

#cyberfraud | #cybercriminals | BBB on Homes: October is National Cyber Security Awareness Month

Source: National Cyber Security – Produced By Gregory Evans

October is National Cyber Security Awareness Month, so it can be a good time to learn about the newest technology scams, especially those affecting you at home.

A favorite tactic of scammers is to convince consumers to pay for services that would otherwise be free.

The Better Business Bureau of Greater Houston and South Texas is getting reports of a con where scam artists charge activation fees for devices that are, in fact, completely free to set up.

The scam typically follows a playbook. You purchase a new media player, virtual assistant or other tech device for your home.

It could be a Roku, Google Home, Alexa, or any other device that needs to be activated after purchase. When you are ready to use it, you search for the customer support phone number; however, instead of getting the official website, you end up on a look-alike site with phony customer support information.

You call that number, and you are told there is a new policy in place: All device users must now pay an activation fee. Reports on BBB Scam Tracker indicate that people have been charged anywhere from $80 to $100 to “activate” their new device.

Scammers may ask for unusual forms of payment, such as prepaid gift cards, or they may ask directly for your credit card number.

Once payment is made, they may claim there was a problem and a second payment is needed. In some cases, they may “help” you come up with a new username and password, thereby gaining access to your device account. In any case, scammers hope to get away with your hard-earned money along with your personal information.

The Better Business Bureau offers the following tips on how to protect yourself from tech scams:

Make sure you are visiting an official website. Scammers are skilled at creating look-alike websites with addresses that are spelled slightly differently from the official website’s address. Carefully double-check the URL or go directly to the site listed in your device’s instruction booklet.

Beware of sponsored links. Fake websites sometimes pop up in your web browser’s sponsored ad section and appear at the top of the search list. Be careful what you click on.

Never make a payment with prepaid debit or gift cards. Reputable companies will never ask you to wire money or pay with prepaid cards. Money sent this way cannot be recovered.

Protect your home computer and network. A computer should always have the most recent updates installed for spam filters, anti-virus and anti-spyware software. Also be sure to enable firewall protection for your Wi-Fi network.

For more information and tips, check with the BBB at

The Better Business Bureau is an unbiased nonprofit organization that sets and upholds high standards for fair and honest business behavior.

Visit or call 713-868-9500.

Leah Napoliello is senior director of Investigative Services with the BBB of Greater Houston and South Texas. Send questions to Leah Napoliello, Better Business Bureau, 1333 West Loop South, Suite 1200, Houston, TX 77027, or e-mail Include your mailing address and phone number.


#nationalcybersecuritymonth | Law Firm Cyber Security: Start Simple:

Source: National Cyber Security – Produced By Gregory Evans

Oct. 2, 2019 – October is National Cybersecurity Awareness Month, so it’s a good time for law firms to revisit their cybersecurity practices to determine if they have the necessary defenses in place. But legal technology experts say law firms are behind.

Attorneys Dennis Kennedy and Tom Mighell recently discussed law firm cybersecurity on their podcast, the Kennedy-Mighell Report. Despite constant news about data breaches and law firms as targets, many solo and small firms still don’t do enough.

Mighell said he has spoken to many lawyers who don’t upgrade their systems and keep running programs that are unsupported, such as the Microsoft Windows 7 operating system. But unsupported programs are unlocked doors for lurking data thieves.

“Part of the problem is there continues to be brand new ways that bad people can get to us, and keeping up with it all is overwhelming,” said Mighell, chair of the American Bar Association’s Law Practice Management Section.

Christopher Shattuck, who manages the State Bar of Wisconsin’s Law Practice Assistance Program (Practice 411™), says cybersecurity is a practice management issue that Wisconsin lawyers must address since ethics rules (SCR 20:1.1, Comment 8) require lawyers to “keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.”

“Many calls that come through the Practice 411 program are related to cybersecurity and what firms should be doing,” Shattuck said. “The solutions will vary by practice, but we can help lawyers and law firms develop plans that are most appropriate for them.”

Keep the Doors Locked

Implementing security protocols doesn’t have to be overwhelming. Consider simple steps like upgrading outdated programs or devices, using strong passwords, and embracing two-factor authentication, which would have prevented the following breach:

Joe Forward, Saint Louis Univ. School of Law 2010, is a legal writer for the State Bar of Wisconsin, Madison. He can be reached by email or by phone at (608) 250-6161.

A small firm is using Office 365, a cloud-based subscription service that provides a suite of applications for individuals and businesses, such as Word, Excel and Outlook. There are built-in security systems that can help law firms stay secure, but what happens?

Hackers are able to access a user’s Office 365 account because the user’s password is very weak. Then the hackers send emails, impersonating the user (the payroll manager), and get two payroll checks diverted to a different bank. That money is gone.

“There were two opportunities to stop that hacker dead in its tracks,” Mighell said. “The first would be to set a strong password that would be much more difficult to break.”

According to one cybersecurity expert, an eight-character password can take minutes to crack, whereas a 20-character password can take months. Secure password managers can help law firms and lawyers maintain longer, unique passwords.

“Even if the password could have been broken, two-factor authentication would have stopped it. If it’s done right, it’s 99 percent effective,” Mighell said.

