Category Archives: Technology

Malicious Apps Uses App Permission to Retrieve information

If you remember in September 2018, we came across a report from Nightwatch Cybersecurity regarding a security vulnerability in Android that allowed malicious apps to bypass permissions checks, and as a result, gain access to reading the information, including the location of the device.

According to Nightwatch Cybersecurity, the vulnerability affects all versions of Android except for the recently-released Pie. The security hole is detailed in CVE-2018-9489 and is unlikely to get any fix, according to the advisory.

That time the vendor solved these issues in Android P / 9. Since this would be a last-minute API change, the vendor did not to fix the flaw in the previous versions of Android, and encouraged the users to upgrade to Android P / 9.

Studies have shown that malicious applications can listen to system transmissions to avoid authorization checks and access device-specific information

Today, in June 2019, we have a similar story. ESET security researchers discovered many malicious applications that used Google’s permissions on Android devices to read app notifications. These applications request the login credentials used for BtcTurk, a Turkish cryptocurrency exchange, and were then able to read notifications from other applications.

The researchers discovered that these malicious applications captured information such as the OTP protocol and could control the notifications displayed on the device. When reporting to Google, all three apps were removed from Google Play.

How it works

ESET researchers discovered three apps, which were developed by attackers who used different aliases, namely “BTCTurk Pro Beta”, “BtcTurk Pro Beta” and “BTCTURK PRO”.

All these applications supplanted the Turkish cryptographic exchange BtcTurk and behaved the same way after the installation. Once installed, applications require the “Access to Notifications” permission. Enabling this permission allowed them to read notifications from other apps on the device, ignore them, or even click the buttons on the notifications. As a result, a fake connection is displayed when you request the user’s BtcTurk credentials. The introduction of the credentials generated a false error message. The researchers suggest that credentials, as well as information about upcoming notifications, be sent to the attacker’s server via this action.

These applications specifically targeted data from other applications using two-factor authentication (2FA) and were looking for keywords such as “gm”, “Yandex”, “mail”, “k9″, ” outlook’ ‘SMS’, ‘messages’, as pointed out in their blog.

The names of the specific applications tell us that the SMS and 2FA emails are of interest to the attackers behind this malware.” In SMS 2FA, the messages are usually short and the OTPs are likely to be integrated into the message. However, in the 2FA email, the length and format of the message are much more varied, which could affect the attacker’s access to the OTP.

Related Resources:

Malicious Apps And Malware Bounce Back Into Google Play

The post Malicious Apps Uses App Permission to Retrieve information appeared first on .

Why API Security is Important for Organizations Today

This is the era of digital business, and companies all across the world seem to be vying with one another to make the most of digital technology. Small companies also are eager to be part of this trend, since it’s the need of the hour. In this context, every single aspect of digital security or cybersecurity is of critical importance for any business organization. Today we discuss one of the very relevant aspects of digital security, namely API security.

API (Application Programming Interface) is something that is intimately connected with the development and deploying of applications. In fact, the API is central to the new development model in which it has become very inexpensive and easy for enterprises to develop or buy applications that earlier would take them months or millions to develop or acquire.

The API works as an intermediary or a digital gateway that enables systems as well as applications to communicate and share data in a simple and easy manner. This is why APIs are central to the development and deployment of applications. But then, in the cyber world, everything that we use -every device, every application, every technology- would come its share of security risks. This applies to APIs also. They provide cybercriminals an easy entry into enterprise networks and systems. In recent times, there have been many reports of API-related vulnerabilities being exploited by cybercriminals to launch massive cyberattacks. Many big companies and many established digital platforms were successfully targeted by cybercriminals who were looking to exploit API vulnerabilities.

Unsecured APIs have led to cyberattacks that have impacted many big business enterprises in a big way in the last few years. Big names like Facebook and SnapChat feature in the list of such firms. Hackers used Facebook’s developer APIs to breach personal data of around 50 million users in 2018 while the SnapChat attack in 2014 was also on account of unsecured APIs. Enterprises all over the world have suffered on account of attacks executed by exploiting API vulnerabilities. The attacks have caused financial loss plus reputation damages and have even had a direct impact on the shares, even for many big companies.

What’s to be done?

API vulnerabilities are thus proving to be security headaches for companies big and small. So, then what’s to be done? How to reduce the number of API-based attacks and save businesses from financial and reputation-based damages?

Well, for any kind of cybersecurity strategy to work out, it’s important for a company to have a clear understanding of the size and nature of the risk involved. This applies to the case of attacks via API as well. A company should have a clear understanding of the nature and size of attacks that could happen via APIs.

To reduce the chances of API-based attacks from happening, to ensure minimal damages due to such attacks, companies must keep track of each and every API across their networks. This, of course, is no small thing; there would be lots of APIs to take care of and hence it is definitely a challenge to any enterprise. Many companies today don’t have clarity regarding the number of APIs in their network.

Regular penetration testing also helps detect and identify vulnerabilities, if any, in the APIs. Another very effective protection technique is having secure authentication and authorization controls as regards APIs. It has to be ensured that only legitimate users access APIs in an enterprise network. API compromise can be prevented to a great extent by ensuring rotation of API keys and getting users to regenerate the keys regularly. Proper encryption of all data using SSL/TLS, using machine learning for automated meta data scanning, user profiling using machine learning, proper detection and flagging of anomalies, effective system and network monitoring etc are effective techniques to ensure maximum protection from API-based threats and attacks. Using advanced cybersecurity solutions and applying them to the API layer could be very helpful.

Related Resources:

The Importance of Application Security Approach in Today’s Computing

The post Why API Security is Important for Organizations Today appeared first on .

Deepfake LinkedIn Profile Shows Espionage Threat

A deepfake account with possible connections to foreign espionage activity has been identified on LinkedIn.

“Katie Jones” purported to be a senior researcher for the Center for Strategic and International Studies (CSIS). Her well-connected profile on the professional social media site seemed legitimate, with connections that included a deputy assistant secretary of state and economist Paul Winfree, currently being considered for a seat on the Federal Reserve.

An investigation conducted by the Associated Press found that Jones doesn’t exist, and that her profile photo–depicting an attractive woman in her 30s–was a deepfake created using generative adversarial networks, or GANs, AI-driven software that can produce believable images of fictitious people.

“For a while now people have been worrying about the threat of ‘deepfakes’, AI-generated personas that are indistinguishable, or almost indistinguishable, from real live humans,” tweeted AP reporter Raphael Satter, who first reported on the story.

“I conducted about 40 interviews, speaking to all but a dozen of Katie’s connections. Overwhelmingly, her connections told me they accepted whoever asked to their network,” Satter wrote in another tweet.

LinkedIn has been called a “spy’s playground” in reference to the site’s functionality, which makes rote the acceptance of connections from strangers with the suggestion that doing do might benefit their own careers. The German spy agency Bundesamt für Verfassungsschutz (BfV) warned of the potential danger of the platform and how “[i]nformation about habits, hobbies and even political interests can be generated with only a few clicks.”

“Instead of dispatching spies to some parking garage in the U.S to recruit a target, it’s more efficient to sit behind a computer in Shanghai and send out friend requests to 30,000 targets,” said William Evanina, director of the U.S. National Counterintelligence and Security Center.

Digital imaging experts warn LinkedIn users to look for telltale signs of GAN-generated profiles, such as those in the below photo. Several more examples can be found on the website thispersondoesnotexist.com, which randomly generates GAN photos.

AP Deepfake photo
Source: AP Photo

Read the original AP report here.

The post Deepfake LinkedIn Profile Shows Espionage Threat appeared first on Adam Levin.

