navigation systems and collision avoidance are obvious priorities for manufacturers, cybersecurity should also be top of mind.
According to Skanda Vivek, a postdoctoral researcher at the Georgia Institute of Technology, if people were to hack even a small number of internet-connected self-driving cars on the roads of the United States, the flow of traffic would be completely frozen. And emergency vehicles would not even be able to pass through.
Source: Skanda Vivek/ Georgia Tech
“Compromised vehicles are unlike compromised data,” argues Vivek in the study’s press release. “Collisions caused by compromised vehicles present physical danger to the vehicle’s occupants, and these disturbances would potentially have broad implications for overall traffic flow.”
Around four years ago, researchers Charlie Miller and Chris Valasek remotely hacked a Jeep Cherokee as an experiment. Using a laptop from 10 miles away, they managed to take full control of the vehicle.
Watch below what happened:
This was not even a self-driving vehicle, but the same scenario can be applied to one. In fact, this can even be more plausible in the case of autonomous cars due to their increased internet connectivity.
Right now, you won’t find two identical automation systems in the industry. Yet, according to the University of Michigan’s report, as systems become more generic, or even adopt open-source software, one attack could spread across every car deploying the same system. That is just what happened with the WannaCry ransomware attack, which infected more than 300,000 computers in 150 countries, at an estimated cost of $4 billion.
But are things really that bad?
On a more positive note, some cybersecurity experts believe that, in the future, fully autonomous cars will be much harder to hack than we might think. This “fully autonomous” technology (remember Level 5 we were talking about above?) will rely on multiple sensors and communication layers.
At the moment, self-driving cars are only using one or two sensors for object detection, according to Craig Smith, research director of cyber analytics group Rapid7.
In his view, since it’s already quite difficult to hack a single sensor, a malicious criminal will find it even harder to override a complex sensor system.
“If we’re having a discussion about what’s safe, it’s more likely that you’ll get into a car accident today than someone will hack into your car tomorrow”, Smith pointed out.
How can we stop self-driving cars from being hacked?
The good news is that experts are constantly working on developing better security systems.
For instance, just a few weeks ago, SK Telecom announced the launch of a solution based on Quantum Encryption.
As per SK Telecom, this is an “integrated security device that will be installed inside cars and protect various electronic units and networks in the vehicle”.
Also, the gateway, which was developed together with the controller maker GINT, will be used to secure all the vehicle systems: Vehicle-to-Everything (V2X) and Bluetooth communication systems, the car’s driver assistance, radar, and smart keys. Drivers will also be alerted to any suspicious behavior.
The gateway basically transfers a quantum random number generator and Quantum Key along with the vehicle’s data that will “fundamentally prevent hacking and make the cars unhackable”, according to SK Telecom. The company also added that this move was to facilitate security in the 5G era.
This is not the first initiative of this kind. In another project, the cyber-security group at Coventry University’s Institute for Future Transport and Cities (FTC) teamed up with the quantum experts at cybersecurity start-up Crypta Labs, and they too reportedly worked on quantum technology intended to prevent hacking.
Here’s a bonus
We stumbled upon a great video that we’d like to share with you, in which Victor Schwartz, a partner at Shook, Hardy & Bacon, talks about the potential risks of driverless cars – privacy issues and cybersecurity.
You can watch the full video here:
At the moment, concerns around self-driving technology clearly outweigh the benefits. It’s now crucial for manufacturers to focus on autonomous cars’ cybersecurity problems, employing dedicated staff to work on these issues. However, with proper security measures in place, hacking risks can, in time, be dramatically reduced.
Would you trust a self-driving car? What’s your opinion on the overall security of autonomous vehicles? We would love to hear your thoughts in the comments section below.
For years, many organisations – and their users – have struggled with the challenge of password management. The technology industry has toiled on this problem by trying to remove the need to remember passwords at all. Recent developments suggest we might finally be reaching a (finger)
At Mobile World Congress this year, Google and the FIDO Alliance announced that most devices running Android 7.0 or later can provide password-less logins in their browsers.
