Tech Giants Charged with Tracking Children

New Mexico’s attorney general, Hector Balderas, has announced a lawsuit against Google, Twitter, Tiny Lab Productions, MoPub, AerServ, InMobi Pte, AppLovin and IronSource, alleging that nearly 100 gaming apps aimed at children contain illegal tracking software.

The apps, developed by Tiny Lab Productions and distributed through the Google Play Store, are alleged to collect personal data from children under 13 without first obtaining parental consent. Collecting that data gives not only the defendants but also whoever they sell it to the ability to track and profile children, who can then be targeted for marketing.

“These apps can track where children live, play, and go to school with incredible precision,” said Balderas. “These multi-million-dollar tech companies partnering with app developers are taking advantage of New Mexican children, and the unacceptable risk of data breach and access from third parties who seek to exploit and harm our children will not be tolerated in New Mexico.”

Tiny Lab has developed 91 gaming apps in total, and all but five have been part of Google’s Designed for Families (DFF) program. They include Angry Bunny Race: Jungle Road, Arctic Roads: Car Racing Game, DexLand, Dragon Fight: Boss Shooting Game, Dragon Panda Racing, Fun Kid Racing, Magic Elf Fantasy Forest Run and Pet Friends Park Racing.

As children gain more access to the internet both at home and at school, the games they download pose particular risks to them, which has long been a concern for Balderas.

“Parents should be aware of these risks and should know how to protect their children before purchasing an internet connected device for their children. Parents should be extremely selective of the apps they choose for their children,” Balderas’s office wrote in a press release.

In addition to listing all 91 apps, the AG’s office included six pages with instructions on how to limit ad tracking across multiple devices.

SMBs Fear Phishing, Fall Short on Cyber Training

In a survey of 500 small to medium-sized businesses (SMBs) across the US, Webroot found that many fail to recognize the cybersecurity threats they face, largely because they lack in-house security expertise. According to The 2018 Webroot SMB Pulse Report, phishing scams ranked as the number-one threat to SMBs.

The report also found that while 24% of respondents viewed phishing as the number-one threat to their organization, 20% of smaller businesses – those with up to 19 employees – believed they should be focused on defending against ransomware.

Overall, 24% of SMBs were unable to identify their top threat, with the smallest organizations least likely to name their greatest risk. Of the companies classified as medium-sized (20-99 employees), 28% saw human error as their greatest threat. SMBs do, however, recognize that awareness training programs could help mitigate cyber risk.

“Phishing is a tried-and-true tactic for bad actors. Employees are likely to click on things they shouldn’t, despite what businesses try to do to prevent it,” said Gary Hayslip, chief information security officer, Webroot, in a press release.

“But humans get taken in by phishing scams out of simple curiosity or lack of security awareness, which underscores the need for continuous awareness training. For SMBs who feel overwhelmed by all the new cybersecurity challenges they face, partnering with an MSP is a great option to provide security expertise and management.”

Despite their fears of falling victim to a phishing scam or a ransomware attack, SMBs aren’t providing comprehensive, ongoing security awareness training for their employees, according to the report. The majority (66%) of participating businesses with up to 19 employees offer no cybersecurity training to employees.

As businesses grow, the numbers improve somewhat: only 29% of medium-sized companies and 13% of large companies (those with 100 to 500 employees) fail to provide any cybersecurity training in the workplace.

“Phishing attacks are one of the most common security challenges companies face in keeping their information secure. It’s easy and it’s effective. Cybercriminals set the bait and people click. Security awareness training with phishing simulations improve user behavior and get people to think before they click,” said Aaron Sherrill, senior analyst at 451 Research.

“Yet 451 Research Voice of the Enterprise surveys reveal that a large majority of businesses are cobbling together homegrown (and often ineffective) awareness solutions, wasting a lot of time and resources in the process. Small to medium-sized businesses need a solution that is cost effective, quick to deploy and easy to manage. Effective training programs do not need to be time consuming, cumbersome or costly.”

In the Battle Against IoT Threats, AI Is a Key Weapon

The idea of defending a perimeter to thwart cyber-attacks has been fading for years. Since the advent of the internet of things (IoT), connected devices have opened new attack vectors and created gaps in security. According to a new study, How AI and Automation Can Close the IT Security Gap in the Era of IoT, IT security teams are increasingly relying on artificial intelligence to close those gaps.

The global research study, conducted by the Ponemon Institute on behalf of Aruba, a Hewlett Packard Enterprise company, surveyed 4,000 security and IT professionals across the globe and found that when security systems incorporate machine learning and other AI technologies, they are better able to detect and stop IoT-targeted attacks.

According to the study, more than three-quarters of respondents believe their IoT devices are not secure. Sixty percent said that IoT devices, even seemingly trivial ones, pose a threat, yet two-thirds of respondents lack the ability to protect them.