Cyber Attack Not Ruled-out For 5-Nation Power Outage

Paraguay, Chile, Brazil, Uruguay, and Argentina are having country-wide power outages since June 16, 2019, 7:07 am Argentina time. Labeled by Argentinian authorities as a failure of the power grids that trips one after another, which grew to be 5-country large. Argentinian President, Mauricio Marci went to Twitter to issue a statement that the cause is still unknown.“This morning, a fault in the coastal transmission system caused a power outage in the entire country, whose cause we cannot yet determine precisely. This is an unprecedented case that will be thoroughly investigated,” explained Marci.

His energy secretary, Gustavo Lopetegui made a short but curious comment regarding the incident. “This is an extraordinary event that should never have happened. It’s very serious. We can’t leave the country without power from one moment to another. At this moment we do not rule out any possibilities but … a cyberattack is not within the preliminary alternatives being considered,” said Lopetegui. As of this writing, Edenor, and Edesur, the two top electricity providers in Argentina are hard at work to fully restore power for the whole country. A huge chunk of the power comes from Yacyretá Dam, bordering with Paraguay, the dam generates the majority of the power requirements of Argentina.

“A massive failure in the electrical interconnection system left all of Argentina and Uruguay without power. This is the first time something like this has happened across the entire country,” emphasized Alejandra Martinez, Edesur’s spokeswoman.

University of Buenos Aires Professor, Raul Bertero claimed that the power grid has design and systemic operation errors, which made the power outage more severe than expected. “A localized failure like the one that occurred should be isolated by the same system. The problem is known and there is technology and studies that [work to] avoid it,” said Bertero.

“It is important to clarify that this total disconnection happens automatically. It’s the computers that run the system that does it when they detect imbalances that could cause major harm, and in milliseconds the system disconnects in order to protect itself. There was no alert here. There was no possibility for an alert here because it’s something that a human can’t detect. There is no human intervention,” added Lopetegui.

Argentina’s power grid is linked with Uruguay, Paraguay, Chile and a portion of Brazil, all of them experience power outages all at the same time. Edesur denied that Paraguay and Uruguay experienced country-wide power outages, but only a small percentage of its population without electricity. The heavily affected areas of the outage are Mendoza, Cordoba, La Rioja, Chubut, San Luis, Formosa and Santa Fe in Argentina. Paraguay reported that part of its Villalbin, Ayolas, Misiones, Neembucu and Pilar provinces had experienced the outage as well.

“Everything came to a halt. Elevators, water pumps, everything. We have left adrift. There are some elderly people on the eighth floor but nothing happened, because the power cut was short. If it had gone on for longer it would have been a whole different story,” told Juan Borges, one of the residents in Buenos Aires.

The post Cyber Attack Not Ruled-out For 5-Nation Power Outage appeared first on .

Evite Experiences Data Breach

Online invitation service Evite notified users about a data breach of user data that included names, usernames, email addresses, passwords, and mailing addresses.

The company disclosed the breach following the release of the affected data on the dark web. A hacker claimed to have access to 10 million user accounts.

“We became aware of a data security incident involving potential unauthorized access to our systems in April 2019. We engaged one of the leading data security firms and launched a thorough investigation. The investigation potentially traced the incident to malicious activity starting on February 22, 2019. On May 14, 2019, we concluded that an unauthorized party had acquired an inactive data storage file associated with our user accounts,” the company announced on its website.

Evite assured users that social security numbers and financial information were not part of the data being sold. The company urged users to reset their passwords and to be on the lookout for suspicious activities.

For some tips for personal information best practices, click here.

Read Evite’s announcement here.

The post Evite Experiences Data Breach appeared first on Adam Levin.

Facebook Offers to Pay Users for Sharing Information

Facebook invited lots of criticism earlier this year for having paid users in the 13 to 35 age group for permission to install a “Facebook Research” VPN on their phones. The users were paid up to $20 a month. Upon being widely criticized for accessing data of such users, Facebook had to defend its stand. The project, however, ended and that put an end to the issue for the time being.

Now, Facebook is back with another similar venture. The company has introduced a new app- the Study app, which is reportedly going to be used for “studying” users. The users, in exchange, would get paid.

In an official blog post dated June 11, 2019, Facebook Product Manager Sagee Ben-Zedeff says, “Earlier this year, we announced that we’d be shifting our focus to reward-based market research programs, which means that all research participants are compensated. Today we are launching a new market research app called Study from Facebook.”

He further explains, “We’ve learned that what people expect when they sign up to participate in market research has changed, and we’ve built this app to match those expectations. We’re offering transparency, compensating all participants, and keeping people’s information safe and secure.”

User sign-up and participation

The Facebook blog post explains that ads would be run to encourage people to participate in the Study market research program. People who click on the ad would find the option to register for the program. Once they qualify, they would be invited to download the app. They can download the Study from Facebook app from the Google Play Store and then sign up. Upon signing up, users would be able to see a description of how the app works and what information they would be sharing with Facebook. This helps them confirm if they want to participate or not.

Facebook would also notify users, on the Study from Facebook website as well as through the Play Store description as to what information would be collected and also as to how the information would be used. This would be available for participants to access before they start providing market research information to Facebook via the Study app. The users who contribute to the research program would be compensated and participants would be able to opt out at any time. They can do this by uninstalling the Study app and notifying the vendor about their intention to end the participation.

The Study app would only be available to users in the U.S and India in the first phase. Later, the app would be improved and expanded to other countries as well. As of now, users who are 18 and older would be eligible to participate in the research program.

Facebook collaborates with long-time partner Applause as regards managing the logistics of the market research program. Applause, which collaborates with many companies and is experienced in managing similar kinds of market researches, would manage the registration process, all compensation to participants, and customer support.

How the information is collected

Facebook promises, through the official blog post, that it would be collecting only the minimum amount of information needed to help build better products. The company reassures users that it has a responsibility to keep people’s information safe and secure.

Facebook intends to remind participants periodically that they are part of the research program. The users would also have the option to review the information that they would be sharing with Facebook. The information that’s collected and analyzed as part of the research program includes information pertaining to apps installed on the user’s device, the amount of time spent using the apps, app activity names (which might include the names of app features used by the participants), plus details regarding the participant’s country, device and network type.

Facebook assures participants that it wouldn’t collect user IDs, passwords or any other content added by the participant, including messages, photos and videos. Facebook wouldn’t sell the information collected as part of the research program to third parties or use it for targeting ads. It’s also stated that the information wouldn’t be added to the participant’s Facebook account.

Facebook would, however, be referencing other information that the company has about participants, such as their age, gender and how they use Facebook Company products when analyzing data from the Study app. This, according to the company, would help learn more about how participants use different services.

Product Manager Sagee Ben-Zedeff’s concluding remarks are notable; he says, “Approaching market research in a responsible way is really important. Transparency and handling people’s information responsibly have guided how we’ve built Study from Facebook. We plan to take this same approach going forward with other market research projects that help us understand how people use different products and services.”

Related Resources:

5 Suggestion To Facebook To Gain Users’ Confidence

Facebook Stored User Passwords in Plain Text for Years!

The post Facebook Offers to Pay Users for Sharing Information appeared first on .

DRM: What Is Digital Rights Management? Is It Useful?

Singers, video game producers, and anyone who creates digital content all dislike one thing: piracy and copyright infringement. Since the creation of digital products, content makers have always experimented with ways to stop users from distributing and selling their product without permission. That’s why digital security experts continue to find ways to improve Digital Rights Management, or DRM systems.

What Is Digital Rights Management? What Does It Protect?

