Game Week: Panthers Open 2020 Campaign with Austin Peay | #facebookdating | #tinder | #pof | romancescams | #scams

PITT vs. AUSTIN PEAY September 12, 2020 • 4 p.m., ET Heinz Field (68,400/Natural Grass) • Pittsburgh, Pa. ACC Network • Pitt Panthers Radio Network Game Storylines • Pitt opens […]

Shouldn’t your spouse let you know you’re in an open marriage? And more advice from Dear Prudence. | #facebookdating | #tinder | #pof | romancescams | #scams

How open banking can drive innovation and growth in a post-COVID world | #employeefraud | #recruitment | #corporatesecurity | #businesssecurity | #

By Billel Ridelle, CEO at Sweep. Times are pretty tough for businesses right now. For SMBs in particular, a global financial and health crisis of the sort we’re currently witnessing […]

#cybersecurity | hacker | Rogers’ vendor leaves database open

Source: National Cyber Security – Produced By Gregory Evans

A third-party service provider to Rogers Communications left open a database used for marketing purposes, exposing customer PII.

The Canadian telecom provider did not name the firm involved, nor the number of people affected, but reported that the incident was uncovered on Feb. 26, 2020 and involved the service provider leaving a database open to the public for an unspecified amount of time.

The third-party vendor, which handles promotional offer fulfillment for Rogers, exposed customer names, addresses, account numbers, email addresses and telephone numbers. No payment card information nor login credentials were involved.

The data that was exposed can cause a great deal of harm to its owners as cybercriminals can use it to create well-crafted phishing emails from which they may be able to extract even more valuable personal data.


The post #cybersecurity | hacker | Rogers’ vendor leaves database open appeared first on National Cyber Security.


#cybersecurity | #hackerspace | [Webinars] Black Duck on VMware Cloud and open source scans

Learn about the addition of Black Duck to VMware Cloud Marketplace and the benefits and limitations of different types of open source scans. Synopsys Black Duck Is Now on the VMware Cloud Marketplace The use of open source software is free, but that doesn’t mean it […]

An Open Source Bid to Encrypt the Internet of Things


End-to-end encryption is a staple of secure messaging apps like WhatsApp and Signal. It ensures that no one—even the app developer—can access your data as it traverses the web. But what if you could bring some version of that protection to increasingly ubiquitous—and notoriously insecure—Internet of Things devices?

The Swiss cryptography firm Teserakt is trying just that. Earlier this month at the Real World Crypto conference in New York it introduced E4, a sort of cryptographic implant that IoT manufacturers can integrate into their servers. Today most IoT data is encrypted at some point as it moves across the web, but it’s challenging to keep that protection consistent for the whole ride. E4 would do most of that work behind the scenes, so that whether companies make home routers, industrial control sensors, or web cams, all the data transmitted between the devices and their manufacturers can be encrypted.

Tech companies already rely on web encryption to keep IoT data secure, so it’s not like your big-name fitness tracker is transmitting your health data with no protection. But E4 aims to provide a more comprehensive, open-source approach that’s tailored to the realities of IoT. Carmakers managing dozens of models and hundreds of thousands of vehicles, or an energy company that takes readings from a massive fleet of smart meters, could have more assurance that full encryption protections really extend to every digital layer that data will cross.

“What we have now is a whole lot of different devices in different industries sending and receiving data,” says Jean-Philippe Aumasson, Teserakt’s CEO. “That data might be software updates, telemetry data, user data, personal data. So it should be protected between the device that produces it and the device that receives it, but technically it’s very hard when you don’t have the tools. So we wanted to build something that was easy for manufacturers to integrate at the software level.”

Being open source is also what gives the Signal Protocol, which underpins Signal and WhatsApp, so much credibility. It means experts can check under the hood for vulnerabilities and flaws. And it enables any developer to adopt the protocol in their product, rather than attempting the fraught and risky task of developing encryption protections from scratch.

Aumasson says that the Signal Protocol itself doesn’t literally translate to IoT, which makes sense. Messaging apps involve remote but still direct, human-to-human interaction, whereas populations of embedded devices send data back to a manufacturer or vice versa. IoT needs a scheme that accounts for these “many-to-one” and “one-to-many” data flows. And end-to-end encryption has different privacy goals when it is applied to IoT versus secure messaging. Encrypted chat apps essentially aim to lock the developer, internet service providers, nation state spies, and any other snoops out. But in the IoT context, manufacturers still have access to their customers’ data; the goal instead is to protect the data from other entities and Teserakt itself.

It also only hardens IoT defenses against a specific type of problem. E4 looks to improve defenses for information in transit and offer protection against data interception and manipulation. But just like encrypted chat services can’t protect your messages if bad actors have access to your smartphone itself, E4 doesn’t protect against a company’s servers being compromised or improve security on IoT devices themselves.

“I think it’s a good idea, but developers would need to keep in mind that it covers only one part of data protection,” says Jatin Kataria, principal scientist at the IoT security firm Red Balloon. “What’s the security architecture of the embedded device itself and the servers that are receiving this data? If those two endpoints are not that secure then end-to-end encryption will only get you so far.”

Teserakt has been consulting with big tech companies in aerospace, healthcare, agriculture, and the automotive and energy sectors to develop E4, and plans to monetize the tool by charging companies to customize implementations for their specific infrastructure. The company has not yet open-sourced full server code for E4 alongside the protocol details and cryptography documentation it released, but says that final step will come as soon as the documentation is complete. Given the glacial pace of investment in IoT security overall, you probably shouldn’t expect E4 to be protecting the whole industry anytime soon, anyway.