“AI comes in because changes are not something that standard security techniques are well versed in. It’s hard to create visibility, but enabling technology like AI or ML [machine learning] is going to be so important for organizations attempting to achieve a strong security posture,” said Larry Lunetta, vice president of security solutions marketing, at Aruba.

The majority (68%) of respondents said AI-based products help reduce false alerts, while 63% said the technologies increase the overall effectiveness of the security team. For 60% of survey participants, AI-based technologies augment their investigation efficiencies, and 56% reported that implementing machine learning tools has afforded faster discovery of and response to attacks in which malicious actors have evaded perimeter defense systems.

Of the respondents, 25% are currently using some form of AI-based security solution, and an additional 26% have plans to deploy the tools within a year.

“Despite massive investments in cybersecurity programs, our research found most businesses are still unable to stop advanced, targeted attacks, with 45% believing they are not realizing the full value of their defense arsenal,” said Larry Ponemon, Ponemon Institute founder and primary researcher, in a press release.

“It’s become a perfect storm, with nearly half of respondents saying it’s very difficult to protect complex and dynamically changing attack surfaces, compounded by a lack of security staff with the necessary expertise to battle today’s attackers who are persistent, sophisticated, well trained and financed. Against this backdrop, AI-based security tools were viewed as a key weapon to help businesses keep up with increasing threat levels.”

IoT Malware Detections Soar 273% Since 2017

New IoT malware detections have more than tripled since 2017, passing 120,000, according to new figures from Kaspersky Lab.

The Russian AV vendor says it spotted 121,588 modifications of malware targeting smart devices in the first half of 2018, a 273% increase on the 32,614 detected in the whole of last year.

The most common way of spreading the malware is password brute-forcing, used in 93% of detected attacks. Most of the remaining cases used well-known exploits to gain access to the devices, according to the vendor.

The most commonly compromised devices were routers, accounting for 60% of the total, followed by a long tail of other connected devices including DVRs, printers and even smart washing machines.

IoT endpoints are an attractive target for attackers because they are always on, connected to the internet, and frequently left with weak or default passwords and outdated firmware.

The threat is serious enough that the FBI recently issued a public service announcement warning home users of the dangers of unsecured devices, most notably that they could be conscripted into botnets used for DDoS attacks, crypto-mining, click fraud and more.

“For those people who think that IoT devices don’t seem powerful enough to attract the attention of cyber-criminals, and that won’t become targets for malicious activities, this research should serve as a wake-up call. Some smart gadget manufacturers are still not paying enough attention to the security of their products, and it’s vital that this changes — and that security is implemented at the design stage, rather than considered as an afterthought,” argued Kaspersky Lab principal security researcher, David Emm.

“At this point, even if vendors improve the security of devices currently on the market, it will be a while before old, vulnerable devices have been phased out of our homes. In addition, IoT malware families are rapidly being customized and developed, and while previously exploited breaches have not been fixed, criminals are constantly discovering new ones.”

Earlier this year the British Standards Institution launched a kitemark scheme designed to improve baseline security in the IoT space by making it easier for buyers to spot reliable kit.

Europol: Ransomware Will be Top Threat for Years

Ransomware continues to be the biggest malware threat to businesses around the world, but mobile threats and crypto-jacking are emerging as serious challenges, according to Europol.

The law enforcement organization’s annual Internet Organised Crime Threat Assessment (IOCTA) provides a useful snapshot of current trends. It echoes the findings of many security vendors: ransomware is slowing but remains the most widespread financially motivated threat, ahead of banking Trojans, and will stay so for several years.

DDoS attacks were second only to malware in terms of volume in 2017, as infrastructure becomes more “accessible, low-cost and low-risk.”

On the wane as a means of infection are exploit kits, with “spam, social engineering and newer methods such as RDP brute-forcing coming to the fore.”

Europol also highlighted the emerging threat of crypto-jacking as one to watch, as it offers cyber-criminals a “regular, low risk revenue stream.” Mobile malware was also flagged.

“Mobile malware has not been extensively reported in 2017, but this has been identified as an anticipated future threat for private and public entities alike,” said the report.

As for the underground economy fueling these threats, Europol claimed success in shutting down three major marketplaces in 2017 and said that nine others closed or “exit scammed." However, new sites have unsurprisingly emerged to take their place.

“The almost inevitable closure of large, global darknet marketplaces has led to an increase in the number of smaller vendor shops and secondary markets catering to specific language groups or nationalities,” the report explained.

Javvad Malik, security advocate at AlienVault, said the report is a good validation of many of the trends security experts in the vendor and research community are seeing.

“Collaboration appears to be one of the biggest and most prominent takeaways. Being able to establish trustworthy channels to collaborate and share information and intelligence is vital,” he continued.

