

A 15-year-old hacked the secure Ledger crypto wallet

A 15-year-old programmer named Saleem Rashid discovered a flaw in the popular Ledger hardware wallet that allowed hackers to grab secret PINs before or after the device was shipped. The holes, which Rashid described on his blog, allowed for both a “supply chain attack” – meaning a hack that could compromise the device before it was shipped to the customer – and another attack that could allow a hacker to steal private keys after the device was initialized.

Rashid is not affiliated directly with any Ledger competitors although there was some suggestion that he did some work on Trezor and other competing hardware wallets. His response:

International Workshop on Secure Software Engineering in DevOps and Agile Development (SecSE)

General Cybersecurity Conference

 May 25, 2018 | Porto, Portugal

Cybersecurity Conference Description

Software security is about protecting information and ensuring that systems continue to function correctly even when under malicious attack. The traditional approach of securing a system has been to create defensive walls such as intrusion detection systems and firewalls around it, but there are always cracks in these walls, and thus such measures are no longer sufficient by themselves. We need to be able to build better, more robust and more “inherently secure” systems, and we should strive to achieve these qualities in all software systems, not just in the ones that “obviously” need special protection.

This workshop will focus on techniques, experiences and lessons learned for engineering secure and dependable software using the DevOps paradigm, as well as other forms of agile development.



The post International Workshop on Secure Software Engineering in DevOps and Agile Development (SecSE) appeared first on National Cyber Security Ventures.


Cyber Secure Nigeria

Source: National Cyber Security News

General Cybersecurity Conference

 May 9 – 10, 2018 | Lagos, Nigeria

Cybersecurity Conference Description 

Cyber Secure Nigeria 2018 will focus on the ‘core’ aspects of cyber security. We are currently calling for papers from prospective speakers. The Call for Papers invites submissions that will increase understanding of the most critical cyber security issues in our digitally connected world.


Russian group hacked German government’s secure computer networks


A Russian-backed hacker group known for many high-level cyber attacks was able to infiltrate the German government’s secure computer networks, the dpa news agency reported Wednesday.

Dpa cited unidentified security sources saying the group APT28 hacked into Germany’s foreign and defence ministries and managed to steal data.

The attack was noticed in December and may have lasted a year, dpa reported.

The Interior Ministry said in a statement that “within the federal administration the attack was isolated and brought under control.” The ministry said it was investigating.

A spokesman wouldn’t give further details, citing the ongoing analysis and security measures being taken.

“This case is being worked on with the highest priority and considerable resources,” the ministry statement said.

APT28, which has been linked to Russian military intelligence, has previously been identified as the likely source of an attack on the German Parliament in 2015, as well as on NATO and governments in eastern Europe.

Also known by other names including “Fancy Bear,” APT28 has also been blamed for hacks of the U.S. election campaign, anti-doping agencies and other targets.


(ISC)² Secure Summit Phoenix

Source: National Cyber Security – Produced By Gregory Evans

General Cybersecurity Conference

 March 9, 2018 | Phoenix, Arizona, United States

Cybersecurity Conference Description

It’s the same old story. Ransomware and phishing still dominate the headlines. Why are these tactics so successful? Why are organizations still falling victim to the same old tricks?


Smart cars need smart and secure IT/OT infrastructures


IT can fail. It often does. We restart IT, and life goes on. Hackers can also compromise these same IT systems, creating disruptions and causing theft of credentials. All manner of serious consequences result from these compromises.

When Operations Technology (OT) fails, the consequence is of a different nature – arguably far more significant and far more serious. The safety systems developed over decades to keep OT from failing do work – most of the time. That’s the good news. The bad news is that these OT systems and their parallel safety systems were not designed to stop the present threat of hackers whose intent would be to make them fail in catastrophic ways – with turning off the safety systems as task one.

A state of geopolitical competition
Consider also that we are now in the time of cyber as a tool of geopolitical competition. That is a nice way to say “nation-state” attacks – the same thing. It is time to consider, with utmost urgency, the cyber protections needed for the installed base (legacy) of OT systems and the future base of innovations that will surely bring more of this kind of automation into our daily lives. The installed base of OT is a much longer topic – for another time. The future base of OT is the topic of this piece.

