What does it mean for businesses to “go to the cloud?” While the term “cloud” can be used generically, there are many types of cloud architectures. A key benefit of moving to the cloud is that your data is secured with redundant, diversified servers managed by a third party. With your data managed by a third party vendor, it’s important to understand how and where that data is stored. ForgeRock carefully designs an isolated and secure cloud environment for each customer, while maintaining the benefits of the cloud, like sharing high-level resources to reduce costs for customers.
Secure by Design
To understand the concept of these shared cloud resources, it can be useful to imagine the ForgeRock Identity Cloud as a condominium building, with ForgeRock as the landlord. We are responsible for the general construction and maintenance of the building, as well as for shared infrastructure like common water supply and security. Condominium units within the building can be compared to individual customer environments within the cloud, each isolated and protected with walls, locked doors and windows.
By comparison, other identity cloud architectures and deployments are less like condominium buildings and more comparable to open spaces like high school gymnasiums — more open and malleable. These cloud architectures use virtual machine environments which can be spun up and spun down quickly. Would you feel as secure and safe living in a gymnasium as in your own condo unit?
In either scenario — condo or gymnasium — you could still have a noisy neighbor. The farther you are from your neighbors, the more sound protection you have. In the case of a data leak, being farther from your “noisy neighbors” by being in an isolated cloud environment, offers more data protection.
Is your cloud architecture an open space, or a condo building?
This example is an oversimplification, but it is meant to underscore the steps ForgeRock has taken to ensure there is no shared knowledge among its customers. We call this architecture our “secure multi-tenant environment with full customer isolation.” In the next few sections, we’ll help you understand exactly what that means for you.
It is important to understand exactly what we mean by multi-tenancy. Revisiting the condominium building analogy, the entire building — from the basic condo unit to the luxury penthouse — is built to common standards using the same materials, and is operated consistently. In the same way, a multi-tenant cloud service is built on a common, consistent model to deliver service to its customers. ForgeRock provides high-level resources, like the ForgeRock Identity Platform that is shared across the entire ForgeRock Identity Cloud. All customer environments are built within the cloud from a standard template and hosted using a common technology base. These environments are maintained according to a consistent set of processes. They are continually updated against security vulnerabilities and upgraded with the latest code base.
Another benefit of multi-tenancy is the ability for large customers to self-manage multiple environments with a high-level, real-time overview across multiple data centers. Customers who require multiple geo-specific data centers for compliance reasons find this particularly valuable.
Full Tenant Isolation Explained
Continuing with the condominium metaphor, full tenant isolation can be compared to the individual condo unit itself. The ForgeRock Identity Cloud provides each customer with a distinct, dedicated data environment. All passwords, private keys, and other secrets associated with a customer’s ForgeRock Identity Cloud instance are generated, securely stored, and used solely within the customer environment. There is no shared knowledge between tenants — each tenant environment is self-sufficient and sovereign. Each environment runs a distinct copy of the service code under dedicated identities, with dedicated storage for customer secrets and data that only the customer can access. Additionally, the ForgeRock Identity Cloud enables customers to select their data center location so they can be in compliance with certain regulations. This is unique among identity cloud providers.
In addition to building a secure cloud architecture, ForgeRock also hardens our software by following the latest industry best practices. Our Secure Software Development Lifecycle (SSDLC) maintains high integrity through continuous testing. Our continuous integration and deployment means you will always have the latest version.
That’s the ForgeRock difference.
Learn more here. Or, contact your sales rep today.
*** This is a Security Bloggers Network syndicated blog from Forgerock Blog authored by Robert Vamosi. Read the original post at: https://www.forgerock.com/blog/cloud-series-building-secure-identity-cloud
The post #cybersecurity | #hackerspace | Cloud Series: Building a Secure Identity Cloud appeared first on National Cyber Security.
View full post on National Cyber Security
A trio of Australians has been charged with identity theft that netted AU$11 million (US$7.41m, £5.73m) – ill-gotten loot they allegedly ripped off by hacking into businesses and modifying their payrolls, pension payments (known as superannuation in Australia) and credit card details.
According to ABC News, police arrested the alleged cyber-robber – an unidentified 31-year-old man, formerly of Adelaide – at a library in Sydney’s Green Square earlier this week.
His alleged cyber accomplices were 32-year-old Jason Lees and 28-year-old Emily Walker, both arrested in the Adelaide suburb of Seaton. According to Walker’s Facebook profile, they’re a couple.