With two-factor authentication, a user who logs into an online program could choose to receive a text with a numeric code that is required for login. Applications like Authy provide a two-factor authentication solution to protect online accounts.

Don’t Use Outdated Software

One of the biggest cybersecurity problems is running outdated systems. When operating systems and programs reach “end-of-life,” they are no longer supported by developers. That includes an end to security updates and patches.

A 2016 lawsuit against a Chicago-based law firm illustrates the potential harm that can occur if law firms use outdated programs. A client sued the firm for running outdated programs that allowed attorneys to remotely access the firm’s network via the internet, including time entry software, a virtual network system, and the firm’s email system.

For instance, attorneys could access a time-tracking program with a user name and password. But the client-plaintiff alleged the law firm “improperly configured the service and left it running out of date software” that was more than a decade old.

The client-plaintiff also alleged the firm’s virtual private network (VPN), which allowed attorneys to access the firm’s files and documents off-site, was not implemented properly and left the whole network open to “Man in the Middle” attacks.

Such attacks allow hackers to eavesdrop on communications and steal confidential information, especially when the faulty VPN, supporting insecure renegotiation, is accessed on public connections at conference centers, cafes, or other public networks.

The client’s lawsuit, which ultimately entered arbitration under the firm’s engagement letter, alleged breach of contract and fiduciary duty, and negligent legal malpractice.

Law firms don’t have to go it alone. Solo and smaller firms that don’t have in-house technical expertise can outsource IT services to Managed Service Providers (MSPs). Given the ethical duty to protect client data, this may be a necessary expense.

According to an article by the Florida Justice Technology Center, using MSPs “is an incredibly effective method of preventing cybersecurity breaches as the IT systems are managed by a third-party who are experts in securing systems. The MSP is contractually obliged to patch the operating systems, patch the applications, and update the firmware and microcode on the associated hardware,” the article states.

Simple Solutions

Cybersecurity experts Sharon Nelson and John Simek of Sensei Enterprises recently addressed common cybersecurity questions in the June 2019 Wisconsin Lawyer™. The article highlights simple things law firms can do to shore up their law firm security.

Do a Security Assessment. “The assessment is usually done using software tools and involves a thorough review of your network. The result is generally a report identifying critical, medium-level, and low-level vulnerabilities. A security assessment tends to come with a proposal for (at least) remediating the critical vulnerabilities along with the estimated cost. We believe it is wise to do these assessments, using a certified third-party cybersecurity company, annually.”

Train Employees. “There is no getting around the absolute need for annual employee cybersecurity training. It is generally somewhat inexpensive and covers the basics of current threats and how to avoid such things as clicking on suspicious links and attachments, going to sketchy websites, giving information over the phone (duped by social engineering), and many other easy-to-make mistakes. A solid hour of good training each year is a small price to pay for educating your employees and creating a culture of cybersecurity.”

Use Password Managers. “Beyond a doubt, the most important security tip is do not reuse passwords! The bad guys are now using computer bots to force attacks using passwords revealed from past data breaches. If you continue to reuse passwords, there is a high probability that the password will be used against other systems. This is another great reason to use password managers; doing so makes it easier to have unique passwords for every system.”

Move Law Firm Data to the Cloud. “Virtually all cybersecurity experts now agree that the cloud will protect your data better than you will. Is the cloud absolutely secure? Of course not. But do law firms, especially solo practices and small firms, tend to be woefully insecure? Yes, they do.”

Try to Keep Up with Technology. Resources such as Attorney at Work, Bob Ambrogi’s LawSites blog, and of course, Wisconsin Lawyer, help attorneys stay on top of new developments in the areas of technology and cybersecurity. “Don’t forget continuing legal education – and ask your colleagues for recommendations regarding speakers who both inform and entertain,” Nelson and Simek wrote. The 2019 Wisconsin Solo and Small Firm Conference has an entire track of CLE programming dedicated to technology and practice management, including cybersecurity.

Don’t Click on Suspicious Links in Emails. A common cybersecurity threat involves “phishing,” where third parties will impersonate someone in your network with genuine-looking emails that contain links to unleash malware or other viruses. Examine emails carefully before clicking on links or call the purported sender to confirm.


#cyberfraud | #cybercriminals | Cyber Security Month: How clean is your Contact Centre?

Source: National Cyber Security – Produced By Gregory Evans

Cyber Security Month: How clean is your contact centre? – Cyber Security Month aims to teach ‘cyber hygiene’ tips to consumers— but companies need to scrub up too, because contact centres can have dark corners where fraud festers.

One of the big themes of this year’s European Cyber Security Month is cyber hygiene — and how consumers can follow the kinds of daily routines, checks and behaviour that will help them to stay safe online.

The campaign offers security tips and advice to the public which ranges from using a firewall and not leaving your laptop unattended, to remembering to use a password on your phone and never opening email attachments from unknown sources.

It’s simple, sensible stuff. But consumers’ diligent personal care could be undermined — if the organisations they trust become breeding grounds for security problems themselves, especially around card payments.

During Cyber Security Month, Eckoh’s big question for companies is: How clean is your contact centre?

To find out, here are three ‘sniff tests’ for organisations:

Test #1: Are you still asking customers to read out card details over the phone?

