#nationalcybersecuritymonth | Security experts explain why unlocking the Pensacola shooter’s iPhones would unleash a privacy nightmare for iPhone owners
- Apple’s decision not to unlock or create a backdoor into the iPhones used by a gunman in a Florida shooting last month puts the tech giant at odds with the United States government yet again.
- Security experts agree, however, that circumventing the iPhone’s security poses a significant risk to iPhone users since it would provide a means to obtain private data that even Apple can’t presently access.
- There’s a risk that such a tool could fall into the wrong hands, some experts warn.
Attorney General William Barr recently called on Apple to help unlock the iPhones used by a gunman in Pensacola, Florida last month – a situation that once again requires the tech giant to balance protecting consumer privacy with its legal obligation to assist in investigating a shooting that’s resulted in the loss of American lives.
But security experts agree that providing access to the shooter’s iPhone could jeopardize the security of the millions of iPhones in use around the world.
“In essence, you’re trying to make a weapon that can only be used on a single target,” Jacob Doiron, an information systems lecturer at San Diego State University, said to Business Insider. “But that’s not the nature of weapons, or exploits. They are applicable to any device that has that profile or configuration.”
On Monday, Barr said that Apple had not provided any “substantive assistance” in getting access to two iPhones belonging to the shooter, Mohammad Alshamrani, who killed three people at a naval airbase last month. But Apple has since refuted that characterization, saying that it had provided iCloud backups, information, and other data from Alshamrani’s account in cooperating with the investigation. Now, Apple is reportedly gearing up for a legal battle with the Department of Justice to defend its position, according to The New York Times.
“We have always maintained there is no such thing as a backdoor just for the good guys,” Apple said in a comment to Business Insider. “Backdoors can also be exploited by those who threaten our national security and the data security of our customers.”
Apple took a similar position in 2016 when it was caught in a stand-off with the Federal Bureau of Investigation over whether it should unlock an iPhone linked to a shooting in San Bernardino, California. Apple refused to unlock the iPhone, and the FBI ultimately ended up working with a private company to gain access to the device.
The crux of the issue when it comes to unlocking an iPhone or bypassing its encryption, according to privacy experts, is that once Apple creates a backdoor, there’s a risk that it can be used in unpredictable and in some cases harmful ways.
“I would say the chances of it falling into the wrong hands are 100%,” said Mark Nunnikhoven, vice president of cloud research for cybersecurity firm Trend Micro.
There’s also the question of why Apple couldn’t just create the tool for the purposes of the investigation and then push an update to iPhones that would render it obsolete. For that to work, the backdoor would have to be tied to the software only, not the iPhone’s hardware, says Doiron. “Sometimes these vulnerabilities take place on the hardware level,” he said. “That’s not something that could be fixed via software.”
“We’re on your side”
The broader issue, however, may be that creating such a tool would put private, encrypted data from iPhone users in the hands of Apple and its employees – a privilege the company doesn’t want to begin with. Such a move would be in stark opposition to Apple’s stance on consumer privacy.
“You are not our product,” Apple CEO Tim Cook said in an interview with ABC News last year. “Our products are iPhones and iPads. We treasure your data. We want to help you keep it private and keep it secure. We’re on your side.”
Photo: Apple CEO Tim Cook. Source: REUTERS/Toru Hanai
Theoretically, if Apple were to create some type of tool or key that would provide backdoor access to encrypted iPhone data, employees from Apple would have access to that information as well since they would likely be assisting in the investigation. What’s to prevent an Apple worker from going rogue and possibly leaking iPhone user data, or using the tool for nefarious purposes?
Nunnikhoven pointed to EternalBlue as an example of how a tool built for specific purposes could fall into the wrong hands. EternalBlue was a National Security Agency hacking tool that leaked to the public in 2017 and was linked to the WannaCry ransomware attack that infected computers all over the world during that same year.