New South Wales police reportedly said that the unidentified 31-year-old man allegedly stole more than 80 personal and financial profiles so as to use them in identity fraud in South Australia from early 2019, and then in NSW from August 2019. He faces 24 fraud-related charges in Newtown Local Court. Walker and Lees have been charged with money laundering and deception.
(What’s the difference between lies, deception and fraud, you may well ask if you’re not Australian? Under Australian criminal law, not all lies are deception, and not all deceptions amount to fraud, according to the law firm Sydney Criminal Lawyers. Here’s the law firm’s explanation.)
According to ABC News, the police prosecutor, Senior Sergeant Mike Tolson, told the court that the prosecution anticipates bringing hundreds of additional charges.
The stolen data came from businesses and organizations targeted for their employees’ data, including staff names, addresses and birthdates. The defendants allegedly used the details to set up hundreds of bank accounts into which they then allegedly deposited money.
All of the stolen identity has come from intruding upon businesses.
The defendants allegedly used multiple cryptocurrency accounts to launder more than $18 million, Tolson told the court:
However, one of the wallets that has been identified alone contains more than $18 million in transactions […] and multiple withdrawal accounts.
The prosecutor said that last month, police seized nine computers, their hard drives, and six mobile phones during a raid on the couple’s home. Next week, the court will consider an application for bail.
Investigators called the crimes “sophisticated and complex.” NSW Police Force Cybercrime Squad commander Detective Superintendent Matthew Craft said that it’s a timely reminder to beef up cybersecurity defenses:
Identity information is a valuable commodity on the black market and dark web, and anyone who stores this data needs to ensure it is protected.
Ripped-off payment card details – like these! – do indeed sell like hot cakes on the dark web, where carders snap them up, slap them onto new cards, and go on mad spending sprees on somebody else’s dime.
In December 2019, we also found out exactly how fast those hot cakes get sold: two hours, it turns out. That’s how long it took somebody – or something, if it turns out to have been an automated bot – to find, and use, a credit card posted by a security researcher.
Check your statements
Regularly checking your credit card and other financial statements means you’ll spot fishy charges before they cling to you.
We the consumers aren’t typically held responsible for fraudulent activity – but only when we report bad charges in a timely fashion. Don’t delay, if you don’t want to get stuck paying for somebody else’s baby lions and/or Lamborghinis.
The post Cybercrooks busted for multimillion-dollar identity fraud – Naked Security appeared first on National Cyber Security.
Source: National Cyber Security – Produced By Gregory Evans. Google Cloud Identity is free to some extent, but if interested in the broader features of Google Cloud Identity, it can be quite expensive over time. The post Google Cloud Identity Pricing appeared first on JumpCloud. *** This is a Security Bloggers Network syndicated blog from […]
Source: National Cyber Security – Produced By Gregory Evans. Identity sprawl – too many usernames and too many passwords – has never been as big a concern as it is today: More devices are being brought into the enterprise, more people are working remotely and using their own devices, and more users continue to access […]
Source: National Cyber Security – Produced By Gregory Evans. You only have one “you” that hackers, criminals and scammers would love to steal. We’re talking about identity theft, which is a bigger threat than you’re probably aware of. It’s estimated every two seconds there is another identity theft victim. And this type of theft often […]
#cybersecurity | #hackerspace | Going After the Good Guys: The Government’s Ransomware Identity Crisis
Why fixing that ransomware attack might get you indicted
Note: We’re pleased to publish this article from attorney Ryan Blanch, sharing an expert perspective on some of the legal issues in the cybersecurity industry.
When it comes to ransomware, malware, and hackers, the government is finding it difficult to keep pace with the quickly evolving landscape of cybercrime. And sometimes, the government seems to be going after the good guys instead of the bad guys, as evidenced by the recent CoalFire debacle in which Iowa arrested and charged the same cybersecurity professionals it had contracted to try to breach the state’s security systems.
As a criminal defense attorney, I’ve been involved in myriad cybercrime cases. There were the DDoS attacks on the Church of Scientology, and then the infamous Blackshades malware allegedly used to spy on Miss Teen USA. We defended a sports gambling software company accused of conspiring with the mob abroad, which went to trial and was ultimately dismissed. Later, we handled a cryptocurrency hacking case, an online currency arbitrage platform; and, more recently, the allegedly illegal deployment of scores of Bitcoin ATM machines around high crime neighborhoods – to name a few.
In some cases, it’s at least apparent why prosecutors are focusing on our client. But in other cases, prosecutors are barking up the wrong tree—they’re going after the targets they can find instead of looking for the actual bad guys. After all, career hackers can be nearly impossible to track down and apprehend. In the sports gambling case I handled, my client reported that the New York district attorney’s office wanted to strongarm him into hacking into his clients’ systems to turn over personal data on gamblers and their bookmakers who may be involved in illegal gambling.
