Category Archives: Internet Security
These are the first passwords hackers will try when attacking your device – ZDNet
More evidence that using weak or default passwords is a bad idea: they really are the first thing hackers try out when attempting to take over a device.
Security company F-Secure has a set of 'honeypot' or decoy servers set up in countries around the world to detect patterns in cyberattacks. The vast majority of traffic to these servers is a result of their discovery during scans of the internet by hackers looking for devices to access.
The company said it has seen a significant increase in the traffic to these honeypots in the second half of last year. It said the rise in 'attack traffic' reflects the increasing number of threats to Internet of Things (IoT) devices.
"Honeypot traffic was driven by action aimed at the SMB and Telnet protocols, indicating continued attacker interest in the Eternal Blue vulnerability as well as plenty of infected IoT devices," the company said.
According to its data, SMB port 445 was the most-targeted port over the period, indicating that attackers are still keen to use SMB worms and exploits such as Eternal Blue, as seen with Trickbot. Telnet was also commonly targeted, likely as part of attacks on IoT devices. The same is the case with probes of SSH on port 22, which enables secure remote access and is commonly associated with full administrative access.
Once a potentially vulnerable device is discovered, the next thing that attackers want to do is try to gain access to it.
According to F-Secure, the "ever-present" top choice of password for hackers to try was 'admin' -- a password which really should not be used for any device, and especially not one connected to the internet. Other bad passwords on the list include '12345', 'default', 'password' and 'root'. Last year the UK's National Cyber Security Centre (NCSC) noted that the only slightly more complicated '123456' had been found 23 million times in breach data.
The passwords that hackers try also reflect the sorts of devices they are currently targeting, F-Secure said: included on the list of the most commonly-tried passwords were the factory defaults for digital video recorders and embedded devices such as routers.
"Brute forcing factory default usernames and passwords of IoT devices continues to be an effective method for recruiting these devices into botnets that can be used in DDoS attacks," F-Secure warned.
The UK recently set out guidelines recommending that all consumer internet-connected device passwords must be unique and not resettable to any universal factory setting.
US threatens to pull big tech's immunities if child abuse isn't curbed – TechCrunch
The Department of Justice is proposing a set of voluntary principles that take aim at tech giants in an effort to combat online sexual abuse.
The principles are part of a fresh effort by the government to hold the tech companies accountable for the harm and abuse that happens on their platforms, amid the past two years of brewing hostilities between the government and Silicon Valley. But critics also see it as a renewed push to compel tech companies to weaken or undo their warrant-proof encryption efforts under the guise of preventing crime and terrorism.
U.S. Attorney General William Barr announced the proposals at the Justice Department on Thursday with international partners from the U.K., Canada, Australia and New Zealand.
The principles, built by the five countries and tech leaders including Facebook, Google, Microsoft and Twitter, aim to incentivize internet companies and social media giants to do more to prevent child sexual abuse on their platforms.
Barr said he hopes that the principles set new norms across the tech industry to make sure there's no safe space on the internet for offenders to operate.
The principles come ahead of anticipated bipartisan legislation in Congress, the so-called EARN IT Act, which reports say could effectively force the tech companies' hands by threatening to pull their legal immunities for what their users post if the companies fail to aggressively clamp down on online child sexual abuse.
Sens. Lindsey Graham (R-SC) and Richard Blumenthal (D-CT) announced the legislation shortly after the Justice Department presser ended.
The bill got a quick rebuke from Senate colleague Ron Wyden (D-OR), who called it a "deeply flawed and counterproductive" bill.
"This bill is a transparent and deeply cynical effort by a few well-connected corporations and the Trump administration to use child sexual abuse to their political advantage, the impact to free speech and the security and privacy of every single American be damned," said Wyden.
Barr warned that the government is analyzing the impact of Section 230 of the Communications Decency Act, which protects tech platforms from legal liability for content created by their users.
Under Barr, the Justice Department has taken a particular interest in dismantling Section 230. Last month, the Justice Department hosted a workshop on Section 230, arguing that the immunity it provides interferes with law enforcement and needs to be reexamined.
"We must also recognize the benefits that Section 230 and technology have brought to our society, and ensure that the proposed cure is not worse than the disease," Barr said last month.
Any change to Section 230, widely regarded as the legal underpinning of all online platforms, could radically alter the landscape of the modern internet and give the government more power to control online speech. Privacy advocates view the government's interest in wielding Section 230 as a cudgel as an existential threat to the internet as we know it.
Last month, Wyden, one of Section 230's co-authors, condemned the Trump administration's scrutiny of the law and argued that repealing the law would not be a successful punishment for large tech companies. "The biggest tech companies have enough lawyers and lobbyists to survive virtually any regulation Congress can concoct," Wyden wrote. "It's the start-ups seeking to displace Big Tech that would be hammered by the constant threat of lawsuits."
U.K. Security Minister James Brokenshire lauded the initiative's existing six tech partners, encouraging the rest of the industry to fall in line. "It's critical that others follow them by endorsing and acting on these principles." The minister claimed that plans to encrypt tech platforms are "sending predators back into the darkness" and away from artificial intelligence advances that can expose them.
Barr also questioned whether disappearing messages or certain encryption tools "appropriately balance the value of privacy against the risk of safe havens for exploitation."
But privacy groups remain wary of legislative action, fearing that any law could ultimately force the companies to weaken or break encryption, which government officials have for years claimed helps criminals and sexual predators evade prosecution.
End-to-end encryption has become largely the norm in the past few years since the Edward Snowden revelations into the vast surveillance efforts by the U.S. and its Five Eyes partners.
Apple, Google and Facebook have made encryption standard in their products and services, a frequent frustration for investigators and prosecutors.
But last year, the Five Eyes said it would contemplate forcing the matter of encryption if tech giants wouldn't acquiesce to the pact's demands.
The government has called for "responsible encryption," a backdoor-like system that allows governments to access encrypted communications and devices with a key that only it possesses. But security experts have universally panned the idea, arguing that there is no way to create a secure backdoor without it somehow being vulnerable to hackers.
The bill has already received heavy opposition. Facebook said that child safety is a top priority, but warned that the EARN IT Act would roll back encryption, which protects everyone's safety from hackers and criminals.
It's a similar anti-encryption bill to one that Sens. Dianne Feinstein (D-CA) and Richard Burr (R-NC) introduced in 2016, which would have forced tech companies to build backdoors into their systems. The bill failed.
The Electronic Frontier Foundation said the bill would undermine the law that undergirds free speech on the internet. Firefox browser maker Mozilla said the bill creates problems rather than offering a solution.
"The law enforcement community has made it clear this law is another attempt to weaken the encryption that is the bedrock of digital security," said Heather West, Mozilla's head of Americas policy. "Encryption ensures our information, from our sensitive financial and medical details to emails and text messages, is protected."
"Without it, the world is a far more dangerous place," said West.
Why SSL Encryption Will not Become a Victim of its Own Success – Infosecurity Magazine
At the start of 2020, there are some technologies originally developed only with the very best of intentions that seem to have a darker side, challenging us to come up with new ways to harness and handle their capabilities.
One of these technologies is encryption, which was developed years ago as a way to enhance the security of digital data and data streams and is now deployed in countless consumer products.
The internet has been an important accelerator behind the use of encryption technology. As a result, more than 80 per cent of today's global internet traffic is encrypted. WhatsApp, for example, uses encryption technology to reassure its users that their messages can only be read by the intended recipient. In a world in which cyber-criminals are active 24/7, trying to get their hands on as much data as possible, this level of security is an essential feature of online data exchange.
300 million attacks per month
However, the prevalence and success of encryption technology has not escaped the attention of internet data thieves. For years, cyber-criminals have been adopting all kinds of disguises to continue their pursuit of targets.
One of their most recent tricks is to send malevolent code in encrypted form in an attempt to sidestep traditional security programs, which are incapable of viewing the contents of encrypted data packets or are deliberately designed not to in order to protect users' privacy. In some cases, a security solution may simply not have enough capacity to check the content of all encrypted traffic without grinding to a halt. Criminals are already deploying encrypted threats at huge scale. In 2019, the Zscaler ThreatLabZ team recorded almost 300 million of these kinds of attacks per month!
Certificate authorities
Many organizations believe that they are protected from attacks on SSL encrypted data because they use a public key infrastructure (PKI). A PKI provides the technology that is required to encrypt internet traffic, including a component known as a certificate authority.
Certificate authorities are the parties responsible for managing and securing the unique keys and providing websites with the certificates that act as the key to the browser's lock. There are many certificate authorities that do a great job and do everything they can to ensure that communication is secure. But, in principle, anyone can set up a PKI infrastructure and issue certificates.
There are many certificate authorities that have a good reputation and that execute high-level checks and verification processes, but there are many others that aren't as well regarded, and that are known for issuing certificates to bad actors without any checks. As a result, it is now very easy for these bad actors to construct their own encrypted websites that, at least at first glance, can look entirely legitimate.
This means that a digital transaction may appear secure when, in fact, it is anything but. SSL/TLS encryption is a guarantee of confidentiality and integrity, giving users the assurance that their data cannot be viewed or manipulated while in transit. That little lock shown in your browser doesn't tell you anything about the intentions of the person, or the system, that you are communicating with.
A dilemma for CISOs
These developments have produced a complicated dilemma for many CISOs. They don't need to worry about whether or not to use encryption for data in transit. That question has already been answered, because encryption significantly enhances security and is often mandatory anyway. The challenge lies in the incoming data traffic that is already encrypted.
While most CISOs understand that inspecting encrypted data can further boost security, some remain unsure as to whether or not to actually do it. Sometimes, the company may not have the technology needed to check incoming encrypted data effectively; sometimes, the doubt stems from uncertainty in relation to employees' rights to privacy.
This uncertainty ensures that the status quo is maintained, and that encrypted data traffic is accepted without question even though the organization has no idea what a data packet contains or whether it could cause harm to the company or its employees.
The General Data Protection Regulation (GDPR) introduced in mid-2018 is one of the reasons why many CISOs doubt the legitimacy of measures to scan encrypted data traffic. Although the regulation does not set out exactly which preventive measures organizations should implement to be considered compliant, it is very clear on one thing: organizations are responsible for providing a secure digital work environment for their employees.
If an organization has no idea what data is coming into its systems and what the impact of it could be, it is not doing everything it could to facilitate a secure digital working environment as described in Article 32 of GDPR.
For any CISOs who have concerns about privacy, remember this: during inspection, the reports and logs (or, more accurately, the files generated from them) can be configured to show only metadata to operators. All PI fields are blocked out. This approach provides enough information to perform a technical check on the data.
If this check suggests that an incident has occurred to justify the disclosure of the PI data, you can initiate a process to gain insight into the obfuscated personal data.
This process applies only in exceptional circumstances, for example, if someone is suspected of leaking data or if you need to know whose systems have been compromised by a hacking attempt. Often, representatives from HR or the legal team are involved in these kinds of processes. Organizations can also set out their processes in privacy policies, which employees are expected to be aware of and understand.
The solution: the security cloud
Organizations are increasingly opting to send and receive all their data traffic via a security cloud. These services have sufficient capacity to analyze vast amounts of data, including encrypted data, in very short timeframes before forwarding it on to end users.
One of the main advantages of this way of working is that the process of decryption and inspection takes place in the cloud, which means that organizations do not need to make huge investments in processing power and that they only receive data that has been approved by the cloud security provider.
Thanks to cloud technology, organizations can continue to benefit from the power of encryption, remain compliant with regulations, such as GDPR, and assure their employees that their privacy and data will be protected across all their devices.
Let’s Encrypt: OK, maybe nuking three million HTTPS certs at once was a tad ambitious. Let’s take time out – The Register
Let's Encrypt has halted its plans to cancel all three million flawed web security certificates after fearing the super-revocation may effectively break a chunk of the internet for netizens.
Earlier this week, the non-profit certificate authority, which issues HTTPS certs for free, announced a plan to disable some three million certificates tainted by a software bug.
The programming blunder, in Let's Encrypt's automated certificate management software, affects users who create a certificate for a domain and then, some days later, create more related certificates: the code bungled the rechecking process that needed to take place.
Website owners were told to fix their certs as soon as possible because mass revocation would begin on March 4, at 16:00 PT (00:00 UTC). Failure to take action meant visitors to unamended websites would see warnings of insecure connections in their browsers. The culling process actually began March 4, 00:00 PT (20:00 UTC).
The short timeline is a consequence of the Baseline Requirements that Certificate Authorities agree to follow. Even so, Let's Encrypt only managed to make it halfway through the process before calling time.
In a forum post on Wednesday, Josh Aas, executive director of Let's Encrypt, announced a delay to avoid undue damage to the internet.
"Unfortunately, we believe it's likely that more than one million certificates will not be replaced before the compliance deadline for revocation is upon us at March 5 19:00 PT (03:00 UTC, 21:00 US EST)," wrote Aas. "Rather than potentially break so many sites and cause concern for their visitors, we have determined that it is in the best interest of the health of the Internet for us to not revoke those certificates by the deadline."
By the compliance deadline this evening, Aas said, 1,706,505 certificates that had already been replaced would have been revoked. And 445 certificates for domains that forbid issuance by Let's Encrypt were treated as high-priority targets for revocation.
As for the remaining 1.3 million or so, some of these will be revoked when Let's Encrypt is certain that doing so will not cause undue disruption. Other bad certs left untreated should die of old age. Aas said that since Let's Encrypt certificates only have 90-day lifetimes (they're designed for auto-renewal), unfixed certs will expire on their own if not dealt with.
The Register asked Let's Encrypt whether the owners of the spared certs have been told they have extra time. Evidently, they haven't.
"The original set of affected subscribers for whom we have email addresses were sent an email letting them know of the error with their certificates," a spokesperson said.
"That email guided them to our forum to get help and the most updated information. The forum is the best place to interact with Let's Encrypt, so we aim to drive people there as much as possible."
Global Internet Security Audit Market Analysis, Key Insights, and Forecast 2025 By Application, Type, End User and Region – Feed Road
Internet Security Audit Market Size, Type, Application, and Regional Analysis, Trading Analysis, Industry Analysis, Premium Insights, Patent Analysis, Market Attractiveness, Competitive Landscape, Traders/Distributors, Key Buyers, Forecasts 2020-2025
The Global Internet Security Audit Market study exhibits a comprehensive analysis of the present and future market trends across the globe. The study presented by Reportspedia presents convincing data referring to the commercialization aspects, industry dimension, and profit estimation of the market. The latest report on the Internet Security Audit industry provides an end-to-end analysis of this business vertical, and includes detailed information about the industry with respect to key constraints such as the present market size, revenue, market share, periodic deliverables, and profit estimations for the forecast period of 2020-2025.
The Leading Companies Included In the Reports Are:
Symantec, Intel Security, IBM, Cisco, Trend Micro, Dell, Check Point, Juniper Networks, Kaspersky, Hewlett Packard, Microsoft, Huawei, Palo Alto Networks, FireEye, AT&T Cybersecurity, AVG Technologies, Fortinet, ESET, Venustech, H3C Technologies, NSFOCUS
Trade analysis of the market is also a key aspect of the report, as it provides information on the import and export of the product across the globe. Analysis tools such as SWOT analysis and Porter's five forces model have been applied to present in-depth knowledge of the Internet Security Audit market. The industry has also been analyzed in terms of value chain analysis and analysis of regulatory policies.
The study also illustrates the competitive landscape of foremost manufacturers in the industry, with their diverse portfolios and geographical expansion activities. The Internet Security Audit market report by Reportspedia also includes a financial overview of participants, consisting of an assessment of revenue outcomes, sales volume, gross margin, cash flow, capital investment, and growth rate, which will allow clients to gain intact knowledge of participants' financial strengths and position in the global Internet Security Audit industry.
Market Size Segmentation by Region (or Countries), Types and Applications:
Key Focused Regions in the Internet Security Audit market:
South America (Brazil, Argentina)
The Middle East & Africa(South Africa, Saudi Arabia)
Europe (Spain, U.K., Italy, Germany, Russia, France)
North America (U.S., Mexico, Canada)
Asia-Pacific (China, Japan, India, Southeast Asia)
Global Internet Security Audit Market Size Segmentation by Type:
System Level Audit, Application Level Audit, User Level Audit
Global Internet Security Audit Market Size Segmentation by Application:
Government, Education, Enterprise, Financial, Medical, Aerospace, Defense and Intelligence, Telecommunication, Other
Report Objectives:
1) Examination of the global Internet Security Audit market size by value and size.
2) To accurately calculate the market segments, consumption, and other dynamic factors of the various units of the market.
3) Determination of the key dynamics of the market.
4) To highlight key trends in the market in terms of manufacturing, revenue and sales.
5) To summarize the top players of Global Internet Security Audit industry and show how they compete in the industry.
6) Study of industry procedures and costs, product pricing and various developments associated with them.
7) To showcase the performance of different regions and countries in the Global Internet Security Audit market.
The Report Answers the key Questions
What are the important trends and dynamics?
Where will most development take place in the long term?
Which regulations will impact the industry?
What does the competitive landscape look like?
What openings are yet to come?
TOC of Internet Security Audit Market Report Includes:
1 Industry Overview of Internet Security Audit Market
2 Industry Chain Analysis
3 Manufacturing Technology
4 Major Manufacturers Analysis
5 Global Productions, Revenue and Price Analysis by Regions, Creators, Types and Applications
6 Global and Foremost Regions Capacity, Production, Revenue and Growth Rate of Internet Security Audit market (2015-2019)
7 Consumption Volumes, Consumption Value, Import, Export and Trade Price Study of Internet Security Audit market by Regions
8 Gross and Gross Margin Examination
9 Marketing Traders or Distributor Examination
10 Worldwide Impacts on Internet Security Audit Industry
11 Development Trend Analysis
12 Contact information of Internet Security Audit
13 New Project Investment Feasibility Analysis
14 Conclusion of the Global Internet Security Audit Industry 2020 Market Research Report
Modernizing Threat Management for the Evolving Attack Surfaces of OT, IoT and IoMT – Security Intelligence
The traditional threat landscape comprised of conventional IT assets is difficult enough to protect, detect and respond to, but the landscape seems to be quickly expanding beyond traditional IT. Those new domains are operational technology (OT), the internet of things (IoT) and the internet of medical things (IoMT).
Devices from non-traditional IT environments are finding their way onto corporate intranets, which can create a shadow IT environment. These devices are unmanaged and some managers don't have a full understanding of the risks associated with these devices. More visibility into these devices could help a chief information security officer (CISO) to understand whether they are acting appropriately. As the number of connected devices within an enterprise grows, so too does the attack surface if these connected and shadow devices do not have security built into them. This wave of digital transformation provides new attack vectors that could come with significant and far-reaching risk and liability.
Industrial organizations are adding many connected technologies into the manufacturing process, such as industrial control systems (ICS), supervisory control and data acquisition systems (SCADA), distributed control systems (DCS), programmable logical controllers (PLC) and smart sensors. Manufacturing environments have devices on the assembly line and robots, oil pipelines have pressure sensors, and food facilities have temperature sensors. With the addition of these numerous connected devices can come mounting security risks to critical infrastructure.
A yearly research study conducted by IBM shows that in 2019 there was a 2,000 percent increase in OT cybersecurity attacks. Yes, you read that correctly: 2,000 percent. As operational organizations and industries experience innovation and connectivity, bad actors can take notice and execute security attacks. To help mitigate these risks, organizations can adopt an operational technology security strategy.
As businesses modernize their operational equipment and traditional IT systems rely on operational data to optimize and improve organizational metrics, the two environments are converging. Traditional IT infrastructure can control physical assets in the operational technology domain, and this overlap allows an IT breach to target OT devices. In 2019, IBM X-Force Incident Response and Intelligence Services (IRIS) responded to a breach where ransomware infected an IT system and moved laterally into OT infrastructure. The attack brought plant operations to a halt and caused a ripple effect in global markets. Research also shows that threats to industrial control systems and operational technology will likely continue to grow.
The combination of digital transformation and the Internet of Everything can reshape the modern landscape of goods and services. Additionally, the new dawn of 5G could bring blazing connection speeds and have significant impacts on the number of connected devices. If we look across offices, factories, hospitals and transportation networks, we see numerous devices throughout the organization:
All of these devices are designed to connect and transmit information to other devices and systems. However, IoT devices can present a rapidly growing enterprise security risk. Why is that? IoT devices generally do not have security agents installed. Security agents are pieces of software that allow the collection of device data and enable protection of the device. However, there are connected and unmanaged smart devices that do not have this capability. These issues can make IoT devices easier for attackers to access remotely. IBM's Threat Intelligence Index reports widespread use of command injection (CMDi) attacks containing instructions to download malicious payloads targeting various types of IoT devices. Because many IoT devices do not have security agents to monitor these attacks, we need to take an agentless approach to help gain visibility into devices and their activity on a network.
How do you implement an agentless approach? Machine learning (ML) and artificial intelligence (AI) are a big part of it. Security providers first create an enterprise-scale knowledge base of an organizations devices and combine that with a device behavior crowdsourcing engine. This crowdsourcing engine uses ML and AI to determine when a device exhibits abnormal behavior. For example, an IP camera that is behaving differently than hundreds of others across a clients environment can be flagged as a possible threat.
Additionally, the internet of things is bringing its connectivity to all markets, including the medical industry. The internet of medical things generally refers to a group of medical devices, software applications and infrastructure all connected to the internet. These devices can include heart pumps, patient trackers, blood infusion pumps and more. Patient data captured from these connected devices helps to inform decisions by healthcare providers. Therefore, a cybersecurity threat to these devices could interfere with care and potentially cause physical harm to patients. IBM's Threat Intelligence Index reports that healthcare was the 10th most targeted industry for cybersecurity attacks in 2019.
In short, many organizations are on a journey of digital transformation that is increasing the number of devices and ultimately the variety of threat vectors as potential security targets. The security domain touches on every area of an organization including OT, IoT and IoMT areas.
So how do we provide threat management for all of these connected and unmanaged devices?
The convergence of the device landscape presents a new challenge for organizational security. Attacks against the IoT, for example, need to be analyzed to determine the IT assets the attacker may be ultimately after. In many cases, the IoT or OT device is being utilized as an attack vector only, which ties the security of connected devices to that of traditional IT assets.
Securing these domains requires an integrated approach to threat management and an understanding that threat management is a journey. The NIST Cybersecurity Framework provides a programmatic approach that addresses the entire life cycle of threats. NIST outlines the following five core tasks:
Using a standardized approach such as NISTs can help organize the activities of a security or incident team by outlining a logical, practical approach to incident management. A standards-based approach provides a reliable, repeatable framework for managing multiple types of security incidents and encourages transparency, a shared vocabulary and predictable outcomes in responding to threats.
Potential benefits of using this approach include:
Threat management is the heart and soul of any security organization. Using a standardized approach can help organizations integrate threat and incident life cycle management. Performing NIST functions across the new hybrid landscape can help security organizations manage cybersecurity risks.
IBM's X-Force Threat Management is an integrated program of services and technology designed to help your organization through the entire threat management journey. Our X-Force Threat Management solution helps implement the NIST framework for the OT, IoT and IoMT domains to bring visibility into unmanaged and connected devices. Our solution offers:
We leverage technology that discovers potential threats in your environment: managed and unmanaged devices, both on and off your network, as well as in your airspace. IBM's X-Force Threat Management integrates the capabilities of offensive security services, managed security services, artificial intelligence, incident response and continuous improvement. IBM X-Force Threat Management offers integrated threat and incident life cycle management.
Modernizing Threat Management for the Evolving Attack Surfaces of OT, IoT and IoMT - Security Intelligence
WhatsApp Provides Information to Intelligence Services – What is the Safest Messenger? – Communal News
Jake Leslie Davis announced on Twitter that WhatsApp passes all of its users' information to the security services. Davis (also known as Topiary) is a professional hacker from the United Kingdom who previously worked with Anonymous, the decentralized international hacktivist group widely known for its DDoS attacks against several governments. Davis came in from the cold and became a cybersecurity expert.
WhatsApp Messenger is a free messaging app for Android and other smartphones that uses the phone's Internet connection. According to Davis, a user who requests access to their data under the General Data Protection Regulation (GDPR) is sent a list of all their contacts and the names of every group they belong to. It contains both old and new data, from every phone the user has ever used.
Davis is concerned that there is a high probability this information can be passed to intelligence agencies, and so foreign agencies could end up with access to your data. China and Russia are notorious for hacking. This information reveals large networks of people: who communicates with whom, and which groups they belong to.
There is also a risk of being added to a group with a dubious name and content.
Earlier it was reported that using the Google search engine, users of the WhatsApp messenger can find links that allow them to enter private chats.
Last year, Edward Snowden warned about the use of WhatsApp and Telegram messaging services. Telegram is a cloud-based instant messaging and voice over IP service.
The US government uses PRISM (a code name) under which the United States National Security Agency (NSA) collects internet communications from various US internet companies. PRISM collects stored internet communications based on requests that are made to internet companies under Section 702 of the FISA Amendments Act of 2008 to turn over any data that match court-approved search terms.
Russia uses SORM. It is an intelligence gathering system in Russia that has a wide reach. It can also collect information on the servers based in Russia. Hence, that is the main reason why the Kremlin wants everything on Russian servers. Overall, PRISM is superior compared to SORM.
The most dangerous Russian services that gather all your information for the Kremlin are Vkontakte, Odnoklassniki, Yandex, Rambler, Mail.ru, Snapchat and Telegram.
Currently, the most secure messengers are Signal and Wire.
Every time you open the app and use the internet, you are being tracked in a myriad of ways. The information is used for marketing as well as for intelligence gathering by governments. You also face the threat of being hacked by criminal enterprises seeking access to your information.
WhatsApp Provides Information to Intelligence Services - What is the Safest Messenger? - Communal News
It has been 15 years, and we're still reporting homograph attacks: web domains that stealthily use non-Latin characters to appear legit – The Register
What's old is new again as infosec bods are sounding the alarm over a fresh wave of homoglyph characters being used to lure victims to malicious fake websites.
Researchers at Soluble said today that they worked with Verisign to block the registration of domain names that use homoglyphs, non-Latin characters that look just like letters of the Latin alphabet, to masquerade as legitimate domains.
First reported back in the 2000s, this technique allows miscreants to use characters that, when displayed in the browser's address bar, appear to show the URL of a valid site such as Apple.com or Google.com despite being a completely different domain name. These bogus sites are designed to look real while phishing credentials or distributing malware. You think you're logging into Google.com from an email or instant-chat link, but really you're handing over your password to a crook.
There have been a number of efforts over the years, most recently in 2017, we reckon, to rid the internet of homograph abuse once and for all.
In the most recent case, it was found that characters from the Unicode Latin IPA Extensions block could be, and were being, used to set up lookalike domains.
"Between 2017 and today, more than a dozen homograph domains have had active HTTPS certificates," noted Soluble researcher Matt Hamilton. "This included prominent financial, internet shopping, technology, and other Fortune 100 sites. There is no legitimate or non-fraudulent justification for this activity."
Normally, it would not be possible to register domains with mixed scripts, as Verisign put protections in place years ago. However, the researchers found that those protections did not extend to Unicode Latin IPA, meaning that prior to Verisign updating its filters after being tipped off by Soluble, the characters could be used to set up lookalike URLs.
"Safeguarding the stability, security and resiliency of the critical infrastructure we operate is our top priority," Verisign said in a statement. "While the underlying issue described by Mr Hamilton is well understood by the global Internet community and is the subject of active policy development by ICANN, we appreciate him providing additional timely details about how this issue may be exploited.
"Although we understand that ICANN has been on a path to address these issues globally, we have also proactively updated our systems and obtained the necessary approval from ICANN to implement the changes to the .com and .net top-level domains required to prevent the specific types of confusable homograph registrations detailed in Mr Hamilton's report."
Fortunately, the domains are hard enough to register and set up that miscreants don't want to burn them on anything other than the highest-value of targets.
"While it is unlikely that you, the reader, were attacked with this technique," Hamilton notes, "it is likely that this technique was used in highly targeted social-engineering campaigns."
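The registry-side filter the article describes (reject labels that mix scripts, and now also labels drawn from the IPA Extensions block) is easy to reproduce for your own domain monitoring. The following is an added example, not code from Soluble, Verisign or The Register: it decodes an xn-- label back to Unicode with the standard-library punycode codec, reports which scripts the letters come from, flags any code point in the IPA Extensions block (U+0250 to U+02AF), and folds a small constructed table of confusable characters to an ASCII "skeleton" to see whether the name impersonates one of a constructed list of protected domains. The confusables table and the protected list are assumptions for the example; the real Unicode confusables.txt is much larger.

```python
import unicodedata

# Constructed confusables table for this example: a few non-ASCII code points
# that render like ASCII letters. The full Unicode confusables.txt is far larger.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0261": "g",  # LATIN SMALL LETTER SCRIPT G (IPA Extensions block)
    "\u026a": "i",  # LATIN LETTER SMALL CAPITAL I (IPA Extensions block)
    "\u0280": "r",  # LATIN LETTER SMALL CAPITAL R (IPA Extensions block)
}

# Code point range of the Unicode IPA Extensions block.
IPA_EXTENSIONS = range(0x0250, 0x02B0)

# Constructed list of domains we want to protect against lookalikes.
PROTECTED = ("apple.com", "google.com")


def decode_label(label):
    """Turn an A-label (xn--...) back into Unicode; other labels pass through."""
    if label.startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def encode_label(label):
    """Turn a Unicode label into its xn-- A-label; ASCII labels are unchanged."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")


def to_ascii(domain):
    """Domain in the form the DNS and the registry actually see."""
    return ".".join(encode_label(part) for part in domain.split("."))


def scripts(label):
    """Script names (first word of the Unicode character name) of the letters in a label."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def skeleton(label):
    """Fold confusable code points to the ASCII letter they resemble."""
    folded = unicodedata.normalize("NFKC", label)
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)


def analyze(domain, protected=PROTECTED):
    """Report the homograph indicators for one domain (Unicode or xn-- form)."""
    labels = [decode_label(part) for part in domain.lower().split(".")]
    unicode_form = ".".join(labels)
    skel = ".".join(skeleton(part) for part in labels)
    report = {
        "unicode": unicode_form,
        "scripts": sorted(set().union(*(scripts(part) for part in labels))),
        # Verisign's existing filter: more than one script inside one label.
        "mixed_script": any(len(scripts(part)) > 1 for part in labels),
        # The gap Soluble reported: single-script Latin, but from IPA Extensions.
        "ipa_extension": any(ord(ch) in IPA_EXTENSIONS for part in labels for ch in part),
        # A different string whose skeleton collides with a protected name.
        "impersonates": skel if skel in protected and skel != unicode_form else None,
    }
    report["suspicious"] = bool(
        report["mixed_script"] or report["ipa_extension"] or report["impersonates"]
    )
    return report


if __name__ == "__main__":
    for name in ("apple.com", "\u0430pple.com", "\u0261oogle.com", to_ascii("\u0261oogle.com")):
        print(name, analyze(name))
```

Run it against the xn-- names in a certificate-transparency feed or a zone file rather than against rendered Unicode: the A-label is what gets registered, and the mixed-script test alone would have passed the IPA-based names, which is exactly the gap the article reports.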
Dear passwords: Forget you. Here’s what is going to protect us instead – USA TODAY
Do you hate remembering passwords? Soon, you may be able to forget them for good.
For years, we've relied on a secret we share with a computer to prove we are who we say we are. But passwords are easily compromised through a phishing scam or malware, a data breach or some simple social engineering. Once in the wrong hands, these flimsy strings of characters can be used to impersonate us all over the internet.
Slowly, we're kicking the password habit. With data breaches costing billions, the pressure is on to find more foolproof ways to verify someone's identity.
"We are moving into a world which we're calling passwordless, which is the ability for our applications, devices and computers to recognize us by something other than the old-fashioned password," says Wolfgang Goerlich, advisory chief information security officer for Cisco-owned security firm Duo.
Newer forms of identification are harder to imitate: something we are (such as the contours of our face or the ridges of our thumb) or something we have (physical objects such as security keys).
Intuit, for example, lets users sign into its mobile apps with a fingerprint, facial recognition or their phone's passcode instead of a password. Your fingerprint or screen lock can access some Google services on Pixel and Android 7+ devices.
Goerlich estimates that within five years, we could be logging into most of our online accounts the same way we unlock our phones. And then we will finally be able to break up with passwords for good.
What will replace them? That's a bit more complicated.
Any system that depends on a single factor isn't secure enough, according to Vijay Balasubramaniyan, CEO of Pindrop, a voice authentication and security company. Biometric information such as an iris scan or a fingerprint can be stolen, too, and you can't change those.
Balasubramaniyan predicts several pieces of information will be used to verify identity. Machines will analyze our speech patterns or scan our fingerprints. We'll also be identified by something we have (our mobile devices, computers, key cards, fobs or tokens) and something we do (our movements and location, our behavior and habits, even how we type).
If that seems more invasive than sharing some random bits of knowledge such as our mother's maiden name or a PIN, it is. But Balasubramaniyan argues these trade-offs are necessary to shield our personal information in a hyper-connected world.
"It's going to be scary," he says, "but it's time for consumers to demand a higher level of privacy and security."
Secret words to tell friend from foe have been around since ancient times and, in the early days of the internet, they made a lot of sense.
We started out with just a handful of passwords to access our email, a few e-commerce sites, maybe an online subscription or two. But soon, we were transferring our entire existence into the cloud, storing our medical and financial information, photos of our kids and our innermost musings there.
And every time we clicked a link or downloaded an app, we had to come up with another password. As even more devices connected to the internet, from home surveillance systems to thermostats, we hit password overload.
Today, people have an average of 85 passwords to keep track of, according to password manager LastPass. Our brains just aren't wired to squirrel away unique passwords for so many online accounts. So we reuse and share them. We jot them down on Post-Its or in Word documents. We sign in with Facebook or Google. We shell out a few bucks for a digital password manager.
But data breaches keep proliferating. So we're told to conjure up stronger passwords, the longer and more random the better (use special characters!). We're prodded to enable two-factor authentication. And we grumble so much about it all that our collective frustration has turned into a popular internet meme: "Sorry, your password must contain a capital letter, two numbers, a symbol, an inspiring message, a spell, a gang sign, a hieroglyph and the blood of a virgin."
Turns out the only fans of passwords are hackers and identity thieves. Even researcher Fernando Corbató, who helped create the first computer password in the early 1960s, was a detractor before he died.
Corbató told the Wall Street Journal in 2014 that he used to keep dozens of his passwords on three typed pages. He called the current state of password security "kind of a nightmare."
"Passwords are a 60-year-old solution built on a 5,000-year-old idea," says Jonah Stein, co-founder of UNSProject, which allows you to access your accounts using the camera on your phone. "Daily life demands that we create and remember a new password for almost every single thing we do: reading the news, paying bills, or simply ordering a pizza. The promise of online convenience has been broken by antiquated authentication solutions with unrealistic security best practices."
So will passwords finally go the way of the eight-track tape? For years, reports of their demise have been greatly exaggerated. Tech leaders have dangled but never delivered on promises to eliminate passwords.
"There is no doubt that, over time, people are going to rely less and less on passwords," Microsoft's billionaire founder Bill Gates told the RSA conference in 2004. "People use the same password on different systems, they write them down and they just don't meet the challenge for anything you really want to secure."
So what's taking so long? Too many options being floated and too little consensus on what will work best.
Companies, eager for our eyeballs and our business, are holding out for solutions that strike a balance between convenience and security. With security costs skyrocketing and consumer trust flailing, the industry is under growing pressure to lock down our accounts, security experts say. By 2023, 30% of organizations will use at least one form of authentication that does not involve a password, a significant increase from the 5% today, according to research firm Gartner.
One of the major proponents of a password-free world is the FIDO Alliance, which stands for Fast Identity Online. The consortium of heavyweights from Google to Microsoft is developing technical standards to verify identity. Apple recently joined the FIDO Alliance, giving the group even more clout.
We cant ditch passwords overnight, but, according to Andrew Shikiar, executive director of the FIDO Alliance, the imperative is there now.
Businesses are feeling these pain points and they are being pushed to come up with solutions that are not dependent on the old ways of authenticating, he says.
That the industry is working arm in arm on solutions is really unprecedented, Shikiar says. This sort of collaboration is a very good sign that, not only is there a way to go past passwords, there is a will.
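The property that makes the FIDO approach more than a convenience is that a credential is bound to the origin it was created for, so a phishing page cannot obtain a response that the real site will accept, whereas a password typed into the phishing page works anywhere. The following is an added example written for this page, not code from Duo, the FIDO Alliance or USA TODAY: a toy authenticator that keeps one key per origin and answers a challenge only for the origin the browser reports, next to a plain password check that a relayed password passes. The origins, user name and password are constructed; HMAC over a symmetric key stands in for the real asymmetric signature and key pair so the example needs only the Python standard library.

```python
import hashlib
import hmac
import secrets

REAL_ORIGIN = "https://accounts.example"    # constructed relying-party origin
PHISH_ORIGIN = "https://acc0unts.example"   # constructed lookalike phishing origin


class Authenticator:
    """Stand-in for a FIDO authenticator: one credential per origin, never shared
    across origins. HMAC replaces the real signature so the example runs on the
    standard library alone; the origin binding is the point being shown."""

    def __init__(self):
        self._keys = {}

    def register(self, origin):
        key = secrets.token_bytes(32)
        self._keys[origin] = key
        return key  # a real authenticator would hand back a public key

    def respond(self, origin, challenge):
        # The browser, not the page, supplies the origin, so a phishing page
        # cannot ask for a response bound to someone else's origin.
        key = self._keys.get(origin)
        if key is None:
            return None  # no credential for this origin: nothing to sign
        return hmac.new(key, origin.encode() + b"|" + challenge, hashlib.sha256).digest()


class RelyingParty:
    """Server side: stores credentials and verifies challenge responses."""

    def __init__(self, origin):
        self.origin = origin
        self.password_hashes = {}
        self.credentials = {}
        self.pending = {}

    # Password path: a shared secret that anyone who captures it can replay.
    def set_password(self, user, password):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self.password_hashes[user] = (salt, digest)

    def check_password(self, user, password):
        salt, stored = self.password_hashes[user]
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return hmac.compare_digest(stored, digest)

    # Passwordless path: a fresh challenge, answered under this server's origin.
    def enroll(self, user, authenticator):
        self.credentials[user] = authenticator.register(self.origin)

    def challenge(self, user):
        c = secrets.token_bytes(32)
        self.pending[user] = c
        return c

    def verify(self, user, response):
        c = self.pending.pop(user, None)
        if c is None or response is None:
            return False
        expected = hmac.new(self.credentials[user], self.origin.encode() + b"|" + c,
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def password_relay_succeeds():
    """Victim types the password into the phishing page; the attacker replays it."""
    rp = RelyingParty(REAL_ORIGIN)
    rp.set_password("alice", "correct horse battery staple")
    captured = "correct horse battery staple"  # what the phishing page saw
    return rp.check_password("alice", captured)


def fido_relay_succeeds(victim_also_enrolled_at_phish=True):
    """Attacker relays the real server's challenge through the phishing page."""
    rp = RelyingParty(REAL_ORIGIN)
    auth = Authenticator()
    rp.enroll("alice", auth)
    if victim_also_enrolled_at_phish:
        # Worst case: the victim also "signed up" on the lookalike site, so the
        # authenticator does hold a credential for the phishing origin.
        RelyingParty(PHISH_ORIGIN).enroll("alice", auth)
    challenge = rp.challenge("alice")                 # attacker fetches this from the real site
    response = auth.respond(PHISH_ORIGIN, challenge)  # browser binds the page's true origin
    return rp.verify("alice", response)               # attacker forwards whatever it got


def legitimate_fido_login_succeeds():
    rp = RelyingParty(REAL_ORIGIN)
    auth = Authenticator()
    rp.enroll("alice", auth)
    challenge = rp.challenge("alice")
    return rp.verify("alice", auth.respond(REAL_ORIGIN, challenge))


if __name__ == "__main__":
    print("password replay accepted:", password_relay_succeeds())
    print("FIDO relay accepted:", fido_relay_succeeds())
    print("FIDO relay accepted (no phish credential):", fido_relay_succeeds(False))
    print("legitimate FIDO login accepted:", legitimate_fido_login_succeeds())
```

Two details carry the security argument: the challenge is single-use (popped from `pending`), so a captured response cannot be replayed later, and the origin is mixed into what gets signed, so a response produced for the lookalike site is worthless at the real one even when the victim holds credentials for both.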
Read or Share this story: https://www.usatoday.com/story/tech/2020/02/28/data-breaches-hackers-passwords/4870309002/
Dear passwords: Forget you. Here's what is going to protect us instead - USA TODAY
Do these three things to protect your web security camera from hackers – ZDNet
Owners of smart cameras, baby monitors and other Internet of Things products have been urged to help keep their devices safe by following three simple steps to boost cybersecurity and making it more difficult for hackers to compromise them.
The advice from the UK's National Cyber Security Centre (NCSC), the cyber arm of the GCHQ intelligence agency, comes as IoT security cameras and other devices are gaining popularity in households and workplaces.
However, these devices can bring additional risks to users, as insecure settings can leave IoT cameras open to hackers who could use them to snoop on what's going on, or even use the device as a stepping stone to hack into the rest of the network.
But the NCSC's new guidance paper, "Smart security cameras: using them safely in your home", sets out three things users can do to make it much harder for their IoT devices to be hacked or accessed without authorisation. They are:
1. Change the default password
Many IoT devices ship with a default password that is either short and easy to guess, or the same on every unit of the product, meaning that if the password for one device is leaked, it's leaked for everyone.
The NCSC recommends that users change the password on the device, usually through the app used to monitor it. The advice from the NCSC is to change the password to three random words and to avoid anything in the list of the most commonly hacked passwords.
2. Apply software updates regularly
Users can go a long way to keeping the IoT camera secure by regularly applying the relevant software updates which often not only add new features, but boost the security of the device. If possible, users should set the device to automatically install these firmware updates, so that the device is protected in the most up-to-date way possible and without the user having to think about doing it by themselves.
3. Disable remote viewing if you don't need it
If users don't need the feature that allows them to view camera footage remotely over the internet, the NCSC recommends disabling it, so that an attacker who does gain access to the device cannot snoop on the room the camera is in.
"Smart technology such as cameras and baby monitors are fantastic innovations with real benefits for people, but without the right security measures in place they can be vulnerable to cyber attackers," said Dr Ian Levy, technical director at the NCSC.
"These are practical measures which we can all take to help us get the most out of our home-based technology in a safe way," he added.
The advice from the NCSC comes shortly after the UK government proposed draft legislation for Internet of Things security that would mean device manufacturers would have to adhere to particular standards in order to sell products to consumers in the UK; however, it remains unclear how these rules will be enforced.
Do these three things to protect your web security camera from hackers - ZDNet