Category Archives: Internet Security

Durham prosecutors detail criminal probe into tech executive who worked on Trump-Russia back channel claims – CNN

Correction: This story has been updated to correctly reflect which cyber researchers had access to the internet data and the timing of the DARPA contract.

Washington (CNN)

Special counsel John Durham has an active and ongoing criminal probe into a tech executive who worked with a Hillary Clinton 2016 campaign lawyer to share claims of a cyber back channel between Donald Trump and Russia, prosecutors said in court Wednesday.

Prosecutors said the Durham team is still looking closely into whether Rodney Joffe, a tech executive and leading cybersecurity expert, defrauded the US government by misusing internet data from government contracts to search for derogatory information about Trump and Russia.

"We have not, to this point, charged a crime but we are not able to say that a crime was not committed," prosecutor Andrew DeFilippis told a judge Wednesday, adding that the statute of limitations for Joffe's potential conduct has not expired and the probe is still underway.

These comments, at a hearing about the upcoming trial of Clinton campaign lawyer Michael Sussmann, were the first time Durham's team publicly detailed their investigation into Joffe. It means prosecutors are considering new defendants and additional charges as part of their sprawling investigation into the origins of the Trump-Russia probe, now in its fourth year.

Joffe worked on the Trump-Russia material with Sussmann, the Clinton campaign lawyer who was charged in September with lying to the FBI during a 2016 meeting where he passed along the data. Prosecutors claim Sussmann falsely told the FBI he shared the data as a concerned citizen, but he was really there on behalf of his clients: the Clinton campaign and Joffe.

The trial against Sussmann is scheduled to take place next month in DC federal court. He pleaded not guilty and says he never had any reason to doubt the data that came from Joffe and his researchers. The FBI looked into Sussmann's tip about a potential server back channel between Trump and the Moscow-based Alfa Bank but did not find any improper cyber links.

Responding to Wednesday's hearing, a spokesperson for Joffe said the latest comments from prosecutors were "baseless and reckless" and accused Durham of pushing an "unfounded political narrative through false innuendo" to connect Joffe to a supposed anti-Trump plot.

"Mr. Joffe did not defraud or mislead any branch of the US Government," the spokesperson said in a statement. "Furthermore, the data at issue did not belong to the Government and did not contain private or personal information about any individual, nor was it manipulated in any way."

Lawyers for Sussmann say Joffe is a key part of their defense and will offer testimony that helps exonerate Sussmann. Sean Berkowitz, a Sussmann attorney, accused the prosecutors of making a tactical decision by holding the criminal probe over Joffe's head as a way of blocking him from testifying at trial. Because of the potential criminal exposure, Joffe intends to plead the Fifth, according to his lawyers.

"They've been looking at this forever," Berkowitz said. "They ought to be able to make a (charging) decision."

Berkowitz has asked federal Judge Christopher Cooper to dismiss the case if prosecutors don't give Joffe immunity to testify. Cooper said Wednesday that he'll try to issue a ruling soon.

Lawyers representing Joffe previously told CNN that Durham is pushing a "cherry-picked narrative" to make it look like Joffe fudged the data to harm Trump and help Clinton get elected. Instead, they said it was his "patriotic duty" to share the data with the FBI. He and Sussmann maintain that they funneled the data to the US government out of national security concerns.

It has been known for a while that Sussmann shared the data from Joffe and his researchers with the FBI and later with the CIA after Trump was inaugurated in January 2017. Prosecutors said Wednesday for the first time that the material had been later shared with Congress as well.

Prosecutors have previously said that Joffes associates at Georgia Tech had access to the internet data ahead of a pending contract with DARPA, a Pentagon research agency. The contract was intended to hunt for cyber intrusions by hostile countries. Durham has said Joffe and his associates exploited their access to domain name system information to find dirt on Trump.

Some of the internet data also pertained to Russian-made Yota phones that were allegedly pinpointed near the Trump campaign headquarters and the White House offices. Past Durham filings about the Yota phones stirred a frenzy in right-wing media about supposed spying on Trump, which led to a rebuke from the judge and a partial walk-back from prosecutors.

A spokesman for Joffe previously said he is an "apolitical internet security expert with decades of service to the U.S. Government" and that his dealings with the data were "perfectly legal." In court filings, Joffe's lawyers said he has received harassing and threatening messages in the wake of the Sussmann indictment, in which he was repeatedly referred to as "Tech Executive 1."


The Increase in Credit-Relevant Cyber Events – S&P Global

Risk management has historically been comprised of independent disciplines, with professionals focused on credit, market or operational risk. Over time, firms have been moving to a true enterprise view, with disciplines converging. This was underscored by the Financial Accounting Standards Board's latest Current Expected Credit Loss (CECL) standard, which links credit, accounting and reputational risk assessments to help financial institutions estimate expected lifetime credit losses.

As this convergence has been taking place, new areas of risk have continued to emerge, requiring credit and risk management professionals to widen their scope to effectively assess potential vulnerabilities within companies, supply chains and loan and investment portfolios. We now hear a great deal about climate and regulatory risk, for example. In addition, there is an ever-increasing focus on cyber risk, which escalated during the COVID-19 pandemic with the move to remote work environments and the migration of company data to the cloud.

