

New York is #quietly working to #prevent a major #cyber attack that could bring down the #financial #system

Source: National Cyber Security News

Five months before the 9/11 attacks, US Secretary of Defense Donald Rumsfeld sent a memo to one of his advisers with an ominous message.

“Cyberwar,” read the subject line.

“Please take a look at this article,” Rumsfeld wrote, “and tell me what you think I ought to do about it. Thanks.”

Attached was a 38-page paper, published seven months prior, analyzing the consequences of society’s increasing dependence on the internet.

It was April 30, 2001. Optimistic investors and frenzied tech entrepreneurs were still on a high from the dot-com boom. The World Wide Web was spreading fast.

Once America’s enemies got around to fully embracing the internet, the report predicted, it would be weaponized and turned against the homeland.

The internet would be to modern warfare what the airplane was to strategic bombers during World War I.

The paper’s three authors — two PhD graduates and the founder of a cyber defense research center — imagined the damage a hostile foreign power could inflict on the US. They warned of enemies infecting computers with malicious code, and launching mass denial of service attacks that could bring down networks critical to the functioning of the American economy.

View full post on National Cyber Security Ventures

The #Safety of U.S. #Data Could #Rest in #Georgia

Source: National Cyber Security News

At one point or another, much of the U.S.’s data passes through Georgia.

The state is a financial technology capital, with 70 percent of all payment transactions handled in Atlanta. And Georgia is a major internet access point for not only the Southeast but also the Caribbean and part of South America, says Stanton Gatewood, the state’s chief information security officer.

“We have a tremendous amount of information flowing through the state of Georgia,” he says.

But as more data is generated online, cybersecurity resources struggle to keep up. In 2017, the cybersecurity workforce gap was expected to hit 1.8 million people by 2022, a 20 percent increase since 2015. Sources say a shortage exists because cybersecurity is a relatively new academic field, so people haven’t had ample opportunity to undergo the proper training and gain necessary skills. “The crush of demand is coming at once, and academia can’t really keep up,” says Michael Farrell, co-executive director of the Georgia Institute of Technology’s Institute for Information Security & Privacy.

In the face of this issue, Georgia is working to become a cybersecurity hub, amassing an arsenal of initiatives. The U.S. Army Cyber Command is moving from Virginia to Fort Gordon army base, right next to Augusta, Georgia.


Your #phone’s #gyroscope could let #hackers guess your #PIN

Source: National Cyber Security – Produced By Gregory Evans

Security researchers have documented a way to unlock a target’s phone using readings from “zero-permission” sensors. Apps can access sensors such as the accelerometer and gyroscope without special permissions. The readings can be used to deduce your PIN.

Zero-permission sensors

Most smartphone hardware is protected against ordinary access from apps unless you’ve specially granted permission. If you’ve ever used an app that needs camera or microphone access, you’ll have seen a prompt to enable the functionality. Some sensors, including the accelerometer, barometer, proximity sensor and ambient light sensor, aren’t protected though, ostensibly because they’re non-critical and can’t intrude on your privacy.

A paper from researchers at the Nanyang Technological University (NTU) in Singapore suggests this lack of security might need to be reconsidered. As Sophos’ Naked Security blog explains, the researchers managed to correctly guess Android smartphone PIN codes with 99.5% accuracy using data obtained from the “non-critical” sensors.

Because the sensors in modern smartphones are so accurate, the information they provide is sufficient to monitor a user’s activity. By looking at whether you’re moving, what angle you’re holding your phone at and basic environmental details, an attacker could glean enough clues to work out your PIN code.

The proof-of-concept attack demonstrated by the researchers analyses how a phone moves about as the user enters their PIN code. Because each number is in a standard location on the screen, the rotation and tilt of the phone provide pointers that identify the key being pressed. Most users will cause their phone to move in distinct ways as they reach for the top numbers and apply pressure to the screen.