One area where prosecutors seem to be struggling to find and prosecute the right parties is with ransomware attacks. If you should fall victim to a ransomware attack, be very careful how you navigate your crisis. And that goes double for those who try to help you. The government may be looking to indict you both. And the penalties are steep.
Let’s hash it out.
How Ransomware Attacks Work: From Attack to Prosecution
Ransomware brings companies to their knees in an instant as it encrypts user data and files irretrievably. In some cases, the only way to resume business as usual is to pay the ransom outright, and most attackers only take cryptocurrency.
Phase 1: The Attack
You show up to work to find a ransom message filling all 100+ displays of your company’s employee workstations. Your CTO and IT administrator are in a panic. Your entire company has been locked out of its servers, computers and files. The company stands to lose hundreds of thousands of dollars each week that this persists. There is a countdown clock on the monitor, and IT cannot find any way to access the system. All you can think is, ‘What would Kiefer Sutherland do?’
Phase 2: The Fallout
It’s day two and the losses have already exceeded $40K. Clients are taking flight as they fear the worst. Employees are asking whether they should come to work, and the IT department is pulling its collective hair out. You wonder what you have them around for if they can’t fix your computer-related problems. Arnie, Head of IT (for now), has resorted to Googling (from his personal cell phone) “ransomware help” to look for outside companies that might be able to lend a hand.
The 5 bitcoin demanded hasn’t yet increased, but it might as well have, because the volatile bitcoin market has already added $5,753 to the price (some companies are starting to keep an emergency bitcoin account to offset the risk of price swings). You are reminded that you have business insurance that may cover this sort of thing. You call your insurer. They do in fact cover ransomware attacks and have a list of “approved providers,” aka cybersecurity firms who can help.
Phase 3: The White Knight Arrives
It looks as though all that panic-driven Googling may have paid off. Arnie has already found a cyber security firm and is on the line with them. As luck would have it, this firm is also on your insurance company’s “approved provider” list. The firm thinks they may be able to resolve the problem remotely. But when asked, they admit that no one can actually decrypt the files. More pointedly, if you were to marshal the combined forces of Homeland Security, the NSA, M.I.T., Kaspersky Labs and Elliot Gunton to the singular purpose of retrieving the electronic files of your trading house and photos of your mini labradoodle wearing a tutu, they would all wind up with zilch. That’s how hard it is to decrypt what’s been properly encrypted.
So how can this cybersecurity firm help? They can pay the ransom, of course.
So then, what good are they? Well, for starters, they have a bitcoin wallet at the ready. You don’t. Secondly, they actually know how to deploy a decryption key. You don’t (and neither does Arnie).
Also, most ransomware, ahem, artists don’t restore your files for you when you pay the ransom. They merely send you a key. Technical support doesn’t exist. It’s do it yourself. And you wouldn’t want your attackers fixing it for you even if
Here is why, in a nutshell, it makes sense to hire the cyber security firm rather than pay the ransom yourself:
- They can pay immediately.
- They may be able to get the attackers to lower the ransom. Probably not enough to decrease your cost, but enough to offset the cost of the firm’s fee.
- You shouldn’t be dealing with your attackers. They may expand the problem to other systems if you let the wrong information
- Once you get the key, if you don’t deploy it correctly you could corrupt your files forever. Some of these keys require several steps to deploy them. And you need to make sure you back up your files first, etc.
- After you get your files back you need to close the proverbial back door. Your attackers could come back if you don’t. The honor of your extortionist ends with the promise to send you the key. It does not include a promise to never return.
- The best firms will issue and update a white paper to make sure that you continue to follow best practices to avoid
- An honest firm will tell you if the strain of your ransomware variant is actually undecryptable. Some variants are old, and the decryption key has already been disseminated publicly. If your firm has the key, they may just deploy it for you at little or no cost.
Phase 4: The White Knight Gets Indicted
All good? Not so fast. Now the cyber security firm’s principals and employees are contacted by the FBI’s Cyber Division. The U.S. Attorney’s Office wants to talk about a turn-in date, and because they know this is a real company with generally law-abiding individuals, they wanted to call and invite them in to “self-surrender” so they can forgo the unpleasantness that comes with a 3 AM home arrest warrant execution.
So your company’s savior is going to need to hire a great criminal defense attorney. It turns out the government doesn’t look kindly on paying ransoms. The reasons themselves are not objectionable:
- The money could go straight to terrorist organizations and other criminal cartels.