In theory, there’s nothing wrong with this — but it’s risky if contact centre agents can hear the card numbers, see them on the screen, or access them from call recordings.

Card Not Present (CNP) fraud is predicted to reach £680m in 2021[1]. All it takes is a rogue agent copying a person’s card details or doing this on a large scale and selling numbers to criminals.

Alternatively, digital card records could be hacked or even shared accidentally by clumsy employees.

The average UK company uses three different solutions to handle call payments. But they’re often fraught with risks and awkwardness. Pause-and-resume methods are prone to errors and feel disjointed, as agents dip in and out of conversations.

It’s also a poor customer experience if calls are transferred to another department for the ‘payment bit’. Rigorous agent vetting and the setting up of clean rooms, where pencils and mobile phones are banned, can help to raise security levels. But there’s always the risk of a lapse and a few bad apples.

Increasingly, consumers understand the sensitivity of their data and feel uncomfortable handing it over to strangers. In fact, 68% of consumers believe that reading their card details out over the telephone is not secure[2]. Customers need a payment system that gives them absolute reassurance.

Test #2: Can you handle every kind of payment securely?

The way consumers prefer to interact with organisations ranges from the web, phone calls and mobile apps, through to email, web chat, social media and more. In fact, some customers will flit effortlessly between these channels and expect organisations to keep up.

Increasingly, they’ll also expect to pay for items via whichever channel they happen to be using at any time.

What’s more, they may want to pay for items in a host of different ways. It’s worth noting that over half of all online transactions will be made using alternative payment methods by 2021, according to Worldpay.

This explosion in contact channels and payment services creates enormous pressures on contact centres. When it comes to card security, the ‘attack surface’ within contact centres is stretched more and more.

Companies can’t say ‘No’ to customer demands — or say ‘Yes’ to taking risks. They can’t afford to be able to handle some payments securely but take a chance with others. Criminals will hunt out any weak links, so it’s important that security is rock solid on every channel.

Test #3: Are you putting too much faith in PCI DSS compliance?

This sounds a bit like a trick question. Every company that accepts, processes, stores or transmits credit card information must achieve compliance with the Payment Card Industry Data Security Standard (PCI DSS) which puts you on the right track for processing card payments securely and reducing card fraud.

But PCI DSS is only a standard, it’s not a guarantee. Even if your contact centre achieved PCI DSS compliance a few weeks ago, you can’t be sure your security is watertight today. You’re still at serious risk of a data breach if there’s any lapse in security — an uncomfortable truth that can keep executives awake at night.

And it can happen all too easily. In fact, 90 percent of data breaches are caused by human error. What’s more, while compliance addresses some aspects of data protection it does not guarantee a secure contact centre.

So what’s the best way forward?

Cyber Security Month is a great way to educate consumers about staying safe. But more companies need to get serious about securing sensitive data, especially people’s card details.
A security breach can have devastating consequences. Even for small companies, the average cost of a cyber breach can be £267,000, so it’s no wonder that 87% of companies view cyber liability as one of their top 10 business risks.

Faced with growing threats and more data to defend, companies are increasingly looking to trusted payment partners to give them PCI DSS compliance and maintain it for them — by actually managing secure payments on their behalf.

With the right approach, contact centres can take payments over the phone, web and other channels, but sensitive card information is never heard, seen or recorded by their staff. Any sensitive data is simply passed seamlessly to their payment partner who authorises the transaction, without card details ever entering the contact centre’s environment.

Additional Information

Companies can discover more about contact centre security by downloading a free copy of the CNP guide from Eckoh.

It profiles fraudsters’ range of tactics — and the defence measures that organisations can take to stop them.

Eckoh is a global provider of secure payment products and customer contact solutions, supporting an international client base from its offices in the UK and US.

Our secure payments products, which include the patented CallGuard, can be hosted in the cloud or deployed on the client’s site and remove sensitive personal and payment data from contact centres and IT environments. The products offer merchants a simple and effective way to reduce the risk of fraud, secure sensitive data and become compliant with the Payment Card Industry Data Security Standards (“PCI DSS”) and wider data security regulations.

Eckoh has been a PCI DSS Level One accredited Service Provider since 2010, processing over £1.5 billion in card payments annually.

Eckoh’s customer contact solutions enable inquiries and transactions to be performed on whatever device the customer chooses, allowing organizations to increase efficiency, lower operational costs and provide a true Omni-Channel experience. We also assist organisations in transforming the way that they engage with their customers by providing support and transition services as they implement our innovative customer contact solutions.

Our large portfolio of clients come from a broad range of vertical markets and includes government departments, telecoms, retailers, utilities, travel, transport, hospitality and financial services organisations.


#cyberfraud | #cybercriminals | Strengthening the human firewall against cyber attacks

Source: National Cyber Security – Produced By Gregory Evans

An estimated 97% of cyber-attacks originate from or involve email.

This estimate cited by The Wall Street Journal may be a little bit high, according to IT consultant J. Peter Bruzzese, who believes it is between 90% and 95%. But it nevertheless means emails are the biggest threat and employees are typically the weakest point at which an organisation can be attacked.

Speaking at the Armour Expo on Friday, 4 Oct., Bruzzese said gone are the days when hackers would drop infected USB sticks in the parking lot of their target organisation.