When mentioning DRM to people, there is always a few who ask, “What is Digital Rights Management?” or, “What is DRM?”

In the simplest terms, Digital Rights Management, or “DRM,” is a method of protecting copyrighted material from being used by others in ways that are not permitted by the creator.

When someone creates a digital product, like music or video games, the creator is given special rights by law. These include the right to get paid for the use of their work by another person, the right to decide how others may use their creation, and the right to be paid by others for selling their creation.

But because hundreds of people can buy a digital product online, it’s difficult for creators to monitor how their product is being used. To protect their rights over their creation and to be paid for its use, DRM systems are used.

What Is Digital Rights Management? — Common Process of DRM

DRM is usually a two-phase process: The first phase is the encryption of the digital product, and the second phase is the authentication process.

The authentication process can be software-based or hardware-based, with the latter being a much stricter form of authentication. If users pass the authentication process, the decryption process is used to decrypt the digital product from its security box and enable its usage.

What Is Digital Rights Management? — Kinds of DRMs

Digital Rights Management is not a new creation; it’s been around since the beginning of digital content and digital products. But the forms of DRMs have evolved over time and become even more sophisticated. Here are common forms of DRM used today:

Product key DRM is a commonly used DRM for professional-use software, like Microsoft Office or Adobe Photoshop CS6. These are known to use product key DRMs.

Limited use DRM is mostly used by video or music stream platforms like Netflix and Spotify. Limited use DRMs prevent the number of times a product can be used on multiple devices.

“Trap” DRM is a creative form of DRM that some game developers use to prevent video game piracy. Games like “Serious Sam 3” and “Game Dev Tycoon” are games with this kind of DRM.

Authentication DRM is another DRM form that many game developers and game distributors use to prevent game piracy. This kind of DRM often requires account authentication to check if the product used is authentic or a cracked version.

“Always On” DRM, or “always online” DRM, is the strongest and the most consumer-hated type of DRM, especially when used in video games. This DRM system requires an internet connection to use the digital product or service.

Piracy is a growing industry in the digital age, so knowledge of DRM systems is important not only to digital product makers but also to buyers, since they are most affected by the implementation of DRMs. So, the next time someone asks, “What is Digital Rights Management?” or, “What is DRM used for?”, it will be easy to explain what it is and why it’s being used.

The post DRM: What Is Digital Rights Management? Is It Useful? appeared first on .

What is HIPAA Compliance?

HIPAA Definition

The Health Insurance Portability and Accountability Act (HIPAA) is a bill that was signed by then-President Bill Clinton in 1996. One of this act’s main goals is to update the flow of healthcare information and consequently improve the protection of patient data. Through HIPAA compliance, reducing of health care fraud and abuse is thoroughly addressed.

HIPAA targets to mandate all institutions that deal with PHI (protected health information) to adhere to industry-wide standards. This is structured to guarantee that all healthcare information is protected through implementing physical, network, and process security measures.

What Is HIPAA Compliance? — HIPAA Privacy Rule

The HIPAA Privacy Rule sets principles that aim to protect certain electronic healthcare-related information. Its main objective is to secure patients’ medical records and other personal healthcare data. Medical information that is appended with this HIPAA compliance rule includes:

  • HIV/AIDS.
  • Substance/Alcohol Abuse.
  • Mental Health.

Through the implementation of the HIPAA Privacy Rule, patients can ensure that the privacy of all their sensitive healthcare data is being safeguarded by appropriate protocols. Through HIPAA compliance, they can guarantee that unauthorized disclosure of such data will be strictly monitored.

Patients can also retain their rights over their own medical data. This means that they are entitled to request a copy of their healthcare records and appeal for corrections when deemed necessary.

What Is HIPAA Compliance? — HIPAA Security Rule

The HIPAA Security Rule outlines standards that will assure top-grade protection for all electronic healthcare information. These include any medical data that are created, received, used, or maintained in electronic form.

To ensure proper implementation of the HIPAA Security Rule, the law mandates that all administrative, physical, and technical safeguards must be in place. Here is a brief guide about these required safeguards:

Administrative safeguards are organizational policies and procedures that are set as guidelines to implement and maintain proper medical data security measures. These include proper supervision of employee conduct with regards to sensitive healthcare information security.

Physical safeguards refer to all physical electronic medical data security measures and policies that need to be administered. These include workstation use and security, device and media controls, and full access control to facilities.

Technical safeguards aim to administer the technology and the corresponding policies and procedures for the technology’s usage and implementation.

What Is HIPAA Compliance’s Importance?

With more and more healthcare-related institutions adopting modernized technologies in their operations, almost all healthcare records are now saved in electronic form. This makes HIPAA compliance a standard in today’s healthcare industry landscape.

The good thing with HIPAA compliance is that it is flexible and scalable for any covered institution. Any healthcare industry company will be able to distinguish the appropriate privacy and security measures that they should implement to obtain rigid medical data security.

To better understand HIPAA, here are a few best practices with regards to HIPAA compliance:

What Is HIPAA Compliance? — Best Practices

  1. Security measures must include an up-to-date training program for employees about the proper management and handling of sensitive healthcare records.
  2. Avoid accessing a patient’s record unless given proper authorization or when it is extremely necessary.
  3. All computer programs containing sensitive medical data must be locked down when not in use.
  4. Install a reliable anti-virus software on all computers. This IT solution is designed to keep all malware and other security risks out of your computer systems.

What Is HIPAA Compliance? — Conclusion

Non-compliance to HIPAA can be costly. Depending on the gravity of the violation, penalties can reach up to USD250,000. That is why healthcare industry companies must take HIPAA compliance with the utmost importance. After all, HIPAA aims to improve the protection of all patients’ electronically saved medical records.

Related Resources:

Healthcare Data Security Services and Processes

How Healthcare Organizations Can Solve Cybersecurity Issues

The post What is HIPAA Compliance? appeared first on .

Australian National University hit by huge data breach

Vice-chancellor says hack involved personal and payroll details going back 19 years

The Australian National University is in damage control after discovering a major data breach a fortnight ago in which a “significant” amount of staff and student information was accessed by a “sophisticated operator”.

In a message to staff and students, vice-chancellor Brian Schmidt said someone illegally accessed the university’s systems in late 2018.

Related: Australian security services investigate attempted cyber attack on parliament

Continue reading...

The Guardian view on cybercrime: the law must be enforced | Editorial

Governments and police must take crime on the internet seriously. It is where we all live now

About half of all property crime in the developed world now takes place online. When so much of our lives, and almost all of our money, have been digitised, this is not surprising – but it has some surprising consequences. For one thing, the decline in reported property crimes trumpeted by successive British governments between 2005 and 2015 turns out to have been an illusion. Because banks were not required to report fraud to the police after 2005, they often didn’t. It would have made both banks and police look bad to have all that crime known and nothing done about it. The cost of the resulting ignorance was paid by the rest of government, and by the public, too, deprived of accurate and reliable knowledge. Since then, the total number of property crimes reported has risen from about 6m to 11m a year as the figures have taken computerised crime into account.

The indirect costs to society are very much higher than the hundreds of millions that individuals lose. One example is the proliferation of plagiarism software online, which developed an entire industry in poor, English-speaking countries like Kenya, serving idle or ignorant students in England and North America. The effort required by schools and universities to guard against such fraud has been considerable, and its cost entirely disproportionate to the gains made by the perpetrators.

Continue reading...