Functionality over security

The researchers said that smartphone manufacturers should reconsider how they’re protecting the sensors being added to new devices. Hardware products such as fitness trackers and VR devices are dependent on the output from sensors. However, leaving physical sensors unprotected could give attackers a way to compromise phones without the owner ever suspecting.

“New technologies, such as health trackers, augmented or virtual reality, require more and more computing power and an increasing number and quality of physical sensors, to advance the user experience,” wrote the researchers. “However, the security countermeasures and the privacy protections implemented in smartphones are not improved at the same pace.”

The proof-of-concept attack could be implemented by malicious actors using a fake app. This could use machine learning techniques to accurately guess PIN codes after watching the user unlock their device several times. The only way to ensure protection is for mobile operating system vendors to place permissions around all physical sensors, giving users control over the apps that can use them.

The post Your #phone’s #gyroscope could let #hackers guess your #PIN appeared first on National Cyber Security Ventures.


Taking #Facebook #Quizzes Could Put You at #Risk for #Identity Theft

Source: National Cyber Security – Produced By Gregory Evans

From phishing schemes to a thief pilfering your passport, there are plenty of ways to fall victim to identity theft. And now, participating in Facebook quizzes is one of them. As ABC News reports, the seemingly harmless surveys that populate your feed could wind up providing unscrupulous hackers with the answers to your online security questions.

Popular Facebook quizzes often ask users to answer a series of sharable personal questions, ranging from the name of their pet to their birth city. Some people see them as a fun way to bond with friends, or a way to make new ones. But as one local police department in Massachusetts recently noted on Facebook, many of these queries are similar—if not identical—to security questions used by banks and other institutions.

“Please be aware of some of the posts you comment on,” the Sutton Police Department in Massachusetts wrote in a cautionary message. “The posts that ask what was your first grade teacher, who was your childhood best friend, your first car, the place you [were] born, your favorite place, your first pet, where did you go on your first flight … Those are the same questions asked when setting up accounts as security questions. You are giving out the answers to your security questions without realizing it.”

Hackers can use these questions to build a profile and hack into your accounts or open lines of credit, the department said. They could also trick you into clicking on malicious links.

Experts say it’s OK to take part in a Facebook quiz, but you should never reveal certain personal facts. Take quizzes only from respected websites, and always carefully vet ones that ask for your email address to access the poll or quiz. And while you’re at it, consider steering clear of viral memes, like this one from 2017, which asked Facebook users to name memorable concerts (yet another common security question).


How #quantum #computing could create #unbreakable #encryption and save the #future of #cybersecurity

Source: National Cyber Security – Produced By Gregory Evans

A new breakthrough in quantum computing may mean quantum key distribution (QKD) is on its way toward being a practical cybersecurity protocol.

Researchers at Duke University, The Ohio State University, and Oak Ridge National Laboratory have announced in the latest issue of Science Advances that they’ve increased the speed of QKD transmission by between five and 10 times the current rates.

Up until this latest breakthrough, which is delivering megabit/second rates, speeds were restricted to between tens and hundreds of kilobits a second.

What is quantum key distribution?

It sounds like something straight out of science fiction, but quantum key distribution is reality, and it could be protecting your data before you know it.

QKD uses photons—particles of light—to encode data in qubits, or quantum bits. The qubits are transmitted to a sender and recipient as an encryption key, and here’s where things get crazy: The transmission channels don’t need to be secure.

QKD’s whole purpose rests on quantum indeterminacy, which states that measuring something affects its original state. In the case of QKD, measuring photonic qubits affects their encoding, which allows the sender and recipient to immediately know if a hacker is trying to crack their quantum encryption key.

That means, theoretically at least, that QKD would be a perfect encryption: Any attempts to crack it would immediately be noticed and keys could be changed.

Making QKD practical for cybersecurity

The breakthrough made by the Duke research team came from being able to pack more data onto a single photon. The trick was learning to adjust the time at which the photon was released, along with adjusting the phase of the photon, causing it to be able to hold two bits of information instead of just one.

What makes the new system developed by the researchers even more amazing is that they were able to do it with nothing but commercially available telecommunication hardware, save the single-photon detector.