To clarify, the FIDO2 authentication standard is sometimes called password-less web authentication. Strictly speaking, that’s a slightly misleading name, because people still need to authenticate to their devices using a PIN or a biometric identifier like a fingerprint. It’s more accurate to say FIDO2 authentication, but, not surprisingly, the term ‘password-less’ seems to have caught the imagination.
that web developers can now make their sites work with FIDO2, which would mean people can log in to their online accounts on their phones without a password. This feature will be available to an estimated one billion Android devices, so it’s potentially a significant milestone on the road to a password-less future. Last November, Microsoft announced password-less sign-in for its account users, using the same FIDO2 standard. One caveat: Microsoft’s option requires using the Edge browser on the Windows 10 1809 build. So, the true number of users is likely to be far lower than the 800 million Microsoft had been promising. But this is just the latest place where Microsoft has inserted FIDO technology into its products.
It’s not what you know
I spoke to Neha Thethi, BH Consulting’s senior information security analyst, who gave her reaction to this development. “Through this standard, FIDO and Google pave the way for users to authenticate primarily using ‘something they have’ – the phone – rather than ‘something they know’ – the password. While a fingerprint or PIN would typically be required to unlock the device itself, no shared secret or private key is transferred over the network or stored with the website, as it is in the case of a password. Only a public key is exchanged between the user and the
From the perspective of improving security, Google’s adoption of FIDO2 is a welcome development, Neha added. “Most of the account compromises that we’ve seen in the past few years are because of leaked passwords, on the likes of Pastebin or through phishing, exploited by attackers. The HaveIBeenPwned website gives a sense of the scale of this problem. By that measure, going password-less for logging in to online accounts will definitely decrease the attack surface significantly,” she said.
“The technology that enables this ease of authentication is public key cryptography, and it has been around since the 1970s. The industry has recognised this problem of shared secrets for a long time now. Personally, I welcome this solution to quickly and securely log in to online accounts. It might not be bulletproof, but it takes the onerous task of remembering passwords away from individuals,” she said.
Don’t try to cache me
Organisations have been using passwords for a long time to log into systems that store their confidential or sensitive information. However, even today, many of these organisations don’t have a systematic way of managing passwords for their staff. If an organisation or business wants to become certified to the ISO 27001 security standard, for example, they will need to put in place measures in the form of education, process and technology, to ensure secure storage and use of passwords. Otherwise, you tend to see less than ideal user behaviour like storing passwords on a sticky note or in the web browser cache. “I discourage clients from storing passwords in the browser cache because if their machine gets hacked, the attacker will have access to all that information,” said Neha.
That’s not to criticise users, she emphasised. “If an organisation is not facilitating staff with a password management tool, they will find the means. They try the best they can, but ultimately they want to get on with their work.”
The credential conundrum
The security industry has struggled with the problem of access and authentication for years. It hasn’t helped by shifting the burden onto the people least qualified to do something about it. Most people aren’t security experts, and it’s unfair to expect them to be. Many of us struggle to remember our own phone numbers, let alone a complex password. Yet some companies force their employees to change their passwords regularly. What happens next is the law of unintended consequences in action. People choose a really simple password, or one that barely changes from the one they’d been
For years, many security professionals followed the advice of the US National Institute of Standards and Technology (NIST) for secure passwords. NIST recommended using a minimum of seven characters, and to include numbers, capital letters or special characters. By that measure, a password like ‘Password1’ would meet the recommendations even if no-one would think it was secure.
Poor password advice
Bill Burr, the man who literally wrote the book on passwords for NIST, has since walked back on his own advice. In 2017, he told the Wall Street Journal, “much of what I did I now regret”. He added: “In the end, it was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree”. NIST has since updated its password advice, and you can find the revised recommendations here.
As well as fending off cybercrime risks, another good reason for implementing good access control is GDPR compliance. Although the General Data Protection Regulation doesn’t specifically refer to passwords, it requires organisations to process personal data in a secure manner. The UK’s Information Commissioner’s Office has published useful free guidance about good password practices with GDPR in mind.
Until your organisation implements password-less login, ensure you protect your current login details. Neha recommends using a pass phrase instead of a password, along with two-factor authentication where possible. People should also use a different pass phrase for each website or online service they use, because reusing the same phrase puts them at risk if attackers compromise any one of those sites: once attackers get one set of login credentials, they try them on other popular websites to see if they work. She also recommends using a good password manager or password keeper in place of having to remember multiple pass phrases or passwords. Just remember to think of a strong master password to protect all of those other login details!
RSA Security’s latest research reveals that over half (57%) of consumers blame companies ahead of hackers if their data is stolen. Consumer backlash in response to the numerous high-profile data breaches in recent years has exposed one of the hidden risks of digital transformation: loss of customer trust.