Cyber Risk is a Growing Concern

Statistics on cyber risk are astounding. The FBI's Internet Crime Complaint Center pointed to a 300% increase in reported cybercrimes during the pandemic,[1] while the U.N. disarmament chief pointed to a 600% increase in malicious emails.[2] In addition, in 2021 the World Economic Forum ran a survey among members of a cybersecurity leadership community (representing about 100 senior cybersecurity executives from around the globe) and found that 80% saw ransomware as a dangerous threat that is impacting public safety.[3] Moreover, 97% of this community pointed to business continuity as the main risk when it comes to ransomware attacks. Looking to recent events, the Russia-Ukraine conflict has raised alarm bells for the U.S. to prepare for Russian cyberattacks. "There is a growing concern that massive cyber warfare could be on the near-term horizon, which would certainly catalyze an increase in spending around preventing sophisticated Russian-based cyber attacks going after datacenters, networks, vulnerability points, and other highly sensitive data," Wedbush analyst Dan Ives, who focuses on tech stocks, wrote in a Feb. 24 research note.[4]

Cybercrimes Impact Creditworthiness

As digital transformation takes hold across industries, cybersecurity is no longer the sole responsibility of IT departments and must be considered in assessments of credit risk. After all, computer-based systems are used to manage inventories and supply chains, communicate with customers and employees, generate online sales and much more. Technology breaches can result in a significant loss of revenue, large legal costs and damage to a company's reputation, all on top of the time and expense associated with repairing networks and devices that have been affected. Such breaches can become a red flag for investors wanting to minimize vulnerabilities in their portfolios.

To help quantify the impact of cyber risk on a business's creditworthiness, in 2021 S&P Global Ratings announced that it was further integrating the cyber risk expertise and insights of Guidewire Cyence Risk Analytics[5] into its product platforms to complement the company's own assessments.

Governance Plays a Critical Role

Boards of Directors are responsible for good corporate governance and the long-term viability of their organizations, and must take an active role in guarding against potential disruptions from cybercrimes. According to the World Economic Forum,[6] leaders need tools and guidelines in order to fulfill their obligations where cybersecurity issues threaten an organization's reputation and trust among players in an ecosystem. The Forum is therefore updating its guidance for the corporate governance of cyber risk in response.

In addition, in recognition of the importance of governance in addressing cyber risks, the Cybersecurity and Infrastructure Security Agency's (CISA) Cybersecurity Division and the National Association of State Chief Information Officers (NASCIO) partnered to develop a state cybersecurity governance report, along with a series of case studies that explore how states govern cybersecurity. Together these pieces identify how states have used laws, policies, structures and processes to help better govern cyber risk as an enterprise-wide strategic issue, providing helpful insights for other states and organizations that face similar challenges.

All Firms Must Protect Their Businesses

Attacks are not only happening to large publicly listed companies; sovereign states, government agencies and public institutions are acutely vulnerable, too.[7] There have been attacks on the U.S. city of Hartford and numerous Texas school districts, across municipal utility sectors and on the Irish healthcare system, to name a few.

Small private companies are not immune to attacks. A 2019 survey[8] found that an overwhelming majority of these businesses believed they were a target of cybercriminals, highlighting the growing awareness among this group of the threats they face. These attacks can cause small- and medium-sized enterprises to close their doors, as evidenced by the fact that organizations with fewer than 500 employees spent an average of nearly $3 million per data breach incident in 2021, up 26.8% from the previous year.[9]

To help mitigate the potential negative credit impact of cyberattacks, robust cybersecurity remains vital. There is no substitute for a strong cybersecurity program, from internal governance to IT software. Other key factors that determine how well entities manage cyber risk include prompt remedial action, active detection, C-suite support (including budget allocation) and a better understanding of risks arising from third-party providers or supply chains.

[4] "Russian cyberattack risk may spur US cybersecurity investments," S&P Global Market Intelligence, February 24, 2022 (spglobal.com).

[5] Guidewire is a third-party firm and is not affiliated with S&P Global or any of its divisions. Guidewire Cyence Risk Analytics are data listening and risk analytics products focused on understanding and modeling new and evolving 21st century risks.


Some of tech’s biggest names want a future without passwords here’s what that would look like – CNBC

Managing your online passwords can be a chore.

Creating the sort of long, complicated passwords that best deter cyber-thieves, especially for dozens of different online accounts, can be tedious. But it's necessary, considering the record number of data breaches in the U.S. last year.

That's why it's so enticing to dream about a future where nobody has to constantly update and change online passwords to stay ahead of hackers and keep data secure. Here's the good news: Some of the biggest names in tech are already saying that the dream of a password-less internet is close to becoming a reality. Apple, Google and Microsoft are among those trying to pave the way.

In that hopeful future, you'd still have to prove your identity to access your accounts and information. But at least you wouldn't have to remember endless strings of unique eight-character (or longer) passwords, right?

Well, maybe not quite. The answer is still a little complicated.

In theory, removing passwords from your cybersecurity equation nixes what former Secretary of Homeland Security Michael Chertoff has called "by far the weakest link in cybersecurity." More than 80% of data breaches are a result of weak or compromised passwords, according to Verizon.

