Category Archives: Internet Security

Cyber Minds: Expert Insights on Blockchain and Much More – Government Technology

Shira Rubinoff is the President and Co-Founder of Prime Tech Partners, which is a unique incubator in NYC. She is also the President of SecureMySocial, which warns people of social media problems in real time.

In Shira's new book Cyber Minds, we see a unique mix of cutting-edge perspectives on blockchain and where it is going, insights on several hot technologies like AI and the Internet of Things (IoT), as well as solid cybersecurity advice for technology and business leaders.

Cutting right to the core, this book offers the best practical content I have seen regarding blockchain's potential, future, and cybersecurity opportunities and drawbacks. The materials on blockchain, which include interviews with thought leaders in the area, are simply ground-breaking.

Here's an excerpt from page 52 regarding blockchain:

"If you look into the financial services space, we've blueprinted the financial architecture and sort of overlaid it with the crypto industry. When you look at that, you realize that within five years, something amazing has been built. We've got exchanges, wallets, mining, interfaces, and so on. It's all moving towards institutional grade infrastructure.

Logistics is another example. In the past few weeks, we've heard the news of the biggest competitors in logistics coming together. I believe it was DHL, UPS, and FedEx coming together to think about how they can use blockchain to reduce and merge the burden of governance in the system. We'll get more efficient Internet safety from that.

Blockchain is being used by farmers for cattle feeding and in Switzerland, it's starting to be used in the watch industry and the butter industry among others."

Here's one other excerpt that I like from page 60 (quoting Sally Eaves) on the leading blockchain sectors:

"Yes, I would say two sectors (are leading) - financial services and supply chain. We are going to see more development in both, but I would love to showcase a sector outside of this too: healthcare.

I am seeing a lot of research and development focused on the 'marriage' of AI and blockchain technologies. As an example, we have opportunity to use blockchain as a method of security for our DNA data, negating fears of it being misused - while AI can enable rich insights to be anonymously extracted from it. ..."

Input From Experts

This book gets 5 stars from me for the blockchain material alone, but it also offers interviews and recommendations on cloud security, IoT, artificial intelligence (AI) and much more. From my perspective, the advice offered from these top global leaders is excellent.

Topics Covered in Book Cyber Minds

Here's an overview of the topics covered in the book:

I also like the straight-forward and easy to understand steps that Ms. Rubinoff uses to describe cyber hygiene, and those sections in the beginning and ending serve as a primer for readers who have less experience and insight into cybersecurity challenges. The workforce development strategies include:

After giving you these guidelines, Shira warns about the most common behaviors that could lead to a data breach and the psychology behind them.

This YouTube video shows Ms. Rubinoff's excellent speaking skills and her ability to communicate on technical topics.

Final Thoughts

The interviews and insights offered in this book make it an excellent choice for technology, security and business leaders to learn the latest approaches and thinking on cybersecurity on a range of hot tech topics. I find the insights and interviews discussing topics like blockchain and cloud computing to be very insightful and different.

I have no hesitation in strongly recommending this book and giving it 5 stars.


The top UK cyber security companies – Information Age

Investing in the right cyber security for your company is more vital than ever, but which are the top UK cyber security companies right now?

It's important to know what kinds of services your company needs.

The following cyber security companies vary in what services they provide, from what devices or software they cater for, to the kinds of security they offer. Some completely focus on cyber security, and others deal in multiple services, including cyber security.

Looking for the right cyber security provider may depend on the size of your company, or the areas of the company's system that you feel are the most vulnerable.

With this in mind, let's take a look at the top UK companies in the space right now.

Professional services company EY offers cyber security advice to companies of all sizes, from start-ups to established multi-national firms.

The company has teams dedicated to cyber security, strategy, risk, compliance and resilience, and can offer guidance into securing a range of tech, including IoT and cloud.

Cyber security services offered by EY include a cyber maturity accelerator, vulnerability assessments and penetration testing.

Clearswift specialises in data loss prevention (DLP) and protecting against leaks.

The firm offers companies various products that focus on this issue, including its Adaptive Data Loss Prevention tool, which aids effective data storage and transfer, and SECURE gateways for email, web and the Internet Content Adaptation Protocol (ICAP).


Telecommunications provider BT offers network-based security in the form of behavioural analytics for guidance.

The company has its own cyber security platform, which protects its customers as well as its own infrastructure, as well as Cyber Defence Operations for larger corporations.

Specific specialist services that BT offers include asset oversight, threat identification and neutralisation, and continuity planning in the event of future Distributed Denial of Service (DDoS) attacks.

Professional services provider PwC offers two forms of network cyber security: IT risk identification and security, and cyber threat detection and response.

Services include rapid risk reduction, compromise discovery assessments and crisis management.

PwC adopts both proactive and preventive approaches in order to protect the networks of larger companies.

Defence, security and aerospace firm BAE offers cyber security to commercial and governmental customers.

Its services include fraud detection and prevention, incident response and services relating to regulation compliance.

The company focuses on helping its clients to stop cyber attacks from penetrating their systems in the first place using analytics.


Data protection specialists Sophos deals in antivirus and encryption, as well as securing Wi-Fi and email gateways.

While the company also offers products for cyber security at home, the business-orientated services that Sophos offers include endpoint protection, firewalls and protection for the cloud.

Acuity Risk Management analyses and guides larger corporations in dealing with cyber threats.

Risk management guidance is given via its software platform, STREAM Integrated Risk Manager, which features analytics, as well as dashboards and reports.

The services offered by Acuity through STREAM focus on governance, risk and compliance (GRC).

The services offered by Becrypt focus on endpoint encryption and protection for enterprise IT and the Internet of Things (IoT).

Its clientele range from governmental bodies to businesses and organisations with critical infrastructure.

Also offering USB/port control, Becrypt additionally manages devices on iOS and Android.


SentryBay is a DLP company offering its services to a variety of industries, from financial services to insurance.

Its Data Protection Suite (DPS) is a prominent feature, but the company's capabilities also include anti-keylogging and mobile security.


Recent IPO Cloudflare Closes Out 2019 Strong and Is Poised for More Growth – Motley Fool

After rising 20% after its debut as a public company in September 2019, Cloudflare (NYSE:NET) hasn't been able to hold on to any positive traction since. There are reasons for that, including a premium valuation factoring for continued double-digit sales growth and a lockup period on shares expiring the first half of March 2020 (which could trigger share price declines if too many of those shareholders decide to sell). Nevertheless, the cloud computing and internet security outfit has a unique growth strategy and plays in a fast-growing industry, and is thus worth a look after delivering a strong end to 2019.

During the final quarter of 2019, Cloudflare's sales accelerated from the pace set during the first nine months of the year. Revenue increased 51% to $83.9 million, and adjusted gross profit also grew as the company added more customers to its lineup of cloud-based web delivery and security services. In total, Q4 helped Cloudflare notch a 49% increase in revenue in its first year as a public concern, and adjusted net losses for full-year 2019 were $69.5 million compared with $59.5 million in losses in 2018 as cash was funneled back into the business to maximize growth.

Metric                          Three Months Ended Dec. 31, 2019   Three Months Ended Dec. 31, 2018   Change
Revenue                         $83.9 million                      $55.5 million                      51%
Adjusted gross profit margin    78.7%                              76.9%                              1.8 pp
Operating expenses              $95.7 million                      $59.6 million                      61%
Adjusted net earnings (loss)    ($16.4 million)                    ($15.6 million)                    N/A

pp = percentage point. Data source: Cloudflare.

Of course, not all investors are going to be comfortable with a company that intentionally operates at a loss, and that is forecast to continue that way. Adjusted operating losses (which back out one-time expenses and noncash stock-based employee compensation) are expected to be $65 million to $61 million in 2020 as Cloudflare continues to invest in new services and foster sales. The upshot, though, is that the 2020 revenue outlook for $389 million to $393 million implies another 36% increase over 2019 at the midpoint, and the company is well funded to support its ambitions with $637 million in cash and equivalents in the bank.


Based on those expectations, Cloudflare stock trades for 14 times one-year forward sales. It isn't cheap, but it is a relative value compared with some of the other cloud-native software and security providers that went public in 2019. And there is plenty of room for the company to keep growing at the rates it has been.

Cloudflare has taken a different approach to promoting its services, starting with small businesses and fellow start-ups to try out its web delivery, edge network, and cybersecurity offerings -- often for free. As the products are perfected, Cloudflare then moves upmarket with its software and starts picking up larger paying customers. It's the opposite approach to the one most cloud vendors utilize these days, but it's been working. CEO Matthew Prince said that the company ended the year with 2.6 million total customers. Only 82,000 of them pay, but that number was an 8% increase over the third quarter of 2019 alone.

This strategy has a number of potential benefits. First, Cloudflare is getting small but future high-growth companies into its ecosystem early. That gives the software outfit some built-in growth even if its total customer count were to suddenly stall. Second, while small businesses get the software tech they need for free or at a low cost, the strategy allows Cloudflare to test out new products of its own before going after larger deals.

As for those large customers (which Cloudflare defines as having billings of at least $100,000 per year), total count nearly doubled in 2019 and tallied up to 550 at the end of the year. Dollar-based net retention was also 112% in Q4, implying that existing paying customers were spending 12% more than a year ago.

In short, while Cloudflare may get overlooked from the 2019 class of tech IPO stocks, there is a lot of good going on at the cloud computing company. New products are continuously being released, and global spending on the cloud industry is still growing by double digits. Investors who can ride out the ups and downs and scoop up some more shares on the dips should put this stock on their radar.


For Free Expression in Iran, the U.S. Can Act to Keep the Internet On – Just Security

Iran's parliamentary elections on Feb. 21 will be neither free nor fair. Thousands of candidates have been disqualified, and there have been calls from Iran's civil society leaders and others to boycott the process entirely.

But there's another reason to keep an eye on this election. The Iranian government has throttled (slowed) the flow of information online for users around elections in the past, and this one is unlikely to be an exception. The regime's willingness and capacity to wage such cyber as well as physical crackdowns was evident in November, when it shut off the internet for its population of 81 million people to quell nationwide protests, and then killed and jailed thousands of protesters under cover of online darkness.

Since then, the election boycott movement has gained support, and regional tensions have increased. Authorities may try even more draconian measures to restrict internet freedoms around the election, including ramping up the implementation of the long-planned national intranet, which would give them full control over what sites and content Iranian users can access. This could be more harmful than a complete shutdown, because it would force Iranians onto platforms the regime controls, thus exposing them to government surveillance and monitoring.

What can be done? While the Trump administration has been criticized for its hard-line policies on Iran, the United States has the power to limit or stop efforts to cut off Iranians from the global online world. The U.S. can do this by allowing American companies to provide technology services and platforms to the Iranian people without fear of violating sanctions.

The Trump administration's maximum pressure policy towards Iran has had unintentional consequences. Chief among them is that intensifying pressure around sanctions compliance has caused leading U.S. technology companies to purge Iranian users from their platforms wholesale. These include communication platforms such as Slack and GitHub, and cloud computing platforms such as Amazon Web Services, DigitalOcean, and Google Cloud. Companies purge users with no prior warning and without allowing users to back up and export their data.

In previous years, when authorities tried to block censorship circumvention tools, as they are likely to do during the election, technology teams outside Iran could still find ways to correspond with activists inside. Today, because of the purge of users from major U.S.-based platforms, it is difficult for even the most tech-savvy Iranian activists to reach the outside world.

These purges have also given authorities the perfect opportunity to force the Iranian technology community to move its infrastructure to domestic data centers, giving authorities full physical control and jurisdiction over every server and byte of data. Iranian users worried about the safety of their data were left with no choice.

U.S. technology companies claim they would be happy to provide services to Iranian users but that sanctions bar them from doing so. This is only partly true. Sanctions do prohibit provision of some services. But technology companies are cutting off more than they need to, because they fear litigation and U.S. government fines. The administration can help ease these fears by providing express guidance on what technology sanctions prohibit and permit.

The administration can also help expand existing sanctions exemptions. General License D1, which provides exemptions to technology sanctions for personal use, is ineffective in helping Iranian users access information. The language of the license is vague and has not kept pace with new technologies, such as cloud computing platforms essential for users to run censorship circumvention tools.

The U.S. House of Representatives recently passed a bipartisan resolution calling for an expansion of General License D1. With this bipartisan support, the Treasury Department should revisit the language of General License D1 to help the Iranian people access information freely.

There are many human rights issues in Iran that require attention. But should Iran be permitted to isolate the Iranian people from the global internet and conduct mass surveillance of human rights defenders and political dissidents, all other efforts at supporting human rights and democracy will be for naught. The Trump administration has voiced support for the Iranian people to freely assemble, protest, and express themselves; it also holds the tools to help stave off a total internet blackout. It should act, before it's too late.


5G and the Huawei controversy: is it about more than just security? – BBC Focus Magazine

Between the Internet of Things and smart cities, we expect half a trillion objects to be connected by 2030, from streetlamps to autonomous cars, factories and clothes. The overwhelming majority will rely on 5G and its successor, making wireless technology essential to our daily life, our security, and economy.

British internet providers are already upgrading their networks alongside existing 4G hardware. On the consumer side, the first 5G-capable smartphones hit the market last year, and the UK has allowed Huawei to help build non-core parts of the 5G network.

This has been met with concern, because China seems to be building a surveillance state that is tracking, ranking and controlling its entire population. The fear is that the Chinese government could leverage that data flowing through the parts of the network they build to expand its propaganda and censorship regime beyond its shores.


For example, in early February, the US Department of Justice charged four members of the Chinese military of hacking into the Equifax credit agency in 2017 and stealing the data of 145 million Americans.

Pervasive connectivity of the Internet of Things raises security and human rights concerns, as the confidentiality of citizens' data may be at risk. Back in 2007, local authorities in Estonia removed a Soviet-era statue; in response, Russian servers paralysed the Estonian banking system.

Similarly, if there was a diplomatic or military crisis between Chinese and European powers, whether about Taiwan, Hong Kong or the Uighurs, Huawei may not be able to resist pressures by the Chinese government to disrupt public transportation, industry, or energy grids in Paris, Berlin or London.

To alleviate the UK government's concerns, Huawei opened its source code to selected experts in 2010. So far, audits have revealed poor software engineering practice rather than malicious intent. However, manufacturers can always remotely update the software running on these platforms.

Usually, this is done to improve performance, introduce new features or fix vulnerabilities. Yet, they could be used to covertly introduce back door access, as well. This is particularly critical for 5G platforms, due to their dependence on software configurability.

At best, it is possible to balance these risks by diversifying providers and segregating virtual networks depending on their sensitivity. Even then, the UK National Cyber Security Centre states they are only able to provide limited assurance that the risks of embracing Huawei solutions could be mitigated. It is thus a matter of trust and risk balancing.

One of the reasons why Europeans are facing difficult policy decisions is down to under-investment in research and development of 5G.

Huawei has become one of the largest telecommunication companies, with tremendous financial capabilities. Huawei spends a third more on 5G research and development than its European competitors, Ericsson and Nokia, combined.


But the Chinese government may have helped the company. A recent investigation by The Wall Street Journal found that Huawei had received $75bn (£58bn) worth of state aid in various forms.

In early February, France, Germany, Italy and Poland asked the EU Commission to push back against what they deemed to be unfair competition from both US and Chinese firms. But Europe's weakness on 5G, and new technological development more widely, cannot only be attributed to skewed competition. It is as much the result of a lack of strategic vision and industrial policy.

If anything, this controversy emphasises the importance of political will. Without it, in the UK just as elsewhere, market forces are likely to take precedence over considerations of sovereignty or strategic autonomy.

Visit the BBC's Reality Check website at bit.ly/reality_check_ or follow them on Twitter @BBCRealityCheck


Akamai: API Attacks by Cybercriminals are on the Rise – Media & Entertainment Services Alliance M&E Daily Newsletter

Application programming interfaces (APIs) are increasingly being targeted in hostile takeover attempts, according to Akamai Technologies.

"We have a really consistent amount of credential abuse going on," Steve Ragan, Akamai editor for security research and publications, said Feb. 20 during a webinar on the State of the Internet/Security report, "Financial Services: Hostile Takeover Attempts."

Although the focus of the webinar, like the firm's latest State of the Internet security report, released one day earlier, was on the financial services sector, it's clear that the media and entertainment industry ought to be aware of the threat also, based on comments by Ragan and other Akamai representatives on the webinar and data in the report.

Akamai's research findings showed that from May 2019 and continuing on until the end of the year, there was a dramatic shift by criminals who started targeting APIs in an effort to bypass security controls.

And, according to Akamai's data, up to 75% of all credential abuse attacks against the financial services industry targeted APIs directly.

From December 2017 through November 2019, Akamai observed 85.4 billion credential abuse attacks, Ragan pointed out on the webinar. Almost 20% (more than 16.5 billion) of them, were against hostnames that were clearly identified as API endpoints, he said.

However, 20% was a conservative estimate, Martin McKeay, editorial director and security researcher, stressed on the webinar, adding that the actual number could actually be as high as 80%. After all, the 20% were just those that could obviously be identified as API endpoints.

Of the attacks, 473.5 million targeted organizations in the financial services industry, according to Akamai.

There were tens of millions and even up to hundreds of millions of API attacks a day, Ragan said, adding it was consistent all throughout the reporting period.

It started to spike around May 2019, he pointed out. The peak period happened in August, shortly after Akamai published its previous financial services report, he noted. That was the largest spike in targeted credential abuse since the firm started tracking these types of attacks, he said.

Part of the reason was a flood of credential lists that hit the criminal market, he said. There were many markets that were shut down due to law enforcement activity last summer, he pointed out. That led to fire sales by the criminals who didn't get arrested, who, he added, were "dumping their lists and selling them really cheap and lower-tier criminals were scooping them up and just running them everywhere."

Another explanation: "Criminals are very hyper-focused on their target, so if something's not working, they're going to try something else," he said, adding: "Traditional means of credential stuffing just wasn't cutting it for them, so now they started targeting APIs in an effort to bypass mitigations that were up on the front end." Cybercriminals, after all, tend to be good at shifting their tactics on the fly, he noted.

When it comes to all vertical enterprise sectors, Structured Query Language injection (SQLi) is the dominant type of attack that Akamai sees, but in financial services SQLi attacks make up a much lower percentage, he noted. The top type of web attack in financial services, he said, instead involves Local File Inclusion (LFI), a vulnerability that enables an attacker to include files that exist on the target web server.

Gaming is the largest distributed denial of service (DDoS) vertical when it comes to attack events, he pointed out. However, when looking at unique targets by verticals, financial services jumps to first place, he said.

Moving on to discuss the Zero Trust framework that was designed to address these attacks, Patrick Sullivan, senior director of global security strategy at Akamai, said that one major benefit is that, with this system, where you are is irrelevant in terms of the access that is granted to you.

Or, as Ragan said, Zero Trust is "trust no one, ever, not even if they're on your network."

High tech is the sector adopting Enterprise Application Access (EAA) to enable access and identity controls the fastest, according to Akamai, which pointed out in its report that high tech firms make up 27.7% of EAA customers. Video media trails far behind, at 7.1%, with other digital media at just 2.9%. Therefore, media organizations clearly have a long way to go to catch up.

The key to combating API attacks is using multifactor authentication and rate limiting on APIs, because these measures make the criminals look elsewhere, Ragan said during the webinar's Q&A. That is because when an attempt fails, they tend to move on, he said.

However, those initiatives still are not a silver bullet; you have to constantly keep up with your security program, he told listeners.

One more suggestion by the company at the end of the webinar: Stop recycling and sharing passwords.
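To make the rate-limiting advice above concrete from a defender's side, the following added example (not Akamai's code, and not from the report or webinar) runs a sliding-window rate limiter over constructed API login log lines and separates attempts against hostnames "clearly identified as API endpoints" from ordinary web logins, the same distinction the report draws. The log format, hostnames, thresholds and the heuristic for what counts as an API endpoint are all assumptions made for this illustration.

```python
"""Sliding-window rate limiting and credential-abuse statistics for API logins.

Added example; the log format, hosts, thresholds and sample lines are
constructed for illustration and are not from Akamai's report.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample log: timestamp, client IP, host, path, username, HTTP status.
# The first client sprays six different usernames in six seconds (stuffing);
# the second is a single user retrying a password once.
SAMPLE_LOG = """\
2019-08-01T10:00:00Z 203.0.113.7 api.bank.example /v1/auth/login alice 401
2019-08-01T10:00:01Z 203.0.113.7 api.bank.example /v1/auth/login bob 401
2019-08-01T10:00:02Z 203.0.113.7 api.bank.example /v1/auth/login carol 401
2019-08-01T10:00:03Z 203.0.113.7 api.bank.example /v1/auth/login dave 401
2019-08-01T10:00:04Z 203.0.113.7 api.bank.example /v1/auth/login erin 200
2019-08-01T10:00:05Z 203.0.113.7 api.bank.example /v1/auth/login frank 401
2019-08-01T10:00:20Z 198.51.100.9 www.bank.example /login alice 200
2019-08-01T10:05:00Z 198.51.100.9 api.bank.example /v1/auth/login alice 401
2019-08-01T10:05:30Z 198.51.100.9 api.bank.example /v1/auth/login alice 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<host>\S+) (?P<path>\S+) (?P<user>\S+) (?P<status>\d{3})$"
)


@dataclass(frozen=True)
class Attempt:
    ts: datetime
    ip: str
    host: str
    path: str
    user: str
    status: int


def parse_line(line: str) -> Attempt:
    """Parse one constructed log line into an Attempt (UTC timestamps)."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Attempt(ts, m["ip"], m["host"], m["path"], m["user"], int(m["status"]))


def is_api_endpoint(host: str, path: str) -> bool:
    """Assumed heuristic: an 'api.' hostname or a versioned/API path segment."""
    return host.startswith("api.") or bool(re.search(r"/(api|v\d+)/", path))


class SlidingWindowLimiter:
    """Allow at most `limit` events per key within a trailing window."""

    def __init__(self, limit: int, window_seconds: int):
        self.limit = limit
        self.window = timedelta(seconds=window_seconds)
        self._hits = defaultdict(deque)  # key -> timestamps inside the window

    def allow(self, key: str, ts: datetime) -> bool:
        q = self._hits[key]
        while q and ts - q[0] >= self.window:  # drop events that aged out
            q.popleft()
        if len(q) >= self.limit:
            return False  # over budget: reject without touching the backend
        q.append(ts)
        return True


def analyze(log_text: str, limit: int = 5, window_seconds: int = 60,
            distinct_user_threshold: int = 4) -> dict:
    """Apply a per-IP limiter to API login attempts and summarise abuse signals.

    Returns total attempts, how many hit API endpoints, per-IP counters
    (attempts, failed attempts that reached the backend, attempts blocked by
    the limiter, distinct usernames tried) and the IPs flagged for trying
    many different accounts, the classic credential-stuffing signature.
    """
    limiter = SlidingWindowLimiter(limit, window_seconds)
    per_ip = defaultdict(lambda: {"attempts": 0, "failures": 0, "blocked": 0, "users": set()})
    total = api_total = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        a = parse_line(line)
        total += 1
        if not is_api_endpoint(a.host, a.path):
            continue  # ordinary web login; front-end mitigations apply there
        api_total += 1
        s = per_ip[a.ip]
        s["attempts"] += 1
        s["users"].add(a.user)
        if not limiter.allow(a.ip, a.ts):
            s["blocked"] += 1
            continue
        if a.status != 200:
            s["failures"] += 1
    flagged = sorted(ip for ip, s in per_ip.items()
                     if len(s["users"]) >= distinct_user_threshold)
    return {
        "total": total,
        "api_total": api_total,
        "per_ip": {ip: {**s, "users": len(s["users"])} for ip, s in per_ip.items()},
        "flagged": flagged,
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

The limiter is keyed on client IP here for brevity; in production the same class would also be instantiated per account (so a slow spray across many IPs against one user is still throttled) and the `flagged` list would feed an alert rather than a return value. Note that the fifth attempt from the spraying client succeeds before the budget is exhausted, which is exactly why the text calls rate limiting useful but not a silver bullet.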


CoinGeek London: When Bitcoin SV came of age – CoinGeek

"The whole Internet can work this way," said Twetch CEO Josh Petty in his presentation at the CoinGeek London conference. It was a typically bullish sentiment from the two days in which dozens of speakers demonstrated their confidence in the momentum building around Bitcoin SV (BSV).

Superficially, that momentum was felt in the more than doubling of the number of attendees since the last conference in Seoul six months ago. Even more superficially, it was seen in the extraordinary width and clarity of the screen at the back of the stage, designed to be viewed by creatures with at least three eyes.

More importantly, it was noticeable in the way BSV technology and businesses were discussed on stage. Petty announced new features for Twetch, taking the social media app to a slicker, more user-friendly form: "Everything you touch and feel is going to be a microtransaction," he said, with no more swipe.

Familiar faces from previous conferences spoke with new certainty about what they were doing and had new achievements to report and announcements to make. Jack Liu of the RelayX wallet provided a moment of drama when he unveiled the new look of his app, which is essentially a blank screen, the idea being that your camera opens to scan a QR code. More broadly, users will access Relay through other apps, making the integration of money functions almost invisible for users.

Newcomers, such as Thomas J. Lee, from Fundstrat, endorsed and elaborated themes previously only heard from those inside the Bitcoin SV tent. With detailed financial graphs, he predicted a parabolic moment when institutions get serious about crypto, similar to the effect on Tesla's share price when Wall Street started paying attention to its potential.

Lee highlighted BSV's transaction growth over the past months and the potential of its nascent businesses as evidence for his prediction that the growth of BSV would be more than another speculative bubble. He singled out the coming Maxthon browser, the Baemail email service and True Reviews as examples of more than 400 projects building on BSV, with more in prospect using the increased functionality provided by the Genesis fork.

The first day ended with a rousing speech by Dr. Craig Wright, which, apart from the odd swipe at the French, provided a laser-focused summary of his original intentions for Bitcoin as Satoshi Nakamoto and his present-day assessment of the prospects for BSV from microtransactions.

On Friday, there was more. Jeff Chen, the founder and CEO of Maxthon talked about his BSV browser. With his long track record of successful Internet browsers, this is no pipe dream, but a solid business proposition in development.

If you thought BSV innovation was limited to the world as seen through a computer screen, Stephan Nilsson and Ken Hill took us out into the real world. Hill described EHR Data, a new business that plans to revolutionise health information, putting patients in charge. And Nilsson, of UNISOT, demonstrated his app to track an item through a complex supply chain, in this case a haddock.

Finally, at the end of the second day, the veteran economist and technology commentator George Gilder, another newcomer to BSV gatherings, put Satoshi's ideas into perspective. He was confident that BSV solves the two-fold scandal in the world economy, namely Internet security and the excesses of global currency trading.

"We're now engaging in forging a new system of the world," he said. "It's a system to replace the failed economic model of Google. In an information age, economies can change as fast as minds. We're moving to a world in which security comes first, everything is correctly valued and nothing is free."

Gilder gave an account of how he had been persuaded that Dr. Craig Wright is Satoshi. Sitting next to him in the final session of the day, he said, to applause, that "I think you can safely celebrate Craig." It was a fitting tribute to the man who had already changed the lives of everyone at CoinGeek London, all of whom are convinced that the best is yet to come.


What the Hell Is That Device, and Is It Spying on You? This App Might Have the Answer – VICE

There's really no escaping the internet of broken things.

On any given day, Americans connect thousands of internet-enabled devices to the internet, despite repeated warnings from cybersecurity experts that such devices often lack even the most rudimentary privacy and security protections.

The results haven't been pretty. From smart televisions that hoover up your living room conversations to webcams that can be hacked and used in DDoS attacks in a matter of seconds, the problem is monumental. And it's enabled by companies that routinely prioritize profits over consumer privacy, security, or the well-being of the internet.

Researchers at Carnegie Mellon University have released a beta of an app they hope can address some of these problems. Dubbed the Internet of Things (IoT) Assistant (iOS, Android), the app will scan for any unidentified IoT devices nearby, tell you what they do, and guide you toward the ability to opt out of data collection (assuming such an option exists).

IoT devices are often designed with little to no end-user transparency into what the devices do once they're connected to the internet. Studies have shown IoT devices routinely collect far more data than consumers realize, then sell and share that data with a laundry list of companies.

One recent study showed a popular IoT camera made contact with 52 unique global IP address destinations when transmitting data, while one Samsung television made contact with 30 different IP addresses. Some of these points of contact are innocuous, and some aren't. Few are revealed to consumers, and often the data isn't secure in transit.

"Many people do a pretty poor job disclosing what data they collect and what they do with it," Professor Norman Sadeh, a CyLab faculty member in Carnegie Mellon's Institute for Software Research, told Motherboard. "Sometimes this is intentional, sometimes it's due to a lack of expertise, and sometimes it's a combination; privacy engineering is challenging."

Some efforts, like Princeton's open source IoT Inspector, have tried to help consumers take a closer look at IoT device traffic itself in a bid to see what's collected and where it's sent.

Sadeh says his group's new app takes a different approach.

"We don't rely on scanning in this release," Sadeh said. "In general, it's not sufficient, especially when the traffic is encrypted, which ideally would always be the case. Even if traffic is unencrypted, which is a red flag, this will not tell you how long the data is retained."

Instead, the new app relies on a database compiled by volunteers, cybersecurity experts, and companies trying to simplify compliance with new privacy legislation like the California Consumer Privacy Act (CCPA) or Europe's General Data Protection Regulation (GDPR).

"People need to be informed about what data is collected about them and they need to be given some choices over these processes," Sadeh said. "We have built an infrastructure that enables owners of IoT technologies to comply with these laws, and an app that takes advantage of this infrastructure to empower people to find out about and control data collected by these technologies."

Sadeh said such solutions are particularly important in bringing some transparency to the ever-expanding use of IoT surveillance in public areas, where signs will sometimes inform the public they're being watched, but little else.

"These signs tell you nothing about what is being done with your footage, how long it's going to be retained, whether or not it uses facial recognition, or with whom this is going to be shared," Sadeh said. He's hopeful his app, once the database is fleshed out, can help fix that.

Sadeh's team at Carnegie Mellon isn't the only one trying to address the IoT problem. Consumer Reports has also been building a set of open source standards to include privacy and security issues in product reviews, letting consumers avoid dubious products before they even have a chance to make it into their homes.

Excerpt from:
What the Hell Is That Device, and Is It Spying on You? This App Might Have the Answer - VICE

Most credential abuse attacks against the financial sector targeted APIs – Help Net Security

From May 2019 through the end of the year, criminals shifted dramatically toward targeting APIs in an effort to bypass security controls. According to data from Akamai, up to 75% of all credential abuse attacks against the financial services industry targeted APIs directly.

According to the report's findings, from December 2017 through November 2019, 85,422,079,109 credential abuse attacks were observed. Nearly 20 percent, or 16,557,875,875, were against hostnames that were clearly identified as API endpoints. Of these, 473,518,955 attacked organizations in the financial services industry.

But not all attacks were exclusively API focused. On August 7, 2019, the single largest credential stuffing attack against a financial services firm was recorded, consisting of 55,141,782 malicious login attempts.

This attack was a mix of API targeting and other methodologies. On August 25, in a separate incident, the criminals targeted APIs directly, in a run that consisted of more than 19 million credential abuse attacks.

"Criminals are getting more creative and hyper-focused on how they go about obtaining access to the things they need to conduct their crimes," said Steve Ragan, Akamai security researcher and principal author of the State of the Internet / Security report.

"Criminals targeting the financial services industry pay close attention to the defenses used by these organizations, and adjust their attack patterns accordingly."

Indicative of this fluid attack dynamic, the report shows that criminals continue to seek to expose data through a number of methods, in order to gain a stronger foothold on the server and ultimately achieve success in their attempts.

SQL Injection (SQLi) accounted for more than 72% of all attacks when looking at all verticals during the 24-month period observed by the report. That rate is halved to 36% when looking at financial services attacks alone. The top attack type against the financial services sector was Local File Inclusion (LFI), with 47% of observed traffic.

LFI attacks exploit various scripts running on servers, and as a consequence, these types of attacks can be used to force sensitive information disclosure. LFI attacks can also be leveraged for client-side command execution (such as a vulnerable JavaScript file), which could lead to Cross-Site Scripting (XSS) and DoS attacks.

XSS was the third-most common type of attack against financial services, with a recorded 50.7 million attacks, or 7.7% of the observed attack traffic.
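Two of the findings above, credential stuffing against API login endpoints and the SQLi/LFI/XSS attack mix, as one added detection example run over constructed log lines. This is not Akamai's code or data: the JSON gateway log format, the `/api/login` endpoint name, the thresholds and the IP addresses are assumptions made for the example, and the signatures are deliberately coarse triage indicators rather than a WAF ruleset. The credential-stuffing heuristic relies on the signal the report's numbers imply: a stuffing run fails across many different accounts from one source, whereas a legitimate user fails repeatedly on one.

```python
"""Added example: two detections for the attack classes the report counts, run over
a constructed gateway log. The log format, endpoint and thresholds are assumptions."""
import json
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed API-gateway log, one JSON record per line (not real traffic; documentation IPs).
RAW_LOG = """\
{"ts": "2019-08-07T10:00:01Z", "ip": "203.0.113.5", "method": "POST", "path": "/api/login", "user": "alice", "status": 401}
{"ts": "2019-08-07T10:00:02Z", "ip": "203.0.113.5", "method": "POST", "path": "/api/login", "user": "bob", "status": 401}
{"ts": "2019-08-07T10:00:03Z", "ip": "203.0.113.5", "method": "POST", "path": "/api/login", "user": "carol", "status": 401}
{"ts": "2019-08-07T10:00:04Z", "ip": "203.0.113.5", "method": "POST", "path": "/api/login", "user": "dave", "status": 401}
{"ts": "2019-08-07T10:00:05Z", "ip": "203.0.113.5", "method": "POST", "path": "/api/login", "user": "erin", "status": 200}
{"ts": "2019-08-07T10:00:06Z", "ip": "198.51.100.9", "method": "POST", "path": "/api/login", "user": "frank", "status": 401}
{"ts": "2019-08-07T10:00:07Z", "ip": "198.51.100.9", "method": "POST", "path": "/api/login", "user": "frank", "status": 200}
{"ts": "2019-08-07T10:00:08Z", "ip": "192.0.2.44", "method": "GET", "path": "/statements?id=1'%20OR%20'1'='1", "user": null, "status": 200}
{"ts": "2019-08-07T10:00:09Z", "ip": "192.0.2.44", "method": "GET", "path": "/download?file=..%2F..%2Fetc%2Fpasswd", "user": null, "status": 404}
{"ts": "2019-08-07T10:00:10Z", "ip": "192.0.2.44", "method": "GET", "path": "/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E", "user": null, "status": 200}
{"ts": "2019-08-07T10:00:11Z", "ip": "192.0.2.45", "method": "GET", "path": "/search?q=quarterly%20report", "user": null, "status": 200}
"""

# Coarse indicators for the three classes the report names. Adequate for triage and trend
# counts over logs; not a substitute for input validation or a WAF.
SIGNATURES = {
    "sqli": re.compile(r"(?i)(union\s+select|'\s*or\s+'?\w|\bsleep\s*\(|--\s)"),
    "lfi": re.compile(r"(\.\./|\.\.\\|/etc/passwd|\x00)"),
    "xss": re.compile(r"(?i)(<script|javascript:|\bon\w+\s*=)"),
}


def parse_log(raw):
    """One dict per non-empty JSON line."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def classify_request(path):
    """Tags for a request path; decoded twice because double URL-encoding is a common evasion."""
    decoded = unquote(unquote(path))
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]


def attack_mix(records):
    """Counts per class, the breakdown the report gives as percentages."""
    counts = defaultdict(int)
    for r in records:
        for tag in classify_request(r["path"]):
            counts[tag] += 1
    return dict(counts)


def detect_credential_stuffing(records, login_path="/api/login", min_failures=3, min_users=3):
    """Source IPs whose failed logins are spread across many different accounts.
    A user mistyping a password fails repeatedly on one account; a stuffing run walks a list."""
    failed_users = defaultdict(list)
    for r in records:
        if r["path"] == login_path and r["method"] == "POST" and r["status"] == 401:
            failed_users[r["ip"]].append(r["user"])
    flagged = {}
    for ip, users in failed_users.items():
        if len(users) >= min_failures and len(set(users)) >= min_users:
            flagged[ip] = {"failures": len(users), "distinct_users": len(set(users))}
    return flagged


def accounts_at_risk(records, flagged, login_path="/api/login"):
    """Accounts that logged in successfully from a flagged source: the likely compromised
    credentials, and the first candidates for forced re-authentication and a password reset."""
    return sorted({r["user"] for r in records
                   if r["ip"] in flagged and r["path"] == login_path and r["status"] == 200})


if __name__ == "__main__":
    records = parse_log(RAW_LOG)
    flagged = detect_credential_stuffing(records)
    print("credential stuffing sources:", flagged)
    print("accounts at risk:", accounts_at_risk(records, flagged))
    print("attack mix:", attack_mix(records))
```

In production the stuffing check would be windowed by time and the thresholds tuned to the endpoint's normal failure rate; the sample log spans a single minute, so no windowing is needed here. Note that the one account that authenticated from the flagged source is reported separately from the source itself, because blocking the IP does nothing for a credential that has already been validated.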

The report also shows that criminals continue to leverage DDoS attacks as a core component of their attack arsenal, particularly as it relates to targeting financial services organizations.

Observations from November 2017 until October 2019 show the financial services industry ranking third in attack volume, with gaming and high tech being the most common targets. However, more than forty percent of the unique DDoS targets were in the financial services industry, which makes this sector the top target when considering unique victims.

"Security teams need to constantly consider policies, procedures, workflows, and business needs, all while fighting off attackers that are often well organized and well-funded," Ragan concluded. "Our data shows that financial services organizations are constantly improving by adopting fluid security postures, forcing criminals to change their tactics."

See the original post:
Most credential abuse attacks against the financial sector targeted APIs - Help Net Security

The Cannabis Industry's Next Big Threat: Hacks And Fraud – CBS Denver

(CNN) Cannabis is an emerging industry with stratospheric growth expectations. Like the California Gold Rush, the dot-com boom and every other new market with boundless potential, the cannabis industry also has the tendency to attract some sketchy characters with dubious motives.

Security experts have long warned that the cannabis industry is susceptible to both cybercriminal and fraudulent activities. It's not exactly the Wild West anymore: Businesses and state-legal markets have matured. But risks and concerns about criminal activity and fraud haven't waned.

Just weeks into 2020, the cannabis industry has been the subject of several high-profile incidents: a reported dispensary point-of-sale system hack that potentially exposed the data of 30,000 people; the US Securities and Exchange Commission charging two men who allegedly used a fake cannabis company as a front for a Ponzi scheme; and the conviction of a former Colorado cannabis entrepreneur in one of the state's largest fraud cases.

"These industries are targets just because they're new and there is lots of controversy, whether it's political or social, with some of the things they're doing," Michael Bruemmer, the vice president of data breach resolution and consumer protection for consumer credit reporting company Experian, told CNN Business.

Experts are cautioning companies to shore up their security practices and for consumers to be mindful of opportunities that seem too good to be true.

Fraud

Cannabis' emerging-market status makes it a prime target for fraud, said Jodi Avergun, a former federal prosecutor and DEA chief who now heads law firm Cadwalader, Wickersham & Taft's white-collar defense and investigations group.

"Consumer and retail investors are not taking appropriate precautions," she said.

"The cannabis industry is teeming with interest and speculation," she said. Most cases brought by the US Securities and Exchange Commission involve operations that purport to be cannabis businesses but instead are schemes, typically of the Ponzi and pump-and-dump variety, she said.

The recent cannabis cases include allegations of a Ponzi scheme tied to a fictitious cannabis company and charges of securities fraud tied to an alleged criminal ring in Colorado.

"The unscrupulous people who have always existed, the out-and-out fraudsters, take advantage of investors who want to make a buck quickly," Avergun said.

Although cannabis remains illegal under federal law and largely unregulated, some federal agencies continue to keep a close watch for potential nefarious activity. The US Federal Bureau of Investigation last year warned that it saw a public corruption threat emerge in the expanding cannabis industry, and agencies such as the SEC have sought criminal charges.

In 2014, when Colorado and Washington State started selling recreational cannabis, the SEC suspended several cannabis stocks and issued an investor alert to warn of questionable practices, alleged illegal stock sales and market manipulation. The agency issued yet another investor alert in 2018 highlighting past enforcement actions and continued warnings.

"The SEC Office of Investor Education and Advocacy regularly receives complaints about marijuana-related investments, and the SEC continues to bring enforcement actions in this area," the SEC warned then. "If you are thinking about investing in a marijuana-related company, you should beware of the risks of investment fraud and market manipulation."

The hype and potential for fraudulent investing schemes may have abated in recent months as valuations have sunk and companies have restructured to ensure near- and long-term stability.

"But as soon as demand returns, so will the opportunistic fraudsters who seek to take advantage of those who see dollar signs in the cannabis industry," Avergun said.

Cybercrime

Experian's Data Breach Industry Forecast for 2020 predicted that emerging industries such as cannabis, green energy and cryptocurrency would increasingly become targets for cyberattacks. In 2019, these industries accounted for fewer than 10% of the breaches tracked by Experian, but they remain vulnerable because they're emerging industries, Experian's Bruemmer said.

"These controversial industries make great targets because they're more focused on growing their business and starting up than they are necessarily putting the appropriate focus on cybersecurity," he said.

Three years ago, a leading seed-to-sale tracking software provider was hit with two cyberhacks in a six-month period. The incidents consisted of "a sophisticated sequence of malicious attacks directed against the company," an attorney for the targeted company, MJ Freeway, now named Akerna, said at the time.

The company spent at least $200,000 to upgrade its cybersecurity and enterprise software capabilities following the 2017 breaches, according to financial filings made with the SEC.

Jessica Billingsley, chief executive officer of Akerna, told CNN Business in December that the company no longer uses the software targeted in the attack and the next-generation program is far more robust.

In January, internet security researchers for vpnMentor reported a breach at THSuite, a cannabis point-of-sale provider. The vpnMentor researchers said that more than 30,000 individuals had their information exposed, including photo IDs, addresses and protected health information.

Officials for THSuite did not return multiple calls and emails for comment. Some of the dispensary clients identified in the vpnMentor report told CNN Business that they were quickly taking action to determine how much of their customers' information might have been affected.

RJ Starr, compliance director for Bloom Medicinals, said he was aware that his company's technology vendor experienced a data breach and was conducting a thorough investigation.

"Once we've identified any affected patients, we will notify each individual patient and follow HIPAA breach notification protocols," Starr said. "Bloom Medicinals serves tens of thousands of patients in multiple states, and we take patient privacy very seriously. Rest assured, we will implement any corrective action necessary to both remedy and ensure that this doesn't happen again."

Solutions

Consumers and companies can be proactive in protecting themselves from fraud and cybercriminal activity, Avergun and Bruemmer said.

Avergun said that consumers should check the price history of companies' stocks and research the background of the advisers and executives who are selling shares and running the company.

"If it sounds too good to be true, it probably is, as with any investment," she said.

As for business investors, it comes down to due diligence.

"There is nothing to substitute for adequate research into company financials, its state compliance policies and processes, and its management before investing in an emerging cannabis company," she said, noting that investors should be aware of special state-specific risks. "If a manager or owner of a cannabis company was previously operating before cannabis was state legal, that causes problems with licensing in state and may raise the risk of federal prosecutions."

Bruemmer highlighted three key tips for companies to button up their security: ensure that everyone, not just the information technology experts, keeps data security in mind and avoids simple mistakes such as clicking on a nefarious link; research and employ credible security technology, but don't rely solely on the software; and have a proactive plan in place in case a security breach occurs.

"A lot of businesses think about it as an afterthought," he said. "But they should pre-plan."

By Alicia Wallace, CNN Business

The-CNN-Wire™ & © 2020 Cable News Network, Inc., a WarnerMedia Company. All rights reserved.

Read the original post:
The Cannabis Industry's Next Big Threat: Hacks And Fraud - CBS Denver