#nationalcybersecuritymonth | Rochdale News | News Headlines | Internet savvy Whitworth girls reach semi-final of national competition
Date published: 05 March 2020
Whitworth Community High School students Grace Campbell-Ousey, Elizabeth Gack and Skye Wilkinson, who got through to the semi-final of the CyberFirst Girls Competition.
Three students from Whitworth Community High School pitted their skills against other schools in the semi-final of a national competition held at PricewaterhouseCoopers’ office in Leeds.
Grace Campbell-Ousey, 12, Skye Wilkinson, 12, and Elizabeth Gack, 12, were selected for the second round of the CyberFirst Girls Competition, set up by GCHQ’s National Cyber Security Centre.
The competition is aimed at promoting the industry as a career option to girls to increase diversity in the workforce.
Skye said: “The top 12 girls were split into groups of three for the first part of the competition which we completed online.
“We had four categories, networking, logic and coding, cryptography and cyber security, and we had a series of tasks at beginner, intermediate and expert levels.
“There was a lot of pressure and we had four hours, with a break for lunch, in which to complete as many tasks as we could.”
Both Grace and Elizabeth said they enjoyed the networking tasks best, though Grace found the cryptography hard. Hints were available for every task, but using one cost points.
Skye said: “My favourite part was speaking to the people who were running the competition and I learnt a lot from what they had to say.”
The competition has clearly inspired Skye and Grace: both have signed up for a development-day workshop at a university in June and are looking at careers in computing.
View full post on National Cyber Security
#cyberfraud | #cybercriminals | FBI Publishes 2019 Internet Crimes Report Causing 3.5 Billion Dollars Loss
As the internet has become an indispensable part of daily life, crime committed over it has grown with it. The FBI’s report for 2019 puts the year’s reported losses at $3.5 billion.
The Federal Bureau of Investigation (FBI) has published its ‘2019 Internet Crime Report’. According to the report, 467,361 complaints were received during the year, with reported losses exceeding $3.5 billion.
Cybercrime increased in 2019
The Internet Crime Complaint Center (IC3), the FBI unit that receives reports of suspected cybercrime, was established in May 2000 and had received a total of 4,883,231 complaints by the end of 2019.
Over the last five years the IC3 received 1.7 million complaints, and annual losses rose from $1.1 billion (2015) to $3.5 billion (2019); in total, cybercrime has cost individuals and businesses in the US more than $10 billion over those five years. 2019 was the worst year on record, both for the number of complaints and for the losses reported by victims. On the other side of the ledger, around $300 million in fraud losses was recovered during the year.
Business email compromise (BEC), fraud carried out through compromised or impersonated company email accounts, accounted for the largest losses: 23,775 complaints in 2019 and more than $1.7 billion lost, making it the costliest category of cybercrime in the report.
“Many organizations have been vulnerable to email attacks because criminals are developing their methods to compromise traditional email,” said Censornet CEO Ed Macnair. In these campaigns the attackers most often target CEOs and staff in finance departments.
Macnair said that cybercriminals trick employees and steal valuable information by using e-mail addresses similar to those of trusted companies. He added that this method is very difficult for traditional defence systems to catch and that companies need to improve their security techniques.
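The lookalike-address trick Macnair describes can be caught before a message reaches the finance team by comparing the sender’s domain against an allow-list of partner domains and folding the usual substitutions first. The script below is an added example, not code from the article or from Censornet; the partner domains, the confusable table and the sample From: headers are constructed for illustration.

```python
import unicodedata
from email.utils import parseaddr

# Constructed allow-list of partner domains the finance team pays invoices to.
TRUSTED_DOMAINS = {"acme-corp.com", "northwind.co.uk", "contoso.com"}

# Confusable sequences folded before comparison (assumption: a short illustrative
# table; production lists such as Unicode's confusables.txt are far longer).
# Multi-character entries come first so "rn" is folded before single characters.
CONFUSABLES = [
    ("rn", "m"), ("vv", "w"),
    ("0", "o"), ("1", "l"),
    ("\u0430", "a"), ("\u0435", "e"), ("\u043e", "o"),   # Cyrillic a, e, o
    ("\u0441", "c"), ("\u0440", "p"), ("\u0131", "i"),   # Cyrillic c, p; dotless i
]


def normalise(domain):
    """Lower-case, NFKC-normalise and fold confusables so that a lookalike
    collapses onto the domain it imitates."""
    d = unicodedata.normalize("NFKC", domain).lower().rstrip(".")
    for bad, good in CONFUSABLES:
        d = d.replace(bad, good)
    return d


def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, transpose."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)   # transposition
    return d[len(a)][len(b)]


def classify_sender(from_header, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Classify the address in a From: header value against the allow-list.
    Returns (verdict, matched_trusted_domain_or_None)."""
    _display, address = parseaddr(from_header)
    if "@" not in address:
        return "unparseable", None
    domain = address.rsplit("@", 1)[1].lower().rstrip(".")
    if domain in trusted:
        return "trusted", domain
    norm = normalise(domain)
    for t in sorted(trusted):
        if domain.endswith("." + t):
            return "trusted-subdomain", t      # e.g. mail.acme-corp.com
        if norm == t:
            return "lookalike-homoglyph", t    # acrne-corp.com, acme-c0rp.com
        if t in norm:
            return "lookalike-embedded", t     # contoso.com.invoice-portal.net
        if edit_distance(norm, t) <= max_distance:
            return "lookalike-typo", t         # nortwind.co.uk, acme-corp.co
    return "unknown", None


if __name__ == "__main__":
    # Constructed sample headers, as a mail gateway might hand them to a triage hook.
    for header in [
        "Jane Doe <jane@acme-corp.com>",
        "Jane Doe <jane@acrne-corp.com>",
        "AP Team <ap@contoso.com.invoice-portal.net>",
        "ap@nortwind.co.uk",
    ]:
        print(f"{header!r:50} -> {classify_sender(header)}")
```

Two limits are worth knowing. The check only sees the domain in the From: header, so a message sent from the exact partner domain is stopped by that partner’s SPF, DKIM and DMARC policy, not by this script. And the confusable folding is deliberately aggressive (a legitimate "modern.example" folds to "modem.example"), so treat the verdict as a triage signal for the finance mailbox rather than a blocking rule.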
The FBI also warned about the scale of ransomware’s impact on businesses and organizations. The December 2019 ransomware attack on the city of New Orleans showed that the FBI’s warnings had not been taken seriously.
Ransomware complaints dipped in 2018 but rose again in 2019 to their highest level since 2016. Reported ransomware losses grew from $2.4 million in 2016 to $8.9 million in 2019.
#cyberfraud | #cybercriminals | 5 bag jail terms for $1.2m internet scams, seized assets to go to FBI
Chukwuma David Chinaka, one of the five persons convicted for cyber scam today. Justice Oluwatoyin Taiwo of the Special Offences Court, Ikeja, Lagos has sentenced five persons, Obaro James Omemi, Ehizojie Slyvanus Omokhuale, Eghosa Atekha Osunde, Chukwuma David Chinaka and Quincy Peter Patrick, to one year […]
As I reported earlier this month, there’s an unpatched zero-day vulnerability in Internet Explorer that is being exploited in targeted attacks. Microsoft still hasn’t issued an official patch for what is technically known as CVE-2020-0674, but did detail what it described as a “workaround” in its […]
End-to-end encryption is a staple of secure messaging apps like WhatsApp and Signal. It ensures that no one—even the app developer—can access your data as it traverses the web. But what if you could bring some version of that protection to increasingly ubiquitous—and notoriously insecure—Internet of Things devices?
The Swiss cryptography firm Teserakt is trying just that. Earlier this month at the Real World Crypto conference in New York it introduced E4, a sort of cryptographic implant that IoT manufacturers can integrate into their servers. Today most IoT data is encrypted at some point as it moves across the web, but it’s challenging to keep that protection consistent for the whole ride. E4 would do most of that work behind the scenes, so that whether companies make home routers, industrial control sensors, or web cams, all the data transmitted between the devices and their manufacturers can be encrypted.
Tech companies already rely on web encryption to keep IoT data secure, so it’s not like your big-name fitness tracker is transmitting your health data with no protection. But E4 aims to provide a more comprehensive, open-source approach that’s tailored to the realities of IoT. Carmakers managing dozens of models and hundreds of thousands of vehicles, or an energy company that takes readings from a massive fleet of smart meters, could have more assurance that full encryption protections really extend to every digital layer that data will cross.
“What we have now is a whole lot of different devices in different industries sending and receiving data,” says Jean-Philippe Aumasson, Teserakt’s CEO. “That data might be software updates, telemetry data, user data, personal data. So it should be protected between the device that produces it and the device that receives it, but technically it’s very hard when you don’t have the tools. So we wanted to build something that was easy for manufacturers to integrate at the software level.”
Being open source is also what gives the Signal Protocol, which underpins Signal and WhatsApp, so much credibility. It means experts can check under the hood for vulnerabilities and flaws. And it enables any developer to adopt the protocol in their product, rather than attempting the fraught and risky task of developing encryption protections from scratch.
Aumasson says that the Signal Protocol itself doesn’t literally translate to IoT, which makes sense. Messaging apps involve remote but still direct, human-to-human interaction, whereas populations of embedded devices send data back to a manufacturer or vice versa. IoT needs a scheme that accounts for these “many-to-one” and “one-to-many” data flows. And end-to-end encryption has different privacy goals when it is applied to IoT versus secure messaging. Encrypted chat apps essentially aim to lock the developer, internet service providers, nation state spies, and any other snoops out. But in the IoT context, manufacturers still have access to their customers’ data; the goal instead is to protect the data from other entities and Teserakt itself.
It also only hardens IoT defenses against a specific type of problem. E4 looks to improve defenses for information in transit and offer protection against data interception and manipulation. But just like encrypted chat services can’t protect your messages if bad actors have access to your smartphone itself, E4 doesn’t protect against a company’s servers being compromised or improve security on IoT devices themselves.
“I think it’s a good idea, but developers would need to keep in mind that it covers only one part of data protection,” says Jatin Kataria, principal scientist at the IoT security firm Red Balloon. “What’s the security architecture of the embedded device itself and the servers that are receiving this data? If those two endpoints are not that secure then end-to-end encryption will only get you so far.”
Teserakt has been consulting with big tech companies in aerospace, healthcare, agriculture, and the automotive and energy sectors to develop E4, and plans to monetize the tool by charging companies to customize implementations for their specific infrastructure. The company has not yet open-sourced full server code for E4 alongside the protocol details and cryptography documentation it released, but says that final step will come as soon as the documentation is complete. Given the glacial pace of investment in IoT security overall, you probably shouldn’t expect E4 to be protecting the whole industry anytime soon, anyway.
The post An Open Source Bid to Encrypt the Internet of Things appeared first on National Cyber Security.
Internet-connected gadgets like lightbulbs and fitness trackers are notorious for poor security. That’s partly because they’re often made cheaply and with haste, which leads to careless mistakes and outsourcing of problematic parts. But it’s also partly due to the lack of computing power in the first […]
The Russian government calls it the “sovereign internet” law and from 1 November it compels the country’s ISPs to forward all data arriving and departing from their networks through special gateway servers.
Promoted since 2018, from the government’s point of view the sovereign internet is a way of protecting the country from the bad stuff the internet – or other countries – might throw at it.
To its critics, Runet, as it’s also known, is a straight power grab by a government obsessed with the idea of control, surveillance and censorship of its population.
If this sounds a bit like China’s infamous Great Firewall, senior Russian politicians downplay the comparison. Said Prime Minister Dmitri Medvedev earlier this year:
Certainly, we won’t have Chinese-style regulations. No firewall will emerge here.
On the contrary, he said, Runet was more about pushing back against the historic regulation of the internet by one country, the US, which had the power to threaten the integrity of Russia’s internet infrastructure.
At face value, it seems the government’s solution in Runet is to build a sort of parallel national internet, which is connected to global networks but can be disconnected from it if the government decides that’s necessary.
It sounds like an intranet of the sort Iran once proposed – a separate network with connections to the outside world – but its design is closer to that of a giant proxy through which traffic can be made to pass some of the time.
The simplest element of this will be deep packet inspection (DPI), a technology already used by ISPs across the world to shape traffic, block unwanted protocols and prioritise specific applications.
But unlike conventional quality of service DPI, this won’t be controlled by ISPs, which will pass traffic to servers in the same racks controlled by communications regulator Roskomnadzor to do Runet’s heavy lifting.
Arguably, this is similar to the Great Firewall because its design sets up government-controlled servers as gateways capable of blocking traffic to applications, websites, and keywords the authorities want to stop citizens from accessing.
DPI has its limits, which is why Runet is trialling a much more radical concept that has some experts scratching their heads – a parallel DNS infrastructure.
DNS is a complex, distributed global address book, listing which IP addresses are associated with which domain names.
Setting up a parallel DNS implies that Russia will somehow mirror or proxy this system, or set up rival root servers, allowing it to filter which domains will be resolved or what they resolve to.
No country has tried this before, and it’s hard to see how it can be done without creating a lot of potential bottlenecks or points of failure.
It looks as if this part of Runet is some way off being operational, which suggests that the technical challenges have yet to be overcome.
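The check a practitioner would want here is a way to see a parallel DNS from the outside: resolve the same name through the ISP’s resolver and through an independent reference resolver, then compare the answers. The script below is an added example, not part of the Naked Security article or any Roskomnadzor design. It builds and parses DNS A-record responses in wire format so that it runs offline; the reference and suspect responses, including the names and addresses, are constructed inline.

```python
import struct


def encode_name(name):
    """Encode "news.example" as DNS labels: \\x04news\\x07example\\x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(txn_id, qname, answers, rcode=0, ttl=300):
    """Build a minimal DNS response to an A query: header, one question and
    one A record per address, each owner name compressed as a pointer to the
    question name (0xC00C). Used here only to construct offline input."""
    flags = 0x8180 | (rcode & 0xF)                  # QR=1, RD=1, RA=1, RCODE
    header = struct.pack("!HHHHHH", txn_id, flags, 1, len(answers), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN
    rrs = b""
    for ip in answers:
        rdata = bytes(int(octet) for octet in ip.split("."))
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return header + question + rrs


def read_name(msg, off):
    """Decode a possibly compressed name at `off`; return (name, offset after it)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                   # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            return ".".join(labels), end
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_a_records(msg):
    """Return (qname, rcode, [A addresses]) from a DNS response message."""
    _txn, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = read_name(msg, 12)
    off += 4                                        # skip QTYPE, QCLASS
    addrs = []
    for _ in range(an):
        _owner, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return qname, flags & 0xF, addrs


def divergence(reference_msg, suspect_msg):
    """Compare a suspect resolver's answer with an independent reference."""
    ref_name, ref_rcode, ref = parse_a_records(reference_msg)
    sus_name, sus_rcode, sus = parse_a_records(suspect_msg)
    if ref_name != sus_name:
        return "mismatched-question"
    if ref_rcode == 0 and sus_rcode == 3:
        return "withheld-nxdomain"                  # reference resolves, suspect says NXDOMAIN
    if ref and not sus:
        return "withheld-empty"                     # NOERROR but no answers: silently dropped
    if not ref and not sus:
        return "consistent"
    if set(ref) & set(sus):
        return "consistent"                         # overlap: same origin, maybe different RR order
    return "redirected"                             # disjoint answers: block page or interception


if __name__ == "__main__":
    # Constructed responses (TEST-NET addresses), as the two resolvers might return them.
    reference = build_response(0x1234, "news.example", ["203.0.113.10", "203.0.113.11"])
    print(divergence(reference, build_response(0x1234, "news.example", ["203.0.113.11"])))
    print(divergence(reference, build_response(0x1234, "news.example", ["198.51.100.1"])))
    print(divergence(reference, build_response(0x1234, "news.example", [], rcode=3)))
```

In practice the two byte strings come from UDP queries to port 53 of the two resolvers (the query is the same header with flags 0x0100 and the same question section, no answers). A "redirected" or "withheld" verdict on a name that an independent resolver answers normally is the signature of resolver-level filtering; CNAME chains and AAAA records are not handled here, and a resolver that answers consistently but logs every query is invisible to this check.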
There is some justification for Russia’s worry about other countries launching cyber-operations against it – a scattering of reports suggest the US is probing Russian infrastructure (including its infamous ‘troll factory’ in St Petersburg) in a way that should give its leaders cause for concern.
And yet to sceptics, the idea of Runet offering the country glorious isolation is a far-fetched fantasy which ignores the realities of how ISPs and the internet works.
Internet traffic isn’t like a pipe that can be turned on and off or diverted at will. It functions as a cooperative system in which Russian ISPs must peer traffic that is heading to other destinations in ways that belie simple concepts of internal and external, good and bad.
The Russian government’s real battle is with a very narrow range of applications such as the messaging app Telegram, VPN providers (many of which were banned in 2017) and overlay privacy systems such as Tor.
If they are the real target, Runet is just another tool in the box. It won’t stop these from working but it might make accessing them less reliable and dissuade some Russians from using them.
The post Russia’s sovereign internet law comes into force – Naked Security appeared first on National Cyber Security.
FIFTY years ago, on the third last day of October 1969, as I was about to leave the hallowed halls of my alma mater St Thomas’ Secondary School forever, a team at the University of California at Los Angeles (UCLA) had just managed to make their computer ‘talk’ to a machine at the Stanford Research Institute, in what is now known as Silicon Valley, the birthplace of the internet.
Prof Leonard Kleinrock, who had led the team, said at its 50th anniversary that the internet is today used by four billion of the world’s 7.7 billion people (as of last month), or 52 per cent: roughly one in every two people on earth.
For usage, it’s northern Europe and north America that lead the world at 90 per cent and 88 per cent market penetration. Middle Africa is placed at the bottom of the list with only 12 per cent total usage; still a respectable figure considering its remoteness and lack of resources.
As of June 2019, among Asian countries, Korea leads with a 95.1 per cent coverage and usage; followed by Japan (93.5), Singapore (84.5), Thailand (82.2), and Malaysia (80.1).
According to the Department of Statistics Malaysia, by the end of this year Malaysia will hit 57 per cent smartphone usage among its population, which means that almost six out of 10 Malaysians use a smartphone to communicate and access the internet.
These statistics are both revealing and frightening at the same time.
What does all this mean?
First of all, according to Kleinrock, “it democratises everyone. As engineers we had totally missed the social networking side of it. We were thinking about people talking to computers or computers talking to computers, not people talking to people”.
That has proven to be their biggest mistake – because the internet has found the perfect formula for a dark side, where there are no set rules and people using it can be as good or as nasty as they want it to be.
In the early days of the lone clever hacker sitting in his dingy little room or basement, a bad seed was planted. There is a dark side to this new and revolutionary technology, which was supposed to be able to help mankind in all kinds of ways.
Among its many lofty ideals – of being able to exchange knowledge and information on anything, from sharing a personal film review to how to perform a highly skilled specialist brain surgery procedure; it has today exploded into an unquantifiable myriad of opportunities far too many to name in a limited column such as this.
There are still mostly good things happening and the world wide web is being used for a million different useful and admirable things. But there is a dark side, which has crept in, and if we are not careful in controlling and limiting its spread, it will in time be able to take over and manipulate everything that’s good and admirable about it thus far.
Kleinrock blamed the creators themselves for not anticipating this phenomenon.
“It had started with businesses hawking things that are outdated or unneeded, violating privacy for profit. Bad actors now include nation states, organised crime and powerful corporations doing big bad things! We were not, in hindsight, the social scientists that we should have been.”
Today, right here, nearer home, in our own little world, we use the internet for so many useful things.
Almost everyone who can log onto a personal computer (PC) at home, or who uses a smartphone or iPad to access the net, has a unique email address and communicates with friends locally and worldwide by email. It would seem that since the explosion of WhatsApp email has been used less, but for all practical purposes it is still the go-to application for both informal and business communication. The beauty of it is that there’s always something in black and white and on record. Emails can be sent at any time of the day or night, and they can be drafted and stored for delivery at any preferred time. WhatsApp somehow still seems too casual and flippant.
In recent times, the beast in the system has reared its ugly head within our country. In the lead-up to and during the political campaigns and many scandals prior to the national general election of 2018, large sums of money were spent (mostly by the then ruling regime) on what were termed ‘cyber-troopers’, whose single-minded duty was to write and spread fake news and rumours running down anyone or anything that tried to topple the regime.
It was fortuitous that the non-government supporters at the time had vastly outnumbered those from the ruling party; and also by that time the mainstream media had lost most of their credibility in running political news.
By then too there was in place a large enough credible group of independent and anti-government media, which was able to counter any and all of such fake news and other similar attacks. This was despite the fact that they were mostly disorganised and had worked independently of each other and were under great persecution by the then government.
It had seemed that justice had won the day on that fateful May 9, 2018 morning.
At the moment these same forces have continued doing their dastardly work – they are now churning out stories and fake news on a regular basis throwing spanners into the works of the current PH government by inventing and spreading hatred, uncertainty, and disunity along the same old themes of religion, race, and anything else that can disunite the supporters of the PH government.
Such fake news and bad intentions have so far been quite successfully countered, but it looks like there’s no end anytime soon.
All of this came about because on that fateful day 50 years ago, someone invented the internet. Today, it has become the main default way for us humans to communicate with each other and I can certainly say that it has done more good than harm. Yet the continuing challenge is for each and every one of us to be wary, careful, and to ensure that we are discerning enough to be able to tell the real from the fake, the honest from the scam, and the good from the bad.
Long live the internet!
The post #deepweb | The internet at 50 – the dark side of the web appeared first on National Cyber Security.
This article first appeared on MyHackerTech.com
This week we had the pleasure of talking to Laurie Mercer, Security Solutions Engineer at vulnerability coordination and bug bounty platform, HackerOne. Security Engineers are tasked with designing and building systems that remain dependable against malicious cyber attacks, vulnerabilities, and even natural disasters.
To be a security engineer you need a mix of knowledge and experience across several areas of IT, including network engineering, system engineering and security architecture, though other areas may come into play as well.
Laurie started his IT career in software development and transitioned into penetration testing as his interest in IT Security strengthened. Today, Laurie’s focus is on responsible disclosure, vulnerability management, and risk reduction. He has worked in several roles including software, security, and education and has a diverse set of professional experiences.
For example, Laurie has worked on government security projects, including projects for the Chinese government, and the British Royal Family. Let us take a look at what Laurie had to say.
How did you get started in the industry?
I’ve been hooked on computers from a young age when I got my very first computer — a blue screen Amstrad!
I spent my teenage years building and breaking Linux boxes and, after reading Computer Science at the University of East Anglia, I began developing software professionally for projects large and small.
At the time I was coding everything from Ruby web apps to real-time communication services in C++ and the STL. This was 3 years after the “Manifesto for Agile Development” was published and engineering practices, while rapidly changing, were still archaic. My first project had as much documentation as code and the system was updated every year, onto physical servers!
My career as an ethical hacker started rather accidentally. I had just returned from a Chinese language course in Kunming, China, when I was approached by a London based boutique consultancy. They were looking for a fast learner with a background in software engineering: if you can learn Chinese in 3 years, then ethical hacking should be a breeze, they said!
I retrained from a builder to a breaker and worked as a pen-tester for several years, alongside visionary researchers like James Forshaw (now at Google’s Project Zero, the first-ever researcher to be awarded a US$100,000 bug bounty), James Kettle (now head of research at PortSwigger) and Black Hat Conference regular, Alex Chapman.
As a “builder turned breaker”, my responsibilities have focused on both testing software and also trying to build security practices into software development teams.
In my current role as a security solutions engineer at HackerOne, I help to run bug bounty programs, coordinating thousands of the world’s best hackers to find vulnerabilities in software developed by companies and open source projects. Rather than having one or two people looking for vulnerabilities once or twice a year, we can leverage thousands of people with diverse skill sets to continuously perform security assessments.
Bug bounty programs have become the number one source of high and critical vulnerabilities, and bounties are being paid out daily — some organizations are offering as much as US$250,000 for a single critical bug.
What do you think are the biggest cybersecurity challenges the world is facing in 2019?
There are many cybersecurity challenges that we will have to overcome this year, and in the years that follow, but I’ve come up with three main areas.
As a user, I’m concerned that we put our trust in so many different systems and services every day, both in our personal and professional lives. These services may be incredibly beneficial to us, but how can we trust that they are safe and secure?
The scalability of security capabilities is a major concern. We live in a world where the number of digital services is increasing at a seemingly exponential rate. We need to design systems that scale appropriately to the number of people that will be using them now, but also 10 years from now.
In order to trust organizations to manage our data responsibly, we need to build frameworks for them to prove they are secure. At present, some companies are more transparent than others. Even when a company shares the information, sometimes it’s hidden layers and layers deep into a website, making it difficult to access. We need to set expectations for security and a process by which organizations can prove they have met these expectations.
How do you see the cybersecurity industry evolving in the next decade?
Hackers are the immune system of the internet. This immune system will grow to a community of millions of hackers, inclusive of security and IT professionals, hobbyist breakers and builders, developers, CISOs, presidents.
As new technology platforms are invented and adopted, new vulnerabilities will be introduced and discovered. Security will foster more collaboration and transparency will breed trust.
What are some simple steps that organizations can take to secure their data?
Have a Vulnerability Disclosure Program. A study recently conducted by the company I work for, HackerOne, found that 94% of the Forbes Global 2000 do not have known vulnerability disclosure policies. This means that there’s no way for good-faith security researchers to report the bugs they find. If more companies implemented a Vulnerability Disclosure Program, the future would be safer for everyone.
Implement continuous security testing. New vulnerabilities are discovered all the time and sometimes things are missed. This is why continuous security testing is a must.
What advice would you give to aspiring ethical hackers and security professionals?
– Go to HackerOne and make a profile!
– Watch the Hacker101 training videos.
– Install Burp: A popular and useful tool for testing web application security.
– Complete the Hacker101 Capture The Flag.
– Report some vulnerabilities!
– Learn to code! There is no point in finding vulnerabilities if we can’t fix them!
Together we can build a safer internet!