In September, Microsoft announced that its users could go fully password-less to access services like Windows, Xbox, and Microsoft 365. Microsoft users can instead use options like the Windows Hello or Microsoft Authenticator apps, which use fingerprints or facial recognition tools to help you log in securely.

Microsoft also allows users to log in using a verification code sent to your phone or email, or with a physical security key resembling a USB drive that plugs into your computer and holds a cryptographic key unique to you and that device.

Joy Chik, Microsoft's vice president of identity, wrote in a September company blog post that tools like two-factor authentication have helped improve users' account security in recent years but hackers can still find ways around those extra measures. "As long as passwords are still part of the equation, they're vulnerable," she wrote.

Similarly, Google sells physical security keys, and its Smart Lock app allows you to tap a button on your Android or iOS device to log into your Google account on the web. In May 2021, the company said these tools were part of Google's work toward "creating a future where one day you won't need a password at all."

Apple's devices have used Touch ID and Face ID features for several years. The company is also developing its Passkeys feature to allow you to use those same fingerprint or facial recognition tools to create password-less logins for apps and accounts on your iOS devices.

So, in a sense, a password-less future is already here: Microsoft says "nearly 100%" of the company's employees use password-less options to log into their corporate accounts. But getting every company to offer password-less options to employees and customers will surely take some time, and it might be a while before everyone feels secure enough to dump passwords in favor of something new.

That's not the only problem, either.

Doing away with passwords altogether is not without risks.

First, verification codes sent via email or text message can be intercepted by hackers. Even scarier: Hackers have shown the ability to trick fingerprint and facial recognition systems, sometimes by stealing your biometric data. As annoying as changing your password might be, it's much harder to change your face or fingerprints.

Second, some of today's password-less options still ask you to create a PIN or security questions to back up your account. That's not much different from having a password. In other words, tech companies haven't yet perfected the technology.

And third, there's an issue of widespread adoption. As Wired pointed out last year, most password-less features require you to own a smartphone or some other type of fairly new device. And while the vast majority of Americans do own a smartphone, those devices range dramatically in terms of age and internal hardware.

Plus, tech companies still need to make online accounts accessible across multiple platforms, not just on smartphones, and also to the roughly 15% of Americans who don't own a smartphone at all.

In other words, it will likely still be some time before passwords are completely extinct. Enjoy typing your long, complex strings of characters into login boxes while you can.


Statement on National Security Advisor Jake Sullivan meeting with Secretary Gustavo Beliz of Argentina – The White House

Today, National Security Advisor Jake Sullivan met with Argentine Secretary for Strategic Affairs Gustavo Beliz at the White House to discuss joint efforts to address the crisis in Ukraine, including Argentina's leadership at the Human Rights Council and addressing food security and energy resilience. They also spoke of the importance of responding to humanitarian crises. In addition, they continue their work on the roadmap for bilateral cooperation and a partnership for sustainable and inclusive development that has led to dialogues on information and communications technology, clean energy, satellite technology, and human rights since their first meeting in August 2021. They highlighted the importance of the knowledge economy and leading-edge technology in the recovery from the COVID-19 pandemic and promoted cooperation in strategic sectors such as green energy and lithium production. They noted the importance of a democratic and free internet and the importance of secure and trustworthy information and communications technology and services. They spoke about the importance of strengthening the multilateral development banks and attracting U.S. private investment to build a green, equitable, and inclusive recovery from the pandemic. Mr. Sullivan and Secretary Beliz discussed President Biden and President Fernandez's vision and shared commitments towards sustainable and inclusive development in the region that will be highlighted at the Summit of the Americas.


1 High-Conviction Growth Stock Down Over 50% to Buy Now – The Motley Fool

You only need two things to make money in the stock market: time and a portfolio of high-quality stocks. To be clear, that doesn't mean you need to be right every time you buy a stock. It just means you need to research what you're buying before you invest. Look for businesses that have durable competitive advantages and big market opportunities.

Personally, once I've identified a stock I want to buy, I rank it as either gold, silver, or bronze based on my conviction. I tend to allocate a little less capital to my low-conviction ideas and a little more to my high-conviction ideas. Cloudflare (NET) falls into the high-conviction category, and with the stock trading 52% below its high, you can buy a few shares on sale right now.

Here's what you should know.


Cloudflare is the highway of the internet. Its global cloud platform interconnects with 10,000 other networks -- including internet service providers, public cloud vendors, and large enterprises -- which positions its servers within 50 milliseconds of 95% of internet users worldwide. That infrastructure is a significant competitive advantage, and it allows Cloudflare to accelerate and secure its clients' applications and networks.

Despite facing intense competition from vendors like Amazon and Microsoft, Cloudflare has differentiated itself in a few key ways. For instance, its platform is designed to be infrastructure-neutral. Vendors like Amazon and Microsoft tend to favor their own technologies, but Cloudflare works with on-premise data centers and public clouds. Its platform gives clients visibility and control over their entire IT ecosystems.

Additionally, Cloudflare offers a free service tier that has drawn a significant number of non-paying users to its platform. In fact, its content delivery network powers 19% of the internet -- more than every other cloud vendor combined. How is that an advantage? Cloudflare leverages those free users to test new products and gather data, and it uses that data to inform and accelerate development decisions.

