#hacking | #SocialSec – Hot takes on this week’s biggest cybersecurity news (Feb 7)

Source: National Cyber Security – Produced By Gregory Evans

Expired cert blamed for Microsoft Teams outage; rancor over Iowa caucus app; and an artist with 99 smartphones causes traffic mayhem in Berlin

This week didn’t get off to the smoothest of starts for Microsoft Teams users, as widespread reports surfaced on Monday that the collaboration software had ground to a halt.

From around 8:30 ET on February 3, users around the world were unable to log into Microsoft’s Slack-like group messaging service, leaving them with nothing else to do but post impromptu memes on Twitter.

At around 10:00 ET, Microsoft said it had discovered that the problem was due to an expired digital certificate.

The Teams service was restored later that day, although with a reported 20 million daily users being locked out of their accounts, the episode no doubt left the chat app’s devs more than a little red-faced.

In the US, social media feeds have been clogged with news of ‘The App That Broke the Iowa Caucus’.

Tech outlets were quick to jump onto reports that the results from Monday’s Democratic caucus in the midwestern state had been delayed because of problems with the smartphone app that was being used to report votes.

The confusion delayed the announcement of the winner in the first round for presidential hopefuls. Unsurprisingly, the fracas attracted no small amount of controversy, with many directing their ire towards the app developers.

Speaking to CNET, Irfan Asrar, of cybersecurity company Blue Hexagon, said: “What we believe is, this is an oversight, and an example of the app being rushed into production.”

Offering their own take on the situation (and framing their article with a pointed reminder that “trust and transparency are core to the US elections”), Motherboard published the full .apk file of the app that malfunctioned and sent the caucus into a tailspin.

From unreliable apps to shady social media accounts, Twitter said it has suspended a large network of “fake accounts” that were being used to exploit its API in order to match usernames to phone numbers.

According to TechCrunch, a bug in the microblogging platform opened the door for an attacker to submit “millions of phone numbers” through an official API, which returned any associated user account.

The news comes as Indian website The Print reported allegations that “nearly 18,000 Twitter accounts” were spreading fake news on behalf of the right-wing Bharatiya Janata Party (BJP).

“Approached for comment, both the BJP and the Congress [a rival Indian party] denied the allegation that they supported accounts propagating misinformation,” the report reads.

And finally this week, an artist has shown how Google Maps could be abused to cause potential chaos on the roads, after he wheeled 99 smartphones in a wagon around Berlin in order to create a fake traffic jam.

In his ‘Google Maps Hacks’ performance piece, Simon Weckert demonstrated how it was possible to turn a ‘green street’ to ‘red’ on the popular online mapping service – showing how one small step for a man could have a giant impact on other road users, who would be directed into taking alternative routes from an actually clear road.

A video posted to Weckert’s YouTube account offers a real-time demonstration of what The Daily Swig is dubbing a ‘Distributed Denial-of-(Road) Surface’ attack. *bows*

The post #hacking | #SocialSec – Hot takes on this week’s biggest cybersecurity news (Feb 7) appeared first on National Cyber Security.

#hacking | #SocialSec – hot takes on this week’s biggest cybersecurity news (Jan 10)

CES kicks off as Las Vegas tackles cyber-attack; British electronics retailer slapped with ICO fine; and nominations open for the top 10 web hacking techniques of 2019

CES 2020 opened its doors in Las Vegas this week, with tech enthusiasts from around the world getting a first look at hundreds of thousands of new gadgets and gizmos from more than 4,000 exhibiting companies.

With four conference sessions being dedicated to security and privacy this year, it’s good to see that infosec was not completely overshadowed by the invisible keyboards, next-gen wheelchairs, and other products of the (not too distant) future.

However, dominating Twitter this week was the organizers’ decision to bring in Ivanka Trump as CES keynote speaker.

Trump took to the stage to discuss the importance of government and industry collaboration for jobs creation, along with employer-led strategies to reskill workers.

Many, however, questioned the organizers’ choice of keynote speaker.