Those who picked up the devices and used them would ultimately infect their computers and potentially a whole network. The method was so successful that IT teams started to super glue the USB drives on computers to render them unusable.

“We actually have software for that,” the IT consultant said. “But some people are really extreme. Why? Because that’s where the threat was coming from.”

Nowadays these types of attack have been replaced by sophisticated email scams.

These can take the form of ransomware and other malware attacks, URL links that lead to malicious websites and even impersonation attacks that make heavy use of “social engineering”, the hacker term for manipulating the victim through verbal or written interaction.

Far from the Nigerian email scams, which involved preposterous stories written in bad English, these attacks appeal right to the heart of the victim, said Bruzzese. They are emails using sophisticated language, often imitating a person known to the target, and containing plausible messages or requests.

The IT consultant presented an email that he, although highly sensitised to the threat, fell prey to himself. It was purportedly sent from the CEO of a client company, who informed Bruzzese that the company had changed direction and to continue the collaboration his compensation structure would have to be adjusted. More information was supposedly contained in an attached Excel file. 

Of course, Bruzzese said, he should have noticed that he had never communicated with the CEO about compensation in the past or that an Excel spreadsheet was not really needed in this context.

“I wasn’t thinking. That is what your end-user is like most of the time,” he told local IT professionals at the event hosted by IT and cyber-security firm eShore.

The first thing he therefore recommends is end-user training.

“You have to prevent the end-user from making that click or opening that attachment. If you can stop that just a proportion of the time, you will save the company the frustration of a ransomware attack, the frustration of some form of impersonation attack or URL-based attack where they get password credentials.”

But in some cases, even the best training will not be sufficient. When homoglyphs, different character sets that look like letters, are used to replicate an email domain name, Bruzzese said what looks like “” to the naked eye will actually be “”, adding, “That’s how sneaky these folks are.”

The solution therefore must involve technology on top of user security awareness because most people will not pick up on these attempts. “You have to have the technology in place. An end-user is never going to see a URL that is based on homoglyphs.”

Moving email systems into the cloud will take care of some, but not all, security issues. Most people think that if they use Office 365 they will never have a problem with a ransomware attack because their email is in the cloud and on Microsoft servers, Bruzzese noted. “That makes sense, except there is a new form of attack called a ‘ransomcloud’ attack.”

In this attack, the end-user is prompted with a fake Microsoft message to opt into certain settings to enhance their security. Once these settings are accepted, the attackers can take control of the Microsoft mailbox online and they can encrypt it.

“The only way you can get your mailbox back is to pay the ransom unless you have a back-up, which in Office 365 most people don’t,” the IT consultant added, because most people believe that Microsoft backs up their emails in such a way that they can be easily restored. But with 180 million corporate users across the globe that is impossible, he said.

#nationalcybersecuritymonth | MeriTalk Recognizes Federal Cyber Defenders at CDM Central and Cyber Smoke – MeriTalk

Source: National Cyber Security – Produced By Gregory Evans

When cybersecurity works at its best, you barely know anything about it, because highly secure and efficient networks rarely create their own reasons to make the news.


The same goes for the many thousands of dedicated security professionals across government and industry who work hard – often in the background and mostly unheralded – to guard networks against a stunning array of threats from sophisticated nation-state attackers all the way down to common thieves.

As part of National Cyber Security Awareness Month, MeriTalk will shine a light on the often unsung stalwarts who defend the networks on which we all depend.

MeriTalk, a public-private partnership dedicated to improving the outcomes of government information technology, is recognizing cyber defenders across industry and government who have been judged by the community to have made a significant contribution to the state of cyber security.

We will recognize these cyber defenders across our programs and platforms during the month of October – including the CDM Central conference and CDM Cyber Smoke networking program on October 10th – and in our daily news coverage at

We are proud to recognize these Cyber Defenders during the 2019 National Cyber Security Awareness Month. We salute you, and thank you for your service.


#cybersecurity | Cyber security incident: Public message from Tū Ora Compass Health

Source: National Cyber Security – Produced By Gregory Evans

As a Primary Health Organisation, one of our roles is to collect and analyse data that comes from your medical centre. We do this to improve the care people receive. It helps to ensure people get proactive screening for diseases like cancer and get treatment for conditions like diabetes. This saves lives and helps keep people well.

On 5 August, our website was attacked as part of a global cyber incident. As soon as we became aware, our server was taken offline, we strengthened our I.T. security and started an in-depth investigation. The investigation has found previous cyber attacks dating from 2016 to early March 2019. We don’t know the motive behind the attacks. We have laid a formal complaint with Police and they are investigating.

We cannot say for certain whether or not the cyber attacks resulted in any patient information being accessed. Experts say it is likely we will never know. However, we have to assume the worst and that is why we are informing people.

Tū Ora holds data on individuals dating back to 2002, from the greater Wellington, Wairarapa and Manawatu regions. Anyone who was enrolled with a medical centre in that period could potentially be affected.

Tū Ora does not hold your GP notes, these are held by individual medical centres. This means the notes made on consultations you have had with your GP are not at risk of being illegally accessed through this cyber attack. We do not hold the data contained in your patient portal if you have one.