George Orwell’s dystopia is with us today | Letters

As several Observer stories reveal, individuals are being watched and scrutinised just as the author predicted

Your article on George Orwell’s prescient novel, Nineteen Eighty-Four, coincided with several stories showing that his dystopia is upon us (“Big Brother’s long shadow”, New Review). From tales of people being fined for not showing their face (Kenan Malik, Comment) to accounts of remote surveillance via mobile phones (John Naughton, New Review), it seems we are always under observation. Rachel Cooke’s dispiriting experience in New York, being forced to order her meal via a machine (Observer Food Monthly) is a further sign of the dehumanisation taking place in commerce and at work.

Capital is using technology to eliminate labour and government is using it to control behaviour. Absent a major political movement against this threat, our only choice is to resist as individuals: never shop online, always pay cash, give up Google maps. How many of us are ready to trade convenience for freedom?
Antony Crossley
Chobham, Surrey

Continue reading...

Do You Know When The First Cyber Attack Took Place? Read On

WannaCry, a malicious computer virus that encrypts data and demands ransom, hit thousands of computers across the world, causing several organization to close down. Not a day goes by without a large company admits that its data has been breached. Cyber attacks are more known to be a thing of modern life, but their story goes farther than expected.

Do you know when the first cyber attack occurred? Many attribute this to Robert Morris, a 20-year-old Cornell undergraduate student, in 1988. He was also the first person to be charged under the Fraud and Cyber Abuse Act. Nevertheless, this was not the first cyber attack. The first cyber attack happened when optical telegraphy known as semaphore was used, long before our Internet and computers came into existence. This happened in the year 1834.

The semaphore system included a chain of towers with each tower having a mobile wooden arm in its upper part. Different configurations of these arms have been used to denote different symbols, letters, and numbers. The operators of each tower would use a telescope to verify the configuration of the adjacent tower and then reproduce them in their own tower. This made it possible to deliver messages much faster. The semaphore network was reserved exclusively for government use; however, in 1834, two brothers, François and Joseph Blanc came up with means of hacking into the system for their personal benefit.

François and Joseph Blanc were dealing with government bonds on the Bordeaux stock exchange that kept a close watch on the Paris stock exchange. The Paris stock exchange was the primary market, and the secondary markets always lagged due to the time it took for the information to travel through the post. So if traders could get to know the information in advance, they could make a lot of money by anticipating the market move.

The Blanc brothers’ bribed a telegraph operator who provided information on the stock market, and he had an accomplice in Paris who will help him get the details. The operator would then send the news of Tours to Bordeaux using the semaphore system. However, he breached the message by adding errors such as; codes to government messages that were later deciphered by another operator who was Blanc’s person stationed close to the Bordeaux line.

This lasted for approximately two years until one day the Tours operator became ill. So he shared this misdoing with one of his friends with a hope that he will continue the practice. The friend took a back seat and reported the operator to the authorities. The Blanc brothers were arrested for their cyber attack but were released due to the lack of an adequate law.

“The Blanc brothers’ story is also a reminder that with any new invention, people will always find a way to use it maliciously.” This is a timeless aspect of human nature, and it’s not something technology can or should be designed to solve, “said Tom Standage of The Economist writes. This is still so relevant.

Related Resources:

How to Protect Yourself from Online Cyber Attacks at Work

How A Website Security Scanner Helps Lessen Future Cyber Attacks

The 3 Sectors Most Prone to Cyber Attacks

Businesses Should Be Aware of Growing Cyber Attacks

Artificial Intelligence as the Next Host of Cyber Attacks

The post Do You Know When The First Cyber Attack Took Place? Read On appeared first on .

Nothing but the truth: the legacy of George Orwell’s Nineteen Eighty-Four

Every generation turns to it in times of political turmoil, and this extract from a new book about the novel examines its relevance in the age of fake news and Trump

Read other extracts from the book:
• David Bowie’s Orwell: how Nineteen Eighty-Four shaped Diamond Dogs
• ‘He typed in bed in his dressing gown’: how Orwell wrote Nineteen Eighty-Four

December 1948. A man sits at a typewriter, in bed, on a remote island, fighting to complete the book that means more to him than any other. He is terribly ill. The book will be finished and, a year or so later, so will the man.

January 2017. Another man stands before a crowd, which is not as large as he would like, in Washington DC, taking the oath of office as the 45th president of the United States of America. His press secretary says that it was the “largest audience to ever witness an inauguration – period – both in person and around the globe”. Asked to justify such a preposterous lie, the president’s adviser describes the statement as “alternative facts”. Over the next four days, US sales of the dead man’s book will rocket by almost 10,000%, making it a No 1 bestseller.

Continue reading...

May I have a word about… Pegasus spyware | Jonathan Bouquet

Is the powerful virus that infected WhatsApp a flying horse or a Trojan horse? Don’t ask the woman who developed it

The unsavoury revelations about the hacking of WhatsApp by software developed by Israeli company, NSO Group, raised some interesting imagery. NSO has developed a powerful smartphone virus called Pegasus, described by NSO co-founder Shalev Hulio as the company’s Trojan horse that could be sent “flying through the air” to infiltrate devices.

Right, let’s get this straight. Pegasus was the son of mortal Medusa and Poseidon, god of the sea. Pegasus and his brother Chrysaor were born from the blood of their beheaded mother, who was tricked and killed by Perseus. Pegasus was represented as a kind-hearted, gentle creature, somewhat naive but always eager to help.

Continue reading...

Israeli firm linked to WhatsApp spyware attack faces lawsuit

Amnesty International fears its staff may be ‘surveilled via NSO Pegasus software’

The Israeli firm linked to this week’s WhatsApp hack is facing a lawsuit backed by Amnesty International, which says it fears its staff may be under surveillance from spyware installed via the messaging service.

Related: WhatsApp urges users to update app after discovering spyware vulnerability

Related: WhatsApp spyware attack was attempt to hack human rights data, says lawyer

Related: WhatsApp hack: have I been affected and what should I do?

Continue reading...

Fundamental Need For A Productive ITSM (IT Service Management)

It is true that many business departments have introduced various cloud services that realize advanced IT and those do not require the power of the information system department. But the information systems department itself has to change too. It is necessary to move away from the concept of managing IT systems as before and shift its mission to a business partner who provides useful IT services as customers to all users in the company. IT service management holds the key. It standardizes, visualizes and automates each business process that has been made based on personal judgment or occasional judgment from time to time, improves the quality of IT services, eliminates unnecessary work, and eliminates the unnecessary work. Streamline your work.

So how can we introduce and practice proper IT service management? If you do not have experience or knowledge in your company, you do not know where to start, what to do, and what to do. A useful tool in such a situation is to learn and reference best practices in the world’s leading companies. As a guideline, a framework called the Information Technology Infrastructure Library (ITIL) is well known. From a different point of view, applying the concept of IT service management based on ITIL to all business divisions will enable information systems division to regain its leadership again. This is a great opportunity.

In recent years, all companies are accelerating transformation, such as the manufacturing industry, which has been focused on making a limit on manufacturing, accelerating its conversion to a service model. In order to be competitive in the wave of this digital transformation, it is possible to quickly launch strategic IT services even if the future cannot be seen and to improve operation and correct the trajectory according to environmental changes. In some cases, it will be necessary to take flexible measures like never before, such as linking with other companies’ services and promoting co-creation without hesitation. As a support role for business departments and managers, the information systems department has had unprecedented expectations. The first step of ITIL introduction is from the service desk.

In the previous version of V2 , ITIL centered on two major guidelines:

  • Service support that describes daily operation methods
  • Service delivery that describes medium- and long-term service management methods.

In the latest V3 , while following these two ideas, the classification is a concept based on five core principles:

  1. Service strategy
  2. Service design
  3. Service transition
  4. Service operation
  5. Continuous service improvement.