“Ivanka is not a woman in tech,” tweeted Brianna Wu, a software engineer who is running for Congress in Massachusetts.

“She’s not a CEO. She has no background. It’s a lazy attempt to emulate diversity, but like all emulation it’s not quite the real thing.”

Outside of the exhibition hall, Las Vegas officials said the city narrowly avoided a security incident on January 7.

Municipal officials confirmed that systems were attacked early on Tuesday morning, forcing government IT staff to take down a number of online services, including its public website.

A full-blown crisis was apparently averted thanks to swift action from those tasked with protecting Sin City’s digital infrastructure.

Elsewhere, the US Department of Homeland Security (DHS) issued a bulletin warning of a potential escalation of malicious cyber activity following the recent killing of Iranian military commander Qasem Soleimani.

Speaking to The Daily Swig this week, Suzanne Spaulding, advisor at Nozomi Networks and former DHS employee, said the risk of retaliatory action by Iran is particularly high, given “that the ‘red lines’ are not clearly defined in cyberspace”.

Check out our coverage for more on the Iranian cyber threat.

Over in the UK, electronics retailer DSG Retail has been fined £500,000 ($655,000) after its point of sale system was compromised.

An investigation by the Information Commissioner’s Office (ICO) found that an attacker installed malware on nearly 5,400 checkout tills in Currys PC World and Dixons Travel stores between July 2017 and April 2018.

As previously reported by The Daily Swig, the breach impacted at least 14 million people and resulted in the payment card details of 5.6 million consumers being compromised.

“DSG breached the Data Protection Act 1998 by having poor security arrangements and failing to take adequate steps to protect personal data,” the ICO said.

“This included vulnerabilities such as inadequate software patching, absence of a local firewall, and lack of network segregation and routine security testing.”

Although £500,000 would be enough to make even the world’s biggest organizations sit up and pay attention, some noted that if the breach had taken place just one month later, DSG could have faced a far heftier, GDPR-induced fine.

And finally, nominations are open for the top 10 web hacking techniques of 2019.

Hosted annually by PortSwigger, this community-led initiative aims to seek out and honor the best hacking techniques of the past 12 months.

Caching exploits topped the 2018 web security hit list, and while it remains to be seen who will lead the pack this year, nominations in 2019 include developments in server-side request forgery, request smuggling, mutation cross-site scripting, and many other areas of research.

Check out the PortSwigger blog for full details.

The post #hacking | #SocialSec – hot takes on this week’s biggest cybersecurity news (Jan 10) appeared first on National Cyber Security.

#cyberfraud | #cybercriminals | Cloud, 5G and ‘wetware’ attacks — the 5 biggest cybersecurity threats of 2020

Businesses are getting cosier with the cloud. As more data pours in, it makes sense to use a public cloud server rather than set up servers in-house. But just because they’re moving to a ‘cloud smart’ agenda doesn’t mean that they aren’t being ‘cloud […]

#nationalcybersecuritymonth | Tech 2019: Our biggest technology stories

As 2019 splutters to a close, it’s time for our annual lookback at our most-read tech stories, and to ask: “What happened next?”. Facebook and its family of apps dominates this year’s list with four entries – it probably won’t be a surprise that none of […]

What a decade! Our baddest stories and biggest lessons, year by year… – Naked Security

Here they are: the baddest stories and the biggest lessons, from 2010 to 2019. From a totally made-up hoax that shocked the world, through a social networking app that promised what it couldn’t deliver, to a larger-than life cybercelebrity who was busted in a military-scale takedown […]

#deepweb | Stocks making the biggest moves premarket: Home Depot, Boeing, Disney

Check out the companies making headlines in the premarket Tuesday: Home Depot — Home Depot shares dropped more than 5% in the premarket after the home improvement retailer reported disappointing same-store sales. The company said global same-store sales rose 3.6% in the previous quarter. Analysts polled […]

#city | #ransomware | 90pc of UK’s biggest law firms at risk of having confidential client data stolen

Around nine in 10 of the UK’s biggest law firms are at risk of being scammed or having their clients’ confidential data stolen or compromised due to sub-standard IT security. A new study of 200 of the country’s biggest law firms found more than 90pc are […]

#cybersecurity | Negligent Users are Biggest Cybersecurity Threat to German Organizations: Survey

You are only as strong as your weakest link and the cybersecurity industry is no different. A recent survey by SolarWinds, a provider of IT management software, pointed out that negligent users are the biggest cybersecurity threat to German organizations. The company did the survey in a bid to highlight the threats the cybersecurity professionals are facing daily.