As stewards of people’s information, data security is of utmost importance to Tū Ora. While this was an illegal attack by cyber criminals, it was our responsibility to keep your data safe and I am very sorry we have failed to do that.

We are now focused on doing everything we can to support people and making sure it can’t happen again. We have set up a number (0800 499 500 or +64 6 9276930 if dialling from overseas) for people to call to obtain more information.

While we have no evidence that patient data was accessed, we encourage you to be vigilant to unusual online requests.

Cert NZ has more information about staying safe online on their website at . Please read our FAQs below for more information.

Again, I want to apologise for this situation and the distress it will cause.

Ngā mihi,

Martin Hefford

Chief Executive

Tū Ora Compass Health


#cybersecurity | Cyber Security Today – Stalkerware and ransomware increasing, password advice and updates to watch for

Source: National Cyber Security – Produced By Gregory Evans

Stalkerware and ransomware increasing, password advice and updates to watch for.

Welcome to Cyber Security Today. It’s Friday October 4th, I’m Howard Solomon, contributing reporter on cyber security for

A few months ago I warned about stalkerware, which are apps installed on a smartphone or tablet that let another person keep an eye on what you’re doing. Usually this app gets installed when you’re not looking by a spouse, lover or friend who has access to your device. This is not a parental control app a parent installs on a child’s device. This is an illegal snooping app. This week security vendor Kaspersky put out some numbers that may give an idea of how common their use is, based on the number of detections from its security software. In the first eight months of the year there were more than 518,000 cases where the software either registered the presence of stalkerware on users’ devices or detected an attempt to install it. And remember, that number is only for devices that use Kaspersky software. Huge numbers of people either don’t use antivirus software on their mobile devices, or use another brand. Some of these apps hide themselves on devices, so victims don’t know it’s there. Stalkerware has to be installed directly by someone. So think twice before letting a friend, or someone closer, use your phone.

As I mentioned on Wednesday, this is Cyber Security Awareness Month. As part of that Google released a public opinion poll that, if representative, shows a lot of Americans aren’t cyber aware. Twenty-four per cent of respondents said they use weak passwords like “admin” and “1234.” Fifty-nine per cent have used a name or birthday in an online password. Many people must know others use weak passwords because 27 per cent of respondents say they’ve tried to guess someone else’s password — and of those 17 per cent said they guess right. Well, if you can guess right, so can criminals. Look, it isn’t easy to have to remember lots of passwords. That’s why there are password managers. Google has one it just improved, which is why it released the survey. There are lots of password managers. Go online, do a search, use one of them.

The FBI this week issued a reminder to organizations that ransomware is crippling those who aren’t prepared. The latest hit were three rural hospitals in the same group in Alabama. For a time new patients had to be sent to Birmingham. Last week a major hospital in downtown Toronto was hit. The FBI urges organizations to regularly back up their data and verify its integrity. Ensure backups can’t be infected by being connected to live networks. Focus on employee awareness and training to recognize suspicious email. And make sure all software gets security patches as soon as they are available.

Finally, some product updates to watch for: If you use WhatsApp on an Android device running version 9 or 8 of the operating system, make sure you upgrade to the latest version of WhatsApp. There’s a serious bug that could let a hacker into your device by sending you a repeating video called a GIF. Like one of those videos of a cat doing something silly.

And Microsoft has put out another Windows update to fix a printing problem. This patch is to fix ones that were issued over a week ago. It also updates Internet Explorer.

That’s it for Cyber Security Today. Links to details about these stories can be found in the text version of each podcast at That’s where you’ll also find my news stories aimed at businesses and cyber security professionals. Cyber Security Today can be heard on Mondays, Wednesdays and Fridays. Subscribe on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.


#computersecurity | ANU cyber attack: How hackers got inside Australia’s top uni

Source: National Cyber Security – Produced By Gregory Evans


It’s been compared to Ocean’s Eleven – a cyber attack on Australia’s top university, methodically planned and then adapted on the fly by an “A team” of hackers who cracked into the personal records of 200,000 students and staff and walked away leaving virtually no trace. The operation was so slick investigators claim they still don’t know if the breach was the work of a foreign state, even as its “shocking” sophistication throws suspicion on China.

But the hack didn’t go entirely to plan. Now, after months of forensic analysis, the Australian National University has revealed it’s likely the hackers “didn’t get what they wanted” from its records after all. They were foiled in the act – and it was entirely by accident.

On Wednesday, the university released a post-mortem of the hack and how staff responded – the first public report of its kind into an Australian cyber attack. It describes a highly professional operation, likely of up to 15 people “working round the clock” to harvest data and build custom malware within the network itself. Hackers evolved, covered their tracks and returned for fresh attacks when a scheduled firewall unexpectedly booted them out, in a campaign the university says was remarkably more sophisticated and “distinct” from an earlier breach involving national defence research in 2018.

If the university hadn’t been cleaning up after that hack, where nothing was stolen but suspicion also fell heavily on China, it’s unlikely staff would have discovered this second breach when they did. “Frustratingly” the ANU says it doesn’t have enough evidence to point the finger at anyone this time around, not even organised crime – security teams now scouring the dark web for the stolen data have turned up nothing so far.