Finally, Cloudflare has innovated at an incredible pace over the last decade, building a robust portfolio of application, network, and security services. The company also offers developer tools that help clients build websites, software, and services on its cloud platform. In fact, Forrester Research recently recognized Cloudflare as the leader in edge development, citing its stronger current offering and stronger growth strategy.

Digital transformation has become an imperative. Enterprises must keep pace with technology if they hope to remain competitive, and that has Cloudflare growing like wildfire. It surpassed 140,000 paying customers in 2021, up 26% from the prior year, and the average customer spent 25% more. As a result, revenue soared 52% to $656 million and the company generated positive cash from operations of $65 million, up from a loss of $17 million in the prior year.

Looking ahead, Cloudflare has plenty of room to grow. Management puts its addressable market at $86 billion in 2022, but expects that figure to reach $100 billion by 2024. And one product accounts for about half of that figure: Cloudflare One.

Organizations have traditionally protected their sensitive data by routing all traffic through a central corporate hub. That's where security policies have been enforced and threats have been blocked. But that approach is costly -- both in terms of hardware and IT manpower -- and it's becoming increasingly irrelevant, because many corporate resources now live in the cloud.

Cloudflare One, a secure access service edge (SASE), allows clients to provision network connectivity and security through the internet, without investing in costly on-premise appliances. That means traffic is no longer routed through a corporate hub. Instead, requests are routed through Cloudflare, where traffic is inspected and zero-trust security policies are enforced. That makes it possible for employees to quickly and securely connect to corporate resources (and the internet) regardless of device or location.

By 2025, research company Gartner believes at least 60% of enterprises will have plans to implement SASE solutions, up from just 10% in 2020. That accelerated adoption should be a powerful tailwind for Cloudflare.

Despite falling sharply from its high, Cloudflare stock still trades at a pricey 53 times sales. With a valuation like that, investors should expect volatility. The stock could easily get cut in half again. However, Cloudflare is an impressive business with a massive market opportunity, and despite the rich valuation, I think the stock is worth buying. In fact, if revenue continues to grow at a rapid clip, I think this $36 billion business could grow fivefold (or more) in the next decade.

This article represents the opinion of the writer, who may disagree with the official recommendation position of a Motley Fool premium advisory service. We're motley! Questioning an investing thesis, even one of our own, helps us all think critically about investing and make decisions that help us become smarter, happier, and richer.


As Europe Approves New Tech Laws, the U.S. Falls Further Behind – The New York Times

In just the last few years, Europe has seen a sweeping law for online privacy take effect, approved far-reaching regulations to curb the dominance of the tech giants and on Saturday reached a deal on new legislation to protect its citizens from harmful online content.

For those keeping score, that's Europe: three. United States: zero.

The United States may be the birthplace of the iPhone and the most widely used search engine and social network, and it could also bring the world into the so-called metaverse. But global leadership on tech regulations is taking place more than 3,000 miles from Washington, by European leaders representing 27 nations with 24 languages, who have nonetheless been able to agree on basic online protections for their 450 million or so citizens.

In the United States, Congress has not passed a single piece of comprehensive regulation to protect internet consumers and to rein in the power of its technology giants.

Its not for lack of trying. Over 25 years, dozens of federal privacy bills have been proposed and then ultimately dropped without bipartisan support. With every major hack of a bank or retailer, lawmakers have introduced data breach and security bills, all of which have withered on the vine. A flurry of speech bills have sunk into the quicksand of partisan disagreements over freedoms of expression. And antitrust bills to curtail the power of Apple, Amazon, Google and Meta, the owner of Facebook and Instagram, have sat in limbo amid fierce lobbying opposition.

Only two narrow federal tech laws have been enacted in the past 25 years: one for children's privacy and the other for ridding sites of sex-trafficking content.

"Inertia is too kind of a word to describe what's happened in the United States; there's been a lack of will, courage and understanding of the problem and technologies," said Jeffrey Chester, the executive director of the Center for Digital Democracy, a public interest group. "And consumers are left with no protections here and lots of confusion."

The prospects that any legislation will pass imminently are dim, though regulations at some point are almost inevitable because of the way tech touches so many aspects of life. Of all the proposals currently in front of Congress, an antitrust bill that would bar Apple, Alphabet and Amazon from boosting their own products on their marketplaces and app stores over those of their rivals has the best shot.

A co-author of the bill, Senator Amy Klobuchar, Democrat of Minnesota, said Democratic leaders had promised it would go to a vote by this summer. But even that bill, with bipartisan support, faces an uphill climb amid so many other priorities in Congress and a fierce tech lobbying effort to defeat it.

If history is a guide, the path toward U.S. tech regulation will be long. It took decades of public anger to regulate the railroads through the creation of the Interstate Commerce Commission in 1887. It took nearly 50 years from the first medical reports on the dangers of cigarettes to the regulation of tobacco.

There's no single reason for the sludge of progress in Congress. Proposals have been caught in the age-old partisan divide over how to protect consumers while also encouraging the growth of business. Then there are the hundreds of tech lobbyists who block legislation that could dampen their profits. Lawmakers have also at times failed to grasp the technologies they are trying to regulate, turning their public foibles over tech into internet memes.

Tech companies have taken advantage of that knowledge blind spot, said Tom Wheeler, a former chairman of the Federal Communications Commission.