The research, which surveyed over 100 information technology professionals from Germany, stated that user errors constituted the largest share of cybersecurity incidents in the last 12 months, at a whopping 80 percent. The study stressed that internal factors are the most pressing cybersecurity threats. User errors were followed by exposures caused by poor network system or application security at 36 percent, and external actors infiltrating the company’s network at 31 percent.

To understand the factors contributing to the trend, the survey also found out that poor passwords were one of the major concerns for German techies. Nearly 45 percent of the respondents stated that poor and weak passwords were one of the biggest reasons for the breaches, while 42 percent of the respondents stated that sharing passwords is also another grave contributor. Other factors were accidental exposure, deletion, modification of critical data and even copying data into unsecured devices.

To top it all, it was also revealed that 89 percent of IT experts felt that they were unequipped to successfully implement and manage cybersecurity tasks today, with their current IT skillset.

“Our research shows once again that the biggest risk to the organization comes from the inside, aligning with research SolarWinds conducted in other regions earlier this year,” said Tim Brown, vice president of security, SolarWinds. “This underscores the continued need for organizations to address the human side of IT security and consistently educate users on how to avoid mistakes while encouraging an environment of learning and training. However, that alone is not enough; tech pros also need the best possible technology to effectively fight against both threats from the inside and potentially more sophisticated threats from the outside. SolarWinds is committed to helping IT and security teams by equipping them with powerful, affordable solutions that are easy to implement and manage. Good security should be within the reach of all organizations.”

It is not always an accidental error from insiders; sometimes these incidents are a part of a much larger scheme. Earlier this year, a recruiter from the telecommunications company AT&T Network was charged with paying insiders to upload malware on the company’s computer networks to unlock cell phones.

According to the United States Department of Justice (DOJ), the insiders, who worked in AT&T’s Bothell Customer Service Center, allegedly exploited AT&T’s proprietary locking software to remove millions of phones from the AT&T network system and payment plans, which incurred a loss of a million dollars to the company. It’s said that Fahd and his co-conspirators gave over $1 million in bribes to install malware and spying devices in the company.

The post #cybersecurity | Negligent Users are Biggest Cybersecurity Threat to German Organizations: Survey appeared first on National Cyber Security.

4 #solutions to the 3 #biggest #cybersecurity #challenges

Cybersecurity and the threat of malicious actors make headlines every day. Boards of directors are recognizing cyber threats as one of the most significant risks. To date, this cybersecurity discussion has centered largely on IT systems; however, the industrial control system (ICS) that operates a facility is often as critical as or more critical than the IT system to an industrial company’s financial results.
The FBI issued a warning in 2016 to the nation’s power companies that the sophisticated cyberattack techniques used to bring down portions of the Ukraine’s power grid in 2015 could easily be used against U.S. firms. In fact, the most recent report of Russian hacking was identified last week by the U.S. Computer Emergency Readiness Team (U.S. CERT).

According to an alert released by U.S. CERT, a seven-year-old group known as Dragonfly orchestrated the hacking campaign, which hit U.S. government entities and domestic companies in the energy, nuclear, commercial facilities, water, aviation and critical manufacturing sectors. “In multiple instances, the threat actors accessed workstations and servers on a corporate network that contained data output from control systems within energy generation facilities,” states the report.

The results of such an attack could be catastrophic, as Pew Research Center reports that 61% of experts agree a major cyber attack would occur by 2025 causing far-flung harm to the nation’s security and capacity to defend itself. The cost of such attacks will be tremendous. Lloyd’s estimates a blackout across 15 U.S. states would affect 93 million people and cost the economy between $234 billion and $1 trillion.