Creating the tool in general would also require a significant effort on Apple’s part. It’s not simply about cracking the passcode of the device, but would likely require that a dedicated team at Apple create a piece of software capable of accessing the data stored on the device, says Nunnikhoven. The government, in other words, is asking Apple to enable something that isn’t even possible on iPhones today.
Unlocking these iPhones for the Pensacola investigation would also likely set a precedent for law enforcement agencies to request similar treatment for future cases as well, says Matt Wilson, chief information security advisor at BTB Security.
“It’s just more evidence to prove this isn’t just [cybersecurity experts] saying, ‘I don’t want to think about it,’” said Wilson. “It’s [experts] saying we’ve thought about it very long and very hard, and we don’t see a viable way that addresses all of these issues.”
The post #nationalcybersecuritymonth | Security experts explain why unlocking the Pensacola shooter’s iPhones would unleash a privacy nightmare for iPhone owners appeared first on National Cyber Security.
#nationalcybersecuritymonth | IIT Kanpur and TalentSprint Announce Partnership for Development of Cyber Security Experts to Combat Cyber Threats
- Equip and Enable 1000 Cyber Security Professionals in coming years
- Hybrid Executive Format with Bootcamps at IIT Kanpur and Live Online Sessions
- Advanced Certification Program in Cyber Security and Cyber Defense
The Indian Institute of Technology, Kanpur (IIT Kanpur) has announced an Advanced Certification Program in Cyber Security and Cyber Defense in partnership with TalentSprint. The program is designed for current and aspiring professionals who are keen to explore and exploit the latest trends in cyber security technologies. A combination of deep academic rigor and intense practical approach will allow participants to master in-demand skills and build world class expertise. The first cohort will start in early 2020.
IIT Kanpur, established in 1959, is widely recognized as a global trailblazer in computer science research and education. Most recently, IIT Kanpur has taken the lead in cyber security by setting up the Interdisciplinary Centre for Cyber Security and Cyber Defence of Critical Infrastructures (C3i). The mission of C3i is research, education, and training, and also to spawn startups that create technological safeguards to protect critical national infrastructure. The centre collaborates with other global centres of excellence and is positioned to become a world leader in cyber security.
Speaking on the occasion, Dr. Manindra Agrawal, Program Director and Professor of Computer Science at IIT Kanpur, said: “It is estimated that there will be roughly 200 billion connected devices by 2020. Rapid convergence of Mobility, Internet of Things and Cloud Computing is leading to an explosive increase in security threats and the need for Cyber Defense experts to combat these threats is becoming all the more important. Our program will leverage the deep research capabilities of C3i to arm technology professionals with the right expertise to counter a wide range of emerging threats and vulnerabilities.”
Dr. Santanu Paul, Co-Founder and CEO of TalentSprint, said: “We are delighted to partner with IIT Kanpur on a mission to create Cyber Security experts. The demand for such professionals is outstripping supply. Companies need sophisticated responders to defend against the growing threat of cyberattacks. There is a huge talent crunch and 59% of the companies have vacant positions suggesting a cumulative global shortfall of 1.5 million such professionals.”
According to NASSCOM, India’s cyber security market is projected to grow to $35 billion by 2025. This 6-month Advanced Certification Program in Cyber Security and Cyber Defense will be delivered in an executive-friendly format with immersion bootcamps at the IIT Kanpur campus, complemented by live online interactive sessions via the TalentSprint digital platform. Program participants will also get direct exposure to C3i and its research expertise during their visits to IIT Kanpur. In addition, TalentSprint will curate state-of-the-art capstone projects for program participants, and actively leverage its digital platform for the purpose of accelerated experiential learning.