- The money is difficult to trace when transferred through bitcoin.
The government also knows that juries don’t like to convict victims for paying their extortionist. It’s like arresting the mother of a kidnapped child for paying the kidnappers their ransom to get her baby back.
It would never fly.
How The Government Views Paying Computer Ransoms
Computer files, lost business revenue and even stolen intimate photos are less sympathetic reasons to sponsor a crime cartel than, say, getting a real live child back. But, just the same, the DOJ doesn’t like to lose. And prosecuting victims is a losing strategy. So, for now, victims can (probably) pay ransoms directly (as ill-advised as that is) to their attackers.
But if you hire an intermediary, that’s where the government is testing a prosecutorial theory. The theory is if they can prosecute the cyber firms who pay the ransoms, then they can get a pelt for what they view as an ugly business. Hey, somebody has to pay. Cybercrime is the new bank robbery and it’s turning into an epidemic. The government’s so-called ransomware “experts” are in the stone ages. But prosecuting cyber security firms makes it look like they are doing something about this epidemic (spoiler alert: they aren’t).
Oddly enough, the FBI has made multiple statements encouraging or allowing companies to pay off ransomware attacks:
Bonavolonta, Assistant Special Agent of the FBI’s Cyber and Counterintelligence Program, said that in most cases, because the FBI can’t help these companies recover files, their agents often end up recommending that they pay the ransom to get their data back.
An official statement from the FBI said they don’t “advocate” paying ransoms, but that the “FBI understands that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers.”
They haven’t yet publicly announced a policy of indicting companies for paying ransoms or started issuing mass indictments. But they are hovering around the periphery, looking for instances where they think they might be able to dirty-up the white knight cyber security firm to make them a public example of the perils of paying ransoms as a business model.
What if they succeed? What does that accomplish? It doesn’t stop the ransomware attacks. It doesn’t stop the victims from paying those ransoms directly. But it takes out the would-be protector in the middle, leaving the victim to their own devices.
Making the Good Guys Prosecutable: Dirtying up the White Knight
If juries don’t like to convict victims, how would they feel about their heroes? As a matter of public policy, do we want to criminally prosecute the saviors of those who have otherwise irretrievably lost their businesses?
The answer is it depends. We should not criminalize the only people that offer any protection whatsoever to the victims of ransomware. They also provide a mechanism for insurance companies to insure the losses of such an attack. The government is putting this in jeopardy (more on this to come). In order to make a white knight prosecutable, the government needs to shift our view of them. The prosecution will want the jury’s perception of the white knight to be that of an opportunistic broker of shattered dreams. Instead of saving their victims from further attack, they provide a surcharge to further exploit them. As ridiculous as this sounds, this is what in fact is being kicked around at DOJ.
The Insurance Companies as Co-Conspirators?
So, if the cybersecurity firm is recommended and, in some instances, paid for by the victim’s insurance company, doesn’t that make said insurance company an accomplice in the conspiracy to pay ransoms to possible crime cartels? After all, the insurance company knows exactly how the cyber security firm addresses the problem – by paying ransoms. So, will the government start prosecuting Allstate for providing ransomware protection to its insureds?
By taking the cyber security firm out of the equation, it would force the insurance company to pay the ransom to the insureds or, even worse, pay it directly to their attackers. Knowing that would result in potential prosecution, they would have to stop insuring businesses and individuals against ransom attacks altogether, compounding the victim’s losses exponentially.
No Good Deed Goes Unpunished
So if the reasons listed above are all valid reasons why you SHOULD hire a cyber security firm in a ransomware attack, and if billion dollar insurance companies are recommending that their insureds hire these companies (knowing full well that those companies will pay the ransoms), then how in the world can the government look to criminally charge these very same companies for doing what it has failed to do – rescue victims of ransomware?
For now, the government is limiting its prosecutorial powers to low hanging fruit, looking at smaller cyber security outfits that they believe make easy targets to test-flex their muscles. They have yet to rope in the insurance companies who refer them business. And their internal (and informal) policy of the moment seems to militate against charging ransomware victims who pay ransoms. But it’s ‘victim beware’ when it comes to paying ransoms. You don’t know where the money is going—and the U.S. Treasury’s Office of Foreign Assets Control (OFAC) maintains a nearly incomprehensible and ever changing list of thousands of countries, individuals and entities to whom it’s a crime to send funds.
The takeaway: If you fall victim to ransomware, hire a cyber security firm to handle it. If you are such a firm, proceed with caution and consult with legal counsel about best practices.