"It's what I call the big con, where the tech companies spin a story that they are doing magic and that if Washington touches their companies with regulations they'll be responsible for breaking that magic," he said.

In the vacuum of federal regulations, states have created a patchwork of tech rules instead. California, Virginia, Utah and Colorado have adopted their own privacy laws. Florida and Texas have passed social media laws aimed at punishing internet platforms for censoring conservative views.

Amazon, Alphabet, Apple, Meta and Microsoft said they supported federal regulations. But when pressed, some of them have fought for the most permissive versions of the laws that have been under consideration. Meta, for instance, has pushed for weaker federal privacy legislation that would override stronger laws in the states.

Tech's lobbying power is now on full display in Washington with the threat of the antitrust bill from Ms. Klobuchar and Senator Charles E. Grassley, a Republican of Iowa. The proposal passed its first hurdle of votes in January, much to the tech industry's surprise.

In response, many of the tech companies mobilized an extensive lobbying and marketing campaign to defeat the bill. Through a trade group, Amazon claimed in television and newspaper ads that the bill would effectively end its Prime membership program. Kent Walker, Google's chief legal officer, wrote in a blog post that the legislation would break popular products and prevent the company from displaying Google maps in search results.

Ms. Klobuchar said the companies claims were hyperbole. She warned that by fighting the proposal, tech companies might be choosing the worse of two difficult options.

"They are letting Europe set the agenda on internet regulation," Ms. Klobuchar said. "At least we listened to everyone's concerns and modified our bill."

The inaction may appear surprising given that Republicans and Democrats are ostensibly in lock step over how tech companies have morphed into global powerhouses.

"Consumers need confidence that their data is being protected, and businesses need to know they can keep innovating while complying with a strong, workable national privacy standard," said Senator Roger Wicker, Republican of Mississippi. "The U.S. cannot afford to cede leadership on this issue."

Lawmakers have also forced many tech chief executives, including Jeff Bezos of Amazon, Tim Cook of Apple, Sundar Pichai of Google and Mark Zuckerberg of Meta, to testify multiple times before Congress in recent years. In some of those televised hearings, lawmakers of both parties have told the executives that their companies, with a combined $6.4 trillion in market value, aren't above government or public accountability.

"Some of these companies are countries, not companies," Senator John Kennedy, Republican of Louisiana, said in a January antitrust hearing, adding that they are "killing fields for the truth."

But so far, the talk has not translated into new laws. The path to privacy regulations provides the clearest case study on that record of inaction.

Since 1995, Senator Edward J. Markey, Democrat of Massachusetts, has introduced a dozen privacy bills for internet service providers, drones and third-party data brokers. In 2018, the year Europe's General Data Protection Regulation took effect, he proposed a bill to require a consumer's permission to share or sell data.

Mr. Markey also tried twice to update and strengthen privacy legislation for youths following his 1998 law, the Children's Online Privacy Protection Act.

With every effort, industry lobbying groups have denounced the bills as harmful to innovation. Many Republican lawmakers have opposed the proposals, saying they don't balance the needs of businesses.

"Big Tech sees data as dollar signs, so for decades they've bankrolled industry lobbyists to help them evade accountability," Mr. Markey said. "We've reached a breaking point."


UK government employees receive billions of malicious emails per year report – The Daily Swig

Jessica Haworth, 20 April 2022 at 13:31 UTC (updated 20 April 2022 at 13:33 UTC)

Phishing, malware, and spam are popular techniques deployed by attackers

A new report released today reveals that UK government employees receive an average of 2,400 malicious emails per year, as cybercriminals continue to use email as their vector of choice.

The study, from Comparitech, found that the central government departments across the UK received an estimated 2.6 billion suspicious emails in total last year.

These findings were taken from Freedom of Information (FOI) requests sent to 258 public-sector and national organizations including central government departments, the National Health Service and Network Rail.

"Across just under 260 government organizations, we estimate that 764,331 government employees received a total of 2.69 billion malicious emails in 2021," the report reads.

Comparitech notes that it defines malicious emails as containing either malware (including ransomware), phishing, or spam.

An average of 0.32 percent of the malicious emails were opened by staff in 2021, meaning 8.62 million malicious emails were at least previewed. Of those opened, fewer than 1% (57,736) resulted in staff members clicking on suspicious links.

Comparitech noted that some government departments responded with additional historical data, which showed that the years 2018 to 2019 saw an average increase in malicious emails of 24.5% (or around a quarter).

From 2019 to 2020, this jumped to an increase of just over 146% - more than doubling. From 2020 to 2021, the rate slowed again to just over 16%.

"It's perhaps no surprise that the biggest increase coincides with the pandemic and most people working from home (and emails, therefore, being their predominant method of communication)," Comparitech noted in the study.

The company also noted, however, that central government departments with high volumes of malicious emails aren't necessarily bigger targets for hackers, nor do they necessarily have weaker security systems.

"Rather, their IT systems may be doing a better job at filtering out malicious emails," the report states.

NHS Digital had a total of 357 million malicious emails received by 3,996 employees, equating to 89,353 emails per employee.

Other critical infrastructure services showed a similar pattern: railway provider Network Rail Limited had 223 million malicious emails received by a total of 44,356 employees, a rate of 5,033 emails per employee, while tax department HM Revenue & Customs had 27.9 million malicious emails received by 67,267 employees, or 415 emails per employee.