#hacking | National’s road charging proposals “wide open to abuse”

Monday, 16 December 2019, 5:24 pm. Press Release: Dog And Lemon Guide. National’s proposed user-pays scheme for road users will almost inevitably become a state-controlled mass vehicle surveillance system, says the car review website dogandlemon.com. Editor Clive Matthew-Wilson, who was also the former editor of a computer […]

#hacking | Open database leaked 179GB in customer, US government, and military records


An open database exposing records containing the sensitive data of hotel customers as well as US military personnel and officials has been disclosed by researchers. 

On Monday, vpnMentor’s cybersecurity team, led by Noam Rotem and Ran Locar, said the database belonged to Autoclerk, a service owned by Best Western Hotels and Resorts group. 

Autoclerk is a reservations management system used by resorts to manage web bookings, revenue, loyalty programs, guest profiles, and payment processing. 

In a report shared with ZDNet, the researchers said the open Elasticsearch database was discovered through vpnMentor’s web mapping project. It was possible to access the database, given it had no encryption or security barriers whatsoever, and perform searches to examine the records contained within. 

The team says that “thousands” of individuals were impacted, although due to ethical reasons it was not possible to examine every record in the leaking database to come up with a specific number. 

Hundreds of thousands of booking reservations for guests were available to view and data including full names, dates of birth, home addresses, phone numbers, dates and travel costs, some check-in times and room numbers, and masked credit card details were also exposed. 


Data breaches are a common occurrence and can end up compromising information belonging to thousands or millions of us in single cases of a successful cyberattack. 

What is more uncommon, however, is that US government and military figures have also been involved in this security incident. It appears that one of the platforms connected to Autoclerk and exposed in the breach is a contractor of the US government that deals with travel arrangements.

vpnMentor was able to view records relating to the travel arrangements of government and military personnel — both past and future — who are connected to the US government, military, and Department of Homeland Security (DHS).

Within the records, for example, were logs for US Army generals visiting Russia and Israel, among other countries.


Autoclerk facilitates communication between different hospitality platforms, and it appears that a substantial portion of the data originated from external platforms. In total, the database — hosted by AWS — contained over 179GB of data.

At the time of writing it has not been possible to track the overall owner of the database due to the “number of external origin points and sheer size of the data exposed,” the team says.  

The United States Computer Emergency Readiness Team (US-CERT) was informed of the leak on September 13 but did not respond to the researchers’ findings.

vpnMentor then reached out to the US Embassy in Tel Aviv, and seven days later, the team contacted a representative of the Pentagon who promised swift action. Access to the database was revoked on October 2. 


“The greatest risk posed by this leak is to the US government and military,” the team says. “Significant amounts of sensitive employee and military personnel data could now be in the public domain. This gives invaluable insight into the operations and activities of the US government and military personnel. The national security implications for the US government and military are wide-ranging and serious.”

ZDNet has reached out to US-CERT and affected parties and will update when we hear back.


When it comes to #cybersecurity, everyone leaves their #virtual door #open

How many of you have taken the two-factor authentication seriously and enabled it for your gmail account? Or for your social networking sites such as Facebook, Twitter and Instagram? Or for those websites that you have registered to shop online, pay utility bills or even book a cab? If you don’t remember doing it, it’s time to do it now.

According to Google software engineer Grzegorz Milka, less than ten per cent of active gmail users – just one in ten people – have bothered to turn on two-factor authentication. This is a staggeringly low figure when one considers that email accounts are the center of a digital web.

When people forget passwords for third-party services – such as social media, online shopping, and digital payment accounts – it is often their gmail account that serves as the recovery point. The fact that Google rolled out two-step authentication about seven years ago and yet the numbers are so low clearly shows that hardly anyone cares to secure their social media platforms, which introduced this feature much later.

Your data is not just with banks or UIDAI or GSTN. Consumers store personal information on their smartphones, putting themselves at risk in their day-to-day lives, whether knowingly or unknowingly.


The post When it comes to #cybersecurity, everyone leaves their #virtual door #open appeared first on National Cyber Security Ventures.


Mobile #networks #investigate flaw that leaves #4G #customers open to #hacking

Source: National Cyber Security News

Security researchers have discovered a set of severe vulnerabilities in 4G LTE protocol that could be exploited to spy on user phone calls and text messages, send fake emergency alerts, spoof location of the device and even knock devices entirely offline.
A new research paper [PDF] recently published by researchers at Purdue University and the University of Iowa details 10 new cyber attacks against the 4G LTE wireless data communications technology for mobile devices and data terminals.
The attacks exploit design weaknesses in three key protocol procedures of the 4G LTE network known as attach, detach, and paging.

Unlike much previous research, these aren’t just theoretical attacks. The researchers employed a systematic model-based adversarial testing approach, which they called LTEInspector, and were able to test 8 of the 10 attacks in a real testbed using SIM cards from four large US carriers. The ten attacks are:

Authentication Synchronization Failure Attack
Traceability Attack
Numb Attack
Authentication Relay Attack
Detach/Downgrade Attack
Paging Channel Hijacking Attack
Stealthy Kicking-off Attack
Panic Attack
Energy Depletion Attack
Linkability Attack

Among the above-listed attacks, the researchers consider the authentication relay attack particularly worrying, as it lets an attacker connect to a 4G LTE network by impersonating a victim’s phone number without any legitimate credentials.

This attack could not only allow a hacker to compromise the cellular network to read incoming and outgoing messages of the victims but also frame someone else for the crime.