The RSA Data Privacy & Security Survey 2019 identified that companies have lost the trust of customers as a disconnect has formed between how companies are using customer data and how consumers expect their data to be used.
Key takeaways from the RSA Data Privacy study include:
Context matters: Individuals across all demographics are concerned about their financial/banking data, as well as sensitive information such as passwords, but other areas of concern vary dramatically by generation, nationality and even gender. For example, younger demographics are more comfortable with their data being used and collected than older survey respondents.
Privacy expectations are cultural: Consumers respond to data privacy differently based on their nationality due to cultural factors, current events and high-profile data breaches in their respective countries. For example, in the months of the GDPR being implemented, German attitudes shifted in favour of stricter data privacy expectations, with 42% wanting to protect location data in 2018 versus only 29 percent in 2017.
Personalisation remains a puzzle: Countless studies have demonstrated that personalised experiences increase user activity and purchasing. However, the survey results showed that respondents do not want personalized services at the expense of their privacy. In fact, a mere 17% of respondents view tailored advertisements as ethical, and only 24% believe personalisation to create tailored newsfeeds is ethical.
“With a growing number of high-profile data breaches, questions around the ethical use of data and privacy missteps, consumers increasingly want to know how their data is being collected, managed and shared,” said Nigel Ng, Vice President of International, RSA. “Now is the time for organisations to evaluate their growing digital risks, doubling down on customer privacy and security. Today’s leaders must be vigilant about transforming their cybersecurity postures to manage today’s digital risks in a way that ensures consumer trust and confidence in their business.”
The first month of 2019 was a relatively slow month for cyber security in comparison with the steady stream of cyber attacks and breaches throughout 2018. On Saturday 26th January, car servicing and repair outfit Kwik Fit told customers its IT systems had been taken offline due to malware, which disrupted its ability to book in car repairs. Kwik Fit didn't provide any details about the malware, but it is fair to speculate that the outbreak was more likely caused by a general lack of security patching and anti-virus protection than by anything sophisticated.
A guest article authored by Bernard Parsons, CEO, Becrypt

Whilst I am sure more details behind the Marriott data breach will slowly come to light over the coming months, there is already plenty to reflect on given the initial disclosures and accompanying hypotheses.
With the prospects of regulatory fines and lawsuits looming, assimilating the sheer magnitude of the numbers involved is naturally alarming. Up to 500 million records containing personal and potentially financial information is a staggering figure. In the eyes of the Information Commissioner’s Office (ICO), this is deemed a ‘Mega Breach’, even though it falls short of the Yahoo data breach. But equally concerning are the various timeframes reported.
Marriott said the breach involved unauthorised access to a database containing Starwood properties guest information, on or before 10th September 2018. Its ongoing investigation suggests the perpetrators had been inside the company’s networks since 2014.
Starwood disclosed its own breach in November 2015 that stretched back to at least November 2014. The intrusion was said to involve malicious software installed on cash registers and other payment systems, which were not part of its guest reservations or membership systems.
The extent of Marriott’s regulatory liabilities will be determined by a number of factors not yet fully in the public domain. For GDPR this will include the date at which the ICO was informed, the processes Marriott has undertaken since discovery, and the extent to which it followed ‘best practice’ prior to, during and after breach discovery. Despite the magnitude and nature of the breach, it is not impossible to imagine that Marriott might have followed best practice, albeit such a term is not currently well-defined; it is fairly easy to imagine that their processes and controls reflect common practice.
A quick internet search reveals just how commonplace and seemingly inevitable the industry’s breaches are. In December 2016, a pattern of fraudulent transactions on credit cards was reportedly linked to use at InterContinental Hotels Group (IHG) properties. IHG stated that the intrusion resulted from malware installed at point-of-sale systems at restaurants and bars of 12 properties in 2016, and later, in April 2017, acknowledged that cash registers at more than 1,000 of its properties were compromised.
According to KrebsOnSecurity, other reported card breaches include Hyatt Hotels (October 2017), the Trump Hotel (July 2017), Kimpton Hotels (September 2016), Mandarin Oriental properties (2015), and Hilton Hotel properties (2015).
Perhaps, therefore, the most important lessons to be learnt in response to such breaches are those that seek to understand the factors that make data breaches all but inevitable today. Whilst it is Marriott in the news this week, the challenges we collectively face are systemic, and it could very easily be another hotel chain next week.