Each indicates the ideal state of each process of IT service, but among these:

  • Service Desk
  • Incident Management
  • Problem Management
  • Change Management Release Management
  • Configuration Management
  • Service Level Management
  • IT Service Financial Management
  • Capacity Management
  • IT Service Continuity Management
  • Availability Management

The above-mentioned parts of ITSM are important concepts for a well-oiled IT organization for any size business. The starting point of these processes is the service desk. Among the Fortune 500 companies, ITIL began to spread in the early 2000s, but more than half of them started the service desk. The reason is that it is the fastest and most visible effect on improving the quality of IT services.

In fact, looking at the current state of the service desk, it’s not uncommon to find workflows that use email or phone interaction. Users can not even see what their request status is now. On the other hand, the manager or head of each department cannot grasp what is stumped by the person in charge at the business site, and the fact is that even if you prioritize the issues, the information to judge them is not gathered. Establishing a workflow for IT service management that is optimal for the entire company by introducing measures to improve the operational workflows of inefficient service desks first, while looking ahead of the system operation management corresponding to the latest technology, user satisfaction.

All providers of ITSM services boast their SLA levels and competitive price points for their potential customers. Companies need to do their homework of researching about the track records of firms that are competing, check reviews from current clients to determine the capability of the service provider. There are lots of things beyond the scope of this article, but there is one thing in common for all ITSM service providers, those are also “for-profit” businesses. These organizations are profit-seeking endeavors as well, which seeks to earn as much profit and do its best to reduce cost as much as possible. A clear understanding of the pros and cons of available competing service providers need to be done by a competent IT team within the organization.

Source: https://www.itproportal.com/features/eight-steps-to-ensure-it-service-management-success/

Related Resources:

The 10 Best Managed Security Service Providers in 2019

Managed Service Providers in the Era of Ransomware

 

The post Fundamental Need For A Productive ITSM (IT Service Management) appeared first on .

Feds Break Up Major SIM-Hijacking Ring

The U.S. Department of Justice announced that it has arrested and charged members of a major cybercriminal ring in connection with $2.4 million worth of wire fraud and identity theft.

The hacking group, called “The Community” primarily used social engineering (trickery) and SIM card hijacking to steal funds and cryptocurrency from their victims.

SIM swapping or hijacking is an attack that often deploys personal information gleaned from other sources (such as social engineering) to authenticate a fraudster to a mobile phone company. Once authenticated, the mobile phone number of the target victim is moved to the criminal’s phone. Possession of the target’s phone number allows the criminal to access calls and texts intended for the target, therefore making it possible to bypass his or her 2-Factor authentication and thus gain access to the victim’s financial accounts.

Members of The Community face charges of wire fraud and aggravated identity theft. Three former mobile provider employees are also charged with accepting bribes to facilitate SIM-card hijacks for the group.

Read more about the story here.

 

 

 

The post Feds Break Up Major SIM-Hijacking Ring appeared first on Adam Levin.

How do you retaliate against a WhatsApp attack? | James O’Malley

Cyberwarfare is on the march, but there is nothing in the Geneva conventions to cover it

We don’t yet know for sure who used Israeli company NSO’s software to hack WhatsApp users – the messaging service’s parent company Facebook has said only that the culprit is an “advanced cyber actor” – but all signs point to it being a government. According to one analysis, NSO has 45 governments as clients including, amazingly, Saudi Arabia and the United Arab Emirates, even though officially these states don’t recognise Israel.

Whoever the culprit, the WhatsApp attack will surely be added to a long list of state-backed attacks that includes Russia’s 2015 takedown of Ukraine’s power grid, China’s persistent intellectual property thefts and North Korea’s attack on Sony Pictures over the film The Interview. And yes, the west does it too – the United States used a cyber-weapon to take down Iran’s nuclear programme in 2010 – the so-called Stuxnet attack.

Related: WhatsApp spyware attack was attempt to hack human rights data, says lawyer

Related: The Guardian view on hacking: a dangerous arms trade | Editorial

Continue reading...

The Guardian view on hacking: a dangerous arms trade | Editorial

Cyberweapons are dangerous in themselves. Their proliferation makes them much more harmful

NSO Group, an Israeli firm that has risen to a billion-dollar valuation on the strength of the aggressive hacking tools it sells to authoritarian governments across the Arab world, is being sued by lawyers and activists who claim to be victims of its software. One of the lawyers involved in the suit was targeted some weeks ago by mysterious WhatsApp calls to his phone in the middle of the night. When he contacted technical experts, they discovered Pegasus 3, an aggressive virus that can apparently install itself on a phone without the victim taking any action at all. Once installed, it takes control of the device, recording conversations and video. It can destroy the evidence of its own arrival and existence, and control any files on the device. In effect, it turns a smartphone into the perfect spying device, which the victim will carry everywhere with them.

Similar programs are widely available to abusers of all sorts, which is one reason why many domestic violence shelters ban the use of smartphones. But the ones that can easily be bought require some action from the victim, usually a misplaced click, or else a few moments’ access to their phone. The NSO malware targeting WhatsApp is different in that it could install itself without the victim doing anything at all. To discover and exploit the programming mistakes that opened this vulnerability would take years and cost millions of dollars. That is why it’s assumed that only states, or state-backed actors, have the resources to produce them.

Continue reading...

WhatsApp spyware attack was attempt to hack human rights data, says lawyer

NSO Group technology reportedly used against lawyer involved in civil case against the Israeli surveillance firm

The UK lawyer whose phone was targeted by spyware that exploits a WhatsApp vulnerability said it appeared to be a desperate attempt by someone to covertly find out the details of his human rights work.

The lawyer, who asked not to be named, is involved in a civil case brought against the Israeli surveillance company NSO Group whose sophisticated Pegasus malware has reportedly been used against Mexican journalists, and a prominent Saudi dissident living in Canada.

Related: WhatsApp urges users to update app after discovering spyware vulnerability

Users are strongly advised to check for WhatsApp updates manually through the Apple App Store on an iPhone, Google Play or similar on an Android device, the Microsoft Store on Windows Phones and the Galaxy app store on Tizen devices.

Related: Mexico accused of spying on journalists and activists using cellphone malware

Continue reading...

Twitter Bug Carelessly Shared Location Data of Some iOS Users

According to Twitter, a bug that revealed the user’s location information, and shared it with an unnamed Twitter partner has been fixed.

“We have discovered that we inadvertently collect and shared iOS location data with one of our trusted partners in certain circumstances,” the company said.

According to the blog posts, the bug only affects iOS users who are using the Twitter app who had a second account on their phone. If a user allows Twitter to access the accurate location information for an account, the settings will automatically be applied to other account, even if they do not share location data

Twitter also finds that the information collected is passed on to trusted partners to serve ads through a process known as real-time bidding. However, privacy issues have been resolved by stating that site data is “fuzzed” to reduce accuracy to the nearest zip code or city.

“We have confirmed with our partner that the location data has not been retained and that it only existed in their systems for a short time, and was then deleted as part of their normal process,” it stated on the help site.

Although Twitter did not announce when the data exchange took place, the social media company said it had notified affected users and asked users to review their privacy settings in the face of security incidents.

It should also be noted that this security issue is Twitter’s fourth mistake in the past year.

Last September, a bug in the Twitter API accidentally published a private message and protected tweets for developers who were not allowed to read.

In December, it was said that government-sponsored actors could have exploited the vulnerability in an online support form to retrieve the user’s country code and determine whether the Twitter account was suspended or not.

In January this year, Twitter found a security flaw in its Android app causing private tweets of an unspecified number of users to be publicly available since 2014.