Technology professionals interested in this program should apply for selection at: https://iitk.talentsprint.com/Cyber Security/
Indian Institute of Technology, Kanpur, is one of the premier institutions set up by the Government of India. Registered in 1959, the institute was assisted by nine leading institutions of U.S.A in the setting up of its academic programs and laboratories during the period 1962-72. With its record of path-breaking innovations and cutting-edge research, the institute is known the world over as a learning centre of repute in engineering, science and several inter-disciplinary areas. In addition to formal undergraduate and postgraduate courses, the institute has been active in research and development in areas of value to both industry and government. For more information, visit www.iitk.ac.in
TalentSprint brings high-end and deep tech education to aspiring and experienced professionals. It partners with world class academic institutions and global corporations to develop and offer disruptive programs. TalentSprint’s hybrid platform delivers unique onsite and online experiences that help build cutting-edge expertise, for today and tomorrow. For more information please visit www.talentsprint.com
Ransomware is one of the easiest cyberattacks to detect because it comes with an actual ransom note. However, 2017 gave way to new propagation mechanisms, which automated worming and increased infection rates.
Employee-facing services and technologies are a top concern to cybersecurity professionals. About 40% of employees use personal devices to send work emails and share or access company data without the IT department’s oversight.
The bring your own device policy is challenging for IT departments to combat. Ultimately, the policy leads to unintended shadow IT, which is often the Achilles heel of solid security practices.
Negligent employee actions can cost a company about $280,000 per incident. If the cost were not enough, companies need to come to terms with the fact that 64% of security breaches are caused by ignorant employee actions.
To help companies better track the most high-risk employees, in terms of their cybersecurity incompetencies, vendors like Microsoft are including simulated ransomware or phishing attacks in their services.
Hackers will always take advantage of human error and poor judgment, so it’s up to security teams to educate line of business employees.
The post Cybersecurity #experts #agree — expect more #ransomware this #year appeared first on National Cyber Security Ventures.
Cyber security #experts discuss #mitigating #threats, say #universities can #play a key #role in #protecting the #country against a #cyber attack
Former U.S. Director of National Intelligence and Navy Vice Adm. Mike McConnell advocated today for stronger protection of digital data transfers and for universities to play a key role in filling cyber security jobs.
McConnell was among the keynote speakers at the 2018 SEC Academic Conference hosted by Auburn University. The conference, which is ongoing through Tuesday, is focused on the topic of “Cyber Security: A Shared Responsibility” and brings together representatives from the SEC’s 14 member universities along with industry experts in the area of cyber security.
McConnell is encouraging the use of ubiquitous encryption as a solution for stronger data protection.
“As we go to the cloud…ubiquitous encryption of some sort would be used so that if anybody accessed that data, you can’t read it. If you’re moving [the data] from point A to point B, it scrambles so you can’t read it,” he said.
McConnell understands that stronger data security can come at a cost for others, including law enforcement who may need to access data within a device during a criminal investigation.
“What I’m arguing is the greater need for the country is a higher level of [data] security. If that’s the greater need, then some things of lesser need have to be sacrificed. So when I say ubiquitous encryption, that’s what I’m attempting to describe. It is protecting the data that is the very lifeblood of the country,” McConnell said.
McConnell also addressed how academia can help in securing the nation from cyber attacks.
“We have about 300,000 job openings across the United States for which there are no cyber security-skilled people to fill those jobs,” he said. “Universities are debating academically ‘What is cyber security?’ and ‘How do you credit the degrees?’ and ‘How do you get consensus on what it is and what it should do?’”
He urged universities to move more quickly on coming to a consensus so they can get certified and accredited to start producing students who can fill those jobs.
Glenn Gaffney, executive vice president at In-Q-Tel, also spoke to the role higher education institutions can play in cyber security during his keynote address at the conference.
“It is at the university level where we don’t have to take a top-down approach,” Gaffney said, adding that universities can work together, through research and student involvement, to create proactive solutions to cyber security. “This is where the next generation of leaders will be developed. It’s here that these dialogues must begin. This is the opportunity.”
Ray Rothrock, CEO and chairman of RedSeal Inc., was the day’s third speaker, presenting on the topic of “Infrastructure: IoT, Enterprise, Cyber Physical.” Rothrock also held a signing for his new book, “Digital Resilience: Is Your Company Ready for the Next Cyber Threat?”