About smart cars
Smart cars make sense when we also consider smart roads and a smart IT/OT infrastructure. We are at the start of the age of smart transportation, roads filled with sensors to interact with autonomous cars in ways to control flow and enhance safety. Smart cars and smart roads go together. They connect by means of a computer network.

For smart transportation to succeed, it will need all three parts: autonomous capabilities in cars + smart roads + an IT infrastructure that connects them together. Together, they combine to make smart transportation. That is the future. 2018 will serve as the year where this future accelerates.

We should make them secure from the start – all parts. Consider this scenario. Someone hacks a car. It makes the news. The impact was – a hacked car and possibly a traffic accident. The sale of cars vulnerable to these hacks is undiminished. We’ve seen this scenario already. But accidents happen all the time. Now consider if it were the “smart road” that is hacked, and the hacker navigates up the network into the applications and the databases. This can’t happen – right? For those who make their living doing ethical hacking, the question is typically, how much time do I have?

OT failure paired with malicious intent
Coupled with other malicious intentions in this geopolitically motivated time we are in, the scenario just described takes on far more significant importance. We don’t have to think too hard to know what can happen when OT fails.

The failures of the Deepwater Horizon oil spill into the Gulf in 2010 did incalculable damage. It is a manifestation of this OT failure in an extreme case where the combination of failed processes, sensors plus human error created this perfect storm. It is prudent to ask the question, can these kinds of events be intentionally perpetrated by human actors working to hack the system, allowing them to learn enough of the control processes to orchestrate this kind of catastrophic failure? In the year just starting and the years to come, we are likely to find that the answer is the same – how much time do I have?

What do we do? We start to recognize these very possible issues and become skilled in cybersecurity for both IT and OT systems, for smart transportation and all the other OT industries. That is the start – with urgency.


Cybersecurity Tips to Help Retailers and Consumers Stay Secure During the Holiday Season


It’s time to take advantage of all those holiday specials and spend all your hard-earned bitcoin — er, I mean money — buying gifts for friends, family and, of course, yourself. Many retailers, large and small, online and brick-and-mortar, run holiday promotions as early as September. Gone are the days of waiting until Black Friday or Cyber Monday to take advantage of sales and specials.

The bad guys will be shopping, too — just not for the same items you are. Instead, they will be shopping for your wallet.

It’s true that some cyber Grinches ramp up their malicious activities during the holiday season, perhaps in the form of holiday-specific spam, spear phishing or compromised sites. While increased vigilance is encouraged during this time, there are a number of cybersecurity tips and best practices consumers and retailers should follow throughout the year to help mitigate threats. Having the right controls and awareness in place before the holidays can go a long way during the busy shopping season.

For Retailers: Vigilance Encouraged Throughout the Year

Black Friday and Cyber Monday are heavy shopping days and are likely to remain so for the foreseeable future. However, IBM X-Force research conducted over the past few years revealed that there was no significant uptick in network attacks targeting X-Force-monitored retailers during the traditional holiday shopping period in late November. In fact, last year, the volume of attacks for those two days fell below the daily attack average for retailers.

However, now that the shopping extravaganza lasts for two or more months, it’s possible that this four-day window is too short of a time period to identify notable network attack trends.

So far in 2017, network attacks targeting retail networks were highest in Q2, with June being the most-targeted month. Attacks dropped notably beginning in August and have been steadily declining, with the volume of attacks monitored for October below the monthly average for the year.

Time to celebrate? Not necessarily. In 2016, we observed a notable surge in the volume of attacks targeting retailers in mid to late December. Additionally, malware compromises occurring earlier in the year that have gone undetected can wreak havoc once the busy season commences. In December 2016, a security researcher discovered that nearly 7,000 online stores running Magento shopping cart software were infected with data-stealing skimmer malware capable of logging credit cards and passwords and making them available to attackers as image files for exfiltration.

Furthermore, bad actors do not have to steal anything to wreak havoc on the retail industry. A distributed denial-of-service (DDoS) attack is enough to cost the sector millions. In fact, the average cost of a DDoS attack for organizations across all industries rose to over $2.5 million in 2016.

Retailers are encouraged to monitor their networks with increased vigilance during this holiday season. Vulnerable point-of-sale (POS) systems, compromised websites, and targeted spam and phishing campaigns can be costly.

To help keep your security posture strong over this holiday shopping season and all year long, review and implement the recommendations outlined in the IBM report, “Security Trends in the Retail Industry.”