“Notable by its omission, there is no mention of the role of bots by organized crime and state to push agendas and misinformation, even though there are increasing industry studies that point to these as being tools in the arsenal of attackers.”

State Department Email Breach Hit Hundreds of Staff

The US State Department has confirmed an email security breach which may have affected hundreds of employees, exposing their personal information to attackers.

Reports emerged on Monday that the incident earlier this year affected “less than 1% of employee inboxes.”

“We have determined that certain employees’ personally identifiable information (PII) may have been exposed,” the department reportedly noted. “We have notified those employees.”

According to State Department figures, it employs nearly 70,000 staff, meaning somewhere in the region of 700 people could be affected by the breach.

It is not known how the attack occurred, although it affected the department’s cloud-hosted unclassified email service rather than the nominally more secure classified system.

Government auditors have criticized the department in the past for failing to meet cybersecurity best practice standards.

As a result, several senators wrote to secretary of state Mike Pompeo last week demanding an update on its efforts to comply.

“According to a 2018 General Services Administration (GSA) assessment of federal cybersecurity, the Department of State had only deployed enhanced access controls across 11% of required agency devices. This despite a law — the Federal Cybersecurity Enhancement Act — requiring all executive branch agencies to enable MFA for all accounts with ‘elevated privileges’,” they noted.

“Similarly, the Department of State’s Inspector General (IG) found last year that 33% of Diplomatic Missions failed to conduct even the most basic cyber threat management best practices, like regular reviews and audits. The IG also noted that experts who tested these systems ‘successfully exploited vulnerabilities in email accounts of department personnel as well as department applications and operating systems'.”

Gary McGraw, vice president of security technology at Synopsys, argued that the department is not alone in lagging on cybersecurity.

“If the State Department has trouble rolling out two-factor authentication to protect the majority of its users, something that many corporations have had in place for years, how can we expect other aspects of its operations to be secure? This breach provides more evidence that leadership in computer security can more likely be found in the private sector than in the public sector,” he added.

Sam Curry, chief security officer at Cybereason, claimed that the US government procurement process is holding it back.

“It is very difficult for State to buy new technology and continually improve the way the Global 1000 companies do," he argued. "Fundamentally this is likely a hack that led to a breach and not some type of insider issue."

Injunction to Secure Georgia Elections Denied

A request for a preliminary injunction in the Georgia election security lawsuit was denied by a federal judge late last night. The plaintiffs, who have long been fighting to have the state switch to paper ballots, had their request turned down by US District Judge Amy Totenberg.

In a 46-page order, Totenberg ruled against switching to paper ballots for the November election, but the court wrote frankly about the flaws of state officials and Georgia’s election systems.

“While Plaintiff’s motions for preliminary injunction...are DENIED, the Court advises the Defendants that further delay is not tolerable in their confronting and tackling the challenges before the State’s election balloting system,” Totenberg wrote in the order. She added that testimony and evidence “indicated that the Defendants and State election officials had buried their heads in the sand.”

“A wound or reasonably threatened wound to the integrity of a state’s election system carries grave consequences beyond the results in any specific election, as it pierces citizens’ confidence in the electoral system and the value of voting.”

While the preliminary injunction to secure Georgia’s midterm elections was denied, the judge’s recognition that the current system is critically insecure is a partial win for the plaintiffs.

“The court takes election officials to task for their 'head in the sand' approach to the extraordinary threat facing Georgia voters this fall and the little understanding they exhibited about election security. The court emphasizes that our case will move forward expeditiously with discovery in pursuit of a permanent injunction,” said the attorney for the Curling plaintiffs, David Cross, partner at Morrison & Foerster.

“Unfortunately, the court concluded that it’s too late to implement paper ballots this fall (the court noted that the timing of our motion for preliminary injunction was delayed by forces beyond our clients’ control). Ironically, the ineptitude demonstrated by certain state election officials in this case likely played a significant part in the decision that those officials could not manage a change now. We will continue the fight for all Georgia voters – and the Court makes clear that while we lost this initial battle, we are on track to win the war for safe, secure, transparent, honest elections in Georgia.”

Former Anonymous Hacker Raises $2.5m for Startup

After being convicted of hacking offences connected to the Guy Fawkes Night campaign in 2012, Adam Bennett, a former Anonymous hacker, received a two-year suspended prison sentence and 200 hours of community service, according to the Australian Financial Review. Fast-forward to 2018, and Bennett has raised $2.5 million from investors for his cybersecurity startup, Red Piranha.

“I’ve always been a privacy advocate and passionate about keeping Australian businesses secure,” Bennett said in an email interview. “I wanted to build a company that helped those struggling to afford the right cybersecurity controls or didn’t have the knowledge or resources to implement them.”