Attendees at the conference are exploring computer and communication technology; the economic and physical systems that are controlled by technology; and the policies and laws that govern and protect information stored, transmitted and processed with technology.
Students at each SEC member university participated in a Cyber Challenge and presented posters displaying their work in the area of cyber security.
Far-reaching #cyber-security #Bill not uncommon in other #countries, say #Singapore experts, #industry players
Singapore is not alone in proposing a far-reaching Bill to beef up cyber security, said experts, even as it wins the support of stakeholders following a recently concluded public consultation on the issue.
Concerns about the Cyber Security Agency (CSA) of Singapore’s far-reaching powers had surfaced during the consultation. Firms must surrender any information requested when CSA investigates a suspected cyber attack, as its proposed Bill would take precedence over bank and privacy rules that prohibit data sharing.
Convinced that Singapore should not have it any other way, lawyer Gilbert Leong, senior partner at Dentons Rodyk & Davidson, said: “The far-reaching Bill is justifiable in the light of the potential damage from state-sponsored cyber espionage.”
CSA’s powers, like those of the police, are calibrated and are strictly meant to keep the lights on for essential services, Mr Leong said.
In announcing on Monday (Nov 13) its decision to keep most of its proposed ideas in the Bill, CSA responded to public feedback received during the consultation, and said the designation of a computer as critical information infrastructure would no longer be an official secret under the Official Secrets Act.
The proposed Bill, to be tabled for debate in Parliament next year, also mandates that owners of critical information infrastructure, such as those in banking, telecom and energy sectors, report security breaches and attacks “within hours”.
Similar mandatory data breach reporting requirements have been in place in the US, Europe, Japan, Australia and South Korea for years.
Mr Shlomo Kramer, founder and chief executive officer of Israeli cyber-security start-up Cato Networks, said Singapore is, in fact, playing “catch-up” with these nations in this respect.
“Such regulation will move the needle in a positive way and make organisations feel accountable,” said Mr Kramer, who also co-founded what was the first firewall solutions provider Check Point in 1993.
He spoke to The Straits Times three weeks ago when he was in Singapore to meet local cyber-services resellers ViewQwest and Quann.
Checks and balances – which are included in the proposed Bill – prevent the abuse of disclosed information, Mr Kramer noted. For instance, CSA officers may be held criminally liable if they are found to have misused the information.
Mr Bryce Boland, chief technology officer for Asia-Pacific at cyber-security firm FireEye, said laws are generally stronger in countries with a high dependence on technology. Thus, the far-reaching aspects of Singapore’s cyber-security Bill could be compared to similar laws in the United States and Britain, said Mr Boland.
Said lawyer Koh Chia Ling from law firm OC Queen Street: “The general global trend is that countries are enacting such laws and Singapore is essentially doing the same.”
Mr Jack Ow, technology partner at law firm RHTLaw Taylor Wessing, said Germany, the Czech Republic and China have similar cyber-security regimes. “The loss or compromise of such computers and computer systems could adversely affect national security or public health, safety and order,” said Mr Ow.
Technology lawyer Bryan Tan of Pinsent Masons MPillay said that debates are ongoing in the United States just like they have taken place in Singapore, arising from an ever-growing tension between security and privacy.
Referring to preserving privacy in the US, he added: “All bets are off when it comes to fighting terror or a national security issue – no one will compromise.”
Owners of critical information infrastructure said the Bill is necessary. They are waiting to work out implementation details with CSA and their sectors’ regulators.
A spokesman for telco Singtel said: “The risk of cyber-security breaches is growing, especially now as Singapore pursues its ambition to become a Smart Nation.”
An M1 spokesman said: “It is important that the powers under the Bill are exercised reasonably.”
Meanwhile, such stringent reporting requirements are not new to the banking sector.
Mr Patrick Chew, OCBC Bank’s head of operational risk management, said: “Under the Technology Risk Management Guidelines introduced in 2013, financial institutions in Singapore are already required to notify our regulator as soon as possible of any critical system failures arising from (technology) and cyber security incidents.”