Despite the need for ICS cybersecurity, three key challenges impede many operations executives from pulling the trigger on that investment. John Livingston, CEO of Verve Industrial Protection, identifies three reasons for that hesitancy:


fear of operational disruption

lack of tools

lack of talent.

1. Risk/fear by leadership of operational disruption from deploying cybersecurity measures. Most operational leaders do not believe their systems are under significant threat. The lack of publicized successful attacks and the general architecture of these networks lead to the belief that these systems are immune to the threats seen on the IT side.

“As a result, the risk of doing something is greater than the risk of doing nothing,” says Livingston. “Potential operational risks include putting security software on control systems equipment that may disrupt normal operations; changing passwords that may create delays in response to a critical operational issue; and adjusting network architectures that may limit access to critical employees or vendors. All of these risks are very real, so I do not intend to downplay them. They must be addressed in any solution.”

2. Lack of tools and approaches that are tuned to the unique challenges of securing industrial control systems. The IT cybersecurity market has grown with a focus on protecting traditional IT devices, explains Livingston. The tools often don’t work in the operations-technology (OT) environment without significant adjustment and tuning. In fact, if improperly installed, they can cause more risk than protection.

3. Talent shortage of people with both operational expertise and cybersecurity knowledge that can be applied to these unique circumstances. A report from Frost & Sullivan and the International Information System Security Certification Consortium, or (ISC)², found that the global cybersecurity workforce will have more than 1.5 million unfilled positions by 2020. At the same time, the number of experienced ICS engineers is declining rapidly as fewer young people go into this career. When you combine the need for ICS and cybersecurity expertise, the talent shortage is extreme.

What can be done?
While the challenges are very real, Livingston recommends four key measures companies can take. Each step is specific to a company’s CFO, as CFOs are a natural bridge between the chief information officer (CIO) or chief information security officer (CISO) with their IT backgrounds and the operations executives.

1. Know what you can do, not just what you cannot do, in ICS. There is a lot you can do, but OEMs and people who have been burned by poorly implemented solutions have convinced owners and operators that these systems are too sensitive to protect, or at a minimum can only be protected by the OEMs themselves. “I encourage the CFO to bring an independent view and assess what can be done, if done appropriately and safely,” says Livingston. “As we like to say, ‘Take back control of your network,’ from the OEMs holding it hostage.”

2. Pick a standard for security and build a maturity plan. There are many standards that can be applied to ICS security, from NIST and NERC CIP to CSC20 and IEC/ISA. All have their pros and cons, and an organization could debate them for a long time. Livingston’s advice is to select something and begin the journey. Each stage of security maturity has benefits over the previous one, and they get better as you add new layers over time. A standard allows a CFO to measure centrally against a metric that is common across all industrial control systems.

3. Build security into your capital, as well as operations and maintenance planning. By doing this you don’t have separate budgets for security and operations. Security is a fundamental feature of operations, like maintenance or safety is. Like safety and maintenance, security is a part of ensuring consistent, reliable operations and should be a part of all capital and operational planning discussions.

4. Consider a holistic approach. Take a holistic approach to managing the security risk that not only includes tools and processes for protection, but also purchasing targeted insurance for those risks that do not warrant the expense necessary to protect. “You won’t be able to secure everything, or every possible attack,” explains Livingston, “but you should build foundational elements and then insure what you can.”

The role of CFO in ICS security is absolutely critical. For non-services companies, the protection of these systems is fundamental to sustaining financial results. The CFO is uniquely positioned to bridge the space between the CISO and the operational leadership to drive to a solution using the four steps outlined above to begin a cybersecurity maturity journey and make this a part of every planning discussion.


The post 4 #solutions to the 3 #biggest #cybersecurity #challenges appeared first on National Cyber Security Ventures.