According to Bennett, small and midsized businesses (SMBs) are largely overlooked in the development of cybersecurity products, particularly with regard to affordability and ease of use. Red Piranha was founded to give SMBs an edge in fighting off cyber-criminals.

“After the conviction, I was approached directly by a number of people asking for help. It was clear that the SMBs that I was speaking to needed something affordable. That’s what led me to found Red Piranha and develop Crystal Eye, our main cybersecurity product and the first Australian-made unified threat management (UTM) platform designed specifically for SMBs,” said Bennett.

The company was born out of frustration that SMBs are left open to attack because they lack the money and resources to protect themselves. Since Bennett founded it, the company has grown from two people to more than 55 employees in just a few years.

“Investors and all our new clients are eager to work with us. Given that we’re the only company in Australia doing what we do, we don’t expect to be slowing down anytime soon,” he said.

Working to cement its position in Australia’s cybersecurity landscape, the company has also looked for ways to strengthen Australia’s national threat-intelligence ecosystem. To that end, it is partnering with organizations set up under federal government initiatives, such as AustCyber, the growth center for Australia’s cybersecurity industry.

Hackers Say Windows 8 and 10 Easiest Entry Points

According to a newly released survey conducted at Black Hat 2018, 50 percent of hackers said that Windows 8 and Windows 10 have been the easiest attack vectors to exploit this year.

Thycotic surveyed more than 300 hackers, nearly 70 percent of whom identified as white hats, to understand the hacker perspective on vulnerabilities and attack vectors.

In its 2018 Black Hat Hacker Report, Thycotic concludes that hackers routinely exploit the reality that operating systems are only as secure as the people using them.

“The 2018 Black Hat Hacker Report indicates that our operating systems and endpoints remain woefully vulnerable to hackers and threats from cyber-criminals,” said Joseph Carson, chief security scientist at Thycotic, in today’s press release.

Within the Windows figure, 26 percent of hackers said they infiltrated Windows 10 most often, while 22 percent most often hacked Windows 8. Linux lagged behind, with hackers exploiting vulnerabilities in that OS only 18 percent of the time. Fewer than 5 percent of respondents said macOS was their easiest or most frequently used attack vector.

When it comes to taking control of privileged accounts, 56 percent of hackers said social engineering is the fastest way to seize an account. Most often, hackers elevate privileges either by using default vendor passwords or by exploiting application and OS vulnerabilities, the survey stated.

In addition, survey participants reported that nearly three-quarters (74 percent) of companies are lagging in implementing the principle of least privilege. In an email interview, Carson said, “Most companies are failing at applying the principle of least privilege as they are trying to solve this challenge with a technology-only approach, which tends to focus more on security without considering employee usability.”

“This typically creates a conflict between employee productivity and the need for better cybersecurity, resulting in a poor security experience and employees looking for ways around it.”

Because weak privileged-access policies tend to lead to more data breaches, Carson said a failure to implement least privilege will also mean a higher cost for companies when a breach does occur.

Thycotic recommends combining people and technology, since that gives the chance to build an experience in which productivity and security work together. “Least privilege can only be successful when employee productivity is not impacted, allowing them to continue doing their job without the need to call the IT help desk continuously,” he said.

Think Tank: Urgent Oversight Needed for Police AI

A leading think tank has called for urgent regulatory and oversight mechanisms to be introduced to govern the use of machine learning technology by UK law enforcers.

The Royal United Services Institute for Defence and Security Studies (RUSI) is the world’s oldest independent defense and security think tank. Its latest report, Machine Learning Algorithms and Police Decision-Making: Legal, Ethical and Regulatory Challenges, was published with the Centre for Information Rights at the University of Winchester.

It argued that although machine learning is currently used only in limited scenarios such as supporting custody decisions, there is potential for a much wider role in policing, with forces currently trialing it in a variety of decision-making processes.

It described the lack of a regulatory and governance framework for its use as “concerning.”

“A new regulatory framework is needed, one which establishes minimum standards around issues such as transparency and intelligibility, the potential effects of the incorporation of an algorithm into a decision-making process, and relative ethical issues,” it continued. “A formalized system of scrutiny and oversight, including an inspection role for Her Majesty’s Inspectorate of Constabulary and Fire and Rescue Services is necessary to ensure adherence to this new framework.”

The report also warned that machine learning algorithms require “constant attention and vigilance” to make sure any predictions they provide are as unbiased and accurate as possible. To help in this, RUSI recommended the setting up of local ethics boards to assess each new implementation for police.

The use of emerging technologies in policing has been controversial for years, as regulatory oversight often struggles to catch up with day-to-day operations.

In May this year, rights groups called on the police to stop using facial recognition technology, claiming that FOI responses from forces proved it was “dangerous and inaccurate.”

False positives at the Metropolitan Police stood at 98%.