Paul Bischoff, privacy advocate at Comparitech, told The Daily Swig that government employees are targeted because they often work for critical services and systems that can't afford to go down for long.

"That makes some government agencies more likely to pay ransoms, especially those in healthcare where lives are on the line," Bischoff added.

"Governments also have a lot of employees and not all of them are trained to spot phishing emails. Attackers can target a large number of employees to increase their chances of success."

He advised: "Every government employee who uses the internet for work, has a work email address, or connects to government networks should be trained to spot and handle phishing emails. Phishing is more of an operational problem than a cyber security one."

Farrow: Ohio Republicans rather you focus on ‘kids with 2 dads’ than mountain of scandals – The Columbus Dispatch

Kenyon Farrow | Guest columnist

At this point most people are familiar with House Bill 616, which some have nicknamed Ohio's "Don't Say Gay" bill.

The bill would ban "any curriculum or instructional materials on sexual orientation or gender identity" and "divisive or inherently racist concepts and any other concept that the state board of education defines as divisive or inherently racist."

And while there is a lot of discussion to be had about why these bills are bad for students and education, that's not their intended purpose.

In addition to being a cheap and cynical political ploy to scapegoat the LGBTQ and Black and brown people who've fought for education curricula to represent the full experiences of people in the U.S. and in Ohio, these bills are really a way to keep the total and utter ubiquity of scandals the Republican legislators are facing out of the minds of Ohioans when they go to the polls this year.

The GOP does not want Ohioans to think about House Bill 6 as they enter the voting booth.

Passed in 2019, the bill was a $1.3 billion bailout for two nuclear plants and two coal plants, one of which is not even in the state of Ohio, ostensibly as a favor to FirstEnergy, which stood to make $170 million annually as a result (this isn't counting the $61 million in bribes that were used to push the bill through).

As of now, five people, former House Speaker Larry Householder of Glenford included, have been arrested.

Sam Randazzo, Gov. Mike DeWine's appointed Ohio Public Utilities Commission chair, was paid $4 million by FirstEnergy.

Questions still remain as to at what point DeWine knew about the alleged bribes being paid.

Instead of talking about this, we're spending time talking about whether kids should learn that one of their classmates may have two moms or dads.

But there is much worse.

In the middle of the COVID-19 pandemic, as Ohioans were dying by the dozens per day and millions were out of work due to stay-at-home orders, the lack of legislatively approved funding for basic internet security and technology upgrades allowed scammers to file fraudulent claims, costing the state $3.8 billion and inflicting hunger and hardship on everyday Ohioans who were out of work and not able to meet their own basic needs.

Ohio Medicaid Director Maureen Corcoran, who owned stock in United Healthcare, gave its Ohio subsidiary (United Healthcare Community Plan of Ohio) the state contract to manage the state's Medicaid program, even though it has been ranked almost dead-last on federal oversight reports, while denying the contract to a company that ranked near the top.

In essence, Corcoran handed $1.2 billion in 2019 alone, funds paid by Ohioans through taxes, to a company ranked low on transparency and oversight.

Corcoran has refused to hand over the oversight documents, or even to say whether she took these federal oversight reports into consideration when she chose to hand the system over to the company to manage.

Wait, there's even more.

Ohio voters overwhelmingly approved a measure in 2018 to put an end to partisan gerrymandering, and 2021 was the year to redraw the districts based on the then-newly released census data.

The Ohio Redistricting Commission, which is dominated by five Republicans, refused to sit down and create a transparent and open process for setting new maps that would not break communities up or create oddly carved-out districts merely to benefit one party or another.

They would not meet with the two Democrats on the commission and, over and over, submitted maps that violated the spirit of the law and gave Ohio voters a big middle finger by creating maps that were heavily partisan.

So much so that the Ohio Supreme Court, which has a Republican majority, rejected the maps over and over and over again.

The chaos is leading to two primary elections instead of one.

The mess will cost Ohioans millions.

These are the issues the Republicans don't want on the minds of Ohioans when they go vote this year. But Ohioans have much on their minds.

Facing a precarious future with a virus that has killed over 38,000 Ohioans alone, most people I know are thinking about rising inflation resulting in outrageous food and gas prices.

The GOP is selling the most cynical agenda, scapegoating teachers trying to make sure students are academically and socially prepared to live in a world with other people who may in fact be different from themselves, instead of dealing with the mess they've left the state after years of supermajorities that they created and are desperate to perpetuate for their own greed and power.

I hope Ohioans see through the smokescreen.

Kenyon Farrow is a Black gay activist and writer based in Cleveland Heights. He serves on the board of the LGBT Center of Greater Cleveland.

DiDi's Delisting Plan Just the Start of a Tough Road Ahead – Benzinga

By Ken Lo

It wasn't exactly what DiDi Global Inc. (DIDI) had in mind when its shares debuted on the New York Stock Exchange last year. But one year later, a hasty exit from New York looks almost inevitable for China's answer to Uber. No matter what route it takes, including a possible new listing somewhere else, the road ahead for the former high-tech superstar will be pockmarked with challenges.

