#cyberfraud | #cybercriminals | Could fighting coronavirus compromise cybersecurity?

Source: National Cyber Security – Produced By Gregory Evans

The COVID-19 pandemic has become a sobering experience in many ways. We are witnessing firsthand the negative impact that a fragmented national public health system has on our safety, health and economy. 

Social isolation has become a stark reality and necessity for people around the globe, including here in the United States. While social distancing has become the operational approach to slow down the spread of the COVID-19 virus (or at least flatten the infection curve), this isolation has ripple effects across other components of our lives. A vast number of people will telecommute and work from home. Schools at the K-12 and university levels are instructing students to stay away from campus and suspending face-to-face teaching. Faculty are moving all classes online. The entertainment and sports industries are canceling events and premiers, and restaurants and bars are closing. Major studios are rushing to push content to streaming services; the list will continue. 

While these responses are prudent, the result is that more of our daily routines are dependent on the internet, internet technologies and telecommunications. This strategy to move to the online cyber and virtual realm, at least in the interim, is happening with no real thought about the cybersecurity implications.

Historically, cybercriminals have used crises to increase criminal activity and scams aimed at stealing personally identifiable information, as well as financial and personal health information, to defraud victims. Foreign actors have spread disinformation and attempted to disrupt recovery operations as a means of causing more chaos. The same thing is happening and will continue to happen with the COVID-19 crisis. 

We already see cyberattacks against the U.S. Health and Human Services Department, and similar attacks in Europe. Scammers are sending fake emails and setting up fake COVID-19 health information websites, trying to phish user IDs and passwords. Other scammers are pretending to raise money to assist with replacement lunch programs for students or the isolated elderly. No one should be surprised to see a jump in cyber-criminal activity, as these people are opportunistic. We find ourselves in the perfect storm for cyberattacks.

Increased cyberattacks are not the only ripple effect we could see. The telecommunications and mobile network operators’ critical infrastructure must absorb an exponential increase in demand, with little or no ramp-up time. Similar to the public health system, these industries are fragmented, and their preparedness and capability vary widely across companies and regions. Internet and mobile network operators will find their resources pushed to the maximum. 

We need only to look at recent natural disasters such as floods and tornadoes to see how fragile this infrastructure is. The ability to communicate either via email or mobile phone with emergency services, loved ones or the media to get information disseminated is essential during a crisis and the ensuing recovery period. 

Social isolation will put a significant burden on the telecommunications and mobile network infrastructure. We will now have millions of people working from home using local or regional providers to connect to company networks. K-12 and university students are trying to resume their studies online using e-learning, placing more burden on networks and the infrastructure. People will increase their use of streaming media for news and entertainment purposes, including on their mobile devices. 

This increased demand will also not follow the regular demand cycles, at least in the foreseeable future — school time, the typical workday and leisure activities no longer have rigid schedules; they will be somewhat blended together. This lack of regular routines could potentially magnify the demand and further negatively impact bandwidth and availability.

We must understand that with our increased dependence on technology and cyber, there are increased risks that we need to be aware of and plan for. Governments, businesses and schools need to provide some direction and advice to the general public on how to follow not only appropriate “anti-COVID-19 hygiene” but also “cybersecurity hygiene.” 

Since networks will now be extended to homes during this time, similar cybersecurity policies, practices and standards that someone would adhere to if they were physically sitting at work or school need to apply.

We may also need to consider metering our online behavior to essential activities such as those related to our work, education or critical communications, or at the very least following the more regular rhythm of the day — routine work or school hours.

We will learn many lessons from the COVID-19 pandemic, and the cost will be high in terms of lives and the economy. Hopefully, when we come out on the other side of this crisis, we will also have a better understanding of how to protect our critical infrastructures and the real risks of living even deeper in cyberspace.

Dr. Marcus Rogers is a professor and executive director of cybersecurity programs at Purdue University; he has over 25 years of experience in public- and private-sector consulting in the area of information technology security, and has consulted for the military, law enforcement and for some of the largest financial and health care providers in the world.

Source link

The post #cyberfraud | #cybercriminals | Could fighting coronavirus compromise cybersecurity? appeared first on National Cyber Security.

View full post on National Cyber Security

#deepweb | A Public Index for the Web? How the Blockchain Could Potentially Fight Deepfakes

Over the past two years a cottage industry has emerged of media experts and journalists warning of the potential dangers of “deep fakes.” Videos of Vladimir Putin or Barack Obama saying whatever a video-editor wants them to say have been widely shared on mainstream networks to raise fears over privacy and the dangerous “post-truth” world of the Internet. 

While most mainstream networks have a vested interest in questioning the legitimacy of digital and citizen-led news, there is no doubt that verifying video content is becoming more difficult. 

On the one hand, deep fakes are likely to become a central component of internet culture, fueling the political caricature and memes of tomorrow. On the other hand, there is a darker side. It’s not unrealistic to envision a future in which videos from inside Syria or a protest in Iraq are doctored in a way that could alter our understanding of key events.

The blockchain may have a solution. According to Amy James of Alexandria Labs, one of the fundamental problems of the web is that there is no public index. Today when we search the web, we’re searching a private index. This makes changes to search rankings, or the de-platforming of certain ideas and even individuals, very difficult to detect.

Amy James of the ‘Open Index Protocol’ explains how a distributed global index for the web could help fight deepfakes.

There’s also a less obvious reason why a public index might be a good idea. James argues that “because the web doesn’t have a transparent, secure and version-controlled index it can be difficult to discern truth from fiction online.”

On an immutable blockchain index in which every ‘transaction’ is public and recorded, it should be easier to notice when a video is first uploaded and edited, or whether different versions of the exact same video exist. 

James adds “the web was intended to be fully decentralised.” The apps we all know and love – from Spotify, to Netflix – provide customization and allow networks to scale. At the same time, “private companies build the walled garden infrastructure that we have today so the web could scale and be convenient.” While this model may be profitable, it centralizes information and control in the hands of closed platforms. “When the web was developing in the early 90s the technology didn’t exist yet to build an index as an open standard protocol,” states James.

Alexandria Labs believes the future is a “fully decentralized open protocol for indexing and distribution.” Instead of artificial barriers to content access, an open-source and decentralized protocol would index all public data on the Web, recording it on the blockchain. That’s one way of figuring out if a video of Nancy Pelosi drunk is actually real. 

Full disclosure: Al Bawaba is exploring blockchain solutions on the Open Index Protocol. 

#deepweb | More than 200 million MGM customers could have stolen info on the black market

MGM RESORTS SAYS THERE WAS A DATA BREACH IN JULY 2019 — Morgan & Morgan has filed a lawsuit against MGM Resorts International over a data breach that has exposed the personal information of millions of people. The lawsuit was filed February 21, 2020 and states that in July of 2019, MGM’s computer network system was hacked. The stolen information was then posted on a closed Internet forum.

The report states more than 10.6 million MGM guests were impacted, but one of the lead attorneys said it could be much more.

“We absolutely have heard that we could be talking upwards of 200 million plus,” said Attorney Jean Martin.

She said one of their main concerns is what information was stolen. She said initially, MGM reached out to impacted customers in September of 2019, saying only names and maybe addresses had been posted online, but that information had been taken down. However, in February, the lawsuit says even more personal information had been posted on an internet hacking forum, leading to a prolonged risk of that stolen information spreading. Some of the information stolen included names, addresses, driver’s license numbers, passport numbers, military ID numbers, phone numbers, emails and birthdays.

“That’s what happens when your information is compromised. You never know when it’s going to go up on the web and on the dark web, when it’s going to be sold and when it’s going to be used, so now the people that have had their information compromised face this risk for the rest of their lives,” said Martin.

MGM Resorts released a statement prior to the lawsuit’s filing, and declined to give any updated information.

“Last summer, we discovered unauthorized access to a cloud server that contained a limited amount of information for certain previous guests of MGM Resorts. We are confident that no financial, payment card or password data was involved in this matter. MGM Resorts promptly notified guests potentially impacted by this incident in accordance with applicable state laws. Upon discovering the issue, the Company retained two leading cybersecurity forensics firms to assist with its internal investigation, review and remediation of the issue. At MGM Resorts, we take our responsibility to protect guest data very seriously, and we have strengthened and enhanced the security of our network to prevent this from happening again.”

#cybersecurity | #hackerspace | The Washington State Privacy Act Could Be More Comprehensive Than the CCPA

Washington state could be next in line to pass a state-wide consumer privacy law in the absence of a federal mandate. 

In January, a bipartisan group of legislators introduced the Washington Privacy Act (WPA) and Senator Reuven Carlyle, who sponsored the bill, discussed why the senators believe the bill is important: “It has never been more important for state governments to take bold and meaningful action in the arena of consumer data privacy. That’s what this legislation does.”

The WPA is, in some ways, similar to some of the most recognizable privacy acts, such as CCPA and GDPR. In fact, the bill borrows many practices from those same bills. However, it differs in some significant ways, and, if it passes, it will be the most comprehensive privacy law in the US.

What’s notable about the WPA is the ripple effects it could create down businesses’ supply chains: The WPA not only stipulates data protection responsibilities for organizations which determine the purposes and means of data processing (“controller”), it also requires these organizations to verify that their vendors (“data processor”) have sufficient data protection mechanisms in place to process personal data safely.

Regardless of whether or not this particular piece of legislation passes, it’s important for businesses to understand the WPA and what it represents: individual states are thinking about and passing legislation requiring businesses to address consumer privacy and data protection. As more states pass these kinds of laws, the burden on businesses to comply with them will continue to grow. 

What businesses would need to be WPA compliant?

As it is written currently, the WPA would apply to two categories of companies that conduct business in or target consumers in Washington:

  1. Businesses that control or process personal data of 100,000 or more consumers.
  2. Businesses that derive greater than 50% of gross revenue from the sale of personal data and control or process the personal data of 25,000 or more consumers.

Notably, this means that the WPA would apply to some of the biggest businesses in the country, such as Amazon and Microsoft. But it would also apply to little known data brokers and retail stores. 

The WPA focuses on two groups: The first is controllers — businesses or individuals who decide how and for what purposes personal data is processed. For example, a business that collects data and uses it to send targeted ads or email marketing would be a controller.

The other group is processors — businesses or individuals that do not make decisions about how data is used and only process it as directed by the controller. A credit card processing company is a good example of a processor; they don’t collect or make decisions about the data, they just process it for the controller.

What rights does the WPA give consumers? 

Under the WPA, consumers have certain rights when it comes to their personal data. These rights include:

Right of access: The right of a consumer to know if a controller is processing their personal data and to access that personal data.

Right to correction: The right of a consumer to correct their personal data.

Right to deletion: The right of a consumer to request that their data be deleted.

Right to data portability: The right of a consumer to obtain their personal data in a portable and, as much as technically feasible, readily usable format.

Right to opt out: The right of a consumer to opt out of having their personal data processed for targeted advertising, the sale of their personal data, or profiling in furtherance of decisions that produce legal or significant effects on the consumer.

Individuals would not be able to bring lawsuits against companies for breaking the law, but the state Attorney General’s Office would be able to pursue violations under the state’s Consumer Privacy Act. 

Controller requirements under the WPA

In short, the WPA requires controllers to be more transparent about their data use and to only use consumer data for the purposes they specified when collecting the data. There are a few other specific requirements, but many of them flow into those core purposes.

The WPA creates these specific controller responsibilities:

Transparency: This would require controllers to provide a privacy notice to consumers that includes what personal data is being processed, why it is being processed, how they can exercise their rights, what data is shared with third parties, and what categories of third parties controllers share their data with. Additionally, if the controller sells personal data, they have to “clearly and conspicuously” disclose this and explain how consumers can opt out.

Purpose Specification: Controllers are limited to collecting data that is reasonably necessary for the express purpose the data is being processed for. 

Data Minimization: Data collection must be adequate, relevant, and limited to what the controller actually needs to collect for the specified purpose.

Avoid Secondary Use: Processing personal data is prohibited for any purpose that isn’t necessary or compatible with the specified purpose of collecting or processing the data — unless the controller has the consumer’s consent.

Security: Controllers are required to put administrative, technical, and physical data security policies and processes in place to protect the confidentiality, integrity, and accessibility of the consumer data they are collecting or processing.

Nondiscrimination: Controllers are disallowed from processing personal data in a way that breaks anti-discrimination laws. The WPA also forbids them from using data to discriminate against consumers for exercising their rights by denying them — or providing a different quality of — goods and services.

Sensitive Data: Processing sensitive data without a consumer’s consent is forbidden.

Minors and Children: Processing personal data of a child without obtaining consent from their parent or legal guardian is prohibited.

Non-waiver of Consumer Rights: Any contract or agreement that waives or limits a consumer’s WPA rights is null and void.

Data Protection Assessments: Companies would also be required under the WPA to conduct confidential Data Protection Assessments for all processing activities involving personal data, and repeat the assessments any time there are processing changes that materially increase risks to consumers.

Data controllers must weigh the benefits of data processing against the risks. If the potential risks for privacy harm to consumers are substantial and outweigh the interests, then the controller would only be able to engage in processing with the explicit consent of the consumer. 

Processor requirements under the WPA

Processors’ responsibilities are different from the controllers’ responsibilities, and while the bulk of the WPA currently falls on the controller, it does require that processors have the following items in place:

  • Technical and organizational processes for fulfilling controllers’ obligations to respond to consumer rights requests
  • Breach notification requirements
  • Reasonable processes and policies for protecting consumers’ personal data
  • Confidentiality
  • Controller ability to object to subcontractors
  • The ability for controllers to conduct audits

Additionally, processors and controllers must have contracts in place with provisions regarding personal data processing. The required provisions are similar to the GDPR’s data processing requirements.

How does the WPA differ from the CCPA?

While the WPA borrowed heavily from the CCPA in some areas, there are some key differences that make the WPA more comprehensive.

For example, the WPA requires businesses to weigh the risks and benefits posed to the consumer before they process their data. Specifically, covered businesses must conduct data protection assessments for all processing activities involving personal data. 

The WPA also prohibits businesses from exclusively relying on automated data processing to make decisions that could have a significant impact on consumers, which is not included in the CCPA.

Another significant difference is how the WPA addresses facial recognition software. The CCPA treats facial recognition and other biometric data the same as all other personal data, while the WPA has more specific requirements for how controllers and processors must treat facial recognition data. 

Namely, the WPA specifies that, among other things, facial recognition technology must be tested for accuracy and potential bias, controllers must obtain consent for adding a consumer’s face to a database, consumers must be notified in public places where it is happening, and results must be verified by humans when making critical decisions utilizing facial recognition technology.

What are the consequences of non-compliance?

The cost of non-compliance with the WPA

While the CCPA allows individuals to bring action against companies that are noncompliant, the WPA doesn’t have this provision. However, it does give the Washington Attorney General authority to take legal action and enforce penalties of up to $7,500 per violation. This will add up quickly for businesses that have data breaches or are found to be out of compliance with the WPA.

Preparing for the WPA and beyond

Many businesses are already thinking about WPA compliance, and the most forward-thinking businesses are also considering what this means for the future of privacy laws. The WPA is receiving praise from advocate groups such as Consumer Reports as well as tech giants like Microsoft, and many are even calling for further improvements to the bill. 

Even if the WPA does not come to pass, other states are likely to pass similar legislation around consumer data privacy. Either way, your organization needs to be prepared to operate in a world where data privacy issues will continue to be legislated and litigated.

Companies with already mature infosec and privacy practices will have a big head start when implementing WPA-compliant practices.

To prepare for the WPA and future privacy laws, start by understanding what’s required by the existing industry-agnostic data privacy regulations (e.g., CCPA, GDPR). You’ll need to ensure that your privacy policy, data handling practices, security protocols and vendor contracts are compliant with these regulations. Doing so will help your organization be well prepared when new legislation like the WPA goes into effect. 

To learn more about what your organization can do to readily meet common data privacy legislations, check out this article Understanding Data Privacy and Why It Needs to Be a Priority for Your Business.  

Additionally, to help organizations strengthen their security posture and meet regulatory requirements, Hyperproof has published a suite of articles on cybersecurity controls, best practices and standards. Here are a few of the most popular resources on our website: 

Hyperproof’s compliance operations software comes with pre-built frameworks to help you implement common cybersecurity and data privacy standards (e.g., GDPR, CCPA, SOC 2, ISO 27001) — so you can improve your data protection mechanisms and business processes to readily meet data privacy and data security regulations. Hyperproof not only provides guidance when you implement these compliance standards, it also automates many compliance activities to save you time when adhering to multiple regulations and industry standards. 

If you’d like to learn more about how Hyperproof can help you prepare to meet the WPA as well as existing data privacy laws, please contact us for a personalized demo.

Banner photo by Felipe Galvan on Unsplash

The post The Washington State Privacy Act Could Be More Comprehensive Than the CCPA appeared first on Hyperproof.

*** This is a Security Bloggers Network syndicated blog from Hyperproof authored by Jingcong Zhao. Read the original post at: https://hyperproof.io/washington-state-privacy-act/

#cybersecurity | #hackerspace | A Well-Equipped Security Team Could Save You Millions of Dollars a Year

Data breaches are expensive. By now, most organizations are well aware of this fact. When it comes to resource planning, however, SecOps teams need concrete data to ensure adequate funding is available to handle a breach. 

Taking a look at recent breaches and industry analysis can help. 

The Financial Cost of a Data Breach Is Rising

IBM conducts an annual “Cost of a Data Breach” study as the basis for a global analysis of the cost impact of data breaches. According to the study, the average cost of a data breach in the U.S. is growing:

·  2017: $7.35 million

·  2018: $7.91 million

·  2019: $8.19 million

Between 2017 and 2019, the average financial impact of a data breach at a U.S.-based company rose 10 percent. Companies that experience “mega breaches” involving millions of records can expect to pay anywhere from $40 million to $350 million to clean up the mess. 

IBM expects these figures to continue climbing in the coming year. 

What factors impact the cost of a data breach?

A data breach is not limited to a single incident to be mitigated in just a few days. IBM estimates that it takes companies an average of 280 days to fully recover from a breach. Responding to these breaches extends beyond addressing the root cause of the hack. 

Companies must satisfy notification requirements, preserve affected documents and logs, and address potential PR concerns. If the breach involved PHI (protected health information) or identifying information like Social Security Numbers, the response becomes even more complicated. Most companies will need to hire outside legal consultants to ensure a proper response has taken place.

Beyond these immediate issues, companies that experience a data breach will face “long-tail” costs, those occurring more than a year after a breach. These costs include class action lawsuits, regulatory fines, and the potential loss of customers who have lost trust in the company. IBM estimates that lost business accounts for 36 percent of the average total data breach cost.

Proactive Companies Fare Better

Not only will the cost of a data breach increase, so will the odds that a given company will experience a breach. 

Companies are more than 30 percent more likely to experience a breach in the coming years, according to IBM. The Herjavec Group estimates that a ransomware attack will affect a new business every 11 seconds by 2021. 

The risk of a data breach is not a vague threat intended to scare companies into investing more in backend security response. The risk is simply the reality companies must overcome to protect their clients’ data and their own future success. Bad actors are here to stay, unfortunately, and they are becoming savvier all the time. 

Still, companies can make proactive decisions to reduce the risk of a data breach. Key actions that can help include:

·  Establishing in-house incident response capabilities

·  Integrating advanced machine-learning AI into security platforms

·  Increased cybersecurity education for all employees

·  Creating DevSecOps teams who address data security from the start of the development process

IBM estimates that the presence of an in-house incident response team has a significant impact on reducing data breach costs. Using incident response teams can reduce the cost of a data breach by an average of 10.5 percent, a figure that can save companies hundreds of thousands of dollars. 

Next Steps

Don’t wait until you’re in response mode to come up with a data security strategy. MixMode’s third-wave, machine-learning AI detects vulnerabilities before they attract bad actors, giving our clients the upper hand when it comes to cybersecurity. 

Why is machine learning better?

Machine learning is a subset of AI that adds automation and intelligence to computer programs. A music platform that can predict which songs and artists a listener will likely enjoy is one example of machine learning at work.

MixMode takes the concept of machine-learning a few steps further. Not only could our context-aware AI make accurate song predictions, but it could also actually create original music compositions in the same vein. 

While today’s hackers and cybercriminals are often well-versed in typical machine-learning AI, MixMode’s unique context-aware AI is a world apart. 

Our platform takes a deep dive into your network to develop a baseline level of knowledge it will use to evaluate network anomalies. The result is at least a 12 percent reduction in the cost of detecting and responding to data breaches. That’s what happens when SecOps teams don’t have to wade through a mountain of false positives to address real issues. 

Learn how MixMode can ensure your organization won’t become the next company to make the news thanks to a data breach. Reach out to MixMode today to set up a demo. 

#nationalcybersecuritymonth | Don’t rush to rip out your landline – it could pay you to WAIT for the wireless 5G revolution

For better and for worse, our lives have been revolutionised by the internet. But a new high-tech innovation known as 5G is set to transform everything once again.

The internet plays a pivotal role in our lives thanks to broadband piped through our homes. But ‘fifth generation’ 5G will take this a giant step forward.

It will enable mobile phones to use wireless broadband that matches the best fibre optic speeds. We will be able to rip out old phone lines and internet cables that clutter the house – and instead use mobile reception for all our needs.

Experts believe 5G will lead to an explosion of new ‘smart’ gadgets that talk to our mobile phones through more reliable superfast signals – offering everything from fridge cameras that order groceries when the contents are running low, to robot chauffeurs that can take us around in a self-driving car.

The possibilities of this connection of gadgets – known as ‘the internet of things’ – seem almost limitless.

The 5G technology will start by making pin-sharp video phone calls the norm so we can ditch our landlines, if we haven’t already.

And with broadband download speeds of perhaps 200 Megabits per second (Mbps) – which is more than four times faster than the current average home broadband speed – the technology will also help us economise, clean the home and be more secure.

Smartphone apps controlled by 5G will monitor our heating and lights – turning gadgets off when not needed – while providing 24-hour security with cameras viewed from our phones.

They will also run robotic vacuum cleaners and lawn-mowers when we are away on holiday.

But 5G is not without its critics. Last week, the Government came under fire when it announced Chinese firm Huawei would be allowed to be a major player in the building of the UK 5G network.

Experts fear it could allow Chinese spies to eavesdrop on private conversations and install ‘a Trojan horse’ – holding communication networks to ransom with the threat of a cyber war.

Ernest Doku, a technology expert at comparison website uSwitch, says: ‘5G has the potential to transform the way we live – but at this stage it is no silver bullet as we still need to ensure everyone has access to the connection before it can change the world.

‘Last year, it started to be rolled out in major cities such as London, Edinburgh, Cardiff and Belfast – though connectivity is still small and patchy. And you need an expensive new smartphone such as the £800 Samsung Galaxy S10 to gain access.

‘So far Apple devices cannot connect to the 5G network and the revolution cannot begin in earnest until they do – which may happen when the latest iPhone models come out in September.’

Download speeds are at least ten times faster with 5G than on the previous best 4G technology – far better than most people’s home broadband and in line with top fibre optic speeds.

It means not only lightning fast access to the internet but the ability to download music and movies much quicker. Downloading a feature film on 4G can take a quarter of an hour – but with 5G it might take just 90 seconds.

BUT WATCH OUT FOR STINGRAYS! 

New 5G technology offers an exciting opportunity to improve our networks – but it also opens a new door for fraudsters.

One of the key concerns is the threat of so-called ‘stingrays’. This is where a criminal intercepts your mobile signal with a copycat aerial that tricks it into sharing encrypted identifying data about the phone.

Using this information, the fraudster knows what handset you are using, can track your exact whereabouts and might even be able to hack into your phone operating system’s software.

If this is achieved it might be possible to break into your apps that control and monitor 5G ‘smart’ gadgets. By cracking such codes criminals can eavesdrop on phone conversations and even spy on what you get up to from security cameras you place around the home. Harvesting information that can be seen when you tap into a mobile phone could also enable a fraudster to steal identities, using your personal information to go on an online spending spree or using personal details to empty your bank account.

Cyber security expert Colin Tankard, of Digital Pathways, says: ‘The public needs to be aware of the dangers of this new technology – and with more gadgets being hooked up to 5G it increases the risk of problems if you should get hacked.’

Tankard believes those that embrace 5G must ensure they add a layer of security to their smartphones by downloading ‘virtual private network’ software on to their handsets via an app. Such free software is available from security specialists such as Avira, Symantec and Sophos.

Decrypting your phone signals to spy on private conversations is one of the key concerns of the critics of the Chinese 5G manufacturer Huawei. The Government is adamant that it has addressed such security issues by only allowing it to have a maximum 35 per cent stake in any projects – with sensitive areas such as military bases and nuclear facilities strictly off limits.

But this has not stopped the National Cyber Security Centre – the cyber war combat arm of the Government’s intelligence service – from voicing concern. The NCSC has listed Huawei as a ‘high-risk’ firm for security.

NCSC technical director Dr Ian Levy says: ‘The level of security in our networks needs to improve as our reliance on them increases. The threat for UK operators ranges from hostile states to organised crime and petty fraudsters.’

There are just a handful of main providers of the technology that supply 5G to customers of mobile networks such as EE, Vodafone and O2. These include Finnish phone giant Nokia, Swedish company Ericsson, South Korean firm Samsung and Chinese part-state run ZTE. But the most controversial is Huawei.

Last week, it was licensed to have up to a 35 per cent market share in 5G projects – supplying masts, antennae and cables. But it was banned from participating in 5G provision for military bases and nuclear plants.

The mobile market leader in 5G is EE. Even though 5G reception at the moment is almost non-existent outside cities (though EE claims it is available in 50 UK locations), signing up to the new technology is not cheap.

You pay £54 a month to EE for its best-selling Samsung Galaxy S10 5G deal – which includes 10GB of data a month, enough for 500 hours of internet browsing. You then pay a further £30 upfront for the device and must sign up for two years. Vodafone has slightly less 5G nationwide coverage and costs £56 a month with £49 upfront for the same phone and 5GB of data each month if you sign up for two years.

Another company that recently joined the fledgling 5G party is O2. It charges £54.64 a month plus an upfront £30 for a Galaxy S10 5G phone and 15GB of data usage a month – but only if you are willing to sign up for at least 36 months.

If you are using your phone in an area with no 5G reception then the mobile automatically reverts to the previous fastest-speed service 4G – or goes on to 3G or 2G if this reception is not available either.

The way the technology works is by using a new radio bandwidth that allows more information to be packed into a broadcast than previously possible. But it also requires older 4G masts to be adapted so they can send and receive data on the new wavelength.

The 5G technology will also require small transmitters to be positioned on streets outside people’s homes to ensure ‘smart’ devices in the home can be connected with no interference or loss of signal.

Such building work will cost many millions of pounds and because it is still in the early stages, the ‘smart’ gadgets that can use it are not widespread.

Although we might expect 5G to become more popular this year – so far it has a geographical coverage of less than 5 per cent – it could take a decade before devices other than mobile phones catch up with this super-fast broadband wireless technology.

Doku says: ‘Although it may be exciting to be among the first people to embrace this new technology, prices for 5G phones and access to the 5G network should fall if you hold on for at least 12 months.

‘Also, as a newbie, you may initially be disappointed as national coverage is still poor and the number of gadgets connecting to 5G is limited.

‘But the potential for 5G to transform the way we live and manage our homes is really exciting.’ 

Some links in this article may be affiliate links. If you click on them we may earn a small commission. That helps us fund This Is Money, and keep it free to use. We do not write articles to promote products. We do not allow any commercial relationship to affect our editorial independence.


Microsoft Azure Flaws Could Have Let Hackers Take Over Cloud Servers

Source: National Cyber Security – Produced By Gregory Evans


Cybersecurity researchers at Check Point today disclosed details of two recently patched potentially dangerous vulnerabilities in Microsoft Azure services that, if exploited, could have allowed hackers to target several businesses that run their web and mobile apps on Azure.

Azure App Service is a fully managed, integrated service that enables users to create web and mobile apps for any platform or device and to integrate them easily with SaaS solutions and on-premises apps to automate business processes.

According to a report researchers shared with The Hacker News, the first security vulnerability (CVE-2019-1234) is a request spoofing issue that affected Azure Stack, a hybrid cloud computing software solution by Microsoft.

If exploited, the issue would have enabled a remote hacker to gain unauthorized access to screenshots and sensitive information from any virtual machine running on Azure infrastructure, regardless of whether it was running on a shared, dedicated or isolated virtual machine.

According to researchers, this flaw is exploitable through Microsoft Azure Stack Portal, an interface where users can access clouds they have created using Azure Stack.

By leveraging an insecure API, researchers found a way to get the virtual machine name and ID and hardware information such as core count and total memory of the targeted machines, and then used this with another unauthenticated HTTP request to grab screenshots, as shown.

(Image: Microsoft Azure screenshots)

The second issue (CVE-2019-1372) is a remote code execution flaw that affected the Azure App Service on Azure Stack, which would have enabled a hacker to take complete control over the entire Azure server and consequently take control of an enterprise’s business code.

What’s more interesting is that an attacker could exploit both issues by creating a free user account with Azure Cloud and running malicious functions on it, or by sending unauthenticated HTTP requests to the Azure Stack user portal.

Check Point published a detailed technical post on the second flaw. In brief, it resided in the way DWASSVC, a service responsible for managing and running tenants’ apps, and the IIS worker processes, which actually run the tenant application, communicate with each other for defined tasks.

Since Azure Stack failed to check the length of a buffer before copying memory into it, an attacker could have exploited the issue by sending a specially crafted message to the DWASSVC service, allowing them to execute malicious code on the server with the highest privilege, NT AUTHORITY\SYSTEM.

“So how can an attacker send a message to DWASSVC (DWASInterop.dll)? By design, when running the C# Azure function, it runs in the context of the worker (w3wp.exe),” the researchers said.

“This gives an attacker the possibility of enumerating the currently opened handles. That way, he can find the already opened named pipe handle and send a specially crafted message.”
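The bug class described above, a length field taken from the peer and used for a memory copy without being checked against the destination buffer, shown beside its hardened form. This is an added C example, not Check Point’s code and not the Azure Stack or DWASSVC code; the wire format (a 4-byte little-endian length followed by payload bytes), the MAX_PAYLOAD size, the sample messages and all function names are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed wire format (an assumption, not the real DWASSVC/IIS worker
 * protocol): a 4-byte little-endian payload length followed by that many
 * payload bytes. */
#define MAX_PAYLOAD 16

typedef struct {
    uint32_t payload_len;
    uint8_t  payload[MAX_PAYLOAD];
} request_t;

static uint32_t read_u32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable pattern: the declared length is trusted as-is. A message that
 * claims more than MAX_PAYLOAD bytes writes past the end of out->payload. */
static int parse_request_unchecked(const uint8_t *msg, size_t msg_len, request_t *out) {
    if (msg_len < 4) return -1;
    uint32_t len = read_u32le(msg);
    memcpy(out->payload, msg + 4, len);       /* no bound on len */
    out->payload_len = len;
    return 0;
}

/* Hardened pattern: the declared length is checked against both the
 * destination capacity and the number of bytes actually received. */
static int parse_request_checked(const uint8_t *msg, size_t msg_len, request_t *out) {
    if (msg_len < 4) return -1;               /* header incomplete */
    uint32_t len = read_u32le(msg);
    if (len > MAX_PAYLOAD) return -2;         /* would overflow out->payload */
    if (len > msg_len - 4) return -3;         /* declares more than was sent */
    memcpy(out->payload, msg + 4, len);
    out->payload_len = len;
    return 0;
}

/* Constructed sample messages (hypothetical, for illustration only). */
static const uint8_t MSG_VALID[]     = {5, 0, 0, 0, 'h', 'e', 'l', 'l', 'o'};
static const uint8_t MSG_OVERSIZED[] = {64, 0, 0, 0, 'h', 'e', 'l', 'l', 'o'}; /* claims 64 bytes */
static const uint8_t MSG_TRUNCATED[] = {8, 0, 0, 0, 'h', 'e', 'l', 'l', 'o'};  /* claims 8, sends 5 */

/* Result code of the hardened parser for a message. */
static int checked_result(const uint8_t *msg, size_t msg_len) {
    request_t r;
    return parse_request_checked(msg, msg_len, &r);
}

/* Result code of the unchecked parser; only safe to call on well-formed input. */
static int unchecked_result(const uint8_t *msg, size_t msg_len) {
    request_t r;
    return parse_request_unchecked(msg, msg_len, &r);
}

int main(void) {
    printf("valid:     checked=%d unchecked=%d\n",
           checked_result(MSG_VALID, sizeof MSG_VALID),
           unchecked_result(MSG_VALID, sizeof MSG_VALID));
    printf("oversized: checked=%d\n", checked_result(MSG_OVERSIZED, sizeof MSG_OVERSIZED));
    printf("truncated: checked=%d\n", checked_result(MSG_TRUNCATED, sizeof MSG_TRUNCATED));
    /* The unchecked parser is deliberately not run on the malformed messages:
     * doing so is exactly the out-of-bounds write the check prevents. */
    return 0;
}
```

The two checks in the hardened parser are distinct: the first protects the fixed-size destination, the second prevents reading past the bytes that actually arrived. Both are needed whenever a length is supplied by the other end of a pipe or socket, whichever side of a trust boundary that peer sits on.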

Check Point researcher Ronen Shustin, who discovered both vulnerabilities, responsibly reported the issues to Microsoft last year, preventing hackers from causing severe damage and chaos.

After patching both issues late last year, the company awarded Shustin 40,000 USD under its Azure bug bounty program.


#infosec | US Could Appoint a Cybersecurity Leader for Each State

Source: National Cyber Security – Produced By Gregory Evans

The USA is considering legislation that would protect local governments by requiring the appointment of a cybersecurity leader for each state.

Backers of the Cybersecurity State Coordinator Act of 2020 say the proposed law will improve intelligence sharing between state and federal governments and speed up incident response times in the event of a cyber-attack.

Under the legislation, the director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency would be tasked with appointing an employee of the agency in each state to serve as cybersecurity state coordinator. 

Money to create these positions would come from the federal government, which would be required to ring-fence the necessary funding. 

The role of each state coordinator would be multifaceted, combining elements of training, advisory work, and program development.

Each leader would serve as a principal federal cybersecurity risk advisor, coordinating efforts to prepare for, respond to, and remediate cyber-attacks. Another core responsibility would be to raise awareness of the financial, technical, and operational resources available to nonfederal entities from the federal government.

Coordinators would be expected to support training, exercises, and planning for continuity of operations to expedite as swift a recovery as possible from cybersecurity incidents. Furthermore, they would be called on to assist nonfederal entities in developing and coordinating vulnerability disclosure programs consistent with federal and information security industry standards.

“State, local, Tribal, and territorial entities face a growing threat from advanced persistent threat actors, hostile nation states, criminal groups, and other malicious cyber actors,” reads the bill. “There is an urgent need for greater engagement and expertise from the Federal Government to help these entities build their resilience and defenses.”

The bill, which has attracted bipartisan support, was introduced by Senators Maggie Hassan and Gary Peters and is co-sponsored by Senators John Cornyn of Texas and Rob Portman of Ohio.

Portman said: “This bipartisan bill, which creates a cybersecurity state coordinator position, would help bolster state and local governments’ cybersecurity by facilitating their relationship with the federal government to ensure they know what preventative resources are available to them as well as who to turn to if an attack occurs.”



How Tweets Could Prevent War, an App Store Dilemma, and More News

Source: National Cyber Security – Produced By Gregory Evans

Twitter is shocking and Apple is balking, but first: a cartoon about posthumous photo sharing. Here’s the news you need to know, in two minutes or less. Want to receive this two-minute roundup as an email every weekday? Sign up here! Today’s News Did Twitter help […]

View full post on AmIHackerProof.com

#deepweb | Richard Frank: LifeLabs hackers could still hold health records of 15 million Canadians

Source: National Cyber Security – Produced By Gregory Evans

LifeLabs announced this past week that hackers had invaded its computer system and put the records of 15 million Canadians at risk. (Photo: Veronica Henri/Toronto Sun)

OPINION: If the cybercriminals already have a copy, then retrieving data by paying a ransom will not suddenly stop the attackers from further using that data

LifeLabs — Canada’s major provider of lab diagnostics and testing services — announced on Dec. 17 that hackers had potentially accessed computer systems with data from “approximately 15 million customers” that “could include name, address, email, login, passwords, date of birth, health card number and lab test results.”

As a Canadian citizen whose data and whose family’s data is probably among the 15 million records stolen, my first thought is about the implications of this breach.

At the International Cybercrime Research Centre in the School of Criminology at Simon Fraser University, we’ve been studying online hacker communities for about seven years and the Dark Web for the past four years. The Dark Web, with its large number of marketplaces (called cryptomarkets, think eBay for drugs and stolen data), is a fascinating place where all sorts of products, data and services are made available for purchase. Payments are made using anonymous (mostly) untraceable digital currencies. I would expect parts of LifeLabs’s database to eventually end up in a marketplace like that.

So how did this happen? Details of the hack have not been revealed due to the ongoing investigation, but hopefully we will eventually learn the specifics. According to the Office of the Information and Privacy Commissioner of Ontario (IPC) and the Office of the Information and Privacy Commissioner for British Columbia (OIPC), “cyber criminals penetrated the company’s systems, extracting data and demanding a ransom,” which LifeLabs paid.

This points to a likely ransomware attack, where the attacker encrypts the data on a computer system and makes it inaccessible. Unless a backup of the data exists, the only way to recover the data is by paying the attacker a ransom, after which the attacker sends the victim the decryption keys to unlock the data. Most of these ransomware attacks use encryption so strong that even security firms cannot unlock the files, which has led to a new type of business where consultants help ransomware victims negotiate and pay the ransom.

In most ransomware cases the data remains on the victim’s computer, but its access is revoked through strong encryption. This implies that the attackers do not actually have a copy of the data and thus the chances for future revictimization remain low. However, the language of the OIPC indicates that in this case, the data were “extracted.” This puts a new twist on the story.

Ransomware attackers sometimes do use ransomware — software that threatens to block access or publish data — that not only locks files, preventing the victim from doing anything, but also leaks the files back to the attackers. This allows the attackers to potentially extort more money from the victim, as happened a few weeks ago to Allied Universal, a security firm in California. That seems to be the case with LifeLabs.

If this is true, then our data is out there, in the hands of cybercriminals, and will remain out there. LifeLabs has stated that they have “retrieved the data by making a payment,” but if the cybercriminals already have a copy, then retrieving it will not suddenly stop the attackers from further using that data.

Did LifeLabs not have proper backup and recovery procedures in place so it could recover from this failure without having to resort to paying a ransom?

The likely scenario is that LifeLabs fell victim to a ransomware attack, possibly sparked by a phishing email with a malicious link or attachment, which resulted in up to 15 million customers’ information (our information, not LifeLabs’) being extracted to the attackers. LifeLabs paid the ransom to regain access to the data and continue business.

What can we, as customers, do? Unfortunately, not much.

The data theft is beyond our control. Periodically we must do business with third parties that require our personal information, and we have no choice but to hand it over. Implicit in this transaction is that the other party (LifeLabs, for example) will protect that data. The only option available to us as customers is to be vigilant about our personal information, including financial and health details; but this comes after the data theft.

We must check our credit card statements, our credit histories, our insurance claims. We must not use the same password in multiple places and should use two-factor authentication whenever possible.

Potentially the best way to prevent future breaches would be to incentivize organizations that collect our personal details to secure them properly. This could be done by changes to the legislation, like in the European Union and its new General Data Protection Regulation (GDPR) introduced in 2018.

In August 2018, the British Airways website was breached and 500,000 customer details stolen. The United Kingdom’s Information Commissioner’s Office handed down a fine of £183 million (approximately $321 million), based on a new U.K. law designed to mirror the EU’s GDPR. With penalties like that, third-party organizations would have no choice but to take data security seriously, rather than as an operational cost.

Richard Frank is assistant professor of criminology at Simon Fraser University.