Reflecting on the role of payment (EPOS) systems and cash registers within leisure industry breaches is illustrative of the challenge. Paste the phrase ‘EPOS software’ into your favourite search engine, and see how prominent, or indeed absent, the notion of security is. Is it any wonder that organisations often unwittingly connect devices with common and often unmanaged vulnerabilities to systems that may at the same time be used to process sensitive data? Many EPOS systems effectively run general purpose operating systems, but are typically subject to less controls and monitoring than conventional IT systems.
So why is this? Often the organisation can’t justify having a full-blown operating system and sophisticated defence tools on these systems, especially when they have a large number of them deployed out in the field, accessing bespoke or online applications. Often they are in widely geographically dispersed locations, which means there are significant costs to go out and update, maintain, manage and fix them.
Likewise, organisations don’t always have the local IT resource in many of these locations to maintain the equipment and its security themselves.
Whilst a light is currently being shone on Marriott, perhaps our concerns should be far broader. If the issues are systemic, we need to think about how better security is built into the systems and supply chains we use by default, rather than expecting hotels or similar organisations in other industries to be sufficiently expert. Is it the hotel, as the end user that should be in the headlines, or how standards, expectations and regulations apply to the ecosystem that surrounds the leisure and other industries? Or should the focus be on how this needs to be improved in order to allow businesses to focus on what they do best, without being quite such easy prey?
It was the last item on my list and Christmas was less than a week away. I was on the hunt for a white Northface winter coat for my teenage daughter, which she had duly ranked as the most-important-die-if-I-don’t-get-it item on her wishlist that year.
After fighting the crowds and scouring the stores to no avail, I went online, stressed and exhausted with my credit card in hand looking for a deal and a Christmas delivery guarantee.
Mistake #1: I was under pressure and cutting it way too close to Christmas.
Mistake #2: I was stressed and exhausted.
Mistake #3: I was adamant about getting the best deal.
Gimme a deal!
It turns out these mistakes created the perfect storm for a scam. I found a site with several name-brand coats available at lower prices. I was thrilled to find the exact white coat and guaranteed delivery by Christmas. The cyber elves were working on my behalf for sure!
Only the coat never came and I was out $150.
In my haste and exhaustion, I overlooked a few key things about this “amazing” site that played into the scam. (I won’t harp on the part about me calling customer service a dozen times, writing as many emails, and feeling incredibly stupid over my careless clicking!)
Stress = Digital Risk
I’m not alone in my holiday behaviors it seems. A recent McAfee survey, Stressed Holiday Online Shopping, reveals, unfortunately, that when it comes to online shopping, consumers are often more concerned about finding a deal online than they are with protecting their cybersecurity in the process.
Here are the kinds of risks stressed consumers are willing to take to get a holiday deal online:
53% think the financial stress of the holidays can lead to careless shopping online.
56% said that they would use a website they were unfamiliar with if it meant they would save money.
51% said they would purchase an item from an untrusted online retailer to get a good deal.
31% would click on a link in an email to get a bargain, regardless of whether they were familiar with the sender.
When it comes to sharing personal information to get a good deal: 39% said they would risk sharing their email address, 25% would wager their phone number, and 16% would provide their home address.
3 Tips to Safer Online Shopping:
Connect with caution. Using public Wi-Fi might seem like a good idea at the moment, but you could be exposing your personal information or credit card details to cybercriminals eavesdropping on the unsecured network. If public Wi-Fi must be used to conduct transactions, use a virtual private network (VPN) to help ensure a secure connection.
Slow down and think before you click. Don’t be like me, exhausted and desperate while shopping online — think before you click! Cybercriminals love to target victims by using phishing emails disguised as holiday savings or shipping notifications, to lure consumers into clicking links that could lead to malware, or to a phony website designed to steal personal information. Check directly with the source to verify an offer or shipment.
Browse with security protection. Use comprehensive security protection that can help protect devices against malware, phishing attacks, and other threats. Protect your personal information by using a home solution that keeps your identity and financial information secure.
Take a nap, stay aware. This may not seem like an important cybersecurity move, but during the holiday rush, stress and exhaustion can wear you down and contribute to poor decision-making online. Outsmarting the cybercrooks requires awareness and staying ahead of the threats.
I learned the hard way that holiday stress and shopping do not mix and can easily compromise my online security. I lost $150 that day and I put my credit card information (promptly changed) firmly into a crook’s hands. I hope by reading this, I can help you save far more than that.
Here’s wishing you and your family the Happiest of Holidays! May all your online shopping be merry, bright, and secure from all those pesky digital Grinches!