Protecting Real Estate for Data Privacy Day — RISMedia

Source: National Cyber Security – Produced By Gregory Evans

Jan. 28 is Data Privacy Day, as set by the National Cyber Security Alliance’s (NCSA) Data Privacy Day campaign. The NCSA provides various resources on its website, including instructions on how businesses can protect themselves, detect fraud, respond quickly and recover if they have fallen victim.

How do these translate into real estate best practices?

Protect
The NCSA recommends that businesses keep software current, ensure updates are set to automatically install, implement stronger authentication processes, back up all information either in the cloud or on a hard drive, limit access to sensitive data and stay vigilant.

For real estate agents and brokers, that means keeping vulnerable data, such as transaction paperwork with client signatures, protected by double verification, as well as backed up to a secure location. Platforms such as DocuSign and ShelterZoom are helping to make transactions more secure in real estate by using technology such as encryption and blockchain.

According to Chen Konfino, chief executive of Younity, an app that allows users to remotely access their digital files from their computers using their mobile devices, who was interviewed by the New York Times, individuals can also protect themselves by using a VPN (virtual private network) on their device, which will encrypt their traffic and block emails from being intercepted.

Detect
Knowing what to look for is the first step. According to the NCSA, businesses should pay attention to any unusual requests, especially through email, that direct them to click unknown links or open suspect attachments. Brokerages can reduce the chance of fraud by implementing office-wide training sessions that teach agents how to detect scams, proceed safely and safeguard their information.

Respond
If an individual suspects fraud, what is the appropriate course of action? The NCSA recommends that they disconnect any computers that may have been compromised and bring in an IT team to take a look. Additionally, if widespread and severe enough, they should also contact law enforcement and retain legal counsel.

Due to the nature of real estate, in which brokerages can have hundreds of agents across multiple offices, any individuals who suspect fraud should immediately notify their broker so they can ensure the breach is not extensive.

Scams to Look Out For
According to the New York Times, the FBI has reported 3,766 instances of real estate scams between October 2014 and October 2019, with losses reaching nearly $339 million.

The best way to protect data? Know what the scams are. In 2019, several REALTORS® reported receiving texts and phone calls from 800-874-6500—the toll-free number for the National Association of REALTORS® (NAR). However, NAR reported it was not making these calls and they were fraudulent.

Scams happen often on the consumer side, as well. REALTORS® should educate their clients about the most common types of fraud they may encounter, which can include:

  • Wire transfer requests via email – All requests should be confirmed by the agent or attorney, in person or by phone.
  • Illegitimate rental or for-sale listings for which the “landlord” or “seller” requests payment upfront, such as a security deposit or down payment. These fraudsters often claim to require these deposits in advance and then disappear with the money.
  • Emails asking for sensitive information – Consumers should look for warning signs such as grammar and spelling errors, suspicious email addresses and phone numbers or addresses in their signature that cannot be verified.

Several organizations are taking the lead on fraud prevention in real estate. For example, Title Resource Group (TRG) recently launched a campaign, in the form of a game, to help educate agents and consumers about fraud.

NAR provides a Data Security and Privacy Toolkit to help educate industry professionals about how to protect their data and comply with legal requirements. The toolkit includes state law information and any pending federal regulations on the subject of data security, as well as checklists for implementing a data security program.

Brokers and agents, share your experiences with us and let us know what you are doing to protect your data.

Liz Dominguez is RISMedia’s senior editor. Email her your real estate news ideas at ldominguez@rismedia.com.


Protecting Websites from Magecart and Other In-Browser Threats

The Rise of Third-Party Scripts

Modern web applications have become increasingly reliant on external code, services and vendors that execute JavaScript code in the browser… often referred to as third-party scripts. As a close-to-home example shown below, Akamai executes dozens of scripts to populate our home page.  Nearly 70% of these scripts come from outside sources.

Partial Request Map View of www.Akamai.com 

Source: https://requestmap.herokuapp.com/render/200107_S4_75af286693538a095b33ac5e4740b0b8/

We, like almost all other internet-based businesses, use third-party scripts because they enhance the web experience, are easy to add and modify, promote a consistent web experience and are pre-integrated and maintained by the third parties.  In fact, web sites today average 56% third-party scripts (Akamai has 68% third-party).

Source: Security and Frontend Performance, Challenge of Today: Rise of Third Parties, Akamai Technologies and O’Reilly Media, 2017

The Security Challenge

Magecart, a class of credit card hacker groups using new and more sophisticated attack methods, has become the “poster child” of third-party script attacks.

Because third-party scripts come from a myriad of trusted and untrusted sources in a business’s supply chain, the attack surface for web-facing applications has become significantly larger and harder to protect.  Sites that use credit card processing are at constant risk – in fact out of the tens of thousands of sites hit with Magecart in the last few years, 1 in 5 victims are re-infected, often within months of the last attack.

Source: Sanguine Security, 2018. https://sansec.io/labs/2018/11/12/merchants-struggle-with-magecart-reinfections/

Unfortunately, most application protection solutions today have tried to retrofit existing techniques, using firewall and policy controls, to prevent third-party script threats. When rigorously applied, this approach can restrict open business practices and the advantages of third-party scripts. And when applied too loosely, it can miss a lot of attacks.

The primary way security teams keep their scripts clean is via constant script review and testing… which is really hard.

Because this constant, time-consuming and largely invisible work of detecting and mitigating third-party script attacks is so hard for security teams, it often isn’t done, which makes injecting malicious code into web pages via third-party JavaScript one of the most popular attack methods for credit card and credential skimming today. In 2019, an average of 4800 websites were compromised from third-party injected code every month, a 78% increase over 2018.

Source: Symantec 2019 Internet Security Threat Report
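
The script review described above can be partly automated. The following is an added example, not code from the original post or from Akamai: it inventories a page's external scripts, measures the third-party share, and flags scripts that are new or changed since they were last reviewed. All origins, script bodies and function names are constructed for the illustration.

```javascript
const crypto = require('node:crypto');

const sha256 = (text) => crypto.createHash('sha256').update(text, 'utf8').digest('base64');

// Pull external <script src=...> tags out of the markup. A regex is enough for
// this constructed page; production tooling should use a real HTML parser and
// also account for scripts that other scripts load at runtime.
function extractScripts(html) {
  const found = [];
  for (const [, attrs] of html.matchAll(/<script\b([^>]*)>/gi)) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(attrs);
    if (!src) continue; // inline script: out of scope for this example
    const integrity = /\bintegrity\s*=\s*["']([^"']+)["']/i.exec(attrs);
    found.push({ src: src[1], integrity: integrity ? integrity[1] : null });
  }
  return found;
}

// baseline: URL -> digest recorded at the last review.
// served:   URL -> body as delivered now (stands in for fetching each script).
function auditScripts(html, pageOrigin, baseline, served) {
  const origin = new URL(pageOrigin).origin;
  const scripts = extractScripts(html).map(({ src, integrity }) => {
    const url = new URL(src, pageOrigin);
    const body = served.get(url.href);
    const reviewed = baseline.get(url.href);
    let status = 'reviewed';
    if (reviewed === undefined) status = 'new';
    else if (body === undefined) status = 'unfetched';
    else if (sha256(body) !== reviewed) status = 'modified';
    const thirdParty = url.origin !== origin;
    // Without Subresource Integrity the browser runs whatever the third party serves.
    return { url: url.href, thirdParty, status, missingSri: thirdParty && !integrity };
  });
  const third = scripts.filter((s) => s.thirdParty).length;
  return {
    scripts,
    thirdPartyShare: scripts.length ? third / scripts.length : 0,
    needsReview: scripts.filter((s) => s.status !== 'reviewed').map((s) => s.url),
  };
}

// Constructed sample data: script bodies as they were when last reviewed...
const PAGE_ORIGIN = 'https://shop.example';
const REVIEWED = new Map([
  ['https://shop.example/static/app.js', 'initCheckout();'],
  ['https://cdn.analytics.example/tag.js', 'track("pageview");'],
  ['https://widgets.chat.example/loader.js', 'loadChat();'],
]);
const BASELINE = new Map([...REVIEWED].map(([url, body]) => [url, sha256(body)]));
// ...and as served today: loader.js has changed, pixel.js was never reviewed.
const SERVED = new Map([...REVIEWED,
  ['https://widgets.chat.example/loader.js', 'loadChat(); /* changed since review */'],
  ['https://ads.partner.example/pixel.js', 'firePixel();'],
]);
const PAGE_HTML = `
<script src="/static/app.js"></script>
<script src="https://cdn.analytics.example/tag.js"
        integrity="sha256-${BASELINE.get('https://cdn.analytics.example/tag.js')}"
        crossorigin="anonymous"></script>
<script src="https://widgets.chat.example/loader.js"></script>
<script src="https://ads.partner.example/pixel.js" async></script>
<script>window.inlineConfig = {};</script>`;

const report = auditScripts(PAGE_HTML, PAGE_ORIGIN, BASELINE, SERVED);
console.log(JSON.stringify(report, null, 2));
```

A static inventory like this only sees scripts referenced in the markup; scripts pulled in at runtime by other scripts need in-browser monitoring of the kind the post goes on to describe.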

Akamai Page Integrity Manager

Page Integrity Manager is designed to discover and assess the risk of new or modified JavaScript, control third-party access to sensitive forms, and enable automated mitigation. The solution fully monitors the behavior of each JavaScript workload in the session through a series of detection layers, using machine learning models, heuristics, signatures and a risk score model. This advanced approach identifies suspicious and malicious behavior, enables automated mitigation using policy-based controls, and blocks bad actors using Akamai threat intelligence to improve accuracy.

[Figure: Prevented Threats]

Capabilities

  • Behavioral detection technology constantly analyses the behavior of script execution in real-user sessions to identify suspicious or outright malicious behavior and notify security teams with timely and actionable insights.
  • Outgoing network monitoring and script intelligence: monitor network requests and know what real users are downloading and executing when they interact with your brand, to detect potential malicious threats.
  • CVE detection: continuously check all web resources seen in the web application against the open Common Vulnerabilities and Exposures database to identify existing known vulnerabilities in runtime JavaScript code.
  • Edge injection for rapid enablement: Page Integrity Manager is injected at the CDN level, easy to deploy, no code needed.
  • Policy management: control your runtime JavaScript execution by optionally crafting policies that monitor and/or restrict access to cookies, network destinations, local storage, sensitive data inputs, or DOM events per originating domain.

Akamai will be launching Page Integrity Manager in 2020.

We are inviting customers to participate in a valuable beta project with a working product to help you be protected from malicious scripts.

To learn more, download our Beta Product Brief.

Join our beta program today by contacting your Akamai sales team.

*** This is a Security Bloggers Network syndicated blog from The Akamai Blog authored by Mike Kane. Read the original post at: http://feedproxy.google.com/~r/TheAkamaiBlog/~3/-QH1Nxqx7Mc/protecting-websites-from-magecart-and-other-in-browser-threats.html


5 Tips for Protecting Your Tax Refund from Fraudsters

By South Carolina Treasurer Curtis Loftis

Benjamin Franklin once said, “Nothing is certain except death and taxes.” But just as you can count on tax time happening each year, you can be certain there will be scammers trying to steal your personal information and tax refund.

This week, January 27 – January 31, is Tax Identity Theft Awareness Week. Tax identity theft happens when someone steals your Social Security number (SSN) or other personal information to file a phony tax return and receive a refund. As an advocate for the taxpayers of South Carolina, I wanted to bring attention to this year’s observance and offer resources to help you learn more about spotting potential scams and fighting imposters’ attempts to steal your information.

Our state was recently ranked at number five in a list by WalletHub for States With the Most Identity Theft and Fraud, highlighting the importance of taking the extra steps necessary to protect yourself and your information. To curb the threat of tax-related identity theft this filing season – and year-round – keep in mind the following tips:

#1. File your tax return early.

Oftentimes, people do not know they’re victims of tax identity theft until their return is rejected as a duplicate filing or the Internal Revenue Service (IRS) notifies them via mail of suspicious activity. Filing early helps limit this risk, as it gives scammers a shorter timeframe to file a fraudulent return using your information. By filing your legitimate return early, identity thieves won’t be able to try and steal your refund later. Find information about filing options at dor.sc.gov/iit-filing.

#2. Choose your tax preparer wisely.

Most tax return preparers provide outstanding and professional tax service. However, each year, some taxpayers are hurt financially because they choose the wrong tax return preparer. If you plan to pay someone to help prepare your taxes, do diligent research in advance and choose wisely, as you’ll be sharing with them your most personal information, including details about your marriage, income, children, social security number and overall financial picture.

#3. Know the signs of an IRS imposter.

Scams take many shapes and forms, which is why it’s important to know the signs of a legitimate IRS communication and the signs of a scam. For example, there’s a common phone scam where IRS impersonators call taxpayers, saying they owe money and must pay right away. However, the real IRS does not initiate contact via phone and will never call you demanding money. By familiarizing yourself with common IRS imposter scams, you’ll empower yourself with the knowledge to thwart fraudsters’ attempts at identity theft. You can find information about recent and prevalent tax scams on the IRS website.

#4. Protect your personal information.

You can only control what happens to your personal information as long as it’s in your possession. Be diligent in storing documents that contain sensitive financial information in a secured location. Once you no longer need them, shred them. Use the IRS publication Security Awareness for Taxpayers as a reference for additional steps you can take to protect yourself from identity thieves.

#5. Ensure your computer is protected.

The South Carolina Department of Revenue (SCDOR) recommends filing online using a reputable provider – it’s fast, accurate, and secure. But you still need to be proactive about protecting your information by ensuring your computer is protected. When dealing with financial or sensitive information, only use secure, protected Wi-Fi networks – never public Wi-Fi networks – and only give personal information over encrypted websites, which you can identify by the “https” web address prefix. Utilize the SCDOR Cyber Security Awareness resource center, which offers pertinent information about protecting yourself online.

Curtis Loftis is the South Carolina State Treasurer. As Treasurer, he is the state’s “private banker,” managing, investing and retaining custody of nearly $50 billion in public funds.

If you believe your information has been compromised, you can contact the IRS Identity Protection Specialized Unit at 1-800-908-4490, or visit IdentityTheft.gov.

The South Carolina Department of Revenue (SCDOR) is the state agency responsible for the administration and regulation of tax laws in South Carolina. If you suspect or know of an individual or company that has committed tax fraud in South Carolina, or if you think you may be a victim of identity theft that has led or could lead to tax fraud, you can file a report with the SCDOR at dor.sc.gov/report-tax-fraud. For information and helpful resources about Income Tax in South Carolina, visit dor.sc.gov/iit.


Protecting programmatic access to user data with Binary Authorization for Borg

Binary Authorization for Borg, or BAB, is an internal deploy-time enforcement check that reduces insider risk by ensuring that production software and configuration deployed at Google is properly reviewed and authorized, especially when that code has the ability to access user data. BAB ensures that code and configuration deployments meet certain standards prior to being deployed. BAB includes both a deploy-time enforcement service to prevent unauthorized jobs from starting, and an audit trail of the code and configuration used in BAB-enabled jobs.

BAB ensures that Google’s official software supply chain process is followed. First, a code change is reviewed and approved before being checked into Google’s central source code repository. Next, the code is verifiably built and packaged using Google’s central build system. This is done by creating the build in a secure sandbox and recording the package’s origin in metadata for verification purposes. Finally, the job is deployed to Borg, with a job-specific identity. BAB rejects any package that lacks proper metadata, that did not follow the proper supply chain process, or that otherwise does not match the identity’s predefined policy.

BAB can be used for many kinds of deploy-time security checks. Some examples include:

  • Is the binary built from checked in code?
  • Is the binary built verifiably?
  • Is the binary built from tested code?
  • Is the binary built from code intended to be used in the deployment?

After deployment, a job is continuously verified for its lifetime, to check that jobs that were started (and any that may still be running) conform to updates to their policies.
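
The deploy-time checks listed above, and the continuous re-verification that follows deployment, can be sketched as code. This is an added example and not Google's implementation: the provenance fields, policy shape, key handling and all sample values are assumptions made for the illustration.

```javascript
const crypto = require('node:crypto');

const sha256hex = (buf) => crypto.createHash('sha256').update(buf).digest('hex');
// Fixed field order so the signer and the verifier hash identical bytes.
const canonical = (p) => Buffer.from(JSON.stringify(
  [p.packageDigest, p.sourceCommit, p.submittedAfterReview, p.testsPassed, p.buildTarget]));

// Build-system side: record the package's origin in metadata and sign it.
function buildAndSign(packageBytes, facts, builderPrivateKey) {
  const provenance = { packageDigest: sha256hex(packageBytes), ...facts };
  return { provenance, signature: crypto.sign(null, canonical(provenance), builderPrivateKey) };
}

// Deploy-time side: one reason per failed check; an empty list means admit.
function admit(job, policy, trustedBuilderKey) {
  const { provenance: p, signature } = job.metadata || {};
  if (!p || !signature) return { allowed: false, reasons: ['package lacks provenance metadata'] };
  const reasons = [];
  if (!crypto.verify(null, canonical(p), trustedBuilderKey, signature))
    reasons.push('not built verifiably: provenance not signed by the trusted build system');
  if (p.packageDigest !== sha256hex(job.packageBytes))
    reasons.push('not built verifiably: package differs from the one that was built');
  if (policy.requireCheckedIn && !p.submittedAfterReview)
    reasons.push('not built from checked-in, reviewed code');
  if (policy.requireTested && !p.testsPassed)
    reasons.push('not built from tested code');
  if (!policy.allowedTargets.includes(p.buildTarget))
    reasons.push(`build target ${p.buildTarget} is not intended for identity ${job.identity}`);
  return { allowed: reasons.length === 0, reasons };
}

// Continuous verification: re-run the check over running jobs after a policy update.
function reverify(runningJobs, policy, trustedBuilderKey) {
  return Object.entries(runningJobs)
    .filter(([, job]) => !admit(job, policy, trustedBuilderKey).allowed)
    .map(([name]) => name);
}

// Constructed sample data: keys, package bytes, targets and identities are made up.
const builder = crypto.generateKeyPairSync('ed25519'); // the central build system
const laptop = crypto.generateKeyPairSync('ed25519');  // a key the deploy check does not trust
const POLICY = { requireCheckedIn: true, requireTested: true, allowedTargets: ['frontend-server'] };
const pkg = Buffer.from('constructed frontend package');
const facts = {
  sourceCommit: 'constructed-commit-1',
  submittedAfterReview: true,
  testsPassed: true,
  buildTarget: 'frontend-server',
};

function sampleJobs() {
  const job = (metadata, packageBytes = pkg) => ({ identity: 'frontend-prod', packageBytes, metadata });
  const good = buildAndSign(pkg, facts, builder.privateKey);
  return {
    good: job(good),
    swapped: job(good, Buffer.from('package patched after the build')),
    localBuild: job(buildAndSign(pkg, facts, laptop.privateKey)),
    otherTool: job(buildAndSign(pkg, { ...facts, buildTarget: 'debug-dump-tool' }, builder.privateKey)),
    untested: job(buildAndSign(pkg, { ...facts, testsPassed: false }, builder.privateKey)),
    bare: job(undefined),
  };
}

for (const [name, j] of Object.entries(sampleJobs())) {
  const verdict = admit(j, POLICY, builder.publicKey);
  console.log(name, verdict.allowed ? 'ADMIT' : `REJECT: ${verdict.reasons.join('; ')}`);
}
```

Each rejected sample job fails exactly one check, which makes it easy to see which question from the list above it corresponds to.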

Binary Authorization for Borg provides other security benefits

Though the primary purpose of BAB is to limit the ability of a potentially malicious insider to run an unauthorized job that could access user data, BAB has other security benefits. BAB provides robust code identity for jobs in Google’s infrastructure, tying a job’s identity to specific code, and ensuring that only the specified code can be used to exercise the job identity’s privileges. This allows for a transition from a job identity—trusting an identity and any of its privileged human users transitively—to a code identity—trusting a specific piece of reviewed code to have specific semantics and which cannot be modified without an approval process.

BAB also dictates a common language for data protection, so that multiple teams can understand and meet the same requirements. Certain processes, such as those for financial reporting, need to meet certain change management requirements for compliance purposes. Using BAB, these checks can be automated, saving time and increasing the scope of coverage.

Binary Authorization for Borg is part of the BeyondProd model

BAB is one of several technologies used at Google to mitigate insider risk, and one piece of how we secure containers and microservices in production. By using containerized systems and verifying their BAB requirements prior to deployment, our systems are easier to debug, more reliable, and have a clearer change management process. More details on how Google has adopted a cloud-native security model are available in another whitepaper we are releasing today, “BeyondProd: A new approach to cloud-native security.”
In summary, implementing BAB, a deploy-time enforcement check, as part of Google’s containerized infrastructure and continuous integration and deployment (CI/CD) process has enabled us to verify that the code and configuration we deploy meet certain standards for security. Adopting BAB has allowed Google to reduce insider risk, prevent possible attacks, and also support the uniformity of our production systems. For more information about BAB, read our whitepaper, “Binary Authorization for Borg: how Google verifies code provenance and implements code identity.”

Additional contributors to this whitepaper include Kevin Chen, Software Engineer; Tim Dierks, Engineering Director; Maya Kaczorowski, Product Manager; Gary O’Connor, Technical Writing; Umesh Shankar, Principal Engineer; Adam Stubblefield, Distinguished Engineer; and Wilfried Teiken, Software Engineer; with special recognition to the entire Binary Authorization for Borg team for their ideation, engineering, and leadership


Cyber security experts discuss mitigating threats, say universities can play a key role in protecting the country against a cyber attack

Former U.S. Director of National Intelligence and Navy Vice Adm. Mike McConnell advocated today for stronger protection of digital data transfers and for universities to play a key role in filling cyber security jobs.

McConnell was among the keynote speakers at the 2018 SEC Academic Conference hosted by Auburn University. The conference, which is ongoing through Tuesday, is focused on the topic of “Cyber Security: A Shared Responsibility” and brings together representatives from the SEC’s 14 member universities along with industry experts in the area of cyber security.

McConnell is encouraging the use of ubiquitous encryption as a solution for stronger data protection.

“As we go to the cloud…ubiquitous encryption of some sort would be used so that if anybody accessed that data, you can’t read it. If you’re moving [the data] from point A to point B, it scrambles so you can’t read it,” he said.

McConnell understands that stronger data security can come at a cost for others, including law enforcement who may need to access data within a device during a criminal investigation.

“What I’m arguing is the greater need for the country is a higher level of [data] security. If that’s the greater need, then some things of lesser need have to be sacrificed. So when I say ubiquitous encryption, that’s what I’m attempting to describe. It is protecting the data that is the very lifeblood of the country,” McConnell said.

McConnell also addressed how academia can help in securing the nation from cyber attacks.

“We have about 300,000 job openings across the United States for which there are no cyber security-skilled people to fill those jobs,” he said. “Universities are debating academically ‘What is cyber security?’ and ‘How do you credit the degrees?’ and ‘How do you get consensus on what it is and what it should do?’”

He urged universities to move more quickly on coming to a consensus so they can get certified and accredited to start producing students who can fill those jobs.

Glenn Gaffney, executive vice president at In-Q-Tel, also spoke to the role higher education institutions can play in cyber security during his keynote address at the conference.

“It is at the university level where we don’t have to take a top-down approach,” Gaffney said, adding that universities can work together, through research and student involvement, to create proactive solutions to cyber security. “This is where the next generation of leaders will be developed. It’s here that these dialogues must begin. This is the opportunity.”

Ray Rothrock, CEO and chairman of RedSeal Inc., was the day’s third speaker, presenting on the topic of “Infrastructure: IoT, Enterprise, Cyber Physical.” Rothrock also held a signing for his new book, “Digital Resilience: Is Your Company Ready for the Next Cyber Threat?”

Attendees at the conference are exploring computer and communication technology; the economic and physical systems that are controlled by technology; and the policies and laws that govern and protect information stored, transmitted and processed with technology.

Students at each SEC member university participated in a Cyber Challenge and presented posters displaying their work in the area of cyber security.


Encryption vital to protecting our data in the modern age

Contrary to what some law enforcement officials would like to have you believe, choosing to digitally arm yourself for defensive purposes does not make you a criminal. For many years now, arguments have been made over the extent to which an individual should be able to do so; however, no serious case to eliminate this ability had been made — until now.

At a recent speech, CIA Director Mike Pompeo touched on the traditional national security topics, but then he ventured into the surreal. The CIA director offered, “Cyber is another vector — it’s not a threat of its own, but it is a means by which many non-nation-state actors can inflict incredible costs on the United States of America.” The alarming part is when he attaches the proliferation of end-to-end encryption as part of the challenges his agency faces when tracking these non-nation state terrorists.

To be clear, the head of America’s intelligence agency is saying that encryption is part of the problem for law enforcement in fighting the bad guys. Though this shouldn’t be a shock, as Congressman Pompeo once wrote, “The use of strong encryption in personal communications may itself be a red flag.”

For anyone wondering why an individual would consider using encryption in their daily lives, let me illustrate what this means. In today’s connected world, the reason you read so many stories about cyber-crimes committed by two-bit hackers is because they are trying to steal your credit card number, or enough personal information to commit identity theft. They are afforded this ability because of your lack of encryption. In free states, encryption is used to protect people from cyber criminals. In the more oppressive countries, encryption is used as a tool to break through firewalls to gain access to an uncensored free and open internet. In many cases, it is the users’ only interaction with the outside world that hasn’t been sanctioned by their government.

Criminalizing encryption is the elimination of our right to self-protect from privacy thieves. The hard truth is encryption exists to protect our right to free speech online here and abroad.

The CIA is far from being a lone voice in the woods, as Deputy U.S. Attorney General Rod Rosenstein is a long-time encryption critic. He’s used every criminal event of national interest as a platform to attack personal digital security as part of a tech conspiracy to thwart law enforcement’s effort to tackle crime. While personal encryption is effective against hackers, governments by and large are getting every byte of your data they want.

Perhaps the deputy attorney general’s most naïve position has been to demand tech companies create strong consumer encryption, but also offer law enforcement backdoor access to your device’s data. This is coming from the same government that maintains a monstrous data center farm in Utah to collect and maintain every bit and byte of digital communications generated globally. The NSA is charged with overseeing the $1.2 billion facility, and promises to only use it for terrorist connected cases. However, as we’ve noted in the past, perhaps the greatest leakers of secure and private information is the very intelligence community that is charged with shielding us from those evildoers. Aside from the ridiculous expectation of an encryption-lite option, a Stanford University cryptographer made it abundantly clear in a recently released paper, and assures us that this type of “securely accessible” encryption does not exist.

Due to the mounting law enforcement worldview of effective encryption as a platform used primarily by criminals, and the general decline of privacy, the ability to maintain some shred of confidentiality is now accompanied with stigma, as well as a price tag that is growing out of reach to the average consumer. Sadly, the United States has been moving toward becoming a country that enjoys cheap luxuries, but expensive necessities. Privacy is no longer a right in the digital realm, but a commodity to be bartered without the creator’s consent.

This exposure has led everyday consumers to seriously consider options that help shield their data. One pragmatic piece to the privacy solution would be to minimize the chances of such data theft concerns by allowing competition to reign in the ISP markets once again in the form of “open access,” which would restrict network infrastructure providers to operating within prescribed limits. Removing the government-protected oligarchy that rules America’s current internet access options would allow consumers to choose providers that consider privacy a priority to their customers, rather than a self-entitled byproduct.

Privacy and access to effective encryption should be a fundamental right. The overtures by the government have forced consumers to consider privacy enabling applications — but it shouldn’t be that way. The right to self-protect should not come with an over-burdensome price tag, and certainly not with an assumption of guilt. There is a strong and proven legislative path forward in allowing consumers to protect ourselves, and it begins with open access.


Tips on protecting your digital systems from cyber hackers

Computer systems around the world are still working to get back on track after an international cyber attack similar to one just a few weeks ago, and now a new and damaging outbreak of malicious data-scrambling software caused mass disruption across Europe, hitting Ukraine especially hard. Ukraine’s prime minister said…


How federal government departments are protecting Australians’ data against cyber hack

The federal government has conceded it can’t be certain public service departments are secure against major hacking attacks, as Malcolm Turnbull’s senior cyber adviser suggested Australia might have dodged the latest international crisis because it fell during the weekend. At least eight Australian businesses have been infected by the bug crippling some systems in Britain, Europe and the US, with …


New cybersecurity center at UD to explore protecting health info

Health information is now one of the most sought-after online records pursued in cyber attacks and that’s one of the reasons behind a partnership to create the Center for Cybersecurity & Data Intelligence at the University of Dayton.
Premier Health,


Protecting yourself from identity theft

A report from Javelin Strategy & Research finds the number of identity fraud victims remained steady at 13.1 million in 2015 when compared with 2014, however it is still the second highest number of victims since Javelin began conducting its annual study in 2004. According to the Identity Theft Resource Center, every 3 seconds there is a new victim with 7% of US Residents 16 years or older having been affected. According to Frank Cilona, President of the Better Business Bureau, “The first rule in Identity Protection is ‘If you don’t need it, dispose of it…Responsibly’. Consumers should use the word SHRED as a helpful guide in protecting themselves.”

  • S – Strengthen passwords. Use at least 8 characters, alpha numerics, symbols and upper and lower case letters.
  • H – Handle personal identifying information with care. Don’t give this information out unless absolutely necessary.
  • R – Read credit reports annually. Go to AnnualCreditReport.com every year for a free credit report.
  • E – Empty your purse or wallet. Don’t carry any more than necessary and never have your Social Security card with you.
  • D – Discuss these tips with your friends. Share your knowledge and educate those […]