For Consumers: What Cybersecurity Tips Are Missing From Your Repertoire?

Many online consumers have improved their security awareness as media coverage and education opportunities have increased. However, below are a few cybersecurity tips that many consumers likely haven’t thought of.

Assess Convenience Versus Risk

Our digital interactions leave data trails. Finding the right balance between personalization and privacy is the consumer’s responsibility, not just the retailer’s. Many sites have the option to save your card data for future use. While this feature offers convenience to the consumer, the stored data can be stolen via SQL injection attacks or other database compromises — after all, there are billions of leaked records due to misconfigured servers. Always look for the green lock icon in the browser address bar to ensure a secure connection to websites.

Be Wary of Unsuspicious Emails

Criminals have gotten really good at devising phishing lures that are extremely difficult to recognize as fraudulent. Receive an attachment from someone that appears to be in your contact list? Call them to confirm. Order something online? Before clicking the “track package” link in the confirmation email, ensure that it is actually an item you purchased from the correct vendor.

Use Passphrases and Multifactor Authentication

Exercise strong password hygiene by choosing to use a long, easy-to-remember passphrase, such as “ipreferpassphrasesoverpasswords,” instead of complex passwords containing a combination of letters, numbers and special characters. Unfortunately, this is not always an option since many websites now require a password that contains this combination. Use different passphrases for each site. If this seems too daunting, use a password manager. Rather than managing dozens of passphrases on your own, you’ll just have to remember the one key to your digital vault.

Always opt for multifactor authentication when available, and figure out which option is the most secure when choosing a real-time short message service (SMS) text message, an email message or an automated phone call.

Get Creative With Security Questions

When setting up new accounts, opt for security and password reset questions that aren’t public to make it harder for fraudsters to get their hands on your information. For example, don’t use your mother’s maiden name, which could be easily found online. Even answers to opinion-based questions, such as favorite movie, food, etc., can be found on social media. For increased security, lie about your answers or use passphrases as the answers.

Skimmers Abound

By now, you have most likely heard of skimmers being placed on the card readers at gas stations and bank ATMs. A skimmer is a hidden device placed inside the mouth of a payment card reader that is designed to copy your card data for criminals to use later. But what about in-store POS systems? Be on the lookout for suspicious-looking card swiping terminals that could be skimmers, or cash register attendants who seem to swipe your card on two different readers. Maintain this vigilance not only during the holiday season, but all the time, especially if you travel to other countries.

Know Your Card Security Features

Banks and credit card companies have implemented some great security features, such as being able to set limits on the number of times the card can be used within an hour or on the amount that can be spent on one purchase. However, if you’re unaware of these limits for your personal accounts or your phone number is not up to date in your bank profile, you may end up with a declined card.

Cover Your Card

Is the person in line behind you taking a selfie, or is he or she taking a picture of your card as you make a purchase? By obtaining the credit card number, name, expiration date and the card security code or card verification value on the back, an attacker may be able to use the information to make online purchases.

Keep Your Guard Up Year-Round

The holiday season is a great time to take stock of the past year while relaxing and spending time with loved ones, but it’s no time to let your guard down, especially given the increasing sophistication of cybercriminal tactics targeting holiday shoppers and sellers alike. We encourage retailers and consumers to follow best practices not only this holiday season, but also all year long to help mitigate attacks and compromise.


15 Tips to Staying Secure While Staying Connected


National Cybersecurity Awareness Month brings to light what you already know – cruising the internet can be harmful if you don’t follow best security practices. The good news is you don’t need to be a cybersecurity pro to employ smart online safety habits that can go a long way…


Hacker claims to have decrypted Apple’s Secure Enclave, destroying key piece of iOS mobile security


A hacker going by the handle xerub has just released what he claims to be a full decryption key for Apple’s Secure Enclave Processor (SEP) firmware. This could be a major blow for iOS security because of the importance of the SEP: It handles Touch ID transactions and is completely…


How Hotel Cybersecurity Keeps Guests and Data Secure


Hotels need cybersecurity: Although they don’t have the volume of transactions that big box retail stores do, their transactions are generally larger, and their guests have more at stake than just their groceries. But the personal information hotels store is only part of what’s at risk. Breaking Down Hotel Cybersecurity…
