Today the Financial Times has published a news story about how the British Home Office’s app for EU citizens applying to live and work in the UK post-Brexit “could allow hackers to steal phone numbers, addresses and passport details.”
It certainly caught my attention. Just yesterday I used the EU Exit: ID Document Check app on my cleaning lady’s Android phone to help her apply for residency. And – to be honest – it was pretty easy to use, once I’d worked out how to change the language of her phone from Romanian to English.
Applicants scan their passport, take a selfie, and use their phone’s NFC feature to read the biometric chip embedded in their passport.
But, according to the FT, Norwegian cybersecurity researchers have discovered flaws in the Android version of the app (they didn’t test the iPhone version):
Promon, a Norwegian cybersecurity company, found major loopholes that allowed them to take control of the app and access any information that was entered into it, including the facial scans and images of passport pages.
They were also able to see information being typed into the app, such as usernames, passwords and other details, and were able to alter information being entered.
“The tools we used are typically very easily accessible and require very little technical skill to use. It means any type of bad actor could perform this attack, without sophisticated technical knowledge,” said Tom Lysemose Hansen, chief technology officer at Promon, who added that they had “experienced no resistance”.
Ok… so it sounds scary that information could be surreptitiously stolen as it is entered into the app… but how would a hacker do this?
Mr Lysemose Hansen said Promon’s researchers had focused on copying and stealing or manipulating data while it was being actively entered into, or processed by, the app. But he added that it was possible to add malicious code to the app while it was inactive that would then help steal personal information when it was subsequently being used.
So what the researchers are saying is that if a hacker manages to compromise your smartphone or the app then it could do something malicious…
Err, isn’t that pretty much the case with all programs and computers? If a hacker already has control of the device or has already compromised the app then all bets are off…
Now, if the researchers had described a way in which an attacker might be able to remotely compromise the app or meddle with the phone then that would have been interesting. Or if it had been found that the app was sending sensitive data insecurely which could be intercepted then that would have certainly raised an eyebrow.
And yes, an app could always integrity check itself to see if it had been tampered with, but if someone is replacing your legitimate version of the app with a bogus compromised version there’s no reason why they couldn’t also tamper with the code which checks if it has been tampered with!
So, this doesn’t seem like a big deal to me.
The final word goes to the Financial Times again:
The app was tested for several months before being launched in March and there have been no reports of any security breaches. The app’s page on the Google Play Store states that it is “safe and secure” and that: “None of your personal identity information will be stored in the app or on the phone when you finish using it.”
The post #cybersecurity | #infosec | About the “easy to hack” EU Exit: ID Document Check app appeared first on National Cyber Security.
View full post on National Cyber Security
Source: National Cyber Security – Produced By Gregory Evans The undead nature of the digital world, with its Facebook Memories and LinkedIn invites (or, as we learned this week, Valentine’s Day texts delivered from the deceased), causes the dead to die over and over and over again, making grief that much more difficult to overcome […] View full post on AmIHackerProof.com
ALPHARETTA, GA — The City of Alpharetta is warning the public to be cautious when using online dating websites after a citizen was recently blackmailed.
The Alpharetta Department of Public Safety recently took a report from a citizen who was using a dating app and made a decision to send intimate pictures to the person they connected with, the city said.
“The victim has now paid thousands of dollars to the person to keep those pictures off social media channels,” the city said. “The perpetrator, in this case, has not gone away and continues to threaten and demand more money from the victim.”
Cyber dating and the apps that make it possible attract millions of people. Many in search of companionship, many seeking long-term relationships, and many seeking to steal identities or worse, the city said. The world of online dating is fraught with top-of-mind risks (Is that photo really the person I’m talking to? Could this person be a predator?), but there is also a growing list of concerns related to data privacy.
“The fact is, dating sites and apps have a history of being hacked,” Alpharetta said. “For example, in 2018 BeautifulPeople.com was hacked and the responsible cyber criminals sold the data of 1.1 million users, including personal habits, weight, height, eye color, job, education and more, online. In early 2019 detailed user records of more than 42 million dating app users were found on a Chinese database that was not even protected by a password. The user records found on the database contained everything from IP addresses and geo-locations to ages and usernames, giving potential hackers plenty of information to take advantage of.”
But, there are also many stories of people who found each other via online dating apps and are in very happy relationships today, Alpharetta wrote. So, the city said it does not want to scare any adult away from using them. The city said it wants everyone to be safe with their online dating activities.
With that in mind, here are a few tips that the city encourages all online daters to use:
As with all of your Internet accounts, use a strong, unique password and two-factor authentication, if it’s available.
Beware of anyone sending you links, and especially links using shortened URLs. Hackers will try to lure you away from the dating app to sites that can more easily harvest your data. This is one of the most common Tinder scams. Rest your cursor over any link before you click it to see the address.
Only ever access your dating app on a secure WiFi network. An even better option is to protect the Internet connection of your dating app with a trustworthy VPN. This will add an extra layer of security to the app’s encryption.
Privacy And Social Engineering
Never share your full name, address, or place of work in your profile. Tinder, Bumble and Happn all allow users to add information about their job and education. With just this information and a first name, Kaspersky researchers were able to match a dating app profile to a LinkedIn or Facebook account 60 percent of the time.
Do not link your account on a dating app to your Facebook account. This makes it easier for hackers to connect your social media profile to your online dating one. It also would expose your data if Facebook were to suffer a data breach.
Using the same logic, do not link your Instagram, Twitter, or WhatsApp accounts to your dating app or share them in your profile.
For accounts or relationships based on your email, don’t use your everyday email address. Instead, get a separate, anonymous email just for that specific app or relationship.
Always disable any location-sharing features in your accounts on dating apps.
If you are uncomfortable sharing your cell phone number with someone you just met online, there are services that allow you to create a separate phone number. These services give you temporary phone numbers that last a couple of weeks for free or for a small fee. Since they are temporary, it is hard to use such a phone number on your dating app account, but it could give you some time to meet your matches in real life before you trust them with your phone number.
If an account looks suspicious, try doing a reverse image search of the profile pictures. If your search finds the photo is from a modeling agency or a foreign celebrity, you are likely looking at a fake account.
Eventually, you will have to share information about yourself. You are trying to convince someone that you are interesting enough to meet. Try to talk more about your interests, ambitions, and preferences and avoid specific information that could identify you. More “I love pizza” than “My favorite pizza restaurant is on the corner of Main St. and 2nd Ave.” Never be afraid to say “no” if someone asks you for personal information that you’re not yet comfortable sharing.
Avoid sending digital photos to users you do not trust. Digital photos can contain metadata about when and where the photo was taken along with other information that could be used to identify you. If you must share a photo, be sure to remove its metadata first. Also, always keep in mind that any explicit pictures you send could be used for blackmail.
If you are chatting with someone and they are responding incredibly fast or if their responses seem stilted and full of non-sequitur questions, you should proceed carefully. While it is possible you have enchanted someone so thoroughly that they are struggling to respond coherently, it is more likely you are chatting with a bot. Online bots are getting harder and harder to detect, but one test you can try is to work gibberish into a phrase, like “I love a;lkjasdllkjf,” and see if the bot repeats the non-word or transitions into a non-sequitur question. (If it’s a human, you can always cover by saying your phone slipped.)
This may seem obvious, but if someone asks you over a dating app to send them money, your answer should always be “No.”
Do not immediately friend your matches on Facebook. Once someone has access to your Facebook account, they can see your friend and family network along with your past activity and location. Wait until you have been dating for a month or two before friending them.
Have a mutual understanding of boundaries. No matter what kind of date you have planned, it is always safer to know exactly what you’ll be doing. By discussing a plan beforehand, you can both go into the situation knowing what you are and aren’t comfortable with.
Meet in a public place first. No matter what kind of date you’re going on, it is always safer to meet in an open and public place first. Avoid meetings that take place in remote areas, vehicles or anywhere that makes you feel uncomfortable.
Always let someone know where you are. Before meeting up with someone, let a friend or family member know where you’ll be. Some apps let you share your location with others so that someone can keep an eye on you during your date.
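The photo tip above says to remove a picture’s metadata before sharing it, because Exif, XMP, IPTC and comment segments can carry a capture timestamp, GPS coordinates, the camera’s serial number or an author name. The following is an added example, not code from the city’s advisory or any project it names: a small pure-Python JPEG segment parser that drops exactly those metadata segments while keeping the JFIF header, quantization and Huffman tables and the image data itself intact. The JPEG bytes it runs on are constructed inline (structurally valid markers, placeholder image data) so the example works offline; the `strip_metadata` and `iter_segments` names are this example’s own.

```python
"""Strip identifying metadata (Exif, XMP, IPTC, comments) from a JPEG file.

JPEG files are a sequence of segments: 0xFF, a marker byte, a 2-byte big-endian
length (which includes itself), then the payload. After the SOS marker comes the
entropy-coded image data, which we copy through untouched.
"""
import struct

SOI = 0xD8   # start of image
EOI = 0xD9   # end of image
SOS = 0xDA   # start of scan: image data follows
STANDALONE = {0x01, SOI, EOI} | set(range(0xD0, 0xD8))  # markers with no length field

# Segments that commonly carry metadata worth removing before sharing a photo.
APP1 = 0xE1   # Exif (timestamps, GPS, camera serial) and XMP
APP13 = 0xED  # IPTC / Photoshop (author, captions, keywords)
COM = 0xFE    # free-text comment
METADATA_MARKERS = {APP1, APP13, COM}


def iter_segments(data):
    """Yield (marker, payload, raw_bytes) for each segment up to and including SOS.

    The trailing entropy-coded data (everything after SOS) is yielded once with
    marker=None so callers can copy it verbatim.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    yield SOI, b"", data[:2]
    pos, n = 2, len(data)
    while pos < n:
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        while pos < n and data[pos] == 0xFF:  # skip optional 0xFF fill bytes
            pos += 1
        if pos >= n:
            break
        marker = data[pos]
        pos += 1
        if marker in STANDALONE:
            yield marker, b"", bytes([0xFF, marker])
            if marker == EOI:
                break
            continue
        if pos + 2 > n:
            raise ValueError("truncated segment header")
        length = struct.unpack(">H", data[pos:pos + 2])[0]
        if length < 2 or pos + length > n:
            raise ValueError(f"bad segment length {length} at offset {pos}")
        payload = data[pos + 2:pos + length]
        yield marker, payload, bytes([0xFF, marker]) + data[pos:pos + length]
        pos += length
        if marker == SOS:
            yield None, b"", data[pos:]  # image data through EOI, copied as-is
            break


def describe(marker, payload):
    """Human-readable label for a metadata segment, based on its payload signature."""
    if marker == APP1 and payload.startswith(b"Exif\x00\x00"):
        return "APP1/Exif"
    if marker == APP1 and payload.startswith(b"http://ns.adobe.com/xap/1.0/"):
        return "APP1/XMP"
    if marker == APP1:
        return "APP1/other"
    if marker == APP13:
        return "APP13/IPTC"
    if marker == COM:
        return "COM"
    return f"0x{marker:02X}"


def strip_metadata(data):
    """Return (cleaned_jpeg_bytes, list_of_removed_segment_labels)."""
    out, removed = bytearray(), []
    for marker, payload, raw in iter_segments(data):
        if marker in METADATA_MARKERS:
            removed.append(describe(marker, payload))
            continue
        out += raw
    return bytes(out), removed


def _segment(marker, payload):
    """Build one length-prefixed JPEG segment (used to construct the sample below)."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample: valid marker structure with placeholder tables and image data,
# plus fake Exif, XMP and comment segments standing in for real location metadata.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")      # APP0 JFIF: keep
    + _segment(APP1, b"Exif\x00\x00MM\x00\x2a" + b"\x00" * 20)             # Exif: strip
    + _segment(APP1, b"http://ns.adobe.com/xap/1.0/\x00<x:xmpmeta/>")      # XMP: strip
    + _segment(COM, b"Taken at 40.7128,-74.0060")                           # comment: strip
    + _segment(0xDB, b"\x00" + bytes(range(64)))                            # DQT placeholder: keep
    + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00")                            # SOS header: keep
    + b"\x12\x34\x56"                                                       # placeholder scan data
    + b"\xff\xd9"                                                           # EOI
)

if __name__ == "__main__":
    cleaned, removed = strip_metadata(SAMPLE_JPEG)
    print(f"removed {removed}; {len(SAMPLE_JPEG)} -> {len(cleaned)} bytes")
```

To use it on a real file, read the bytes, pass them to `strip_metadata`, and write the first element of the result to a new file. The parser deliberately leaves APP0 (JFIF), APP2 (ICC colour profile) and APP14 (Adobe colour transform) alone, since those affect how the image renders and do not identify the photographer; running it twice is a no-op, which is a cheap way to confirm nothing identifying slipped through.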
The post #cyberfraud | #cybercriminals | Alpharetta Warning Public About Online Dating Scams, Threats appeared first on National Cyber Security.
#cyberfraud | #cybercriminals | Camden County residents are being warned about a new scam that targets your cellphone
Source: National Cyber Security – Produced By Gregory Evans CAMDEN COUNTY, Ga. – We’re always on our smartphones so it’s easy to let our guard down, opening the door for scammers. Now, our cash and identity can be at risk […]
Source: National Cyber Security – Produced By Gregory Evans NEVADA (KTNV) — As part of Cybersecurity Awareness Month, Nevada Attorney General Aaron D. Ford advises Nevada’s youth and parents to be aware of online scams targeting minors. Just like adults, scammers target young people through popular online platforms, such as apps, games, and popular social […]
At least governments are becoming cognizant of — and more willing to pre-emptively act on — the threat to the election process from cybercriminals.
“Post 2016 [election], I think there has been a real awakening as to the threat that is out there. So that’s the good news on this end that people are aware this has happened and want to protect against it happening,” CrowdStrike co-founder and CEO George Kurtz tells Yahoo Finance.
Obviously, many politicians in the U.S. were badly asleep at the technological switch during the 2016 presidential campaign. It’s something they hope to avoid — by spending on key cybersecurity tech from the likes of CrowdStrike — into the 2020 election.
In July, the Senate Intelligence Committee said in a report that election systems in all 50 states were targeted by Russia in the 2016 presidential election between Donald Trump and Hillary Clinton. And just earlier this month, the same committee said in a new report that bad online actors in Russia could target the 2020 presidential election.
President Trump has continuously denied Russia played any role in his winning of the presidency.
Recall that CrowdStrike was called on by the Democratic National Committee to investigate the 2016 hack of its email and chat systems. CrowdStrike and several other cybersecurity firms found that Russian intelligence agencies were responsible for the DNC hack.
The work CrowdStrike did for the DNC — coupled with its leadership position in the security cloud market — has it teed up to win new business from governments ahead of the 2020 election. CrowdStrike received the important FedRAMP certification last year, and is now able to pitch for new business from government agencies.
“Given the technology that we have and the ability to stop breaches, it has been very well received not only in the Fed market but also in state and local governments. And I think you’ve seen a lot of those stories specifically around ransomware. Given our AI and our machine learning, we’ve been able to prevent those ransomware attacks for our customers without any signature updates or any changes,” Kurtz told analysts on a Sept. 5 earnings call.
Kurtz added, “We think both Fed and state and local government are great opportunities for us, and we’re really excited about those as we get into the buying season, particularly in the Fed space.”
Brian Sozzi is an editor-at-large and co-anchor of The First Trade at Yahoo Finance. Follow him on Twitter @BrianSozzi
Read the latest financial and business news from Yahoo Finance
Follow Yahoo Finance on Twitter, Facebook, Instagram, Flipboard, SmartNews, LinkedIn, YouTube, and reddit.
The post #hacking | There’s a ‘real awakening’ about the threat of 2020 election hacking appeared first on National Cyber Security.
Amit Parbhucharan analyses the recent Eir data breach and what it says about the state of GDPR at this early point in its tenure.
Recently, Irish telecommunications company Eir experienced a data breach event in which the theft of a staff member’s laptop resulted in the potential exposure of personal data belonging to 37,000 of its customers. While the laptop itself remained password-protected, the data on it was wholly unencrypted: it was stolen, unfortunately, during a window of time in which a faulty security update from the previous working day had left the device decrypted and vulnerable.
Because the computer held customer data that included specific names, email addresses, phone numbers and other legally protected data, Eir followed the procedure dictated by the General Data Protection Regulation (GDPR) that went into effect on 25 May, reporting the incident to the Irish Data Protection Commissioner.
‘Portable devices with access to sensitive data will always be an area of potential data breach risk to organisations, and the worst-case scenarios can and will occur’
GDPR introduced data privacy regulations requiring companies to meet specific standards when handling the personal data of EU citizens and residents, including the responsibility to notify the information commissioner’s office within 72 hours of discovering a data breach. GDPR is enforced through steep penalties for non-compliance, which can reach as high as the greater of €20m or 4pc of a business’s total worldwide revenue for the previous year.
However, GDPR regulators will consider an enterprise’s organisational and technological preparedness, and intentions to comply when judging whether such penalties are necessary.
Risky human behaviour
It appears that Eir did many things right in its data breach response. The company demonstrated its established capability to recognise the breach and to report it promptly.
That said, data was still put at risk. Laptops and other such portable devices with access to sensitive data (phones, USB drives etc) will always be an area of potential data breach risk to organisations, and the worst-case scenarios can and will occur. Loss and theft are facts of life, as are other high-risk circumstances that can be much more difficult to anticipate.
In one odd case from our experience, a resident of an in-patient healthcare organisation actually threw a laptop containing protected health data out of a window due to frustration that those devices were for staff use only. A technician deployed to site to understand why the laptop wasn’t online discovered it near the street, where it lay for hours before (luckily, that time) being recovered.
Obviously, wild circumstances like these are unforeseen, but they need to be prepared for nevertheless. There are also those cases where an employee’s lapse in judgement opens the possibility for dire consequences. Laptops get left unattended during credentialed sessions, passwords get written on sticky notes for convenience and stolen along with devices. To ‘Eir’ is human, if you’ll excuse the pun, and small windows of risk too often turn into major (and costly) incidents.
This is why organisations need to implement robust, layered data security strategies such that devices have more than one line of defence in place when challenges pop up. Encryption is essential to protecting data, and should serve as the centrepiece of any data security strategy – GDPR compliance requires as much.
But measures must also go beyond encryption. Employee training in secure practices is certainly another critical component of a successful execution. Similarly, capabilities such as remote data deletion when a device is no longer in the organisation’s hands offer a reliable safeguard in those circumstances where encryption is rendered ineffective.
‘Each effective layer of data security in place beyond encryption demonstrates a genuine commitment to protecting individual privacy’
Ensuring the security of customer data has always been critical to protecting an organisation’s reputation and maintaining customer trust – GDPR only raises those stakes.
In the unfortunate event that a data breach must be reported under GDPR, and regulators conduct an official audit, each effective layer of security in place beyond encryption demonstrates a genuine commitment to protecting individual privacy. That commitment serves as a positive factor in the eyes of both those auditors and the public who must continue to trust the organisation with their data going forward.
Amit Parbhucharan is general manager of EMEA at Beachhead Solutions, which provides cloud-managed PC and mobile device encryption, security, and data access control for businesses and managed service providers.
The post What the #Eir #breach and #GDPR can teach us about #multilayered #data #security appeared first on National Cyber Security .
My career working as a system administrator has involved a hefty amount of exposure to the cybersecurity realm, particularly while working for financial organizations. As data breaches continue to occur through a myriad of exploits (both technological and through human error) the stakes are constantly rising. We’ve reached a level where careers are built – and lost – based on protecting corporate assets.
Whether you’re contemplating a career in cybersecurity or have already started down the path, here are some frank observations which can help guide you in your career.
1. Information only goes so far
Information is great; after all, we work in IT which stands for information technology. However, when it comes to providing information to users regarding security concepts to adhere to or watch out for, don’t assume it’s an end-all, be-all strategy or a done deal the moment you click send.
For instance, telling users not to click on suspicious email links does not automatically mean they will comply. Likewise, warnings grow stale or are forgotten over time, rendering them less useful. Emails often go unread or get misplaced, so there’s even less of a guarantee of compliance. Prepare to be more engaged.
2. Policies are good, but having technological controls to back them up is better
Security policies that dictate what users can and cannot do are useful for establishing expectations and boundaries. Example policies on TechRepublic’s sister site, Tech Pro Research, cover the following areas:
Mobile Device Computing
Information Security Incident Reporting
However, make sure to enact technological controls to go along with these policies such as enforcing complex passwords, encryption of storage devices, monitoring and alerting for security violations and other tools.
3. Clueless users are a bigger threat than malicious hackers
Hackers know this. This is why social engineering is so powerful; it’s far easier to convince a hapless user you’re from the IT department and need their password to fix a non-existent problem than it is to try to guess or crack said password, even with brute force techniques.
It’s also important to keep in mind that ignorance far outweighs evil intent when one of your users does something inappropriate such as visiting a suspicious website or trying to log into an unauthorized system. That’s why policies will help reduce the number of mistakes or ill-advised actions.
4. Cybersecurity is only glamorous in the movies
It’s rare that Hollywood depicts cybersecurity accurately. I’m surprised and pleased if a movie so much as references the concept of an IP address. Most of the time “busting hackers” is made to look intriguing and cool; cybersecurity pros are depicted at an almost James Bond level of brilliance and sophistication.
Sadly, the reality of cybersecurity is less about catching criminals red-handed through a fiendishly clever trap and more about the daily drudge work. Watching someone combing through logs, applying patches, attending training and reading security advisories would hardly sell a movie ticket.
5. Automation is key
It’s essential to learn and utilize whatever centralized controls you can use to enact security changes such as locking down vulnerabilities or patching systems. Relying on Group Policy Objects, configuration management tools like SCCM or Puppet, and even simple bash scripting to execute a “for” loop will save hundreds of hours over the course of your career. They will also operate more effectively than manual human intervention, reducing the risk of error or mishap.
6. You can never test enough
Before rolling out any security-related changes always make sure to thoroughly test these in an environment as similar to your live production environment as possible. Some of these changes can be vastly complex and lead to unexpected results, however.
For instance, disabling the antiquated TLS (Transport Layer Security) 1.0 protocol can lead to issues with older SQL databases, and the connection between the change and the resulting problem may not be immediately evident. Always thoroughly analyze the results for both users and systems when applying changes in a test environment.
7. Being the good guy pays peanuts
It may sound depressing, but as my police officer friends can relate, contrary to the cliche, crime does pay. A hacker who conducts a data breach can become rich overnight, while a cybersecurity pro might work an honest job for thirty years without yielding the same payoff.
My point is not to argue that it’s better to lead a life of crime, but if you’re going to be the good guy, understand that the bad guys have a vast monetary incentive to do what they do, and that motivation makes thwarting them tougher. Avarice will cause people to do unbelievably outlandish or desperate things, as opposed to honest people earning a steady (if merely comfortable) paycheck.
8. Security is a journey, not a destination
The only truly secure system is one kept behind a locked door, taken off the network and therefore rendered completely inaccessible. But wait, as long as that door has a key in someone’s possession, it’s still possible that system could end up compromised.
There’s truly no such thing as perfect security, or a completely locked down environment. The cybersecurity professional’s job is never truly done; it’s only “done for now.”
Companies are surrounded by cybersecurity threats, but many are not making it a priority to educate employees about them, a survey says.
Nearly half (46%) of entry-level employees don’t know whether their company has a cybersecurity policy, according to research firm Clutch.
The survey demonstrated a lack of awareness that can put companies at risk for IT security breaches. Nearly two-thirds of employees (63%) said they don’t know whether the quantity of IT security threats their companies face will increase or decrease over the next year. Additionally, among entry-level employees, 87% said they don’t know how the number of threats will shift in the next year.
The survey also found that employees are less likely to recognize IT services as the primary area of security vulnerability at their company. Instead, they cited theft of company property as the primary threat to company security, ahead of unauthorized information and email phishing scams.
The findings are a bit ironic, because “most cyberbreaches are caused by employees, inadvertently,” Robert Anderson, co-chair of the cybersecurity and data privacy group at Lindabury, McCormick, Estabrook & Cooper, P.C., told FierceCEO.
“There is a tendency for businesses to not put the emphasis on employees, but they are the greatest vulnerability,” Anderson said.
The post Many #employees know #little about #cybersecurity #threats appeared first on National Cyber Security Ventures.
Source: National Cyber Security News
Interest in cybersecurity is escalating across the insurance profession, reflecting the complex and potentially catastrophic threats that clients, particularly financial services firms, now face.
The combined power, speed and baked-in vulnerabilities of information technology (IT) have given rise to previously unimaginable but now-endemic risks to organizations.
Malicious actors can and do steal, lock or destroy confidential data, in bulk or in smaller but still-devastating caches, and then exploit the information’s resale, extortion or spite value. Moreover, even accidental errors can cause confidential information to leak, with similarly costly regulatory, litigation and business fallout.
Because these risks are deep and potentially disastrous, insurance agents and brokers are increasingly tasked with counseling clients about how to contain them. Frequently, this requires dispelling clients’ misconceptions about those risks and effective countermeasures.
Below we explore each of six such misconceptions that often beset organizations. Avoiding these errors is essential to fulfilling the core functions of a cybersecurity program:
(1) identifying cyber-risks;
(2) protecting critical infrastructure using appropriate safeguards;
(3) detecting incidents;
(4) responding; and
(5) recovering from them. See National Institute of Standards and Technology, Framework for Improving Critical Infrastructure Cybersecurity (v. 1.0) (2014) at 7-8 (NIST Framework).