DiDi revealed the first part of its bumpy roadmap forward in a statement last Saturday, saying it will hold an extraordinary shareholder meeting on May 23 to vote on officially abandoning its New York listing with a privatization. It said it was taking the step to comply with China's latest internet security rules. It added it wouldn't seek a listing on any other exchange before the exit is concluded, shooting down talk that it might go public in Hong Kong first before withdrawing from New York.

If shareholders approve the decision, Didi would become the shortest-lived U.S.-listed Chinese stock of all time. The company rushed to complete its IPO last June 30, one day shy of the 100th birthday of the Chinese Communist Party. Its price soared from $14 to as much as $18.01 on its debut, though the euphoria was short-lived. On 4 July, China's cybersecurity regulator accused the company of illegally collecting personal information, touching off a prolonged run-in with regulators that has weighed heavily on its shares ever since.

The stock was already down to $2.46, more than 80% lower than its IPO price, by the end of last week. After the company announced its plans to convene the shareholder meeting, the stock slumped further still to close at $1.71 on Thursday. Compared with its IPO valuation of $73 billion, its market cap has contracted nearly 90% to the latest $8.2 billion.

The reality is that China's new Cybersecurity Law, which sealed DiDi's fate, will have much more impact on U.S.-listed Chinese stocks than the U.S. disclosure concerns that have also made recent headlines, wreaking havoc on Chinese shares this year.

The law mandates that companies that possess personal information on more than 1 million users must undergo internet security reviews if they plan to go public overseas. Internet platforms with hundreds of millions of users like Didi, Alibaba (BABA), Tencent (700.HK), Meituan (3690.HK) and the not-yet-publicly-listed ByteDance will almost certainly be subject to such reviews at some point.

"Lack of transparency in the new law's implementation has made it very difficult for internet companies to cope with the new dynamics," said Kenny Wen, a commentator at Everbright Sun Hung Kai Co. Ltd. He pointed out that DiDi was especially hard hit because it possessed a big trove of sensitive data, including the whereabouts of government officials and locations of sensitive institutions.

"DiDi was put on the spot as a result of not knowing what exactly were the legal and illegal ways of using data," Wen said. "Maybe exiting the U.S. was the only way it knew to get out of the regulatory quagmire."

Wen added that shareholders were likely to green-light the exit plan. Major investors that account for more than 40% of the company's voting shares are likely to vote in favor, even though small and institutional investors who have lost big sums on the stock may vote against. Anyone who refuses to surrender their DiDi shares once the exit is complete will only be able to trade over-the-counter, boding poorly for the price due to lack of liquidity. As a result, small investors may scramble to get out while they can.

The latest information shows that DiDi's top four investors are Softbank with 20.08% of its shares, Uber with 11.93%, Tencent with 6.54% and the company's president and CEO Cheng Wei with 6.5%. With 45.1% of the company's shares between them and all in favor of a U.S. withdrawal, an exit is highly likely.

But rather than end its troubles, an exit would only mark the beginning of a cascade of new challenges. DiDi would still need to find ways to meet regulatory demands for its safe handling of sensitive data. At the same time, it will need to keep investing in its business operations to fend off competition at home and abroad, meaning its longer-term sustainability could be at stake.

And even if it can re-list in Hong Kong, the company is likely to fetch a far lower valuation than it initially got in New York. So, the exit is really just a first step to solve its immediate predicament. Additional challenges down the road could include shareholder lawsuits from small investors for failing to reprivatize at a premium, though the company has yet to announce a price for any buyout offer.

DiDi's latest financial statement, released last week, showed it generated revenue of 173.8 billion yuan ($27 billion) last year, up 22.6% from 2020. But its losses grew far faster, from 10.6 billion yuan in 2020 to 49.3 billion yuan last year. Regulatory shocks in the latter half of last year caused the company to log a net investment loss of 20.8 billion yuan in the third quarter, resulting in a 30.6 billion yuan loss for the period. That loss narrowed considerably to 171 million yuan in the fourth quarter, in a rare bit of good news for the company.

By the end of last year, the company's cash and cash equivalents totaled 43.4 billion yuan, up by 24 billion yuan in a single year, mainly due to the addition of 28 billion yuan in new funds from its IPO. Its negative cash flow from operations for the year totaled 13.4 billion yuan. At that rate of spending, the company has enough money to hold out for just two to three years. So, finding a road to breakeven and profitability is a top priority for its survival.

DiDi's many China-specific woes might make comparisons with global peers somewhat moot. But to provide some perspective, we can compare its price-to-sales (P/S) ratio with Uber (UBER) and Grab (GRAB), two other top-tier ride-hailing services. In that regard, Didi's P/S of 0.36 times is a tiny fraction of Uber's 11.2 times and Grab's 16.7 times.

The bottom line is that Didi will face many more uphill roads if and when it delists from the U.S., led by the challenges of compliance with China's cybersecurity regulations and strengthening its business operations to become profitable. How it meets those challenges could well determine whether it can embark on a new and lucrative journey ahead, or whether its road might come to an abrupt dead end.

How Russia Is Isolating Its Own Cybercriminals – DARKReading

Russian cybercriminals dominate the threat landscape, aided largely by a government that has heretofore turned a blind eye to their illicit dealings as long as their attacks target organizations and individuals outside of Mother Russia. However, since Russia's invasion of Ukraine on Feb. 24, the Kremlin has made a series of moves that threaten to disrupt the delicate balance that exists between them.

