
Phishing Is Getting More Sophisticated. Here’s What to Look Out For

Many CEOs live in fear that their companies will suffer a data breach. That’s for good reason: In 2019 the average breach of U.S. companies cost $73,000. And the cost of the attendant reputational damage with vendors and customers can be far greater.

It’s probably no surprise, then, that in a recent Inc. survey, senior executives said their two greatest worries on a wide-ranging list of technology-related developments were having sensitive data stolen and being the victim of a ransomware attack. Some respondents know the pain firsthand: 8 percent said their company has experienced a breach within the past two years, while 12 percent say they’ve experienced one in the past five years. With that in mind, Inc. spoke with cybersecurity experts to find out the latest when it comes to company breaches.

The first thing they made clear is that the 12 percent figure is probably low, since there are likely an increasing number of breaches that companies aren’t aware of and don’t report. Something that might play into that: hackers’ new methods of choice.

More than half of all breaches last year were not performed using malware, according to a January report from cybersecurity firm Crowdstrike. That’s important because malware often is easily detectable. Increasingly, hackers are finding ways to access your company’s network using its existing systems, like logging on with an employee’s stolen credentials, says Shawn Henry, Crowdstrike chief security officer.

“More time undetected means more success for them,” Henry says, noting that the average adversary spent 95 days in an organization’s network before being detected, up from 85 days a year ago. “It’s similar to why you go for a colonoscopy, or you go to the dermatologist to be checked for unusual marks. It’s preventive maintenance. If something is there for months or years undetected, you’re in trouble.”

Gone phishing

Hackers can find their way into your system in a number of ways, with phishing scams being one of the most prevalent. These attacks are becoming more sophisticated, according to Joseph Steinberg, author of Cybersecurity for Dummies and a former Inc. columnist.

In some cases, a hacker might spoof the email address of an executive, send a note telling employees they’ve been laid off, and instruct them to log onto the network as soon as possible to fill out a form to receive their severance. The employees then click a link to what looks like their company’s network and, not realizing it’s actually a fake, enter their usernames and passwords. Suddenly, the hackers have a working set of login credentials, or many of them.

What’s more, now hackers are more often studying a company’s personnel and learning their manner of speaking by email before spoofing them, Steinberg says. They’ll glean personal information through the social media accounts of executives or their family members to find out, say, that they’re about to head off on vacation.

“Then they send a message to the CFO that sounds real and say, ‘I’m getting on my flight to Disneyland, so don’t bother calling me. Just take action.’ ” Suddenly, an employee is sending sensitive information–or even a wire payment–to a bad actor.

“Phishing 10 or 15 years ago was a shotgun,” Steinberg says. “I’m going to fire out hundreds of shells and hopefully some of them hit the target, whereas this is much more like a rifle. I’m trying to get this one person, but I’m hitting with a much more accurate and stronger attack.”

Shifting your mindset

Though it’s detectable once it’s in your system, malware is infiltrating more discreetly than ever before. Last year saw a trend away from the use of malware in email attachments–which many employees have learned to recognize as a red flag–and toward links instead, according to cybersecurity firm Proofpoint. “The increasing prevalence of cloud applications and storage means that we are all conditioned to click through links to view, share, and interact with a variety of content,” the company wrote in a December report.

Adversaries increasingly are using URL shorteners to make links in emails appear legitimate, the firm says. Hackers sometimes use URLs that are just one character different from the real thing, like a letter with a line under it, which is tough to spot in hyperlinked text, according to Steinberg.
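One way a mail gateway or help desk can triage the links described above (one-character lookalikes, non-ASCII characters that imitate Latin letters, and shorteners that hide the destination) is shown in this added Python example. It is not code from the Inc. article or from any vendor named in it; it assumes a constructed trusted domain, example-corp.com, and a small list of well-known public shortener hosts.

```python
"""Triage e-mail links for lookalike hostnames, IDN tricks and URL shorteners.

Added defender-side example, not code from the article. Assumes the
organisation's only legitimate domain is example-corp.com (constructed).
"""
from urllib.parse import urlparse

# Constructed allowlist: the domains employees are actually meant to log in to.
TRUSTED_DOMAINS = {"example-corp.com"}
# Public shortener hosts: a shortened link hides its destination, so expand it
# (or block it) before treating it as legitimate.
SHORTENER_HOSTS = {"bit.ly", "t.co", "tinyurl.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: how many single-character edits separate a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def hostname(url: str) -> str:
    """Lower-cased host part of a URL (scheme-less input is tolerated)."""
    if "://" not in url:
        url = "http://" + url
    return urlparse(url).hostname or ""


def classify(url: str) -> str:
    """Return one of: trusted, lookalike, suspicious-idn, shortener, unknown, invalid."""
    host = hostname(url)
    if not host:
        return "invalid"
    # Non-ASCII labels (a Cyrillic 'a', or a letter carrying a combining
    # underline) encode to a different punycode form; labels already in
    # xn-- form are flagged too, since the rendered name can imitate a real one.
    try:
        ascii_form = host.encode("idna").decode("ascii")
    except UnicodeError:
        return "invalid"
    if ascii_form != host or any(lbl.startswith("xn--") for lbl in host.split(".")):
        return "suspicious-idn"
    if host in SHORTENER_HOSTS:
        return "shortener"
    for trusted in TRUSTED_DOMAINS:
        if host == trusted or host.endswith("." + trusted):
            return "trusted"
    for trusted in TRUSTED_DOMAINS:
        # Trusted name buried inside another domain (example-corp.com.hr-portal.test)
        # or within one character of it (examp1e-corp.com, example-corp.co).
        if trusted in host or edit_distance(host, trusted) <= 1:
            return "lookalike"
    return "unknown"


def triage(urls):
    """Map each link to its verdict; anything but 'trusted' deserves a second look."""
    return {u: classify(u) for u in urls}


if __name__ == "__main__":
    # Constructed links of the kind found in a "severance form" lure.
    sample_links = [
        "https://mail.example-corp.com/hr/severance-form",
        "https://examp1e-corp.com/hr/severance-form",
        "https://example-corp.com.hr-portal.test/login",
        "http://ex\u0430mple-corp.com/login",   # U+0430 Cyrillic small a
        "https://bit.ly/3abcdef",
    ]
    for link, verdict in triage(sample_links).items():
        print(f"{verdict:15s} {link}")
```

The edit-distance threshold of 1 matches the "one character different" trick the article describes; raise it cautiously, since a higher value also catches legitimate sibling domains.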

The best ways to combat hackers

So how to prevent against all this? While companies need to make sure they invest in cybersecurity measures, of course, the experts offer additional tips.

1. Make sure all employees are properly trained and educated.
Have procedures in place for everything, Steinberg says. “And those procedures don’t go away just because the CEO is getting on a flight to Miami,” he says.

2. Get help from your rivals.
Share information about attacks to competitors in your industry with the hopes that they’ll do the same, Henry advises. “It’s understanding that if they targeted my transportation company this week, they’re going to target your transportation company next week,” he says. “Let’s share this intelligence with you so that you can better protect yourselves.”

3. Never think you’re immune.
Perhaps most important is understanding that your company can become a target, no matter how small or how secure, Steinberg says. “When that mindset changes from, ‘Nobody would be interested in hacking me’ to ‘I’m skeptical about everything that comes to me because I know there are criminals targeting me,’ it changes the way you react,” he says. “It changes the way you do lots of things, so that these types of attacks become a lot less likely to succeed.”

 

By Kevin J. Ryan Staff writer, Inc.@wheresKR

 

Source: Phishing Is Getting More Sophisticated. Here’s What to Look Out For



Stunning Huawei Confirmation—1 Million Cyberattacks Every Day

China’s under-fire Huawei is being attacked by more than just the U.S., says a company exec. The Chinese tech giant endures around a million cyberattacks per day on its computers and networks—and that’s according to its security chief, John Suffolk. This will be the most unexpected Huawei cyberattack story of the year so far.

As reported in the Japanese press, Suffolk implied such attacks are focused on IP-theft, which given Huawei leads the world for 5G network innovation and files more patents than any other company in the world, will come as little surprise. That said, the company has also accused the U.S. government of mounting cyberattacks as part of its concerted campaign against them.

In September, Huawei alleged in the media that U.S. law enforcement has “threatened, coerced and enticed” existing and former employees, and has executed “cyberattacks to infiltrate Huawei’s intranet and internal information systems.”


Suffolk did not attribute the attacks to any country or particular threat actor—including the U.S.—and did not confirm whether they were from nation-states or competitors. But he did acknowledge that although almost all are defended, some attacks on older systems get through. The implication of this was not clear, although the media reported that these “cyberattacks have included a type of theft of confidential information by sending a computer virus by email.”

Such phishing or business email compromise attacks are universal; it would be more surprising if Huawei didn’t receive its fair share. They often rely on social engineering to trick employees into installing malware disguised as attachments, or visiting fake sites or viewing social media clips that are laced with harmful code.

Suffolk used the media to confirm his claims that although Huawei is embroiled in its own allegations around cybersecurity, no tangible backdoors or cyber compromises have been found. He also reiterated the company’s pledge to work with customers to shore up their cyber defences when using equipment from the Chinese company.

The focus of the U.S. allegations is that in addition to receiving Chinese state support, Huawei is vulnerable to intelligence tasking by Beijing within overseas markets—either to steal or disrupt. Suffolk told the media that if the company’s CEO Ren Zhengfei was ever asked to compromise the company, “he would blankly refuse to do that—if he was pressurized to do that, he would close the company down.”

Earlier in the week, a surprise EU report warned that the combination of new technologies and 5G networks risks hostile state control of critical infrastructure, logistics, transportation and even law enforcement. The report didn’t name China or Huawei, but did reference sole 5G suppliers from countries “with poor democratic standards,” for which the reference to Huawei and China was clear.

There will be more surprises with this latest revelation from Huawei—the sheer scale of the cyberattacks will raise eyebrows, as will the obvious references back to the company’s claims against the U.S. last month.

October could prove to be a significantly better month for the tech giant than September. Having managed to launch the Mate 30 Series absent U.S. tech, and with U.S. President Trump now signalling a softening in blacklist restrictions and progress in trade talks with China, Huawei execs will be hopeful of some welcome relief from both the sanctions and the headlines.


I am the Founder/CEO of Digital Barriers, developing AI surveillance solutions for national security, counter-terrorism and critical infrastructure organisations in the US, EMEA and Asia. I write about the intersection of geopolitics and cybersecurity, as well as breaking security and surveillance stories. I also focus on the appropriate balance of privacy and public safety. Contact me at zakd@me.com.

Source: Stunning Huawei Confirmation—1 Million Cyberattacks Every Day

 

Connectivity, The C-Suite, And The Consumer: An Evolving Cyber Landscape

There is widespread consensus that Industry 4.0 technologies have the power to create radically exciting efficiencies and growth opportunities for businesses. However, the advancement of technology is not without consequence. According to Cybercrime Magazine, the annual cost of cybercrime damages is expected to hit $6 trillion (USD) globally by 2021. Advances in technology are driving progress, but also bringing new possibilities of cyber threat. And both executives and consumers are taking notice.

A recent Deloitte survey found that executives rank cybersecurity and other technology-related risks among the greatest challenges to their growth outlook. Furthermore, the 2019 Deloitte Global Millennial Survey found that an overwhelming majority of respondents are concerned about privacy and cyber issues.

However, evidence shows that although executives are aware of consumer fears, they are unclear in how to respond.[1]

As organizations double down on connected devices and data analytics, they must look beyond strictly business outcomes and assess how to take advantage of new digital opportunities while managing vulnerabilities and protecting consumer privacy.

Against this backdrop, executives must reimagine their approach to cyber. This requires leadership to redefine the role of cyber risk management while also recognizing and addressing the concerns of both internal and external stakeholders.

Rethinking the cyber ecosystem

Executives have traditionally viewed cyber as a means to protect information, and thus, control has been relegated to the IT function. However, this model is no longer sufficient in Industry 4.0 as connected products and technologies have multiplied vulnerabilities across the organizational and consumer spheres. In this era of complexity, cyber is everywhere.

Although cyber is increasingly viewed as a C-suite issue, oftentimes individuals at the board and leadership level are far removed from the day-to-day challenges of keeping an organization secure, vigilant and resilient. To be successful moving forward, leadership must be an active participant in understanding how to respond to the constantly evolving cyberthreat landscape.

Everyone within an organization holds some level of responsibility for managing cyber, starting with board and C-suite leadership. To prevent breaches and enable growth, organizations must empower leaders across functions to build cyber into their purview.

High maturity organizations prepared to address cyber employ teams of passionate and energized staff across the business who are up to date on the latest threats and have aligned their cyber strategy and overall cyber program. This makes cultivating, attracting and retaining cyber talent a critical part of the solution to tackle cyber challenges. Organizations must prioritize learning across the enterprise to allow them to effectively manage cyber and implement comprehensive cyber solutions across all levels.

The consumer challenge

According to the 2019 Deloitte Global Millennial Survey, 78 percent of respondents are worried about how organizations share personal data with each other, and a quarter of millennials have ended consumer relationships because of companies’ inability to protect data.

Furthermore, only 14 percent of millennials strongly agree that the benefits of technology outweigh the risks associated with sharing personal data, and 79 percent are concerned they will be victims of online fraud.

This presents a significant warning sign to organizations—failing to put data protection and potential vulnerabilities at the top of the corporate agenda could not only hurt the business itself, but significantly erode trust with consumers.

Heightened vulnerabilities in the consumer space underscore the importance for organizations to build cyber into their strategies from product development to customer support. When looking at the entire cyber ecosystem and considering roles and responsibilities throughout an organization, businesses that view consumer insights and concerns as motivation to refocus cyber efforts will gain a competitive edge.

How organizations can respond

Cyber truly is everywhere, and is something that must be taken into account as organizations evaluate and formulate their business strategies.

As businesses work to reposition cyber from a threat to a growth opportunity, inter-organizational collaboration is key. Spearheaded by the board and C-suite, organizations must prioritize working together throughout the organization to address these concerns. With connectivity comes responsibility and establishing trust amongst all key stakeholders, including third parties and consumers, will enable organizations to capture value from cyber and take full advantage of the technological opportunities presented by Industry 4.0.

[1] Deloitte research report, “Global growth in the era of Industry 4.0,” Deloitte, May 2019.

Nick Galletto is the Deloitte Global Cyber Risk leader based in Toronto. Nick has over 30 years of experience in information technology, networking, systems management and information security management. He has accumulated extensive experience in the management, design, development and implementation of cyber risk management programs.

Nick has worked with executive leaders in helping them understand and implement cyber risk strategies as a business enabler. He’s helped many organizations mature their overall security posture; including architecting, designing and integrating cyber solutions to address specific industry cyber risks. Nick has worked with a number of large enterprises across many industries, helping them transform their cyber strategy as they’ve moved from an era of compliance and risk to this new era of cyber everywhere.

Over the last several years Nick’s primary focus has been helping clients with the development and implementation of cyber risk management solutions both for IT and OT, making their organizations cyber resilient by proactively protecting, detecting, responding and recovering from cyber events.

Nick has a Master of Business Administration, and he is a Certified Information Systems Security Professional, a Certified Information Security Manager, Certified in Risk and Information Systems Control and SABSA Certified Architect.

Source: Connectivity, The C-Suite, And The Consumer: An Evolving Cyber Landscape

An expert in cybersecurity and network infrastructure, Nick Espinosa has consulted with clients ranging from small businesses up to the Fortune 100 level. Nick founded Windy City Networks, Inc in 1998 at age 19 and was acquired by BSSi2 LLC in 2013 where he is their CIO. In 2015 Security Fanatics, a Cybersecurity/Cyberwarfare outfit dedicated to designing custom Cyberdefense strategies for medium to enterprise corporations, was launched. A nationally recognized speaker, member of the Forbes Technology Council, regular columnist for Forbes, on the Board of Advisors for both Roosevelt University’s Center for Cyber and Information Security and Bits N’ Bytes Cybersecurity Education, award winning co-author of a bestselling book “Easy Prey”, and host of “The Deep Dive” radio show on 101.3FM WHIW, Nick is known as an industry thought leader and sought after for his advice on the future of technology and how it will impact every day businesses and consumers.
This talk was given at a TEDx event using the TED conference format but independently organized by a local community. Learn more at https://www.ted.com/tedx

Nasty New Malware Waits Until You Visit A Pornsite, Then Starts Recording


At the end of last week, ESET’s security researchers disclosed the discovery of a new strain of malware that takes the trend for sextortion to a new level. Varenyky, as the malware was named by its finders, monitors the activity on infected computers, watching until a pornographic website is visited, and then starts recording the screen.

According to the ESET team, Varenyky first came to light in May, when a malware spike was identified in France. And this is the other twist with Varenyky—it has been designed to specifically target French computer users. For now.

Varenyky is aimed at Orange customers in France, sending out fake invoices as Microsoft Word attachments to load the malware. When those documents are opened, a macro is executed which ensures the computer and its user are indeed French; if not, the malware slips away with no damage done. But if the targeted computer ticks its boxes, Varenyky checks back with its C&C to determine what elements of malware to download, executing further macros to install software that can “steal passwords and spy on victims’ screens using FFmpeg when they watch pornographic content online.”

When trigger keywords (a myriad of common and more specialised sexual terms) or websites (including YouPorn, PornHub and Brazzers) are detected, “the malware records a computer’s screen using an FFmpeg executable—the recorded video is then uploaded to the C&C server.” The clear risk is for advanced levels of sextortion or even blackmail. And while the current findings appear relatively generic (at least to the French), there is the potential for the malware to be targeted at individuals.

The spam emails—as many as 1500 per hour have been sent—focus on “win a smartphone competitions—an iPhone X, a Galaxy S9 or S10.” The victim is asked for personal information and then, as the scam progresses, credit card details as well. None of this is related to the video capture of sex sites, it is a broad-brush approach.

Varenyky is interesting because of its specific national targeting and its mix of credential theft and sextortion campaigning. The triggered screen recording, though, is grabbing the headlines. Not because of this particular campaign—there is no evidence of the videos having been used maliciously yet, but because it’s a nasty twist on a theme, and we can expect to hear more about it. As ESET warns, “this shows that operators are inclined to experiment with new features that could bring a better monetization of their work.”

A week ago, I reported that phishing defense specialist Cofense had published more than 200 million email addresses, that the company says are “being targeted by a large sextortion scam.” You can actually search the database for your own email address here. The usual sextortion concept of operations is to take breached email accounts—user names and passwords—and include those in a large-scale mail-out campaign to attempt to trick account holders into thinking they have been compromised, with passwords used as a convincer. It’s a numbers game. Small percentages returning lucrative rewards.

Now there is the potential for the use of video as a twist on what we have seen before—shades of Black Mirror episodes coming to life.

And so, the usual advice pertains. Don’t fall for scam promotions. Think before you click on attachments from unfamiliar senders. Don’t share personal information and definitely don’t share credit card details. And always keep your software and virus protection up to date.

There are many functions of Varenyky, ESET warns, “related to possible extortion or blackmail of victims watching pornographic content.” And the hackers behind the malware are already in the sextortion business even though the videos have not yet been used. ESET reports that Varenyky “is under heavy development and it has changed a lot since the first time we saw it,” which suggests functionality and sophistication will increase.

What we know for sure, though, is that this malware is now out there, and so the risk is very real.

Find me on Twitter or Linkedin or email zakd@me.com. Disclosure: I cover security and surveillance, the sector in which Digital Barriers operates. Direct conflicts are highlighted.

I am the Founder/CEO of Digital Barriers, a provider of video surveillance and analytics technologies to security and defense agencies as well as commercial organizations. I cover the sectors in which DB operates, potential conflicts are highlighted.

 

This Map Shows Which Cities Are Using Facial Recognition Technology—And Which Have Banned It

As government use of facial recognition technology becomes more widespread, the digital rights nonprofit Fight for the Future has created an interactive map that shows where in the United States it’s being used and where it’s being resisted.

The map draws on news reports and research to show the ways that state and local governments have rolled out facial-recognition-related initiatives, like where agencies are scanning driver’s license databases or screening passengers on international flights, as well as which cities have banned local government from buying or using the technology or are considering legislation to that effect.

The map also shows all the places where police have formed partnerships with Amazon’s home security subsidiary, Ring. Police departments across the country have given residents free or discounted doorbell camera systems and encouraged people to share their security footage, creating what privacy advocates describe as an unprecedented surveillance network.

A spokesperson said that the Ring system does not use facial recognition technology.

Fight for the Future launched the map as part of its push for a nationwide ban on facial recognition technology, which it says threatens civil liberties and would have a chilling effect on free expression.

“The goal of the map is to educate people about where facial recognition technology is being used across the country and the different ways that it’s happening and then give them the tools to do something about it,” Fight for the Future deputy director Evan Greer tells Forbes. People who sign up on the group’s website will receive advocacy tool-kits to help them organize around the issue.

Proponents of facial recognition—which typically identifies people from video or photos by comparing their facial features with those in a database—say it can help solve crimes (or stop them before they happen), while critics point to studies that show the technology to be error-prone, particularly for people of color, and say the negative consequences of ubiquitous surveillance outweigh possible benefits.

Lawmakers recently held a series of hearings on facial recognition technology, with senators on both sides of the aisle expressing concerns about potential consequences of government usage, though without any real agreement on what national regulation could look like. 

So far, local governments have led the way. Earlier this week, Oakland, California became the third city to ban its government agencies from buying or using facial recognition technology for any purpose, following San Francisco and Somerville, Massachusetts. Several states are also considering bills that would place moratoriums on the technology.

Greer says the map—which you can view here—likely isn’t comprehensive due to the secrecy around facial recognition, but that the Fight for the Future team plans to update it regularly as new information surfaces.


I’m a San Francisco-based staff writer for Forbes reporting on Google and the rest of the Alphabet universe, as well as artificial intelligence more broadly.

Source: This Map Shows Which Cities Are Using Facial Recognition Technology—And Which Have Banned It

What Will Happen to Internet Privacy in the Future?

Unfortunately, we have reached a point where the internet doesn’t work correctly unless we sacrifice some of our privacy. Everything from Twitter to cell phones wants access to our personal information, GPS location, and more. To most of us, how companies store and use our information is mostly a mystery. There are constant stories about stolen consumer information, yet we still, willingly, give out ours because the alternative is cloud services and social networks locking us out. If internet privacy has already eroded so much in the present day, what will things be like in the future? Read more…..

Source: What Will Happen to Internet Privacy in the Future?

Haven’t Tried a Password Manager? You Won’t Regret It. – Dashlane Blog

You’ve heard it before—you should use a password manager. A password manager helps you create strong, complex passwords, which are much safer than reusing the same weak passwords across all websites. But did you know that a password manager makes using the internet easier in a lot of other ways, too?…….

Source: Haven’t Tried a Password Manager? You Won’t Regret It. – Dashlane Blog

Colorado Securities Regulators Crack Down on Four More ICOs for Alleged Illicit Practices – Helen Partz


The Colorado Division of Securities has filed cessation orders against four Initial Coin Offerings (ICOs) allegedly involved in fraudulent and illicit practices, according to an official announcement Nov. 20.

Colorado Securities Commissioner Gerald Rome issued the new cease and desist orders following investigations by the Division’s ICO Task Force. Rome has issued 18 cessation orders to ICO projects offering unregistered securities since May 2018. According to the announcement, at least two more orders are still pending.

The recent orders affected four crypto and blockchain-related firms: Global Pay Net, Credits LLC, CrowdShare Mining, and CyberSmart Coin Invest. All the companies were reportedly accessible to Colorado residents and allegedly violated securities laws.

Regulators state that the projects also engaged in fraudulent marketing practices; Global Pay Net allegedly falsely claimed that “investors receive 80 percent of the company’s profits.” CrowdShare Mining promised an “at least 1,000 percent” four-year return on investment for investors who bought its token.

Commissioner Rome stated that the “sheer number” of cease and desist orders against ICOs should be a “red flag […] that there is a real risk that the ICO you are considering is a fraud.” Rome also highlighted the problem of crypto investor protection, claiming that fraudsters “simply create a fake ICO to steal investors’ money,” and “trick investors into wrongfully paying them.”

Earlier this month, the securities regulator issued cease and desist orders to four ICOs for allegedly offering unregistered securities.

On Nov. 19, Italian securities regulator Commissione Nazionale per le Società e la Borsa (CONSOB) issued enforcement actions against three crypto-related firms for alleged violation of local financial laws by failing to register as financial intermediaries.

That same day, the North Dakota Securities Commissioner issued a cease and desist order against an alleged Russia-based ICO that posed as Liechtenstein Union Bank.

According to a recent study by the University of British Columbia, ICOs face a “compliance trilemma” that limits their potential. Some issuers shirk compliance measures in order to “reach a distributed pool of investors” and have an offering that is “cost-effective.”

The study explains, “If issuers forgo these costs, the risk of being non-compliant rises significantly. The result is a trilemma, whereby issuers currently must forgo one of these goals to realize the other two, or to compromise on all three.”