*** This is a Security Bloggers Network syndicated blog from Hashed Out by The SSL Store authored by Ryan Blanch. Read the original post at: https://www.thesslstore.com/blog/going-after-the-good-guys-the-governments-ransomware-identity-crisis/
#deepweb | In new world of data breaches and dark web deals, identity theft goes mainstream: JPSO | Crime/Police
Source: National Cyber Security – Produced By Gregory Evans. Identity theft used to be a more complicated, hands-on racket that included mail theft, dumpster diving, scam telephone calls and emailed offers. But hackers, aided by improvements in computer technology and internet accessibility, have introduced an illicit efficiency to the crime, stealing the personal information of […]
Security Summit partners including the Internal Revenue Service (IRS), the US tax industry, and several state tax agencies published security guidance and updated content to highlight identity theft precautions to be taken during the incoming holiday shopping season.
Individual and business taxpayers, as well as tax professionals, are advised to boost their security defenses against potential identity theft attempts that will soon surface during the holidays.
“While people are shopping online, identity thieves are trying to shoplift their sensitive information. As the holiday season and tax season approach, everyone should remember to take basic steps to protect themselves,” IRS Commissioner Chuck Rettig said.
“The Security Summit has made progress in fighting back against tax-related identity theft, but we need people to watch out for common scams that can put their financial and tax data at risk.”
Identity theft safeguards and protection measures
The US tax collection agency provides businesses with an updated ‘Security Awareness For Taxpayers’ PDF document during this month’s National Tax Security Awareness Week, ready to share with employees, clients, and customers.
The Security Summit members also recommend taking the following measures to protect personal and financial information online:
• Use security software for computers and mobile phones – and keep it updated.
• Protect personal information; don’t hand it out to just anyone.
• Use strong and unique passwords for all accounts.
• Use two-factor authentication whenever possible.
• Shop only on secure websites; look for the “https” in web addresses; avoid shopping on unsecured and public WiFi in places like shopping malls.
• Routinely back up files on computers and mobile phones.
As part of the Tax Security Awareness Week, the IRS will also provide basic steps for easily recognizing email and phone scams, detecting identity theft attempts, and creating strong passwords for online accounts.
Videos with Easy Steps to Protect Your Computer and Phone and on how to Avoid Phishing Emails are also provided by the IRS and its Summit partners with additional information for taxpayers on how to augment their security.
Security plans and malware warnings
In July, the IRS issued a joint news release with the Security Summit partners to remind professional tax preparers of their obligation to have a data security plan in place with appropriate safeguards to protect sensitive taxpayer information from data theft attacks.
The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) also provides a Safeguarding Your Data Security Tip issued through the National Cyber Awareness System.
One month later, an IRS warning alerted taxpayers and tax professionals of an active IRS impersonation scam campaign that used spam emails to deliver malicious payloads.
The security guidance the IRS will share during the National Tax Security Awareness Week is designed to help both taxpayers and tax pros to defend against attacks such as those that are targeting the tax season with realistic phishing emails bundling malicious attachments.
Attackers are also known to use phone scams, as observed in 2016 when they posed as IRS representatives and asked their targets to settle outstanding debts of thousands of dollars via gift card payments.
The post #nationalcybersecuritymonth | IRS Publishes Guidance to Help Taxpayers Fight Identity Theft appeared first on National Cyber Security.
#cybersecurity | #infosec | How Facebook helps an abusive ex-partner find out your new identity, even after they’ve been blocked
Source: National Cyber Security – Produced By Gregory Evans. Imagine the scenario. You’re a woman in an abusive relationship with a man. Things have turned violent. You leave the man, block his account on Facebook, and maybe even change your name legally as you want to start afresh. You update your Facebook profile to reflect […]
Clarksville, TN – Clarksville Police are trying to identify a woman who withdrew over $8,000 from a bank account which did not belong to her.
On January 5th, 2018, a woman identifying herself as Brenda Molinet entered a Clarksville bank and requested bank statements for her accounts. The teller requested an ID and was provided a Florida driver’s license with the name and driver’s license number specified on the bank accounts.
The woman claimed to be in town for a funeral. She then withdrew over $8,000 from “her” bank accounts.
On January 8th, 2018, the Clarksville bank received a notification from a Miami-Dade bank branch, that a Brenda Molinet was in their branch disputing the withdrawal on her account.
Anyone with information can contact Detective Jobe, 931.648.0656, ext. 5269, TIPSLINE, 931.645.8477, or go online and submit a tip anonymously at P3tips.com/591
The post Clarksville #Police are #searching for #Identity Thief appeared first on National Cyber Security.