“With some engineering,” said Duke graduate student Nurul Taimur Islam, “we could probably fit the entire transmitter and receiver in a box as big as a computer CPU.”

Islam and his research partners say that hardware imperfections render their QKD system less than hack-proof, but their research continues to incorporate hardware shortcomings to make up for them.

“We wanted to identify every experimental flaw in the system, and include these flaws in the theory so that we could ensure our system is secure and there is no potential side-channel attack,” Islam said.

While it’s likely to take some time to emerge from the research phase and become a practical tool, this latest QKD breakthrough gives cybersecurity a leg up on cybercriminals.

As quantum computing becomes accessible, the likelihood of it being used to obliterate current forms of encryption increases, making the development of practical QKD essential. This should come as good news to anyone concerned about the current, and future, state of cybersecurity.


Here’s another #cyber #scam that could cost you #thousands

Source: National Cyber Security – Produced By Gregory Evans

In this year of horrendous cyberheists — Equifax the most prominent — you’ve probably taken at least a few precautions: changed passwords, stopped opening files and links from unknown senders, upgraded your computer security measures, maybe put a freeze on your credit reports. But if you’re […]

New #bill could let #companies #retaliate against #hackers

Source: National Cyber Security – Produced By Gregory Evans

A new proposed bill could make it legal for companies to retaliate against hackers.

Dubbed the “hack back” bill, it was introduced last week to allow businesses to hack the hackers who’ve infiltrated their computer networks.

Called the Active Cyber Defense Certainty (ACDC) Act, it amends the Computer Fraud and Abuse Act anti-hacking law so a company can take active defensive measures to access an attacker’s computer or network to identify the hackers, as well as find and destroy stolen information. It was introduced by two U.S. Representatives, Tom Graves, a Georgia Republican, and Kyrsten Sinema, an Arizona Democrat.

“I’ve heard folks say this is like the Wild West what we might be proposing, but in fact it’s not,” Graves told CNN Tech’s Samuel Burke in an interview. “We are already dealing with the Wild West and there’s a lot of outlaws out there but we don’t have a sheriff, we don’t have a deputy and all we were asking for is a neighborhood watch.”

But security experts warn the legislation could have serious consequences if passed.

According to digital forensics expert Lesley Carhart, the fundamental problem with the idea is that a majority of organizations who would want to hack back aren’t qualified to do so responsibly. It often takes a long time to correctly identify who was responsible for a hack.

“In cybercrime and in nation state attacks, there are often lots of attempts to mislead and confuse researchers analyzing the attack timeline or malware,” Carhart said. “A savvy bad guy could fairly easily emulate an innocent third party, and draw down the wrath of unskilled analysts on them.”

One way researchers place blame on a person or group for a hack is by looking at the evidence left in code. For example, researchers found similarities between the WannaCry code and malware created by Lazarus group, a hacking operation that has been linked to North Korea, earlier this year. Intelligence agencies later connected the country to the massive ransomware attack.

But it’s not uncommon for hackers to spoof that evidence and try and trick analysts into thinking it came from somewhere else, such as putting code from known hacking groups, or innocent third-parties, into their malware.

The bill says active defense measures could only be taken inside the U.S., which means it would have limited benefit. A majority of attacks are based outside the country or route their attacks through servers overseas so it looks like they’re coming from overseas, said Amanda Berlin, author of the Defensive Security Handbook.

Companies would also be required to alert the National Cyber Investigative Joint Task Force, an organization led by the FBI, before trying to hack their hackers. The agency could also review active defensive measures before they’re taken.

The FBI and other law enforcement agencies are already involved in investigating and prosecuting cybercrime. They work closely with major security firms and companies impacted by breaches. However, a relatively low number of businesses in the private sector report ransomware, a common and lucrative cyberattack.

Carhart says poking around in a hacker’s network could impede law enforcement investigations and court proceedings by potentially contaminating evidence.