Director of defence, strategy and national security at the Australian Strategic Policy Institute Michael Shoebridge has read the report closely (“It’s a bit like CSI Miami”) and thinks China remains the most likely suspect – both for its well-known cyber capability and its interest in harvesting human intelligence on Australian government officials and researchers known to orbit the ANU.

So how did the hackers get in and what clues did they leave behind? According to the report, which was developed in collaboration with Australia’s security agencies, the intrusion was first discovered in April, during a routine security sweep. A small army of cyber experts descended on the campus and the hunt began in earnest, with staff realising on May 17 someone hadn’t just been in the house, they’d been robbed.

More than two weeks later, vice-chancellor Brian Schmidt went public with the news: the university had been hacked for the second time in less than a year. Nineteen years’ worth of HR data had been compromised. The final report now revises down that figure considerably – while hackers got into that database, analysts believe they stole only a fraction of that, or roughly the same amount you can store on a CD. But to date investigators are still not sure exactly how much data was taken – or why.

Professor Schmidt handed down the report on Wednesday with an apology to students and staff and a call to break the silence surrounding attacks of this kind. He said he hoped its detail would encourage disclosure about hacks more broadly, rather than providing an “instruction manual”. In the interest of transparency, only a small number of very specific details were omitted to prevent copycats.

The hack was so sophisticated it “has shocked even the most experienced Australian security experts”, Professor Schmidt said, though he acknowledged the university “could have done more”. “This wasn’t a smash and grab, it was a diamond heist,” he said. “It’s likely they spent months planning this. They were organised and everyone knew their role.”

It began, as many attacks do, with a seemingly innocuous email sent to a senior staff member in November 2018. The staffer wasn’t on campus at the time so it was read by a colleague. And they didn’t open the attachment. But this was something a little more sophisticated than the usual nefarious traffic the university deflects from its inboxes (ANU blocks 5000 intrusion attempts a day). Just previewing this email’s attachment was enough to deliver the malware and steal senior login credentials. And the hackers had their first door in.

“The fact they got in without anyone actually clicking on an email, that wasn’t widely known around the traps,” Professor Schmidt says. “We were sort of ground zero for that.”

From there, investigators think hackers must have gotten lucky – an inside job has now been ruled out. The thieves managed to find an old legacy server due to be decommissioned within the year and it was there that they built their base of operations, installing “shadow infrastructure” to cloak their movements on the network as they hunted for a way into its more secure databases.

Investigators say they are confident they know what the hackers were after – the HR files – because they made a beeline for that part of the network to the exclusion of other areas like research, much of which they had also gained access to. While the hackers ran extensive software to clean up their trail, university analysts believe they would have found traces elsewhere, as they did with the HR database, if they had been busy in more than one place. Instead, even when inside the network, they used password cracking software and kept running email “spear-phishing” campaigns like the one that first worked in November – trying to sniff out the right credentials to access the closed HR system, and eventually taking a final, desperate run at the IT department itself.

Once they broke into the HR database through a previously unknown vulnerability, hackers used their own custom-made software to scrape its data so detail of exactly what was taken wouldn’t appear on ANU logs. But university investigators are confident the amount taken was much smaller than they originally thought – megabytes out of the many terabytes of information stored in the data-set.

Spanning a period of 19 years, the affected HR records include payslips, bank account details, tax file and passport numbers, emergency contacts, and some academic records, on an estimated 200,000 current and former staff and students. Sensitive personal information such as medical and counselling records, academic misconduct and financial hardship is not stored in the same part of the network. Whether the data was taken based off a targeted search of the records, a random sample or some other extraction method is still unclear.

But the intruders didn’t stop there. After extracting the HR files via another compromised computer, more phishing emails were sent out to harvest further credentials. Whatever hackers planned to do next, they were interrupted. A new scheduled firewall went up, booting them out of their base of operations in the middle of one of their clean-up cycles. They spent a frantic fortnight in the lead up to Christmas trying to break back in. Eventually, they found another foothold in a legacy computer not behind a firewall.

But what about those email traps sent to IT staff? As hackers continued their operation, one or two red-faced IT staffers did click on their malicious emails, handing over more credentials. But others in the department recognised the emails for what they were and shut down the new attack station. Unfortunately, at the time, they didn’t see them as part of a much bigger attack. Unknown to the university, hackers were now waging another two-month-long battle to get back inside its systems.

For the ANU’s chief information security officer Suthagar Seevaratnam, all this suggests the information they stole wasn’t the endgame after all. Part of the data harvested was made up of field names, often displayed in confusing jargon unique to the university. It would have been difficult for hackers to search and, indeed, decipher. And the ANU says what was taken doesn’t appear to have been misused.

“Our current sense is the actor didn’t get what they wanted because they were stopped twice during their campaign,” Seevaratnam says. “And what they did get was not immediately usable or they didn’t understand the data’s business context.”

Once disrupted by ANU security upgrades, the hackers didn’t give up, trying new tactics almost up until the point of discovery, including attempts to disable the university’s email spam filter. They also returned to harvest another handful of HR files missed during the first extraction.