In January of this year, Twitter experienced a vulnerability in its Android application that caused personal tweets to be publicly available to a number of unspecified users since 2014.

Source: https://www.zdnet.com/article/twitter-bug-shared-location-data-for-some-ios-users/

Related Resources:

Twitter Rolls Out Key Cybersecurity Improvement Vs. Hacking

Twitter to Stop Hackers from Spreading Secrets of 9/11 Attacks

Twitter’s Mobile Phone Integration Is Insecure

The post Twitter Bug Carelessly Shared Location Data of Some iOS Users appeared first on .

WhatsApp urges users to update app after discovering spyware vulnerability

The spyware, developed by Israeli cyber intelligence company, used infected phone calls to take over the functions of operating systems

WhatsApp is encouraging users to update to the latest version of the app after discovering a vulnerability that allowed spyware to be injected into a user’s phone through the app’s phone call function.

The spyware was developed by the Israeli cyber intelligence company NSO Group, according to the Financial Times, which first reported the vulnerability.

Related: WhatsApp 'deleting 2m accounts a month' to stop fake news

Users are strongly advised to check for WhatsApp updates manually through the Apple App Store on an iPhone, Google Play or similar on an Android device, the Microsoft Store on Windows Phones and the Galaxy app store on Tizen devices.

Continue reading...

Email Is the Biggest Threat to Business, So Why Is Everyone Using It?

Microsoft’s Outlook.com service suffered a major breach earlier this year. The compromise allowed hackers to potentially access user email accounts, and that was the case for more than six months. This news was no shocker. Outlook has always been, and continues to be a perennial target.

Saying that email is a major service of the Internet is a bit like saying Donald Trump doesn’t like CNN. Email is foundational. In fact, it pre-dates the Internet by decades. (Lest we forget, the first email was sent in 1971).

Email currently has a 90.1% penetration rate among Internet users in the United States, compared to 68% for Facebook and 23% for Twitter. It’s the main communication tool for 95% of businesses. Email addresses are still the main way we authenticate ourselves to do business online, and because of that email as a category represents an extremely weak link in our collective cybersecurity. It doesn’t have to be this way, but as Yogi Berra once said, “We made too many wrong mistakes.”

It’s this familiarity and this reliance on email that has made it the target of choice for hackers, and with that a major liability for businesses and consumers alike. If you think social media networks and data mining organizations have juicy digital assets, consider for a moment the El Dorado of information transmitted daily via email, ranging from intimate correspondences to tax information, travel plans, financial transactions, photos, and shopping lists to real-time data on a user’s emotional state and how their important relationships are going.

Because email isn’t deleted from most servers by default, this target-rich digital information environment is often accessible to anyone with a login and password–something that is regularly served up to hackers by the billions.

The cybersecurity threat posed by email isn’t limited to sensitive data sitting passively on account servers. Email is the preferred tool hackers use to access their targets’ networks: 83% of organizations reported phishing attacks in 2018, up from 76% in 2017. Fully two thirds of malware is installed by clicking on an email attachment.

Email is equal parts Achilles heel and Trojan Horse, so why are we still using it?

“Just Because” Isn’t a Good Answer

It’s not an original thought to say that email is problematic, or that a replacement of some sort would be welcome. Its obsolescence, if not demise, has been predicted repeatedly over the years. A murderers’ row of newer technologies like SharePoint, Slack, Skype, Messenger, and many, many others have seemed like contenders, but email still dominates in the realm of communication.

The reason for email’s ongoing existence despite its obvious shortcomings and major security issues is counter-intuitive. People use it because it’s insecure. That’s why it doesn’t matter that Bill Gates didn’t come through with the promise of eradicating spam by 2006. Spam is something we’re willing to accept to stay Internet nativists. It is the digital equivalent of gnats in nature.

True story: The Internet was not made with security in mind. It was made to communicate fast. While the underlying structures seem naïve, none of it was designed for the general public. Domain names were initially intended as a means of identifying remote academic, military, and government locations. Their corresponding numerical (IP) addresses were limited to roughly 4 billion possible variations. That was more than enough for every single person on the planet at the time of its creation. That this structure didn’t anticipate the rise of Internet-enabled telephones, vacuum cleaners, nuclear reactors, or personal assistants is as much a part of the problem as the fact that they didn’t anticipate every small-time crook switching from convenience store stick-ups and smash and dash crimes to the much less risky practice of email phishing campaigns with the cornucopia of identity-related crimes made possible by them.

Email has none of the strings-attached vibe that the Mark Zuckerbergs of the world have attached to our information, no terms and conditions or privacy policies subject to change, and it doesn’t rely on any specific hardware or software to be able to access it as a service. Looking at its liabilities without understanding its appeal is one of the key factors that has made it a communication mainstay, seemingly against all odds and to the consternation of IT departments around the world.

In this way, email is an object lesson in the cybersecurity quagmire: We’re over-reliant on the idea of technology providing a silver bullet instead of changing our behavior. No Slack or Messenger or any other killer app is going to solve the email problem (although traffic may continue to migrate from email to other modes of communication). The only thing that will change the situation, Yogi Berra might have said, is to change the situation. Meanwhile, he did say this: “If the world were perfect, it wouldn’t be.”

This article originally appeared on Inc.com.

The post Email Is the Biggest Threat to Business, So Why Is Everyone Using It? appeared first on Adam Levin.

Access and Source Code to Samsung Apps Left Unprotected on Public Server

The source code and security keys associated with a number of Samsung apps and projects have been discovered on unprotected server. Samsung’s SmartThings home automation platform was among the projects exposed in the compromise.

The exposed server contained a code repository that was misconfigured and publicly available. In addition to the underlying code of several major Samsung apps was a security token that allowed unfettered access to 135 projects and applications.

“The real threat lies in the possibility of someone acquiring this level of access to the application source code, and injecting it with malicious code without the company knowing,” said Mossab Hussein, the cybersecurity researcher who discovered the server.

Samsung is one of the world’s biggest technology manufacturers, and the ability to compromise its software would represent a cyber threat of monumental proportions. The company’s SmartThings app alone boasts 100 million installs worldwide. Alerted to the data compromise by Hussein April 10th, 20 days went by before the company revoked access to its security keys.

“[W]hile we have yet to find evidence that any external access occurred, we are currently investigating this further,” a spokesman for the company said.

Read more about the story here.

 

The post Access and Source Code to Samsung Apps Left Unprotected on Public Server appeared first on Adam Levin.

U.S. Energy Grid Experiences Possible Cyberattack

An apparent denial of service attack caused a disruption in a segment of the U.S. energy grid affecting Utah, Wyoming, and Southern California.

Little is currently known about the incident. It occurred March 5th, disabling several security devices. An unnamed utility company reported the incident to the Department of Energy.

“There was a denial-of-service attack…and that basically led operators to not be able to see what was going on in the grid,” said journalist Blake Sobczak, who initially reported the story. “As long as nothing crazy happens, you should be fine, but it certainly constitutes a disruption and a reportable event here to the Department of Energy.”

While the potential cyberattack did not lead to any known outages or interruptions in service and used a relatively unsophisticated method, it is noteworthy for being the first known incident to successfully target the nation’s energy infrastructure. Hackers targeting the U.S. energy grid have been theoretical up to this point, but security experts have long maintained that the infrastructure is poorly secured and that many utility companies are unprepared when it comes to cyber defense.

Fears of an attack on utilities have increased in the wake of Russian infiltration of U.S. critical infrastructure announced in 2018 by the Department of Homeland Security.

The post U.S. Energy Grid Experiences Possible Cyberattack appeared first on Adam Levin.

