data


What Chinese company Zhenhua Data will do with data of 35,000 Aussies | #facebookdating | #tinder | #pof | romancescams | #scams

You – the internet user – have become the front line in a battle for hearts, minds and political advantage. And your personal details are the weapons in an international […]

#infosec | Norwegian Cruise Line Suffers Data Breach

Source: National Cyber Security – Produced By Gregory Evans

A major cruise operator has suffered a data breach as the travel industry battles the storm created by the COVID-19 outbreak.

Information from a database belonging to Norwegian Cruise Line was discovered on the dark web by an intelligence team at DynaRisk on March 13. 

Data exposed in the incident included clear text passwords and email addresses used to log in to the Norwegian Cruise Line travel agent portal by agents working for companies including Virgin Holidays and TUI. 

DynaRisk said data relating to 29,969 travel agents was breached from the portal on the agents.ncl.eu website on March 12.

“After verifying that the data records are legitimate credentials, we notified a Norwegian Cruise Line representative immediately. Despite opening our message later that day, we received no response. After five days a representative responded to our team to discuss the breach,” said a DynaRisk spokesperson.

DynaRisk said that the incident left agents who were “already vulnerable at this time” at higher risk of cybercrime. 

A DynaRisk spokesperson said: “They are now exposed to account takeovers on numerous platforms, sophisticated phishing emails and fraud, which could put further pressure on large travel agents or worse still, put smaller agents out of business.”

Norwegian Cruise Line told Infosecurity Magazine: “It has recently come to our attention that the agents.ncl.eu website may have been compromised. In an abundance of caution, we are in the process of asking certain travel partners that may have been affected to change their password for the site and any site for which they may have used the same password, and to remain vigilant of any suspicious activity or emails.

“We believe limited personal information was involved, specifically names of travel agencies and business contact information such as business addresses and email. This appears to be a unique and isolated incident that involved only a regional travel partner portal which houses marketing materials and educational information and did not involve guest data. We are deeply committed to protecting the security and confidentiality of information and regret any concern this matter may have caused.” 

Norwegian is the third cruise line this month to hit the cybersecurity headlines. Princess Cruises and Holland America Line both reported being hacked on March 2.   


The post #infosec | Norwegian Cruise Line Suffers Data Breach appeared first on National Cyber Security.


#cybersecurity | #hackerspace | K-12 Remote Learning Checklist: Securing Data in a Remote Learning Environment


12-Step Remote Learning Checklist to Help District IT Protect Student and Staff Data

K-12 school districts across the country are shutting down to increase “social distancing” and help slow down the outbreak of COVID-19—the disease caused by exposure to the new coronavirus. Many are either considering or preparing for a shift to remote learning for the remainder of the year.

Technologies focused on learning management, online teaching, collaboration, and video conferencing will help districts provide students and staff with the tools needed to move forward with remote learning. This shift requires a lot of time and effort for district IT teams to vet, implement, and support in the coming weeks.

But K-12 IT teams must also plan for the adjustments in cyber safety and security this shift will require.

Students and staff will be accessing their Google and/or Microsoft accounts from locations outside of the school’s networks. They will also be using new, often OAuth-enabled, EdTech SaaS for a variety of learning and student management purposes. Both of these trends expose district information systems to data security and student data privacy risks.

G Suite & Office 365 Data Security & Student Safety Remote Learning Checklist

What is G Suite and Office 365 security and student safety? It is the district’s ability to see and control the activity taking place in the collaborative cloud software-as-a-service (SaaS) applications, such as Google G Suite and Microsoft Office 365, commonly used by districts today.

If or when your district moves to remote learning, traditional perimeter security safeguards, such as firewalls and content filters, become less effective. This is especially true if your district doesn’t have 1:1 device capabilities. Students will be accessing their school account from an unmanaged device without all the security measures a district device would have.


To help K-12 IT teams securely transition to remote learning and working, we’ve developed this 12-step remote learning checklist focused specifically on cybersecurity and safety protections.

1. Document remote work security policies

Your district’s staff and students are likely not used to working in a remote environment, and may not realize that security tools like firewalls and web content filters are less effective outside your district’s network. If your district hasn’t done so already, now is the time to create and document remote work security policies.

Start by developing a document outlining a list of approved cloud applications to be used for remote learning purposes. If your district doesn’t have a learning management system (LMS) or other remote learning tools already available, consider looking into tools such as BrainPop, Discovery Education, Agilix, Edmentum, and more. Other cloud applications your district’s IT team may want include Zoom, Google Hangouts, Cisco’s Webex, or another popular video conferencing tool that your district is comfortable with using.

Once your team has decided which cloud apps are approved, make sure to include the list in your district’s remote work security policy document. You may also consider including a list of apps that shouldn’t be downloaded and installed.

If your district isn’t 1:1, this will be tougher to enforce due to the fact that students will be accessing their school accounts from an unmanaged device. However, having a guide in place will prove useful in helping students and staff protect their devices, and sensitive data, when logging in to use these apps from home.

2. Create employee cybersecurity training & testing

Simple human error is the number one reason cybersecurity incidents happen in any organization. Educate your district’s staff, students, and parents on common cybersecurity best practices and what to look for in terms of possible red flags.

Create guidelines that encourage students, staff, and parents to look at who emails are coming from. Does the email domain match your district? If there are any links within an email, does the redirect URL match the destination the email claims?

Same goes for file attachments. Are they coming from a trusted source and do the documents pertain to any lessons or assignments students and staff are working with?

You may also want to consider testing your users’ ability to recognize a suspicious email.

KnowBe4 is one common tool for sending out phishing email tests to see how prepared and educated your district stakeholders are regarding cybersecurity. With this tool, your IT team can conduct phishing tests, password strength tests, email exposure and domain tests, and more. This gives your team a better picture of where your weaknesses lie and where further education is needed during this hectic time.

3. Monitor student and staff account logins

Students and staff will be logging into their school accounts from outside of your district’s security perimeter—and from an unmanaged device if your district isn’t 1:1.

Your IT team must monitor account logins and look for anomalous behavior that may indicate an account takeover attack. Anomalous behavior might include multiple unsuccessful logins, failed multi-factor authentication checks, and successful logins from an unapproved location such as another country.
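The three signals named in this step can be expressed as a small detection pass over login events. The following is an added example, not code from ManagedMethods or from any Google or Microsoft API: the event tuple layout, the outcome names, the thresholds and the sample accounts are all assumptions constructed for illustration.

```python
"""Flag the login anomalies listed in step 3 from a stream of login events."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy values; tune them to your district.
APPROVED_COUNTRIES = {"US"}
FAILED_LOGIN_THRESHOLD = 3          # failures per user inside WINDOW
WINDOW = timedelta(minutes=10)

# Constructed sample events: (ISO timestamp, account, outcome, country).
SAMPLE_EVENTS = [
    ("2020-03-16T08:00:05", "teacher.a@district.example", "password_failed", "US"),
    ("2020-03-16T08:00:40", "teacher.a@district.example", "password_failed", "US"),
    ("2020-03-16T08:01:10", "teacher.a@district.example", "password_failed", "US"),
    ("2020-03-16T08:01:30", "teacher.a@district.example", "password_failed", "US"),
    ("2020-03-16T08:05:00", "student.b@district.example", "success", "US"),
    ("2020-03-16T09:12:00", "student.c@district.example", "mfa_failed", "US"),
    ("2020-03-16T09:30:00", "staff.d@district.example", "success", "RO"),
    ("2020-03-16T12:00:00", "student.b@district.example", "password_failed", "US"),
]


def detect_anomalies(events, approved=APPROVED_COUNTRIES,
                     threshold=FAILED_LOGIN_THRESHOLD, window=WINDOW):
    """Return a list of (account, finding, timestamp) tuples in time order."""
    findings = []
    recent_failures = defaultdict(deque)   # account -> failure times in window

    for ts, account, outcome, country in sorted(events):
        when = datetime.fromisoformat(ts)

        if outcome == "password_failed":
            failures = recent_failures[account]
            failures.append(when)
            # Drop failures that have aged out of the sliding window.
            while when - failures[0] > window:
                failures.popleft()
            # Alert once, at the moment the threshold is reached.
            if len(failures) == threshold:
                findings.append((account, "repeated_failed_logins", ts))

        elif outcome == "mfa_failed":
            # The password was accepted but the second factor was not:
            # worth a look even as a single event.
            findings.append((account, "failed_mfa_check", ts))

        elif outcome == "success" and country not in approved:
            findings.append((account, "login_from_unapproved_location", ts))

    return findings


if __name__ == "__main__":
    for account, finding, ts in detect_anomalies(SAMPLE_EVENTS):
        print(f"{ts}  {finding:32}  {account}")
```

In practice the events would come from the login audit logs your Google or Microsoft tenant exports, mapped into this shape.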

 


4. Check for unsanctioned 3rd party SaaS apps

Now that students will be using their school device—or a personal device—outside of school, monitoring for risky 3rd party apps is especially important. This is because malicious apps and apps with insufficient infrastructure security pose far-reaching risks to your district’s information systems.

Additionally, the flood of “free” teaching and learning apps on the market creates openings for serious OAuth security risks. Teachers and students alike may take advantage of these tools with the best intentions, but EdTech that hasn’t been properly vetted can lead to a variety of cybersecurity risks.

Your IT team should monitor which apps are granted OAuth access to district Google and/or Microsoft accounts, check what permissions are granted, and be able to remove the apps that don’t meet your infrastructure security, data security, and/or student data privacy policies.

5. Monitor for improper file sharing and access

Student data privacy laws still apply when your district transitions to remote learning, and keeping track of data becomes more difficult when students and staff access everything remotely.

To help prevent any financial, staff, and/or student data from leaving your district’s G Suite or Office 365 environment, look for drives, folders and files that have given external accounts access to view and/or edit. If any external shares are found, make sure to break them and set up policies to automatically remediate when a future external share is granted.

6. Secure personally identifiable information (PII) and create data loss prevention policies

Data loss prevention is a strategy to ensure the sensitive information of students and staff is protected and doesn’t inadvertently leave the network. Have your IT team start by checking email and files for PII, such as social security numbers, W2s, and bank account information. Then, delete, quarantine, or revoke access to any information that is being improperly shared.

Once complete, set up automatic policies to remediate all PII that leaves your district’s network to ensure FERPA requirements are met.

7. Create student safety monitoring & policies

Just because your district’s students are distanced from one another as a result of school closures and self-isolation, doesn’t mean that they aren’t communicating via their school Google or Microsoft accounts.

Students may be using their school accounts to send emails or use Google Docs as a chat board. It’s important for your IT team to continue monitoring for signals of cyberbullying, self-harm, inappropriate content, abuse, and other forms of student safety threats. Unfortunately, it may be easier for these issues to go undetected during this time.

8. Enable anti-phishing and anti-malware protection

With dispersed students and staff, cybersecurity risks in your district are going to increase. Your IT team will need to ensure they have anti-phishing and anti-malware protection enabled.

Students and staff will be logging in from their home networks and maybe from a personal device, which means school firewalls, web content filters and endpoint security may not be effective for the time being.

The best option for your team at the moment is to start with configuring your district’s G Suite and Office 365 anti-phishing and anti-malware capabilities, and layer additional safeguards to ensure district cloud applications are protected—regardless of the device or the location.

9. Monitor for lateral phishing activity

In the event a student or staff member at your district does fall victim to a phishing scheme, it’s important for your IT team to be monitoring the activity that is taking place within district cloud apps.

This means not only monitoring the email traffic coming from external sources, but also monitoring and analyzing emails sent from internal accounts to others. Doing so is critical to reveal signs of an account takeover and lateral phishing attack.


Are you getting phishing email alerts from an internal email address? Is a student or staff member sending an unusual number of emails to other school accounts that they don’t usually interact with? Is an account suddenly sharing and/or downloading more files than usual? These are a few examples of the trends your team will need to look for more often in a remote learning environment.

10. Make multi-factor authentication mandatory

Multi-factor authentication requires your district’s students and staff to take a second step, after entering the correct password, to prove they have authorized access. Students and staff will be logging in from unrecognized devices, which makes this security tool a critical one for your district to have enabled during this time.

It’s also incredibly quick and easy to set up through your Google and/or Microsoft admin portal.

Multi-factor authentication typically includes entering a code that is sent to their phone via SMS. It can also include phone calls, answering security questions, mobile app prompts, and more.

11. Reset passwords across all accounts and set a password strength policy

Set policies and standards for your district’s cloud app passwords now that students and staff are accessing remotely.

At a minimum, enable your system’s “require a strong password” feature. You can also set minimum and maximum password lengths, password expiration, and more.

If your district already has policies in place, now is a good time to check current passwords to see if there are any passwords that are out of compliance and force password changes through your admin console.

12. Run a G Suite & Office 365 data security & student safety audit

With this checklist, now is an opportune time to run a cloud security audit of your district’s G Suite and/or Office 365 environment. An audit will check for any configuration errors, sharing risks, files containing sensitive information, risky 3rd party SaaS apps, and more.

It’s also important to run audits more frequently now that districts are closing or moving to remote learning. Weekly reports can be automated and provide you with detailed information on the security health of your cloud applications, and on the activity taking place between students, staff, and external environments.

If your district uses SaaS applications such as G Suite and Office 365, protecting the data and accounts in these apps is a critical layer in your cybersecurity infrastructure.

Without it, monitoring and controlling behavior happening on the inside is impossible. This blind spot creates critical vulnerabilities in your district stakeholders’ sensitive information and is now a much bigger blind spot given the current circumstances.

The post K-12 Remote Learning Checklist: Securing Data in a Remote Learning Environment appeared first on ManagedMethods.

*** This is a Security Bloggers Network syndicated blog from ManagedMethods authored by Jake Kasowski. Read the original post at: https://managedmethods.com/blog/k-12-remote-learning-checklist/


#nationalcybersecuritymonth | Interos Completes Series B Funding to Drive Data Science


Interos announced it has raised $17.5 million in a Series B funding round to accelerate data science and engineering growth, expand personnel and boost sales to drive commercial momentum for its leading risk management platform.

The funding comes after Interos tripled its headcount, increased annual recurring revenue by 700% and hiked SaaS subscription bookings by 693% in 2019. With the funding, Interos expects to capitalize on last year’s growth and more than double its personnel in 2020, hiring more staff to augment its proprietary software, which exposes critical risks in the global supply chain for leading private and public sector customers. 

 The round was led by first-time investor Venrock with participation from Kleiner Perkins. 

 “After a strong 2019, this funding shows Interos has already secured major support in 2020 from the world’s most successful investors,” said Jennifer Bisceglie, CEO and founder of Interos. “Like our customers, investors see the value of the Interos platform, which is critical for global businesses in 2020. From events like the coronavirus to political unrest, companies need a platform that exposes risks and identifies how events affect suppliers around the world the moment they happen.” 

“Interos is one of the most compelling big data and AI companies I’ve come across in the last decade,” said Nick Beim, Venrock partner. “Over the last 20 years, global supply chains have grown so rapidly and with so much opacity that most companies don’t know who they’re working with or who they’re dependent on. There’s so much data to gather to fully understand those risks, and Interos helps companies address these urgent, strategic issues with a brand new set of capabilities.”

Interos also recently added Phil Venables, a cybersecurity and risk expert to its board of directors. Venables’ distinguished career includes previously serving as Goldman Sachs’ first chief information security officer and head of technology risk, and as its chief operational risk officer. Prior to his work at Goldman Sachs, Venables was the chief information security officer at Deutsche Bank. Venables serves on the executive committee of the U.S. Financial Services Sector Coordinating Council for Critical Infrastructure Protection, is co-chair of the Board of Sheltered Harbor, and is a member of the boards of the Center for Internet Security and the NYU Tandon School of Engineering. He is also an adviser to the cybersecurity efforts of the U.S. National Research Council and the Institute for Defense Analyses.

Interos has worked with the U.S. Department of Defense, NASA and Department of Energy critical infrastructure. Interos uses machine learning to build and maintain the world’s largest knowledge graph of over 50 million relationships to discover and monitor the entirety of a supplier ecosystem. Each month, Interos ingests over 85,000 information feeds, processing over 250 million risks a month. Interos instantly visualizes the most complex multi-tier relationships, updating and alerting to changes in risk along five factors: financial, operations, governance, geographic and cyber.

 “In today’s interconnected world, Interos is bringing clarity to the muddled, confusing nature of supplier relationships,” said Ted Schlein, partner at Kleiner Perkins. “By automating due diligence, leveraging sophisticated technology and exposing vital risks, Interos shines a light on an otherwise opaque global supply chain.”


#school | #ransomware | Oregon Business – Data Risk


Small businesses face a heavy risk when it comes to cyber security. The best defense relies on an active, educated employer.


On March 9, 2018, the Oregon Clinic discovered an unidentified party had accessed an email account. The data breach gave attackers access to names, birth dates, medical information, and in some cases, the social security numbers of patients and staff. 

The clinic was able to recover from the attack, and went on to offer patients impacted by the breach one full year of identity monitoring services. 

But other businesses which have been subjected to cyberattacks face more dire consequences.



According to a recent study by insurance carrier Hiscox, the average cost to a business when it is subjected to a cyberattack is around $200,000. 

Small businesses suffer most from these costly attacks. Due to the massive price tag associated with an infringement, 60% of small businesses go out of business within six months of being victimized, according to the National Center for the Middle Market. 

Attackers target small businesses for a variety of reasons. Some try to gain access to employee and client information, such as email accounts, bank numbers and social security numbers. Hackers also install ransomware, which, as the name implies, will hold a network hostage until the business owner pays a fee to be released. 



Hackers also target servers to create a “zombie” network, which uses a business server as a launching pad to conduct other attacks to avoid detection. 

Other attackers, especially ones from foreign governments, take over a network to mine for bitcoins. 

Close to 50% of all cyber attacks are perpetrated against small businesses, which hackers often perceive as low-hanging fruit. According to a report compiled by Verizon, nearly half of small businesses reported a data breach in the past two years. 



Despite the likelihood of an attack, and the relative risk involved, less than half of small business owners reported spending money on cyber security last year. 

This is in part because maintaining a good cybersecurity defense is costly. Unlike virus protection, a business cannot simply install a defensive program against cyberattacks and remain safe.

“The demand for these cybersecurity professionals is so high that the price they command for their services is also very high,” says Dr. Wayne Machuca, lead instructor for Mt. Hood Community College’s cybersecurity program. “This precludes small and medium-sized businesses from being able to afford and adequately staff around their cybersecurity needs.” 



There are 4,600 cybersecurity job openings in Oregon, according to cybersecurity employment website CyberSeek. Despite Oregon’s reputation as a state with a heavy tech sector, there are twice the number of cybersecurity job openings as there are qualified professionals to fill them. 

Ruth Swain is the interim director of the Small Business Development Center at Mt. Hood Community College, which helps small businesses protect themselves against cyber threats through the Oregon Center for Cybersecurity. 

With Machuca’s help, the center has developed a program which allows students in their last year of school to provide training and cybersecurity expertise to small businesses owners and their employees free of charge. 

“We worked with the interns and instructors here to come up with a cybersecurity prevention checklist for small businesses,” says Swain. “The advising is free, so we are encouraging businesses to sign up.”

The program was awarded a grant from the National Science Foundation, and Machuca says they have used the grant money to replicate the program along with its sister colleges.  “It’s really exciting stuff,” he says. 



Skip Newberry, president and CEO of the Technology Association of Oregon and executive sponsor of Cyber Oregon, an organization dedicated to delivering the latest cybersecurity information and best practices to businesses, says businesses which cannot afford a cybersecurity professional on staff should train employees to recognize cyberattacks. 

“The first and best defense is adequate training for employees,” he says. “In this day and age, anyone who uses technology should be trained in how to spot phishing and spear phishing attempts, and best practices for managing passwords, which is how the vast majority of cyber breaches occur within small businesses.”

Much of the training is preventative, but if an attack has occurred, the most important thing for a business is not to keep silent. 



#hacking | US healthcare technology: Move to standardize APIs for patient data access receives mixed response



Emma Woollacott

12 March 2020 at 15:38 UTC

Updated: 12 March 2020 at 15:42 UTC

Interoperability rules largely welcomed, but potential privacy and security issues must be addressed, experts warn

New rules giving patients better access to their medical data have been approved by the US Department of Health and Human Services (DHSS) – but experts warn that security may not be entirely sewn up.

Currently, many electronic health record contracts contain provisions that either prevent or are perceived to prevent the sharing of information related to the records in use, such as screenshots or video.

From the beginning of next year, though, health plans doing business in Medicare, Medicaid, CHIP, and federal exchanges will be required to share patients’ health data.

Meanwhile, a new API will allow developers to create apps allowing patients to access their own data, as well as integrating a health plan’s information with their electronic health record (EHR).

“Delivering interoperability actually gives patients the ability to manage their healthcare the same way they manage their finances, travel, and every other component of their lives,” says Don Rucker, national coordinator for health information technology.

“This requires using modern computing standards and APIs that give patients access to their health information and give them the ability to use the tools they want to shop for and coordinate their own care on their smartphones.”

Predatory apps and snake oil warning

The new rules are generally being welcomed – with reservations.

“I’m not sure diving in headfirst by giving patients apps to access their own healthcare records via mobile apps is a good idea,” says Paul Bischoff, privacy advocate for security research firm Comparitech.com.

“Patients might not know what they’re agreeing to when handing over permission to apps to access their health records. This could lead to predatory apps that leverage medical records to sell snake oil.”

Meanwhile, says Tim Mackey, principal security strategist with the Synopsys Cybersecurity Research Center, the nature of the US’ insurance-based healthcare system means that patients may need to be careful about the information they share.

“Given the sensitive nature of medical records, and the potential for a pre-existing condition to negatively influence future patient care, vetting of both app creators and medical data usage in care decisions are concerns,” he says.

“As consumers embrace apps as a proxy for physical identification and their mobile devices as a central store for their most sensitive data, both the security of those apps and the potential for compromise of a mobile device become increasing concerns.”

Much-needed security standard

According to the DHSS, similar apps already exist, in the form of Medicare Blue Button 2.0, which allows patients to securely connect their Medicare Part A, Part B and Part D claims and other data to apps and other tools.

More than 2,770 developers from over 1,100 organizations are working in the Medicare Blue Button 2.0 sandbox, it says, and 55 organizations have applications in production.

But, says David Jemmett, CEO and founder of security firm Cerberus Sentinel, it could be hard to implement a comprehensive security standard.

“As things stand currently, you don’t know if your portal has been checked for security standards unless there has been certification to meet a number of additional standards,” he says.

“Often the code itself goes unchecked and third-party companies can be building them for the interface, but there is no one to go line by line, ensuring security standards are met to certify the software.”


#cybersecurity | #hackerspace | How to prevent the data breach that keeps on happening


By Dr Steve Jeffery, pre-sales engineer

The potential for revealing personally identifiable information (PII) in the ‘To’ or ‘CC’ fields of an email is a risk well understood. Yet despite this, it remains the source of far too many data breaches.

• In January 2020, Capita accidentally leaked the email addresses of all those attached to a support incident ticket on their call handling system.
• In October 2019, West Berkshire Council sent an email containing a survey about leisure centres to 1,107 recipients who could all see each other’s email addresses.
• In April 2019, the UK Home Office accidentally disclosed details of hundreds of EU citizens requesting settled status to one another.
• A UK Freedom of Information request in 2018 showed at least 147 self-reported data breaches to the ICO were down to this error.

Accidental in nature, it’s easy to see why these types of breaches occur. When we want to send an email to a number of people – be that a newsletter, an event invitation, or an update on a technical support ticket – we might simply copy and paste the email addresses into the ‘To’ or ‘CC’ fields and press ‘Send’ without giving it a second thought. This approach means that all recipients of the email are visible to each other, which isn’t a problem if you are addressing a group known to one another, but in the case of a mailing list to customers, it is a privacy breach that could result in a fine.

It is no surprise that human error is the cause of so many breaches. Conditioned to using email, we have become inured to the potential danger that exists every time we press ‘Send’. Focussing on the task at hand, we don’t always give the time required to consider the privacy ramifications of our actions. We know that ‘BCC’, or blind carbon copy, is the field to use to ensure email addresses remain private, yet accidents still happen. What can an organization do to mitigate this risk?

Reducing the risk of an email data breach

To offset the inevitable risk associated with email communications, organizations need a clear cybersecurity strategy encompassing people, processes, and technology. Email policies need to be established, the workforce trained, and policy rules enforced with software. The software acts as the final safety net against the inadvertent actions of employees.

The Clearswift Secure Email Gateway can support employees to make better decisions, without increasing the administration burden on the IT support team.

In the gateway, create an email policy rule that automatically holds emails where the number of recipients in the “To” or “CC” fields exceeds a set threshold. When an email exceeds that threshold, an alert is sent to the employee. If the action was deliberate, the employee can release the email without the need to raise an IT support ticket. The decision to release the email message is audited and recorded in the gateway. If, however, a mistake occurred, the employee can delete the email and create a new version compatible with the organization’s privacy policies.
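The hold-and-release logic described above can be sketched in a few lines. This is an added example, not Clearswift's code or configuration: the threshold of 10, the function names, the optional internal-domain exemption and the sample messages are all assumptions made for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

RECIPIENT_LIMIT = 10   # assumed threshold; set it from the organization's policy
AUDIT_LOG = []         # stand-in for the gateway's audit trail


def visible_recipients(msg):
    """Unique addresses exposed to every recipient: To and Cc, never Bcc."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    unique = []
    for _name, addr in getaddresses(headers):
        addr = addr.strip().lower()          # compare addresses case-insensitively
        if "@" in addr and addr not in unique:
            unique.append(addr)
    return unique


def evaluate(raw_message, limit=RECIPIENT_LIMIT, internal_domains=frozenset()):
    """Return a hold/deliver decision for one outbound message.

    internal_domains is an assumed extension: addresses in those domains are
    colleagues already known to one another and are left out of the count.
    """
    msg = message_from_string(raw_message)
    visible = visible_recipients(msg)
    counted = [a for a in visible if a.rsplit("@", 1)[1] not in internal_domains]
    return {
        "sender": msg.get("From", ""),
        "visible": len(visible),
        "counted": len(counted),
        "action": "hold" if len(counted) > limit else "deliver",
    }


def resolve(decision, sender_choice):
    """The sender releases a held message (audited) or deletes it to start over."""
    if decision["action"] != "hold":
        raise ValueError("only held messages need a sender decision")
    if sender_choice not in ("release", "delete"):
        raise ValueError("choice must be 'release' or 'delete'")
    if sender_choice == "release":
        AUDIT_LOG.append({"sender": decision["sender"],
                          "released_with_visible": decision["visible"]})
        return "deliver"
    return "discard"


def sample(to=(), cc=(), bcc=()):
    """Build a constructed test message; all addresses are made-up .example names."""
    lines = ["From: newsletter@corp.example"]
    for name, addrs in (("To", to), ("Cc", cc), ("Bcc", bcc)):
        if addrs:
            lines.append(f"{name}: " + ", ".join(addrs))
    lines += ["Subject: Customer survey", "", "Survey link inside."]
    return "\n".join(lines)


# Constructed mailing list of 12 customers.
CUSTOMERS = [f"Customer {i} <user{i}@site{i}.example>" for i in range(12)]

if __name__ == "__main__":
    exposed = evaluate(sample(to=CUSTOMERS, cc=["USER0@site0.example"]))
    print(exposed)                       # 12 visible addresses: held
    print(resolve(exposed, "delete"))    # sender admits the mistake
    print(evaluate(sample(to=["newsletter@corp.example"], bcc=CUSTOMERS)))
```

The same list sent through Bcc passes the check because only one address is visible to recipients, which is the behaviour the policy is meant to encourage.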

Additional information

Learn more about preventing data breaches with Clearswift Secure Email Gateway
Step-by-step guides for setting up Recipient Limiters can be found on the Customer Support Portal.


#deepweb | Kenya’s data storage boom entices global tech giants : The Standard

Source: National Cyber Security – Produced By Gregory Evans

Kenya is set to become a major recipient of foreign direct investments in cloud computing.
This is as international investors rush to fund a data centre boom spawned by the proliferation of smartphones, mass adoption of business software and 5G.
Huawei, Microsoft and Amazon Web Services are some of the international players currently enticing small businesses with free data storage in preparation for a looming expansion in data fanned by 5G networks and fibre optic cables.
“So there’s a big opportunity there, as more people begin to use cloud services instead of having their own data servers. These are going to become more valuable,” said Xalam Analytics in their latest report on Africa data centre boom.
Another incentive for the localisation of data storage is that it improves internet speeds since users no longer have to fetch data from the other side of the world.
It is also being driven by clamours by government officials to have local data hosted domestically for national security purposes.


Banks such as Absa Kenya are making investments in machine learning and artificial intelligence tools to improve customer experience and credit risk. New “digital banks” such as Tala, Branch, Zenka are cloud-based.
Since cybersecurity is not an expert capability field for banks, continuous upgrading and development of data centres have been expensive.
Saccos have not been left behind either, as most of them are running on software that allows customers to access their services on the phone.
They also need to store this data somewhere given that in-house data centres are too costly for them. Governments are using cloud and virtualised infrastructure to enhance public service delivery.
Large retail firms also use computer capabilities such as Amazon Web Services databases to transform how they reach a predominantly mobile and digital customer base. Corporates whose expertise is not data storage are slowly giving up their small in-house data centres to major players – helping to drive demand while scores of cloud-native startups are leveraging the cloud to disrupt entire industry sectors.
“The fast-rising requirements of cloud-based technology businesses and their customers, as well as the search for the smallest possible delays in transaction times, has seen businesses seek alternative cloud options,” said the managing director, Carrier Services Division at Telkom Kenya Kebaso Mokogi.
The Kenyan market is currently served by Safaricom, Liquid Telecom, MTN business and other regional players who are set to face competition from the deep-pocketed multinationals who are able to outprice them.
However, Kenya alone does not have the market to attract such high-profile investments but is acting as a launchpad for regional business. It is, however, one of the most active internet and tech-driven business hubs alongside South Africa and Nigeria.
Africa currently accounts for less than one per cent of total available global data centre capacity, according to data from Xalam Analytics, despite the continent being home to about 17 per cent of the world’s population.
However, its capacity has doubled in the past three years.
Xalam Analytics says the key players in Africa – South Africa, Kenya and Nigeria – are set to see investments from multiple investors, among them Warren Buffett-backed Berkshire Partners and London-based private equity firm Actis, which is injecting Sh25 billion into African data centres over the next three years.
Actis is the investor behind Garden City Mall in Nairobi.
“If you look at the trends around data, its consumption, and cloud migration globally — those trends have played out in many markets and have led to significant growth of the data centre sector,” said Kabir Chal, director at Actis.
“Africa is no different: you see digitisation, the inexorable migration to cloud, and really the advent of big data but, as a consequence, the supply of data hasn’t kept up.”
For data-storage companies operating in Africa, a big hurdle is the continent’s lack of infrastructure, which complicates an already capital-intensive, power-hungry business.
Kenya’s power supply remains low at less than 2,000MW compared to South Africa’s 40,000MW. The two have nearly equal population size.
Companies must often rely on large-scale generators running on costly diesel and petrol to provide electricity, while slow internet speeds, high data costs and a lack of fibre networks constrain their operations.
Nevertheless, the Actis investment is part of a broader trend of international players looking to become involved in the data centre sector in sub-Saharan Africa — where the total data centre capacity equals about a quarter of London’s or half of Frankfurt’s, according to Xalam Analytics.
Microsoft also launched its first African cloud data centres last year, which is a key growth market alongside Nigeria, Kenya and Ghana.
It already accounts for roughly half of Africa’s data centre capacity. Meanwhile, Amazon Web Services plans to open a cluster of data centres in the coming months — the company’s first foray on the continent.



#cybersecurity | #hackerspace | DEF CON 27, Artificial Intelligence Village – Tal Leibovich’s & Shimon Noam Oren’s ‘From Noisy Distorted Data Sets To Excellent Prediction Models’

Source: National Cyber Security – Produced By Gregory Evans

Thanks to Def Con 27 Volunteers, Videographers and Presenters for publishing their superlative conference videos via their YouTube Channel for all to see, enjoy and learn.


The post DEF CON 27, Artificial Intelligence Village – Tal Leibovich’s & Shimon Noam Oren’s ‘From Noisy Distorted Data Sets To Excellent Prediction Models’ appeared first on Security Boulevard.


#nationalcybersecuritymonth | Hillicon Valley — Presented by Facebook — FCC fines mobile carriers $200M for selling user data | Twitter verified fake 2020 candidate | Dems press DHS to complete election security report | Reddit chief calls TikTok spyware

Source: National Cyber Security – Produced By Gregory Evans

Welcome to Hillicon Valley, The Hill’s newsletter detailing all you need to know about the tech and cyber news from Capitol Hill to Silicon Valley. If you don’t already, be sure to sign up for our newsletter with this LINK.

Welcome! Follow the cyber team, Maggie Miller (@magmill95), and the tech team, Emily Birnbaum (@birnbaum_e) and Chris Mills Rodrigo (@chrisismills).

 

FCC FINES TOP MOBILE CARRIERS: The Federal Communications Commission (FCC) is proposing more than $200 million in fines against the country’s top mobile carriers after a lengthy investigation concluded T-Mobile, AT&T, Sprint and Verizon improperly sold access to their customers’ precise location information. 

The agency is alleging the companies broke the law by failing to protect information about the geolocation of their hundreds of millions of customers. 

“The FCC has long had clear rules on the books requiring all phone companies to protect their customers’ personal information,” FCC Chairman Ajit Pai (R) said. “And since 2007, these companies have been on notice that they must take reasonable precautions to safeguard this data and that the FCC will take strong enforcement action if they don’t.”

“Today, we do just that,” Pai said.

The proposed fines — which Verizon, AT&T, T-Mobile and Sprint are now allowed to contest — are some of the largest the FCC has proposed in decades. But since reports began emerging about the fines on Thursday night, consumer advocates and privacy hawks in Congress have accused the regulatory agency of holding back and letting the telecom companies off the hook with fines that amount to a “rounding error” compared to their significant bottom lines.

Sen. Ron Wyden (D-Ore.), who was one of the first to shed light on the companies’ unlawful information sharing, released a statement accusing Pai of going easy on the companies.

“It seems clear Chairman Pai has failed to protect American consumers at every stage of the game – this issue only came to light after my office and dedicated journalists discovered how wireless companies shared Americans’ locations willy nilly,” Wyden said. “He only investigated after public pressure mounted.”

“And now his response is a set of comically inadequate fines that won’t stop phone companies from abusing Americans’ privacy the next time they can make a quick buck,” Wyden said.

Verizon, for instance, boasted a total revenue of $31.4 billion in 2019 and is facing a fine of $48 million.

The FCC is proposing a fine of $91 million for T-Mobile, $57 million for AT&T, $48 million for Verizon and $12 million for Sprint.  

T-Mobile, which is facing the largest fine by far, said in a statement Friday that it intends to dispute the FCC’s conclusions.

“We take the privacy and security of our customers’ data very seriously,” T-Mobile said. “While we strongly support the FCC’s commitment to consumer protection, we fully intend to dispute the conclusions of this NAL and the associated fine.” 

Public Knowledge, a consumer rights group, said the FCC’s fines indicate the chairman is enforcing the law “to the barest degree possible.” 

Read more on the fines here.

 

SPONSORED CONTENT — FACEBOOK

Elections have changed and so has Facebook

Facebook has made large investments to protect elections, including tripling the size of the teams working on safety and security to more than 35,000. But the work doesn’t stop there.

See how Facebook has prepared for 2020.

 

TURN IT IN: House Homeland Security Committee Chairman Bennie Thompson (D-Miss.) on Friday raised concerns around the Department of Homeland Security’s failure to submit a congressionally mandated election security report on time. 

DHS was required under the 2020 National Defense Authorization Act to submit a report to Congress on successful and attempted cyberattacks on U.S. election infrastructure during the 2016 elections, along with any future cyberattacks on elections that DHS anticipates. 

The agency was required by the NDAA to submit the report within 60 days of the bill being signed into law. President Trump signed the NDAA on Dec. 20, with Feb. 18 marking the deadline for the report to be submitted to appropriate congressional committees. 

Thompson, whose committee is among those that DHS is required to submit the report to, said Friday that the failure of DHS to submit the report “further obstructs Congress’ abilities to conduct proper oversight,” and noted this was “in direct violation of the law.”

“The threat to our democracy from foreign governments is real, and the Administration’s pattern of denial must stop,” Thompson added. “With President Trump in office, the American people cannot expect our elections to be secure and free from foreign interference or cyber-attacks with status quo measures in place.”

Read more here.

 

‘WALZ’-ING AROUND: Twitter earlier this month verified an account for a fake 2020 congressional candidate created by a teenager.

The account was for a fictional Republican congressional candidate from Rhode Island named Andrew Walz.

His Twitter bio claimed that Walz was a “proven business leader” and a “passionate advocate for students,” CNN Business first reported.

The owner of the account was a 17-year-old high schooler from upstate New York who, according to the network, made the account over the holidays because he was “bored.”

“During Christmas break I was kind of bored and I learned a lot from history class, but also on the news they were talking more about misinformation,” the high school student told CNN Business.

The teen said it took him about 20 minutes to make the website for his candidate and then another five minutes to create the Twitter account.

He got his profile picture from a website called This Person Does Not Exist, which uses a computer to generate realistic photos of fake people.

Then, he filled out a short survey with information about his fake candidate on Ballotpedia, the nonprofit “Encyclopedia for American Politics.” Twitter announced in December that it would be partnering with the nonprofit in an attempt to verify more congressional candidates. 

However, according to the student, neither Twitter nor Ballotpedia asked for any further kind of identification to confirm that Walz was, in fact, genuine.

The social media platform has received flak from candidates who say it has been slow to verify them.

Read more on the incident here.

 

REDDIT DINGS TIKTOK: TikTok is under scrutiny from Reddit CEO and co-founder Steve Huffman for practices he calls “fundamentally parasitic,” referring to serious privacy concerns surrounding the app.

The app is a video-sharing social networking service owned by ByteDance, a Beijing-based company established in 2012 by Zhang Yiming. TikTok launched in 2017 for iOS and Android in markets outside of China.

Huffman said one of the suspicious practices the company partakes in is fingerprinting, a method of tracking devices for each unique visitor, according to The Verge.

“Maybe I’m going to regret this, but I can’t even get to that level of thinking with [TikTok],” Huffman said at the Social 2030 venture capital conference. “I look at that app as so fundamentally parasitic, that it’s always listening, the fingerprinting technology they use is truly terrifying, and I could not bring myself to install an app like that on my phone.”

Research by data protection expert Matthias Eberl highlights the fingerprinting Huffman refers to as an aggregate of audio and browser tracking, allowing the company to know the types of content each user is following. TikTok parent company ByteDance claims the fingerprinting methods are for recognizing malicious browser behavior, but Eberl offers his skepticism, as the platform seemingly works fine without the scripts enabled.

“I actively tell people, ‘Don’t install that spyware on your phone,’ ” Huffman said of TikTok’s software.

Read more here.

 

SCHEMING: Advocates are sounding the alarm over online scams that leave senior citizens particularly vulnerable, urging lawmakers and administration officials to take more steps to protect unsuspecting Americans.

Experts say that threat is heightened during tax season as online options for filing have grown in popularity, opening the door to more scams aimed at obtaining sensitive information or money from victims.

“Consumers should be especially vigilant as we approach tax season,” said Bill Versen, chief product officer at Transaction Network Services, a data services provider.

While there are a slew of scams at tax filing season, experts say that the elderly face a higher risk of being ensnared and experiencing financial hardship.

The most common kinds of tax scams are phishing and calls where a scammer impersonates an IRS official, according to Monique Becenti, a product specialist at cybersecurity firm SiteLock.

Phishing is a tactic used by hackers to get access to private information using fake emails, text messages and social media posts.

These communications are designed to bait unaware users, often the elderly, into giving up their personal information or clicking on links that can download dangerous malware onto computers and phones alike.

But the most common scam between 2014 and 2018 was fraudulent IRS calls, according to a yearly report released by the Senate Committee on Aging.

In those calls, the scammer impersonates an IRS official, demanding payment or sensitive information. In some cases, scammers have been known to threaten to suspend licenses, close businesses or even arrest individuals if they fail to pay fake bills.

“The overall goal is cyber criminals trying to file taxes on behalf of that person,” Becenti told The Hill. And once an individual falls victim, scammers can run further schemes. “Ultimately, they have their Social Security number. … Now they have the ability to open up fraudulent accounts on behalf of that individual.”

Read more here.

 

CHANGE OF PACE: Facebook sued a marketing company Thursday, alleging in federal court that the firm “improperly” collected data from users of the social media platform.

The lawsuit, filed in the Northern District Court of California, claimed oneAudience paid developers to use a malicious software development kit, or SDK, in their apps.

SDKs are tools that let developers make apps more quickly.

OneAudience’s SDK collected data in an improper fashion from Facebook users who opted to log in to certain apps, the lawsuit alleged.

Facebook claimed the data included names, email addresses and gender, in limited cases.

Facebook said it sent a cease-and-desist letter to oneAudience in November, but claimed the company did not cooperate with a requested audit.

OneAudience did not immediately respond to a request for comment.

In a blog post, Jessica Romero, Facebook’s director of platform enforcement and litigation, wrote that the lawsuit was filed to protect the platform’s users.

“This is the latest in our efforts to protect people and increase accountability of those who abuse the technology industry and users,” she wrote. “Through these lawsuits, we will continue sending a message to people trying to abuse our services that Facebook is serious about enforcing our policies.”

Read more here.

 

CAMEO: Former Illinois Gov. Rod Blagojevich (D) joined an app where people can pay for personalized video messages after President Trump commuted his sentence on corruption charges earlier this month. 

Blagojevich is on the app Cameo offering personal messages for $100. 

“Hey it’s Rob Blagojevich. I’m very excited to connect with you on Cameo. If you want a birthday greeting, an anniversary greeting, motivation or any other kind of shoutout, I can’t wait to hear from you,” the former lawmaker said on his account. 

The app features a variety of celebrities and personalities that offer personalized messages for fans upon request. 

Former Trump White House press secretary Sean Spicer also has an account on the app, as do former Trump administration communications director Anthony Scaramucci, former Trump aide Omarosa Manigault and former Trump campaign manager Corey Lewandowski.

Trump commuted Blagojevich’s sentence earlier this month. He called Blagojevich’s 14-year sentence “ridiculous.”

“He served eight years in jail, a long time. He seems like a very nice person — don’t know him,” Trump said.

Read more here.

 

A LIGHTER CLICK: Hope y’all are happy

 

AN OP-ED TO CHEW ON: Indictment of Chinese hackers is wake-up call for better public-private cooperation

 

NOTABLE LINKS FROM AROUND THE WEB:

Vatican joins IBM, Microsoft to call for facial recognition regulation (Reuters / Philip Pullella, Jeffrey Dastin) 

The World Health Organization has joined TikTok to fight coronavirus misinformation (Verge / Makena Kelly)

Walmart is quietly working on an Amazon Prime competitor called Walmart+ (Recode / Jason Del Rey)