San Diego cyber security expert Ted Harrington with Independent Security Evaluators invited us to his Downtown office to see how quickly and easily he and his colleagues demonstrate successful hacks of modern medical devices. Medical devices like pacemakers and patient monitors are some of the newest vulnerabilities to cyber attack in the healthcare industry.
The threat hits home. According to the California Life Sciences Association, the state has more medical device jobs than anywhere in the nation, with 74,000 employees. A total of 7,700 of them are based in San Diego.
San Diego is a city that’s no stranger to malicious software or “malware” assaults on the medical sector. Last year, the 306-bed Alvarado Medical Center had its computer system affected by what it called a “malware disruption”. The hospital briefly considered doing an on-camera interview with us about the security changes that have been implemented since the incident, but then it backed out.
The hospital spokesperson cited in part, “A careless slip during an interview can reveal possible [vulnerabilities] in our ‘armor’ that a hacker can take advantage of.”
Also last year, nearby Hollywood Presbyterian Medical Center made headlines when it paid a $17,000 ransom to the hacker who froze its computer system for several days.
“Healthcare is attacked more than any other industry because that’s where the money is,” writes prominent cybersecurity company Sophos in its SophosLabs 2018 Malware Forecast report.
A records check on the U.S. Department of Health and Human Services’ Office of Civil Rights website shows a total of thirteen California healthcare facilities that are currently under investigation for reported hacks.
Now, the threat to patient privacy could be challenged by a threat to patient safety.
Harrington and his team connected my finger to a sensor that was attached to a patient monitor. My healthy vitals were displayed on the patient monitor screen and on the screen representing a nurse’s computer.
In a real-world setting, that nurse’s computer would be in a different room from the patient and his or her monitor. I (10News reporter Jennifer Kastner) was asked to remove my finger from the sensor to make it look like I was flat-lining, but Harrington and his team hacked the nurse’s computer in seconds so that it still showed me as healthy.
He and his team also showed us they could hack a patient’s displayed blood type.
“If the physician thinks the patient is a certain blood type and orders a transfusion of a different blood type, that directly hurts the patient. It would most likely result in a fatality,” says Harrington.
In October, the FBI put out a warning about the growing concern over cyber criminals targeting unsecured “Internet of Things (IoT)” devices, including medical devices like wireless heart monitors and insulin dispensers.
Years ago, it was reported that former Vice President Dick Cheney had his pacemaker altered to prevent an assassination attempt.
“We can’t bury our heads in the sand anymore. These types of medical cybersecurity vulnerabilities are going to become commonplace,” says Dr. Christian Dameff with UC San Diego Emergency Medicine.
Dameff is also a self-described hacker. Despite the FDA’s claim that there aren’t any known cases of patients’ devices getting hacked, Dameff believes attacks have happened and they were likely accidental, but never got reported.
“These devices in our systems are not well equipped to even discover these types of attacks,” he said. “It’s essentially like asking a toaster to figure out if your house has been hacked. They’re just not designed to find out.”
The experts we spoke to want to make it clear that while there’s a threat of cyber attacks on medical devices, the likelihood of it happening to the average patient is low. They urge people to stay mindful of the risks and talk to their healthcare providers about solutions.
University IT teams have differing perspectives from the students they serve on the state of cybersecurity, according to a recently released infographic from CDW-G.
The IT solutions company surveyed 250 higher education IT professionals and 300 students, examining their views of cybersecurity and what students expect from their schools versus what IT professionals are able to deliver. The company released the infographic, “Securing Higher Education — It Takes Two,” at this year’s EDUCAUSE annual conference.
The most surprising statistic, according to Nicci Fagan, director of higher education at CDW-G, was that 91 percent of IT pros who experienced a data breach alerted students — but just 26 percent of students said they were aware of the attack.
Another glaring discrepancy showed that 82 percent of IT pros say they require students to engage in cybersecurity training at least once a year. However, only 35 percent of students said that was required of them.