Putin Signs Nationwide Internet Censorship Into Law

Russian President Vladimir Putin has signed a bill to create a separate Russian national internet.

The legislation is primarily focused on establishing an autonomous national system, separate from the internet used globally, which would have its own DNS system and would require all traffic in the country to pass through online government monitoring. Putin has justified the move as being due to mitigating the threats of interference from foreign governments in Russian politics.

The bill comes on the heels of several other measures passed by Putin’s government, largely aimed at curtailing internet freedom, including one passed in March that granted it the power to punish Russian citizens for insulting public officials, and another targeting “unreliable socially significant information.”

Civil libertarians and security experts alike say Putin’s project mirrors China’s massive censorship of the Internet, which is called the “Golden Shield Project” and the “Great Firewall.”

“It’s about being able to cut off certain types of traffic in certain areas during times of civil unrest,” said Russian author Andrei Soldatov.

The intended separation from the wider internet has also proven unpopular with Russians. A recent poll conducted showed only 23% approve of the legislation, and thousands of protestors demonstrated in Moscow in opposition to it earlier this year.

Read more about the story here.

 

The post Putin Signs Nationwide Internet Censorship Into Law appeared first on Adam Levin.

The privacy paradox: why do people keep using tech firms that abuse their data? | John Naughton

Despite privacy scandals, Facebook is more profitable than ever – journalists must use the tools of tech to understand why

A dark shadow looms over our networked world. It’s called the “privacy paradox”. The main commercial engine of this world involves erosion of, and intrusions upon, our privacy. Whenever researchers, opinion pollsters and other busybodies ask people if they value their privacy, they invariably respond with a resounding “yes”. The paradox arises from the fact that they nevertheless continue to use the services that undermine their beloved privacy.

If you want confirmation, then look no further than Facebook. In privacy-scandal terms, 2018 was an annus horribilis for the company. Yet the results show that by almost every measure that matters to Wall Street, it has had a bumper year. The number of daily active users everywhere is up; average revenue per user is up 19% on last year, while overall revenue for the last quarter of 2018 is 30.4% up on the same quarter in 2017. In privacy terms, the company should be a pariah. At least some of its users must be aware of this. But it apparently makes no difference to their behaviour.

Related: Secretive hard-Brexit Facebook campaign got 1m responses

Continue reading...

German police shut down one of world’s biggest dark web sites

Arrests in Germany, Brazil and US relate to sale of drugs, stolen data and malicious software

German police have shut down one of the world’s largest illegal online markets in the so-called dark web and arrested the three men allegedly running it, prosecutors said on Friday.

The “Wall Street Market” (WSM) site enabled trade in cocaine, heroin, cannabis and amphetamines as well as stolen data, fake documents and malicious software.

Related: Dark web blamed for rise in drugs sent by post from Netherlands

Continue reading...

Adam Levin Discusses Mobile Banking and Security with TicToc

Adam Levin was featured on a short video on TicToc by Bloomberg, where he discussed the trade-offs between security and convenience for mobile banking and payment apps.

“As business tries in its technological innovation to make things more convenient, you end up with the conundrum between convenience and security.” Levin said.

See the video below, or on Bloomberg.com:

The post Adam Levin Discusses Mobile Banking and Security with TicToc appeared first on Adam Levin.

Fallout from Gavin Williamson sacking | Letters

Readers respond to the sacking of the defence secretary Gavin Williamson over accusations of leaking

While I am delighted that Gavin Williamson (May tells defence secretary: ‘You leaked, you are fired’, 2 May) has been removed from the government – remember he said that all British jihadists should be hunted down and killed in the Middle East rather than returned for trial here – I am sorry that as a result Rory Stewart no longer has responsibility for prisons. His is a deserved promotion, but as prisons minister he was the first member of the government to make any attempt to get to grips with the problems of our criminal justice system and offered to resign if things did not improve. How sad that there are not more of that ilk in public life these days.
Maureen Panton
Malvern, Worcestershire

• Is the Gavin Williamson who has just been sacked as defence secretary for allegedly leaking plans discussed in the National Security Council to allow Huawei to be involved in building the UK’s 5G network the same Gavin Williamson who told us last year that it’s Jeremy Corbyn that “cannot be trusted”?
Sasha Simic
London

Continue reading...

What This Report on Cyber Risk Gets Wrong

The Marsh brokerage unit of Marsh and McLennan recently announced a new evaluation process called Cyber Catalyst designed to determine the usefulness of enterprise cyber risk tools.

The goal of the new offering is to identify and implement industry-wide standards to help cyber insurance policyholders make more informed decisions about cyber-related products and services; basically, what works and what doesn’t. Other major insurers participating in Cyber Catalyst include Allianz, AXA XL, AXIS, Beazley, CFC, and Sompo International.

While this collaboration between insurance companies is unusual, it’s not entirely surprising. Cyber insurance is a $4 billion market globally. While it’s difficult to accurately gauge how many hacking attempts were successfully foiled by the products targeted here, data breaches and cyber attacks on businesses continue to increase in frequency and severity. The 2019 World Economic Forum’s Global Risks Report ranks “massive data fraud and theft” as the fourth greatest global risk, followed by “cyber-attacks” in the five slot.

Meanwhile, cybersecurity products and vendors have been, to be charitable, a mixed bag.

Good in Theory

From this standpoint, Cyber Catalyst seems like not just a good idea, but an obvious one. A standardized metric to determine which cybersecurity solutions are no better than a fig leaf and which ones provide real armor to defend against cyberattacks is sorely lacking in the cybersecurity space. By Marsh’s own estimates, there are more than three thousand cybersecurity vendors amounting to a $114 billion marketplace. Many of them don’t inspire confidence on the part of businesses.

Insurers have a vested interest in determining the effectiveness of cybersecurity products, weeding out buggy software and promoting effective solutions that can help address risk aggregation issues. Businesses and their data are in turn better protected, and at least in theory, they would pay less for coverage. Everyone wins.

Insurance companies did something similar in the 1950s with the creation of the Insurance Institute for Highway Safety. In the face of rising traffic collisions and fatalities, the insurance industry collaborated to establish a set of tests and ratings for vehicles, and the result has been a gold standard for automotive safety for decades. Using a similar strategy for cybersecurity would at least in theory help mitigate the ever-increasing costs and risks to companies and their data.

Or Maybe Not

Where the analogy to the Insurance Institute for Highway Safety breaks down is here: The threats to car drivers and passengers have ultimately stayed the same since its inception. Everything we’ve learned over the years about making cars has progressively led to safer vehicles. Information technology is vastly different in that iterative improvements in one specific area doesn’t necessarily make an organization as a whole safer or better protected against cyber threats–in fact sometimes it can have the opposite effect when a new feature added turns out to be a bug.

Cyber defenses are meaningless in the presence of an unintended, yet gaping, hole in an organization’s defenses. Then there is the march of sound innovation. Products that provided first-in-class protection for a business’s network a few years ago may no longer be so great where cloud computing and virtual servers, or BYOD are concerned. The attackable surface of every business continues to increase with each newly introduced technology, and it seems overly optimistic to assume the standard evaluation process (currently twice a year) would be able to keep pace with new threats.

There’s also the risk of putting too many eggs into one basket. While the diffuse nature of the cybersecurity market causes headaches for everyone involved, establishing a recommended solution or set of solutions effectively makes them an ideal target for hackers. While it’s important to keep consumers and businesses informed of potential risk to their information, cybersecurity issues require a certain amount of secrecy until they have been properly addressed. Compromising, or even identifying and reporting on a vulnerability before it’s been patched in an industry standard security product, process or vendor practice could cause a potentially catastrophic chain reaction for cyber insurers and their clients.