Even after discovering the breach, the ANU says it was still under attack, working to shore up its defences and secure the network. Within an hour of going public with the news, the university came under fire again, this time in the form of a botnet campaign. And the following night, there was another attempt on the spam filter – leading investigators to suspect the same hackers still hadn’t given up. The university now believes its systems are secure.

Whoever they were, they were well-resourced and highly skilled. As Professor Schmidt puts it: “This was a state-of-the-art hack, carried out by an actor at the very top of their game, at the very cutting edge.” Sophisticated is often code for “state sponsored” but at this stage the ANU insists it can’t rule anyone out.

While it notes the type of data targeted – HR and financial records – would be of high value to criminals dealing in identity theft online, the information stolen hasn’t been detected online. And both the university and police say the small number of suspected identity fraud cases involving ANU staff or students since the breach have all been deemed unrelated.

So did hackers keep going because what they extracted wasn’t valuable enough to sell – or were they after something else? Shoebridge thinks it unlikely the type of data taken would have been of much interest to criminals in the first place. “They have better sources for that kind of stuff,” he says. “But universities are great datasets for foreign espionage outfits. This would fit nicely into information China has already gotten elsewhere.

“ANU conducts a whole lot of interesting research, its student and teaching population over time flow on to become government officials. You need information on people to pressure them into doing what you want.

“The level of sophistication and aggression here calls to mind a state actor. It’s pretty impressive ANU found them. I think they would have been happy to stay in the network, undetected.”

Attribution is notoriously difficult on the modern cyber battlefield. As countries throughout the world devote more resources to online spying and sabotage, diplomacy is struggling to keep the peace. The Australian Cyber Security Centre, which is run by the nation’s top spy agencies, did not respond to requests for comment before deadline but has been working closely with the ANU on the investigation.

Last year, the centre’s head Alastair MacGibbon said he was aware of foreign countries that “actively try to steal IP from tertiary institutions and research centres” and last year the Australian government took the rare step of publicly rebuking China for stealing commercial secrets from local businesses. But this hack has not been attributed to the communist government so far.

Shoebridge thinks attribution is important. “This should serve a lesson for all institutions, especially universities,” he says. “But it shouldn’t be on them to take on foreign governments. Australia needs to attribute attacks like these. If you catch a burglar in your house, pretending it didn’t happen just encourages them to come back the next night.”

Having identified technical weak-points in ANU systems as well as “people and process issues”, the university will now look to rebuild its network entirely over the next four years and roll out extra training to staff. The university did not answer questions on funding for the new initiative or IT resources during the hack, but at the time it was discovered staff were in the middle of a significant security upgrade following the previous 2018 attack.

“Unfortunately, there was not sufficient time to universally implement all measures across the ANU network between the two attacks in 2018,” the report says. “The sophistication and speed of the second attack underscore the threat environment in which we now operate.”

ANU handed down the report as Australia’s top spy agency launched an investigation into another attack on regional Victorian hospitals this week. Seevaratnam says commentary around hacks should focus less on what organisations did wrong – which he calls “victim-blaming” – and more on the lessons that can be learnt to protect the community. “We need to encourage and support other victims coming forward and sharing their stories.”


#cybersecurity | More women needed in cyber security to meet high industry demand: Sim Ann, Singapore News & Top Stories

Source: National Cyber Security – Produced By Gregory Evans

SINGAPORE – The Republic needs more women to take up positions in cyber security, a sector that is facing a shortfall of talent.

On Thursday (Oct 3), Senior Minister of State for Communications and Information Sim Ann said more women can be encouraged to join the cyber-security industry and thrive in it.

“Given the high demand for cyber security talent, it would be a pity to draw from only half the population,” she said, noting that estimates of the proportion of women in cyber security globally range from as low as 10 per cent to about 25 per cent.

“Effective strategies to tackle cyber security… must integrate the perspectives of all people – both men and women – so that the technologies deployed and the process implemented are practical and inclusive.”

In her opening address to audience members at the Women in Cyber event during the Singapore International Cyber Week (SICW), Ms Sim outlined three ways to get more women to join the cyber-security industry and thrive in it.

First, by engaging young people to raise awareness of the opportunities in cyber security. She said this is important as people often make career choices early in life.

One such initiative is the Singapore Cyber Youth Programme, which reaches out to secondary school-level students for boot camps and career mentoring sessions.

The other two ways are for women to constantly update and deepen their skills to take advantage of emerging trends in a fast-paced sector, and to have a strong community network, she added.

“Women support networks shed light on women role models who can inspire young aspiring professionals. They also serve as a comfortable launch pad for women to plug into broader industry and community networks,” Ms Sim said.

Ms Sim’s call for more women to join the industry follows a warning by the Cyber Security Agency of Singapore (CSA) in July that the industry potentially faces a shortage of up to 3,400 professionals by 2020.

Ms Alina Tan, 26, was among the many female cyber-security professionals in the audience for the Women in Cyber event.

Combining her twin interests in cyber security and car modifications led Ms Tan to specialise in automotive cyber security.

She started working in the Land Transport Authority’s Cyber Division last month, after spending about two years in cyber-security consulting.

“What I enjoy most about working in cyber security is that I’m always learning something new,” said Ms Tan, who in her free time organises weekly meet-ups for like-minded individuals in the local community to conduct their own research in car cyber security.