Without an extradition treaty with the United States, most of these cybercriminals operate with impunity or are nabbed when traveling outside of the United States. But in recent months this has not been the case. Several administrators and hosting providers were arrested in Russia in the past year for allegedly breaking the unspoken agreement between the government and cybercriminals. On Jan. 14, the Federal Security Service of the Russian Federation (FSB), in concert with US authorities, arrested members of the REvil ransomware-as-a-service (RaaS) collective that was responsible for the Kaseya attack. About a week later, the FSB detained four members of the Infraud Organization, including the group's founder, Andrey Novak, who was also wanted by the FBI. Though Russia is responsible for detaining these cybercriminals, these arrests and illicit marketplace takedowns have been few and far between and seem to signal more of a public relations ploy than a formal desire to stop cybercrime that affects its Western counterparts; there is no formal cyber alliance between Russia and the United States.

In some ways, Russian cybercrime has always been different, even in the underground. Russian cybercriminals, often young men, have had the autonomy to target foreign victims and establish various Dark Web-based marketplaces, card shops, and forums that attract like-minded threat actors. Wanted posters for these cybercriminals may very well be accompanied by images that showcase their Instagrammable lifestyles: poses that include expensive luxury automobiles, exotic cats, and stacks on stacks of US dollars.

Connection to Cybercrime

There is a demonstrable connection between the Russian government and cybercrime. Public records show that Alyona Eduardovna Benderskaya is the wife of "Evil Corp" ringleader Maxim Yakubets and daughter of FSB agent Eduard Bendersky. The exotic cat-wielding Bogachev has also been associated with Yakubets regarding money laundering for various malware schemes. Former cybercriminal-cum-FSB officer Dmitry Dokuchaev sought the services of Shaltai-Boltai ringleader Vladimir Anikeyev and Yahoo breachers Alexsey Alexseyevich Belan and Karim Baratov. Dokuchaev was also sentenced to six years in prison for treason, so perhaps there is no love lost there. Aleksei Burkov, founder of cybercrime forum "DirectConnection" and co-administrator of "MazaFaka," was recently released from the United States and returned to Russia short of his nine-year sentence. Despite these indictments, all of these Russian cybercriminals remain at large, housed and protected in Russia.

But Russia may unconsciously be eating its own: Russia's war with Ukraine has resulted in a global effort to isolate Putin and, as a result, Russian cybercriminals are feeling the pressure.

For one, Russia has taken an aggressive stance on Internet blocking, which has increased since the start of the war and is affecting the ways in which cybercriminals operate. News and social media websites are actively being censored to create a filter bubble within Russia's borders. Previous reports indicate that Russia has attempted to block Internet protocols such as DNS over HTTPS (DoH) and DNS over TLS (DoT), threatening the security and privacy of Internet communications. Russia is also blocking access to the Tor network, which is having an effect on freedom of speech and the landscape through which cybercriminals can communicate. While dissidents are downloading VPNs in greater numbers, threat actors are actively seeking workarounds that bypass Russia's deep packet inspection (DPI) capability. Threat actor recommendations include "anti-DPI" technology, Tor bridges, and VPN-to-VPN services, though the effectiveness of these countermeasures remains to be seen.

Secondly, Russia previously faltered in implementing its "sovereign Internet," finding difficulty in going from an open global Internet to a closed one. Cybercriminals may be able to gamble on Russia unsuccessfully disconnecting from the Internet. While countries like China have been more successful in closing their borders to disinformation, dissent, and foreign influence, it has come at the cost of vast human, technical, and financial resources. Other examples, such as Iran's walled garden and North Korea's restricted Internet, have demonstrated that cybercrime can persist, though usually it is at the behest of the government.

Thirdly, foreign governments are also making it difficult for Russian cybercriminals to cash out and launder the proceeds of their criminal campaigns. On April 5, German law enforcement, in concert with the US Justice Department, shut down Hydra, Russia's largest cybercrime marketplace. The Treasury Department's Office of Foreign Assets Control (OFAC) followed by sanctioning over 100 cryptocurrency addresses and virtual currency exchange Garantex. The sanctions followed a September 2021 initiative to disrupt ransomware payments by sanctioning Suex, and then Chatex, which have helped facilitate ransomware payments to threat actors. All three were tied to the "Moscow tower," which has been a hub of money laundering and cash-out activity. These sanctions are affecting cybercriminals' ability, in combination with sanctions against Russian financial institutions, to move cryptocurrencies from illicit activities (such as ransomware payouts) into fiat currencies.

Changing Face of Cybercrime

Cybercrime has a way of transforming. When one threat actor group is taken offline, another one takes its spot. There has never been a shortage of victims, and despite increased cybersecurity, there are always loopholes that can be exploited. Russian cybercriminals will have a difficult time overcoming the recent sanctions, although they are not a panacea. Russia has benefited from an overly permissive stance on cybercrime, and cybercriminals have acted with impunity. However, the increased restrictions on protocols, illicit services, and cybercrime marketplaces will make it increasingly difficult to financially benefit from conducting cyberattacks within Russia's borders. The implicit treaty between Russia and cybercriminals has been broken, and it is yet to be seen how they respond.