Culture Eats Strategy for Breakfast

Where the Cyber Catalyst program seems to potentially miss the mark is by overlooking the weakest link in any company’s security (i.e., its users). An advanced cybersecurity system or set of tools capable of blocking the most insidious and sophisticated attack can readily be circumvented by a spear phishing campaign, a compromised smartphone, or a disgruntled employee. Social engineering cannot be systematically addressed. Combatting the lures of compromise requires organizations to foster and maintain a culture of privacy and security.

The risk of employee over-reliance on tools and systems at the expense of training, awareness, and a company culture where cybersecurity is front and center must not be underestimated. While it is easier to opt for the quick and easy approach of purchasing a recommended solution, companies still need a comprehensive and evolving playbook to meet the ever-changing tactics of persistent, sophisticated and creative hackers.

While industry-wide cooperation may be a good thing, it’s vital for companies and insurers alike to recognize that any security program or service is fallible. Without an equal investment in functional cybersecurity, which places as much store in training employees and keeping aware of new threats, the rise in breaches and compromises will continue.

This article originally appeared on Inc.com.

The post What This Report on Cyber Risk Gets Wrong appeared first on Adam Levin.

How do I buy a laptop with an encrypted hard drive?

Derek needs to find a laptop with Windows 10 Home’s device encryption to keep his data safe

I want to buy a new Windows 10 laptop for home use, and I want one with device encryption capability, so that the boot drive is encrypted. Until recently, this has only been possible with Windows Professional editions using BitLocker. I now see that if a laptop has the right specification, all versions of Windows 10 can have device encryption turned on.

The problem is that it’s difficult, if not impossible, to get information from mainstream laptop vendors as to whether a specific model supports device encryption. Recent MacBooks are capable of using FileVault and Apple spells out which models support it, so why is this information so hard to find for Windows laptops? Derek

I’m glad you asked because you’re right: there’s a shocking lack of information about device encryption on laptops, and this applies to Microsoft, to PC manufacturers, and to retailers. It’s also something that laptop PC reviewers rarely seem to mention, which makes it hard, if not impossible, to tell how many laptops are compatible with Windows 10’s device encryption.

Continue reading...

Marcus Hutchins: UK ransomware ‘hero’ pleads guilty to US hacking charges

Hutchins says he regrets his actions and will continue ‘keeping people safe from malware attacks’

A British computer security researcher once hailed as a “hero” for helping stem a ransomware outbreak and later accused of creating malware to attack the banking system said on Friday he had pleaded guilty to US criminal charges.

Marcus Hutchins, whose arrest in 2017 stunned the computer security community, acknowledged in a statement pleading guilty to criminal charges linked to his activity in 2014 and 2015.

Related: UK hacker jailed for six years for blackmailing pornography site users

Continue reading...

How do I stop old USB drives from infecting my new Windows PC?

Jason wants to protect his new high-end laptop from viruses but needs data on old SD cards

I’ve just bought a high-end Windows laptop for video editing while travelling around Europe. What steps can I take to prevent any possible infections from being passed on from previous machines on SD cards and external hard drives? Some of the external hard drives go back to machines from 2004 but I have never plugged any of them into any computers other than my own previous Macs and PCs. I work professionally with video, photography and coding, so all of this data is vital.

I have a five-machine Bitdefender licence but I’d be prepared to use another protection system, and I’ve looked at Sophos Intercept X. Jason

There are at least three things to think about. First, there’s the threat level: how at risk are you? Second, there’s provenance: how much do you know about your devices? Third, how can you mitigate any risks revealed by the answers to the first two questions?

Continue reading...

Parenting club Bounty fined £400,000 for selling users’ data

Company illegally shared 34.4m records with 39 companies, information commissioner finds

The parenting club Bounty has been fined £400,000 – one of the largest penalties possible – for sharing its data with marketing agencies without users’ permission.

Bounty offers support and advice to new parents who sign up through its website and mobile app, or are directly recruited on maternity wards. Without securing consent from those parents, the company sold their information to data brokers including Acxiom, Equifax and Sky, the Information Commissioner’s Office (ICO) said.

Continue reading...

UK hacker jailed for six years for blackmailing pornography site users

Zain Qaiser targeted millions of computers with ransomware demanding large sums

A hacker who blackmailed users of pornography websites in what investigators say is the UK’s most serious cybercrime case has been jailed for six years and five months.

Zain Qaiser targeted millions of computers with malicious browser-locking software that demanded payment of up to $1,000 (£765) to unfreeze screens, Kingston crown court heard.

Continue reading...

Facebook stored hundreds of millions of passwords unprotected

Company admits to mistake and says it has no evidence of abuse – but the risk was huge

Facebook mistakenly stored “hundreds of millions” of passwords in plaintext, unprotected by any encryption, the company has admitted.

The mistake, which led to user passwords being kept in Facebook’s internal servers in an insecure way, affects “hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users”, according to the social networking site. Facebook Lite is a version of Facebook created for use in nations where mobile data is unaffordable or unavailable.

Related: Facebook's security is so bad it's surprising Zuckerberg hasn't deleted his account

Continue reading...

Why it’s too easy to manipulate voters – and steal the EU elections | Eleonora Nestola

It’s time to act, as personal data is being used to target voters – and the EU commission isn’t doing enough to stop this

On 11 July last year the UK Information Commissioner’s Office (ICO) published its first report on the Cambridge Analytica scandal. This is a date I will never forget, a date that substantially changed my vision of the current threats to our democratic society. It is a day that became a call to arms for me – and, for once, I had the understanding, the knowledge and the expertise to support the fight. I felt it was time to put all of this to good use for civil society, and so I set out to discover how online electoral campaigning works. And let me tell you, the system is not in good health and we Europeans should all be made more aware of that.

Related: This is Europe: stay close with the Guardian’s email updates

Voters become unaware they are receiving political messages based on bias. The risks are enormous

Related: Data protection laws are shining a needed light on a secretive industry | Bruce Schneier

Continue reading...

Optus privacy breach: names, addresses and details revealed in sim card glitch

Some mobile users were able to see records of others when logging on to the phone service

Optus has scrambled to contact customers whose personal details were revealed in a system glitch, affecting pre-paid mobile sim card activation and the company’s account website.

Some customers have reported being able to see what looked like other customers’ personal details, including names, addresses and phone numbers while trying to activate a mobile phone sim card.

Related: My Health Record 'minor glitch' still generating thousands of pages of internal files

Related: 'The goal is to automate us': welcome to the age of surveillance capitalism

Hey @Optus I just got an email saying my latest bill is ready. Its $300. It should be less than $100 as my usual plan. I logged into my account and it said "Hi Vladamir". I have a screenshot. What's the go??!

Continue reading...

Mumsnet reports itself to regulator over data breach

Company apologises after bug meant users were able to log into accounts of strangers

Mumsnet has reported itself to the information commissioner after a data breach resulted in users accidentally logging into the accounts of strangers.

Related: Mumsnet forums are a guilty pleasure, but there are truths, too

Related: Mumsnet brings in tougher forum rules after transgender row

Continue reading...

EU recalls children’s smartwatch over data fears

European commission says Enox Safe-Kid-One can easily be hacked and poses risk to children

A children’s wristwatch that allows the wearer to be easily contacted and located has been recalled by Brussels over safety fears.

The European commission said the Enox Safe-Kid-One, which comes fitted with a global positioning system (GPS), a microphone and speaker, posed a serious risk to children.

Related: Democracy is under threat from the malicious use of technology. The EU is fighting back | Julian King

Children and tech

Continue reading...