British Online Security Expert Pleads Guilty To Writing Malware *:

  • A British security researcher who was hailed as a hero for helping to stop a global ransomware cyberattack in 2017 has pleaded guilty to charges in the United States of writing malicious software in a separate case.
  • The researcher, Marcus Hutchins, was arrested in Las Vegas in 2017 as he was on his way back to Britain from a conference.
  • Hutchins faces up to five years in prison and $250,000 in fines for each of the charges, according to court documents.
  • In 2017, a federal grand jury in the United States returned a six-count indictment against Hutchins.
  • The indictment said he and an unidentified accomplice conspired to create and sell malware intended to steal log-in information and other financial data from online banking sites.
  • A version of the program, known as the Kronos banking Trojan and created by Hutchins, was sold by the accomplice for $2,000 in June 2015, the indictment said.
  • But the document did not include details of how widely the malware was used.
  • The government has said it will move to dismiss the remaining charges in exchange for Hutchins’ guilty plea.
  • The global cyberattack that Hutchins helped stop disrupted Britain’s National Health Service and hundreds of other organizations worldwide, spreading to more than 70 countries.
  • It used a variant of WannaCry, a piece of malicious software that locks victims out of their systems and demands ransoms. Hutchins was credited with disabling it.
  • In a blog post at the time, he explained that he had noticed the malicious software trying to contact a particular internet address, discovered the address was unregistered and bought it, which turned out to trigger a “kill switch” in the software.
  • Researchers at Symantec, a security company, attributed the attack at the time to a team of hackers known as the Lazarus Group, which U.S. intelligence experts say is most likely linked to North Korea.
  • “Having grown up, I’ve since been using the same skills that I misused several years ago for constructive purposes,” Hutchins said in his statement.

*Source: SF Gate, April 21, 2019

EmCare Sends Notifications Of Data Security Incident*:

  • EmCare, Inc. and its affiliates (EmCare) today announced that they are addressing a data security incident that involved the personal information of some patients, employees and contractors.
  • EmCare has launched an internal investigation, notified individuals who may have been impacted and implemented additional security measures to prevent future occurrences.
  • EmCare recently became aware that an unauthorized third party obtained access to a number of EmCare employees’ email accounts.
  • Upon learning of the incident, EmCare promptly launched a comprehensive investigation and retained a leading forensic security firm to help determine the scope of the incident and who was impacted.
  • In addition, EmCare is taking measures to help prevent this type of incident from occurring in the future, including implementing advanced information technology (IT) solutions and providing all employees further training and reminders about email and IT security.
  • On Feb. 19, 2019, EmCare determined that the impacted email accounts contained some patients’, employees’ and contractors’ personal information, including name, date of birth or age, and for some patients, clinical information.
  • In addition, in some instances, Social Security and driver’s license numbers were impacted. 
  • There is no evidence to suggest that the information has been misused, or that anyone will attempt to misuse the information.
  • In addition, EmCare is not aware of any individual who has been impacted by fraud or identity theft as a result and does not know if any personal information was actually obtained by an unauthorized party.
  • For the subset of patients and employees whose Social Security or driver’s license numbers were impacted, EmCare has arranged for identity protection and credit monitoring services.
  • Beginning April 19, 2019, EmCare is sending written notification to all impacted individuals for whom it has contact information.

*Source: APN News, April 21, 2019

GDPR And CCPA Are Businesses’ Biggest Risks*:

  • Gartner’s latest Emerging Risks Monitor Report shows concerns around privacy regulations were consistently spread across the globe, denoting the increasingly numerous and geographically specific regulations that companies must now comply with.
  • “With the General Data Protection Regulations (GDPR) now in effect, executives realise that complying with privacy regulations is more complex and costly than first anticipated,” said Matt Shinkman, managing vice president and risk practice leader at Gartner.
  • “More budget dollars from IT, legal and information security are going to address GDPR compliance, just as the California Consumer Privacy Act (CCPA) is set to take effect, adding another layer of complexity for companies to navigate in this area.”
    • Sector Concern:
      • With sixty-four per cent of overall respondents indicating privacy regulation as a key risk, the data showed an elevated concern among executives from the banking, financial services, technology & telecommunications and food, beverage & consumer goods sectors, with at least 70 per cent of executives in each sector indicating it as a top risk. 
    • In addition to being rated the top risk this quarter, accelerating privacy regulation was also rated as a risk with ‘very rapid velocity’, meaning that the risk would have high impact if it were to materialise.
    • This may hint at a wariness among executives of the potentially large fines and reputational damage associated with violations of GDPR and similar legislation.
    • Privacy regulation was also rated as the highest-probability risk of any of the top 10 in this quarter’s report, demonstrating that executives view it as a concrete threat.
    • For those concerned about complying with emerging data privacy regulations, Gartner has produced a series of recommendations for GDPR, including developing a data security governance strategy and guidelines for the appointment of a chief data privacy officer.

*Source: This Week in FM, April 22, 2019

Here Are Some Of The Most Commonly Used Passwords. Is Yours Among One Of Them?*:

  • Hundreds of millions of internet users continue to put themselves at risk of having their accounts hacked by using incredibly simple and commonly used passwords which can easily be guessed by cyber criminals – or worse, just plucked from databases of stolen information.
  • An analysis of the 100,000 most common passwords made public by data breaches and hacking campaigns suggests that vast swathes of people still don’t understand the importance of having a strong password – or how to create one – using names, sports teams, bands and even just keys close together on the keyboard in an effort to secure accounts.
  • The passwords have been gathered using information from global data breaches which are already in the public domain, having been leaked, shared or sold by hackers on the dark web.
  • The full list has been created and shared by the UK’s National Cyber Security Centre – the cyber arm of the GCHQ intelligence service – with the aim of encouraging users to create strong passwords to help protect sensitive data.
  • By far the most commonly used password revealed in data breaches is ‘123456’, with 23.2 million accounts using this password – made up of the first six numerical keys across the top of a keyboard; 7.7 million users went the whole hog and used almost all the numerical keys, opting to use ‘123456789’ as their password.
  • The remainder of the top five most commonly used passwords are each used by over 3 million users who’ve fallen victim to data breaches – ‘qwerty’ appears 3.8m times, ‘password’ appears 3.6m times and ‘111111’ appears 3.1 million times.
  • Many of the top 50 most used passwords – almost all of which are used by over half a million people – are based around basic ideas, like being made up of a simple series of numbers, or the same number repeated six or seven times.
  • Passwords ‘iloveyou’, ‘monkey’ and ‘dragon’ are among the top 20 most used, while ‘myspace1’ is ranked 26th on the list with 735,980 users selecting it as their password – it’s likely that they selected this as their password for MySpace, even if many have long forgotten about their account on the early social network.
  • Names are a common password theme, with hundreds of thousands of users just using a single name as a password. ‘ashley’ and ‘michael’ are used by over 400,000 users each, with ‘daniel’, ‘jessica’ and ‘charlie’ each used over 300,000 times.
  • It’s likely that these are the users’ own names – meaning that if a hacker gets hold of an email address and no password, cracking it by using the victim’s first name might blow the thing wide open.
  • Bands are also a common theme when it comes to users selecting simple passwords, with the password list detailing how 285,706 users opted for ‘blink182’ as their password – making the pop-punk band the most commonly selected music-related password. ‘50cent’, ‘eminem’, ‘metallica’ and ‘slipknot’ are each used over 140,000 times.
  • Sports teams are another common theme amongst the most regularly breached passwords.
  • Liverpool wins the title of most used Premier League football team in passwords, with 280,723 users choosing ‘liverpool’ to lock their account.
  • The remainder of the top five Premier League football teams in the top five most commonly breached passwords are ‘chelsea’, ‘arsenal’, ‘manutd’ and ‘everton’.
  • People who use their favourite sports team as their password could easily find themselves the victim of a hack – many sports fans will talk about their favourite team on social media and it could therefore be relatively simple for a cyber criminal to seek this information out on Twitter or Facebook and use the information in an effort to crack the account.
  • A major problem with these simple passwords is that it’s incredibly likely that the users are using them across multiple accounts – meaning that if their email address and password are exposed in a breach they could easily be used to access other services they use, including social media and online shopping accounts.
  • The NCSC – which has released the password list ahead of its CYBERUK 2019 conference in Glasgow – recommends using three random words as a password.
  • The password list was created using breached usernames and passwords collected on Have I Been Pwned, a website by security expert Troy Hunt which allows users to check if their email address appears in major data breaches.
  • The NCSC has published advice on what makes a good password and how users can secure their accounts on the official NCSC website.

*Source: ZDNet, April 20, 2019

How Your Credit Card Data Gets Shared With Cyber Criminals When You Book A Hotel*:

  • According to research recently conducted by Symantec Corp, two out of three hotels, or 67%, mistakenly leak personal information and booking details to advertisers and analytics companies.
  • This compromised data typically comprises email addresses, the last four digits of the credit card number, card type and expiration date, mobile phone number, full name, and even passport numbers.
  • The study’s lead researcher, Candid Wueest, works for Symantec’s Security Technology and Response division.
  • In his detailed analysis, he explained that the frequency of these errors of confidentiality is higher than many are aware of, and the consequences can end up being catastrophic if intimate details get into the hands of cybercriminals.
  • The study examined over 1,500 hotel websites in 54 different countries, from the two-star range to the five-star range, and included chains and independent properties.
  • Wueest surmises that our private information is commonly shared when hotels send emails to confirm bookings.
  • These emails contain direct links to our booking information, which is then made inadvertently available to over thirty different service providers.
  • Fifty-seven percent of the sites tested by Wueest observed a policy of sending confirmation emails with a direct link to the booking info of recent customers.
  • The report states: “Since the email requires a static link, HTTP POST web requests are not really an option, meaning the booking reference code and the email are passed as arguments in the URL itself.
  • On its own, this would not be an issue. However, many sites directly load additional content on the same website, such as advertisements.”
  • The research revealed that an alarming 176 requests are granted per booking. 
  • Additionally, in most instances, booking data remains visible, even in instances when customers cancel their reservations.
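As an added example (not Symantec’s code or anything from the report), the following models the mechanism quoted above: the booking reference and e-mail address travel as URL arguments, and every third-party resource the booking page loads receives that page URL as the HTTP Referer header, as far as the page’s Referrer-Policy allows. The parameter names, hosts and URLs are constructed for illustration; only the policies named are modelled.

```python
from urllib.parse import urlsplit, parse_qs

# Assumed parameter names; the report only says the reference code and
# e-mail are passed as arguments in the URL.
SENSITIVE_PARAMS = {"ref", "email"}

# Constructed booking page URL of the kind the report describes.
BOOKING_URL = "https://hotel.example/booking?ref=ABC123&email=guest%40example.com#top"

# Constructed third-party resources embedded on the booking page.
THIRD_PARTY = [
    "https://ads.example.net/pixel.gif",
    "https://analytics.example.org/collect.js",
    "http://legacy-cdn.example.com/banner.png",   # plain HTTP: an HTTPS->HTTP downgrade
]


def referrer_sent(page_url: str, resource_url: str, policy: str) -> str:
    """Referer value the browser attaches to one subresource load.
    Fragment and userinfo are never sent; "full" means scheme://host/path?query.
    Port is ignored in the same-origin check to keep the model short."""
    page, res = urlsplit(page_url), urlsplit(resource_url)
    full = f"{page.scheme}://{page.hostname}{page.path}" + (f"?{page.query}" if page.query else "")
    origin = f"{page.scheme}://{page.hostname}/"
    same_origin = (page.scheme, page.hostname) == (res.scheme, res.hostname)
    downgrade = page.scheme == "https" and res.scheme == "http"
    if policy == "no-referrer":
        return ""
    if policy == "no-referrer-when-downgrade":          # historic browser default
        return "" if downgrade else full
    if policy == "strict-origin-when-cross-origin":     # current browser default
        return full if same_origin else ("" if downgrade else origin)
    raise ValueError(f"policy not modelled: {policy!r}")


def leaked_fields(referrer: str) -> set:
    """Sensitive query parameters a third party can read out of the Referer."""
    return set(parse_qs(urlsplit(referrer).query)) & SENSITIVE_PARAMS


def audit(page_url: str, resources, policy: str) -> dict:
    """Map each third-party host to the sensitive fields it would receive."""
    return {urlsplit(r).hostname: leaked_fields(referrer_sent(page_url, r, policy))
            for r in resources}


if __name__ == "__main__":
    for policy in ("no-referrer-when-downgrade", "strict-origin-when-cross-origin", "no-referrer"):
        print(f"{policy:32} {audit(BOOKING_URL, THIRD_PARTY, policy)}")
```

Referrer-Policy only limits how far the URL travels; taking the booking reference and e-mail out of the URL altogether (a short-lived token or a POST form) removes the data from the leak path.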

*Source: Ladders, April 19, 2019

How The Cybersecurity Industry Has Managed To Stay One Step Ahead Of Hackers*:

  • Cybercrime rates seem to have gone through the roof over the past couple of years, as reports of ransomware attacks like WannaCry and Petya continue to make headlines across the globe.
  • Hacking with a view to stealing valuable information or gaining money through extortion seems to have become a lucrative activity for professional cybercriminals.
  • Against this landscape, cybersecurity experts must constantly be on the lookout, developing new solutions and outsmarting malicious intruders.
  • Security techniques like data encryption and ethical hacking aim precisely at delivering a high level of cybersecurity.
  • Installing and reinforcing our defences against incoming hacker attacks has become a top priority for businesses – and one that claims an important portion of their budget.
  • According to research conducted by Gartner, global cybersecurity spending is expected to surpass a staggering $124 billion by the end of 2019.
  • In 2018, the same figure was estimated at $114 billion, marking an increase of 12.4% from 2017, and this means that the funds allocated will grow by a further 8.7% in 2019.
  • Out of the total sum projected to be invested in 2019, $3 billion will go towards securing applications, $459 million will be allocated to protect cloud computing and data security will claim over $3.5 billion.
  • The biggest segments are expected to be identity access management solutions ($10.5 billion), network security equipment ($13.3 billion) and infrastructure security (over $15.3 billion), with security services ranking first and claiming roughly 50% of relevant funds ($64.2 billion).
  • The latter segment is expected to continue to dominate, as it will make up at least 50% of cybersecurity software solutions by 2020, while over 40% of companies will invest more funds in it by 2020 in order to accommodate issues related to privacy and effective risk management.
  • Spending in the field is not only driven by the looming threat of cybercrime, but also by the added obligations imposed on organizations by new privacy legislation.
  • According to the same source, at least three out of 10 organizations will see funds invested towards consulting and implementation services related to the new EU General Data Protection Regulation rules.
  • In the never-ending race to be one step ahead of hackers, the cybersecurity industry has developed comprehensive solutions to protect sensitive data.
  • One popular security technique is data masking, which uses fictitious data that looks like the real thing to replace valuable and critical data.
  • Data masking minimizes exposure to threats and can be implemented across a range of transformation techniques, allowing companies to comply with privacy and data protection laws.
  • It forms part of a wider array of defence techniques known as data pseudonymization, which is specifically recommended by regulations like the GDPR.
  • It is based on the concept of de-identifying personal data to make it impossible for intruders to determine which data subjects they refer to.
  • Thus, personally identifiable information is protected by rendering it of no value for hackers that do not have access to the pseudonymization key.
  • Data anonymization is another security technique, which conveys a higher level of security for data subjects since their information is rendered irreversibly anonymous.
  • This means that it can no longer be linked back to them, in contrast to pseudonymization techniques, a process that can be reversed.
  • For companies that still need to use the data they hold in sync with the data subjects, anonymization is not an option, whereas data pseudonymization techniques like data masking allow businesses to keep operating as usual and maintain referential accuracy in their work, without leaving sensitive information exposed to hackers.
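The distinction drawn in the bullets above, as an added example (not from the article or any vendor): pseudonymization replaces the identifier with a keyed, deterministic token, so two tables still join on it and the key holder can recompute the mapping, while anonymization drops the identifier and coarsens the remaining fields so no key exists to undo it. The records, field names and key are constructed placeholders.

```python
import hmac
import hashlib
from datetime import date

# Placeholder key for illustration only; a real deployment keeps this in a KMS/HSM.
PSEUDONYMIZATION_KEY = b"placeholder-key-not-a-real-secret"

# Constructed records: one table of people, one of events that refer to them.
PATIENTS = [
    {"email": "ann@example.com", "dob": "1984-03-09", "postcode": "SW1A 1AA"},
    {"email": "bob@example.com", "dob": "1991-11-30", "postcode": "M1 1AE"},
]
VISITS = [
    {"email": "ann@example.com", "clinic": "cardiology"},
    {"email": "ann@example.com", "clinic": "radiology"},
    {"email": "bob@example.com", "clinic": "dermatology"},
]


def pseudonym(value: str, key: bytes = PSEUDONYMIZATION_KEY) -> str:
    """Keyed, deterministic token (HMAC-SHA256, truncated). The same input always
    maps to the same token, so cross-table joins keep working; without the key
    the token cannot be recomputed from a guessed input or reversed."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymize(rows, field="email"):
    """Swap the identifier in every row while preserving referential integrity."""
    return [{**r, field: pseudonym(r[field])} for r in rows]


def age_band(dob: str, today: date = date(2019, 4, 21), width: int = 10) -> str:
    """Generalise a date of birth into a fixed-width age band (irreversible)."""
    born = date.fromisoformat(dob)
    age = today.year - born.year - ((today.month, today.day) < (born.month, born.day))
    lo = age - age % width
    return f"{lo}-{lo + width - 1}"


def anonymize(rows):
    """Drop the direct identifier and coarsen quasi-identifiers; nothing links
    the output back to a person and no key exists to undo it."""
    return [{"age_band": age_band(r["dob"]), "area": r["postcode"].split()[0]} for r in rows]


def visits_per_patient(patients, visits, field="email"):
    """Join that still works on pseudonymized tables (tokens match across tables)
    but is impossible on anonymized ones, which no longer carry an identifier."""
    counts = {p[field]: 0 for p in patients}
    for v in visits:
        counts[v[field]] = counts.get(v[field], 0) + 1
    return counts
```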
  • Finally, data encryption has emerged as a staple approach for cybersecurity solutions.
  • Encrypted data cannot be read by anyone unless they know the encryption key, which makes data safer at rest, in use and in transit.
  • Several cybersecurity solutions like Virtual Private Networks use the technique to protect user information and it is also an option in most state-of-the-art smartphones.
  • Since hackers continue to develop new ways of attacking information systems, the cybersecurity community has turned to novel solutions for fighting back.
  • For several analysts, harnessing artificial intelligence promises to become a game-changer for the industry.
  • Machine learning technology could be employed to allow cybersecurity software to detect malware and other hacker attacks automatically and more efficiently.
  • That could in turn help ease the financial burden for companies, as less manpower would be required to supervise information security defences.
  • Ethical hacking is another major driving force in the industry, as benign cybersecurity specialists attempt to infiltrate and manipulate a client’s IT systems with the owner’s permission.
  • Ethical hacking now even forms part of the undergraduate studies curriculum in some universities and is set to become a major trend in the battle against cybercrime.
  • Hackers have been operating for years, but new technological developments have managed to make their attacks smarter and more effective at causing damage.
  • As the spotlight turns to sophisticated data protection techniques, the cybersecurity industry must continue to learn and adapt in order to offer a high level of protection that today’s users so desperately need.

*Source: The Tech News, April 16, 2019