“I get a sense of satisfaction from discovering vulnerabilities in a system and then finding ways to secure it. You never know what you’re going to find in there and that’s very interesting for me.”

Held at Suntec City and Convention Centre from Oct 1 to Oct 3, SICW 2019 is the fourth edition of the annual event organised by CSA.


#cybersecurity | Attacks on Multiple Airbus Suppliers Demonstrate a Need for Renewed Focus on Supply Chain Cyber Security

Source: National Cyber Security – Produced By Gregory Evans

The supply chain has become one of the most popular vectors for attackers looking to compromise an enterprise-scale company. Vendors often have access to the company’s sensitive data, or have enough access to their network to provide an opening that allows for privilege escalation. European aerospace company Airbus has found itself on the receiving end of a particularly large coordinated attack on its vendors over the past 12 months. With evidence pointing to a nation-state attacker, this case demonstrates why it is necessary for smaller companies to take supply chain cyber security just as seriously as their larger partners.

The Airbus attacks: Four breach attempts on vendors since late 2018

Given that the company has military contracts throughout the world, including the provision of transport and combat planes to many of Europe’s largest military powers, Airbus is a natural high-value target for nation-state espionage.

It is still unclear exactly who is behind these attacks on Airbus suppliers (as is so often the case with these things), but they have been linked to the Chinese state intelligence services based on the specific technical documents that the hackers targeted.

Agence France-Presse (AFP) reports that four vendors were targeted in separate attacks over the previous year: engine manufacturer Rolls-Royce, technology consultant Expleo, and two other contractors that were not publicly identified.

Airbus has only publicly admitted to one attack that resulted in unauthorized access to data. AFP cited security professionals with direct knowledge of the attacks for the remaining information. Airbus has issued a public statement indicating that supply chain cyber security defenses have been hardened against vendor vulnerabilities.


One of the sources claimed that the compromise of Expleo was discovered early this year, but that the company had been breached long before that. Expleo shared a virtual private network (VPN) with Airbus that the hackers were able to gain access to. Rolls-Royce was compromised by the same hacking group at some point after Expleo was.

Though there is a lack of hard evidence at this point, the cyber security sources believed that Chinese intelligence was involved due to the focus on stealing documents related to the engine and propulsion systems of military transport planes and passenger jets. China has been working on a mid-range airliner and a long-range jet for some time, but has struggled with research and development of engine systems. The methods used and goals closely fit the known patterns of APT10, the group of Chinese hackers that went on a tear of attacking managed service providers for major companies with strategic importance to global governments last year.

Supply chain cyber security lessons from the Airbus attacks

One of the most interesting items in this report was the news that a VPN may have been breached. That’s obviously a very worrying development for any company, but particularly for a defense contractor.

VPNs are supposed to be an enhanced security step implemented specifically to prevent breaches – when one fails it’s a pretty big deal. How could this have happened? The most likely answer is that the encryption key was stolen. It’s also possible that a trusted username/password combination was phished from an employee somewhere outside of the VPN, perhaps from a personal account. Of course, it’s also possible to crack the encryption – something beyond the reach of the average hacker, but perhaps not beyond the reach of the resources of a major nation-state.

What lessons should companies take from these major attacks on Airbus? VPNs are still a powerful privacy and security tool, but not an infallible one. In some cases, breaches may not even be their fault – APT groups have been known to develop exploits for particular VPNs in private, and they are sometimes unknown to the rest of the world until they are deployed successfully in a cyber attack.

Vital operators

Certain companies considered to be “vital operators” by their governments are subject to special cyber security regulations, but these regulations do not necessarily extend to their vendors.

Unfortunately, the process of obtaining contracts in many countries often forces companies to select the lowest reasonable bidder in order to win. Guess what aspect of operations often gets its budget slashed because it is seen as “unnecessary?” Companies often underestimate the importance of supply chain cyber security spending until a breach of critical infrastructure hits and the cleanup bill comes due.

Compliance monitoring of vendors is also a complex issue for an enterprise-scale defense contractor. For example, Airbus has tens of thousands of suppliers located all over the world. Ongoing compliance checks for such a sprawling network of vendors are a virtual impossibility. The solution to this particular problem usually has to come from government regulation of contractors; not only setting supply chain cyber security standards, but in some cases requiring smaller vendors to use only paper records or to do all of their work on the primary contractor’s secure system.

Proper supply chain cyber security is simply a cost of doing business for even smaller vendors. Their larger partners are becoming increasingly likely to have rigorous terms and regular audits laid out in their contracts. Even if they don’t, any vendor that leaves supply chain cyber security unattended due to budget or lack of awareness is gambling. The stakes are their reputation as a trusted partner, fines and potentially even damages from a lawsuit. Smaller vendors must understand that though they themselves may not possess the really juicy information that hackers are after, hackers are scrutinizing them as a vulnerable initial opening to get into the partner network.


Enterprise-scale companies that work with many vendors need to understand what it is that hackers will test the supply chain cyber security for: access and shared sensitive information. Both should be limited to absolute necessities. Enterprise companies must also resist the temptation to downgrade their security to make it easier for multiple vendors to access their systems. The costs of data breaches always need to be calculated and weighed against the costs of simply getting the security right in the first place.