The FBI defense review also introduces some thorny foreign retaliation issues, Kristen Eichensehr, assistant professor at UCLA School of Law, explained in Just Security, a national security publication.

“The FBI’s participation in the review process may trigger the U.S. government’s international legal responsibility for actions of private actors,” she wrote.

However, some firms already engage in hacking back, despite the illegality. Graves said the bill could put some parameters on that behavior.

“Word on the street is many companies are already doing some of these things,” Graves told Burke in an interview. “They know, you know, and I know that what they are doing is illegal. What we would be doing is bringing clarity to what some might already be doing and what tools might be successful.”

He also said he hopes additional tools will be developed by the security community that can protect people from hackers.

Some experts believe resources may be better spent elsewhere than through retaliation. According to Berlin, companies should invest in their existing infrastructure to prevent hacks in the first place.

“So many corporations get the basics wrong, or skip steps to spend money on some fancy blinky box that’s supposed to protect them from everything,” Berlin said.

This year’s most serious hack was not sophisticated. Equifax failed to patch a software hole despite a fix existing for months before hackers compromised data on 145.5 million people.

To keep systems secure, Berlin advised companies to remove non-essential machines from direct internet access, and patch early and often to prevent hackers from exploiting known holes. If something can’t be updated or fixed, it should be separated from other networks.

Experts warn that hacking back could also hurt innocent third-parties.

Consider Mirai, a massive botnet that turned connected home devices into an army of zombie computers controlled by one attacker. If a company was attacked by a botnet like Mirai and tried to hack back, they could be hitting an innocent family’s network connected to a security camera, instead of the real person behind the attack.

“I’m afraid it will take us back to ancient Babylon and Hammurabi code which called for an eye for an eye and a tooth for a tooth,” said Bassel Ojjeh, cofounder and CEO of security firm LigaData. “And everyone at this rate will go blind.”


Three out of five #Americans concerned #hackers could #spy on them via their #webcam

Source: National Cyber Security – Produced By Gregory Evans

Avast solutions help users control who can access their webcam to prevent unwanted spying.

In October, we conducted an online survey around webcam security awareness and found that 61% of Americans are concerned hackers could spy on them through their computer’s camera.

They have every reason to be concerned.

Tools that can hack a computer’s webcam are available on the regular web, as well as the darknet, in some cases even for free. Although many computers come with a light that indicates the webcam has been activated, tools can prevent the light from being triggered.

The survey reveals that Americans are more aware that hackers can spy on them without activating their webcam’s indicator light compared to the global results. Globally, two in every five (40%) respondents are unaware of the threat, while two-thirds of Americans claim they know of the possibility.

Many people, like former FBI Director James Comey and Facebook CEO Mark Zuckerberg, cover their webcam to prevent unwanted spies from watching them. However, despite concerns being high, only 52 percent of Americans have physically covered up their computer’s webcam.

Covering webcams is a good start, but can be an inconvenience if you frequently need to use your webcam. We at Avast understand this inconvenience, which is why we give our users complete control over who can use their camera, without having to physically cover it up. – Ondrej Vlcek, CTO of Avast

Avast’s new feature, Avast Webcam Shield, which comes with Avast Premier, ends webcam spying for good by blocking malware and untrusted apps from hijacking webcams. Furthermore, users have the option of forcing all apps to ask their permission before they can access the computer’s webcam. The same feature is offered in AVG Internet Security, under a different name, Webcam Protection.



Blockchain Could Help Us Reclaim Control of Our Personal Data

Source: National Cyber Security – Produced By Gregory Evans

It’s a strange world we live in when large companies such as Experian, Equifax, and TransUnion are able to store huge quantities of our personal data and profit from it in a way that doesn’t always benefit us. And when those same companies lose our personal data and make us…


Your computer could be infected without you knowing it: Here’s how to find out

Source: National Cyber Security – Produced By Gregory Evans

Until you become the target of data theft, a malware attack is only what you read about in the news. Yet there is a big possibility that malware keeps hiding in your system for a long time without you being aware of it. Theft of data or money is not…