Looking #ahead to the #biggest 2018 #cybersecurity #trends

Jon Oltsik, an analyst with Enterprise Strategy Group in Milford, Mass., examined some of the top 2018 cybersecurity trends. While some analysts have focused on ransomware, and others made dire pronouncements about nationwide power-grid attacks, Oltsik said he’s more concerned about cloud security, where easily exploitable vulnerabilities are becoming increasingly likely.

Security teams — many of which are facing a severe lack of cybersecurity skills — are struggling with the rapid deployment of cloud technologies, such as virtual machines, microservices and containers in systems such as Amazon Web Services or Azure. Many organizations are switching to high-end security options from managed security service providers or SaaS providers. ESG research indicated 56% of organizations are interested in security as a service.

Among other 2018 cybersecurity trends, Oltsik said he foresees greater integration of security products and the continued expansion of the security operations and analytics platform architecture model. As large vendors like Cisco, Splunk and Symantec scramble to catch up, they will fill holes in existing portfolios. Although he said he sees machine learning technology stuck in the hype cycle, in 2018, Oltsik projects machine learning will grow as a “helper app” in roles such as endpoint security or network security analytics.

With the introduction of the European Union’s General Data Protection Regulation (GDPR) on May 25, 2018, Oltsik said a major fine — perhaps as much as $100 million — may serve as a wake-up call to enterprises whose security platforms don’t meet the standard.

“One U.K. reseller I spoke with compared GDPR to Y2K, saying that service providers are at capacity, so if you need help with GDPR preparation, you are out of luck. As GDPR anarchy grips the continent next summer, look for the U.S. Congress to (finally) start engaging in serious data privacy discussions next fall,” he added.

The challenges of BGP
Ivan Pepelnjak, writing in ipSpace, said when Border Gateway Protocol (BGP) incidents occur, commentators often call for a better approach. “Like anything designed on a few napkins, BGP has its limit. They’re well-known, and most of them have to do with trusting your neighbors instead of checking what they tell you,” he said.

To resolve problems with BGP, Pepelnjak recommended the following: First, IT teams need to build a global repository of who owns which address. Second, they need to document who connects to whom and understand their peering policies. And they need to filter traffic from those addresses that are obviously spoofed.

The good news, Pepelnjak said, is most BGP issues can be solved with guidance from volume 194 of Best Current Practices — the latest update. In Pepelnjak’s perspective, internet service providers (ISPs) are often the problem. ISPs have little incentive to resolve BGP issues or reprimand customers who can easily switch to more permissive providers. An additional problem stems from internet exchange points running route servers without filters.

According to Pepelnjak, because engineers hate confrontation, they often turn to cryptographic tools, such as resource public key infrastructure, rather than fixing chaotic or nonexistent operational practices. “What we’d really need to have are (sic) driving licenses for ISPs, and some of them should be banned for good, due to repetitive drunk driving. Alas, I don’t see that happening in my lifetime,” he added.

Read more of Pepelnjak’s thoughts on BGP issues.

Artificial intelligence, low-code and abstracting infrastructure
Charlotte Dunlap, an analyst with GlobalData’s Current Analysis group in Sterling, Va., blogged about the repositioning of mobile enterprise application platforms (MEAP) to address app development and internet of things. Dunlap said advancements in AI, API management and low-code tools play into DevOps’ need for abstracted infrastructure.

GlobalData research indicated that MEAP is widely used to abstract complexity, particularly in use cases such as application lifecycle management related to AI-enabled automation or containerization.

GlobalData awarded high honors to vendors that integrated back-end data for API management, such as IBM MobileFirst and Kony AppPlatform. Dunlap said mobile service provider platform strategies have increasingly shifted to the needs of a DevOps model.

“Over the next 12 months, we’ll see continued momentum around a growing cloud ecosystem in order to stay competitive with broad platform services, including third-party offerings. Most dominant will be partnerships with Microsoft and Amazon for offering the highest levels of mobile innovation to the broadest audiences of developers and enterprises,” Dunlap said.

The post Looking #ahead to the #biggest 2018 #cybersecurity #trends appeared first on National Cyber Security Ventures.