“You have IT professionals on campus who are communicating this out to students on campus, but it’s not resonating,” Fagan said in an interview with EdScoop. “It comes down to making sure that we’re communicating through multiple channels and getting consistent feedback from the student body.”
Jordan Cohen, a student intern at CDW-G who currently attends Rutgers University, added that students get their news from multiple sources and on several platforms.
“I think there’s a major difference in channels that are being used in sending news, and channels that students are accustomed to receiving news,” Cohen said. “Rutgers does a great job of getting information out, but I think part of it is making sure they’re interacting with students — you’re not just putting it on the university website, you’re taking advantage of social media.”
Fagan said that along with shoring up communications strategies, colleges and universities also need to offer ongoing training for students and educate them about the type of cyberattacks that can occur and what they can do to minimize or prevent them.
“Just like you have students going through orientation every year … it should be part of the university’s communication plan in terms of how they’re addressing cybersecurity for their students and how students are taking accountability for their own cybersecurity,” she said.
Sixty percent of institutions have experienced a data breach in the last year, according to the research, and 29 percent have experienced data loss. The most common breaches were malware attacks, followed by phishing attempts and distributed denial-of-service (DDoS) attacks.
Fagan said IT professionals are trying to combat breaches through network segmentation and advanced threat protection, among other methods.
“Universities are relying on their solution provider to offer outside penetration testing or security assessments,” she said. “They’re getting someone else’s opinion on where they might have vulnerabilities and that can be very helpful to universities as well.”
CDW-G works with about 3,000 higher education institutions across the country, and the company is a frequent presence at EDUCAUSE.
“I think exactly what we’re talking about continues to be the No. 1 issue: information security and helping customers navigate the opportunities that are out there,” Fagan said, echoing what EDUCAUSE leaders also pinpointed as the top issue in higher ed IT today.
Cohen, a history major, said he is involved with cybersecurity efforts at his school and through CDW-G because it has a direct impact on him and his peers.
“What’s really interesting about cybersecurity is it’s really the new frontier,” he said. “We’ve advanced past the Wild West stage and now we’re looking at all the new ways technology affects our lives. It’s important to protect our data, and as more and more data is stored in the cloud, I think students care about that, and, personally, I do as well.”
The post College IT experts and students have opposing views on cybersecurity appeared first on National Cyber Security Ventures.
A successful cyberattack on your enterprise may be imminent, and security experts say many companies aren’t doing enough to protect themselves. Increasingly, risks are coming from within.
Ask a cybersecurity expert or hacker to name the weakest link in any security plan and they will inevitably answer “the people.” Just like everything else, security can’t account for the unpredictability of the human factor. In an enterprise setting, employees will circumvent protocols for the sake of convenience, offer bits of information to strangers because they asked nicely, and generally make a mess of any well-laid enterprise-wide cybersecurity plan.
According to the Cybersecurity Trends 2017 Spotlight Report (PDF), 54% of cybersecurity professionals surveyed anticipate a successful cyberattack on their organization in the next 12 months. Some 40% of those professionals also view the lack of employee awareness as a major obstacle to stronger cybersecurity.
With increases in mobility and the adoption of a BYOD culture in the enterprise, 69% of the surveyed cybersecurity professionals are increasingly concerned about data leakage. Another 64% believe their organizations will have to deal with the download of unsafe applications and the introduction of malware stemming from portable storage devices and the like in the next year.
While workforce mobility and the culture of BYOD certainly produce tremendous benefits for modern enterprises, the technology presents a challenging risk for cybersecurity professionals. The only viable approach to overcoming, or at least mitigating, the human factor is to educate employees and establish a comprehensive policy to govern how personal devices, especially portable storage devices, will be introduced to an enterprise network.
TechRepublic’s premium sister site, Tech Pro Research, offers a ready-made Portable Storage Device Policy to help you regulate and secure usage of portable storage devices to help reduce the risks.