STE WILLIAMS

2-bit punks’ weak 40-bit crypto didn’t help Tesla keyless fobs one bit

Boffins have sprung the bonnet on the weak crypto used in the keyless entry system of Tesla’s Model S car.

Researchers from the Computer Security and Industrial Cryptography (COSIC) group – part of the Department of Electrical Engineering at Belgian university KU Leuven – were able to clone a key fob, open the doors, and drive away the electric sports car.

Essentially, using some software-defined radio kit, it is possible to extract enough information over the air from a nearby victim’s wireless fob to create a copy of it – and use this to steal their flash motor. This is done by fooling the legit fob into thinking it is talking to its car, when really it’s talking to a Raspberry Pi 3 B+ connected to transceiver equipment and running the researchers’ software.

The researchers’ write-up has all the technical details, if you’re interested. It takes a couple of seconds to break the cryptography and recover the fob’s key.

The problem was reported to Tesla and resolved in June: the car maker’s supplier produced key fobs with stronger cryptography, and a software update lets existing Model S cars switch to them. Last month Tesla added an optional PIN as an additional defence. The researchers also published a video demonstrating the attack.

In a statement, Tesla confirmed the fix, adding the researchers involved had earned an unspecified bug bounty for their efforts:

Due to the growing number of methods that can be used to steal many kinds of cars with passive entry systems, not just Teslas, we’ve rolled out a number of security enhancements to help our customers decrease the likelihood of unauthorized use of their vehicles.

None of these options would be possible for any traditional automaker – our ability to update software over the air to improve functionality and security is unique.

Based on the research presented by this group, we worked with our supplier to make our key fobs more secure by introducing more robust cryptography for Model S in June 2018. A corresponding software update for all Model S vehicles allows customers with cars built prior to June to switch to the new key fobs if they wish.

In addition, we had already been working on several other over-the-air updates to help protect our customers from thefts – last year we introduced an update that allows all customers to turn off passive entry entirely, and this year we introduced PIN to Drive, which allows customers to set a unique PIN that needs to be entered before their vehicle is driven.

Tesla added it plans to add the security researchers to its Hall of Fame.

It was not a key relay attack, an established way to hack keyless cars, but rather an exploit of DST40, a 40-bit-key cipher shown to be weak 13 years ago by a research team that included noted cryptographer Matthew Green.

“I really feel like doing further research is redundant at this point, since my 2005 papers are apparently still good enough to pwn Tesla,” Green noted this week.

The research aimed to probe the resilience of Passive Keyless Entry and Start (PKES) systems, which allow drivers to unlock and start their vehicle once a paired key fob is within range – no additional interaction required.
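The recipe sketched above (impersonate the car, get the fob to answer challenges you choose, then break the 40-bit key offline and build a clone that answers the real car) can be shown end to end with a toy model. This is an added example, not code from the COSIC paper, Tesla or Pektron: the keyed function is a truncated-HMAC stand-in rather than DST40, the key is shrunk from 40 to 16 bits so the precomputed table builds in a few seconds, and the attack structure (one fixed chosen challenge looked up in a precomputed table, a second challenge to discard false matches, a cloned fob answering a fresh challenge from the car) is assumed for illustration rather than taken from the page. The names Fob, Car, build_table, recover_key and clone_attack are hypothetical.

```python
"""Toy model of cloning a challenge-response key fob whose key is too short.

Added illustration, not the KU Leuven/COSIC code and not DST40: keyed_response
is a truncated HMAC stand-in, and KEY_BITS is shrunk from 40 to 16 so the
precomputed table builds in seconds. The attack shape is assumed for illustration.
"""
import hashlib
import hmac
import os

KEY_BITS = 16            # toy; DST40 has a 40-bit key (2**40 candidates)
RESPONSE_BYTES = 3       # 24-bit response, as for DST40


def keyed_response(key: int, challenge: bytes) -> bytes:
    """Stand-in for the fob's keyed challenge-response function (NOT DST40)."""
    key_bytes = key.to_bytes(5, "big")
    return hmac.new(key_bytes, challenge, hashlib.sha256).digest()[:RESPONSE_BYTES]


class Fob:
    """A passive fob answers any challenge it hears; it cannot tell car from attacker."""

    def __init__(self, key: int) -> None:
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        return keyed_response(self._key, challenge)


class Car:
    """The car sends a fresh random challenge and checks the fob's response."""

    def __init__(self, key: int) -> None:
        self._key = key

    def unlock(self, fob: Fob) -> bool:
        challenge = os.urandom(5)
        expected = keyed_response(self._key, challenge)
        return hmac.compare_digest(fob.respond(challenge), expected)


def build_table(chosen_challenge: bytes) -> dict:
    """Offline, once: response -> candidate keys for ONE fixed challenge.

    For a 40-bit key this is the multi-terabyte table; here it is 2**16 entries.
    """
    table: dict = {}
    for key in range(1 << KEY_BITS):
        table.setdefault(keyed_response(key, chosen_challenge), []).append(key)
    return table


def recover_key(victim: Fob, table: dict, chosen_challenge: bytes,
                second_challenge: bytes) -> list:
    """Online, seconds: two radio exchanges with the victim's fob, posing as its car."""
    candidates = table.get(victim.respond(chosen_challenge), [])
    check = victim.respond(second_challenge)
    # The second response drops keys that merely collide on the chosen challenge.
    return [k for k in candidates if keyed_response(k, second_challenge) == check]


CHOSEN = b"\x00" * 5     # attacker's fixed challenge, baked into the table
SECOND = b"\xff" * 5     # any second challenge distinct from CHOSEN


def clone_attack(secret_key: int) -> tuple:
    """Return (recovered keys, whether a cloned fob opens the victim's car)."""
    victim_fob, car = Fob(secret_key), Car(secret_key)
    table = build_table(CHOSEN)
    keys = recover_key(victim_fob, table, CHOSEN, SECOND)
    opened = bool(keys) and car.unlock(Fob(keys[0]))
    return keys, opened


if __name__ == "__main__":
    recovered, opened = clone_attack(0x4B1D)
    print(f"recovered keys: {[hex(k) for k in recovered]}, clone opens car: {opened}")
```

The point carries over unchanged to the real 40-bit key: almost all of the work happens offline in build_table, and the live part against the victim's fob is two exchanges and a lookup, which is why "a couple of seconds" is enough. Lengthening the key to 128 bits makes build_table infeasible no matter how long the attacker stands next to the fob, which is what the replacement fobs with "more robust cryptography" buy.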

Tesla was used as a proof of concept. However, other automakers rely on keyless entry technology from the same vendor – Pektron – meaning their vehicles potentially could be at risk, too.

“Everybody is making fun of Tesla for using a 40-bit key (and rightly so). But Tesla at least had a mechanism we could report to and fixed the problem once informed. McLaren, Karma, and Triumph use the same system and ignored us,” said Tomer Ashur, a member of the research team.

El Reg asked Karma and Triumph Motorcycles to comment on the researcher’s criticism. ®

Updated to add

McLaren has been in touch with The Reg to tell us: “Our experts feel the paper is credible and does demonstrate a theoretical vulnerability in our vehicle security systems. As yet, however, the vulnerability as described in the paper has not been proven to affect our vehicles and we know of no McLaren that has been compromised in such a way.”

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/09/12/tesla_hack/

Back up a minute: Veeam database config snafu exposed millions of customer records

A misconfigured server at data recovery and backup firm Veeam exposed millions of email addresses.


Security researcher Bob Diachenko discovered the 200GB cache of email addresses, names and (in some cases) IP addresses before notifying Veeam. The resource, which might easily have lent itself to spam and (perhaps) phishing attacks in the hands of cyber criminals, has since been pulled offline.

Diachenko discovered the Amazon-hosted MongoDB resource using Shodan, the machine data and IoT search engine. The data – seemingly collected between 2013 and 2017 – was neither password-protected nor encrypted. The researcher initially assessed the records breached to number 445 million, which seems a little unlikely judging by the disaster recovery specialist’s size. In January this year, Veeam told investors it had an installed base of 282,000 customers.
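The two conditions Diachenko's find depended on, a mongod listening on a public interface and accepting commands with no credentials, are both visible in mongod.conf, as is the lack of transport encryption. The check below is an added example, not Veeam's configuration or anything recovered from the incident: both config texts are constructed samples, and parse_conf handles only the small YAML subset mongod.conf uses (nested key: value mappings) so it runs without PyYAML. The option names it inspects (net.bindIp, net.bindIpAll, net.tls.mode / net.ssl.mode, security.authorization) are real mongod options; the function names are hypothetical.

```python
"""Audit a mongod.conf for the settings that turn a database into a Shodan hit.

Added example, not Veeam's configuration. Both sample configs are constructed.
Only the YAML subset mongod.conf uses (nested 'key: value' maps) is parsed.
"""

# Constructed sample: the shape of an internet-facing, unauthenticated mongod.
INSECURE_CONF = """\
storage:
  dbPath: /var/lib/mongo
net:
  port: 27017
  bindIp: 0.0.0.0        # listen on every interface
"""

# Constructed sample: loopback only, TLS required, authentication on.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongo
net:
  port: 27017
  bindIp: 127.0.0.1
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongod.pem
security:
  authorization: enabled
"""

PUBLIC_BINDS = {"0.0.0.0", "::"}


def parse_conf(text: str) -> dict:
    """Minimal parser for nested 'key: value' lines (indentation = nesting).

    Good enough for mongod.conf; not a general YAML parser (no lists, no quoting).
    """
    root: dict = {}
    stack = [(-1, root)]                      # (indent, mapping) per open level
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments and trailing space
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack[-1][0] >= indent:         # close levels deeper than this line
            stack.pop()
        parent = stack[-1][1]
        value = value.strip()
        if value:
            parent[key] = value
        else:                                 # bare 'key:' opens a sub-mapping
            parent[key] = {}
            stack.append((indent, parent[key]))
    return root


def audit(conf: dict) -> list:
    """Return human-readable findings; an empty list means all three checks pass."""
    findings = []
    net = conf.get("net", {})
    bind = net.get("bindIp", "")
    addrs = {a.strip() for a in bind.split(",") if a.strip()}
    if net.get("bindIpAll") == "true" or addrs & PUBLIC_BINDS:
        findings.append(f"net.bindIp={bind or 'all'}: mongod is reachable from every interface")
    elif not addrs:
        findings.append("net.bindIp unset: builds before MongoDB 3.6 default to all interfaces")
    if conf.get("security", {}).get("authorization") != "enabled":
        findings.append("security.authorization is not 'enabled': anyone who connects can read every collection")
    tls_mode = net.get("tls", {}).get("mode") or net.get("ssl", {}).get("mode")
    if tls_mode not in ("requireTLS", "requireSSL"):
        findings.append(f"net.tls.mode={tls_mode}: connections are not encrypted in transit")
    return findings


if __name__ == "__main__":
    for name, text in (("insecure", INSECURE_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(parse_conf(text)) or ["OK"])
```

The unset-bindIp branch matters for data of the 2013–2017 vintage described here: mongod only started binding to localhost by default in version 3.6, so an older install with no explicit bindIp and no security section is exactly what Shodan indexes. Binding to loopback (or a private address behind a firewall) closes the exposure even if the authorization fix is delayed, which is why the check reports both.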

Just last month, the data protection company was boasting about hooking up with tape storage outfit Quantum to produce a converged tape appliance. Ironically, it recommended the gear to customers as a “best practice data protection strategy” because of tape’s status as an “offline” storage medium. Things like ensuring sensitive stuff is “not physically connected to the network” are indeed part of a solid plan of action on safeguarding data, sort of like one where you encrypt or at least password-protect the information which must be networked. Ah well, perhaps it should have consulted a data protection, er…

El Reg approached Veeam for comment on the apparent inadvertent server leak snafu.

In a canned statement, Veeam confirmed the stray database is now inaccessible, adding the standard corporate mantra trotted out on the occasion of any breach: that it takes security seriously.

It has been brought to our attention that one of our marketing databases, leaving a number of non-sensitive records (i.e. prospect email addresses), was possibly visible to third parties for a short period of time. We have now ensured that ALL Veeam databases are secure. Veeam takes data privacy and security very seriously, and a full investigation is currently underway.

Veeam refused to comment on the number of emails exposed as it is currently probing the debacle.

In related technology news, unsecured and internet accessible MongoDB databases are being wiped by crooks who subsequently make extortionate demands. Some victims have been paying ransoms demanded through the so-called Mongo Lock scam, as evidenced by the payment of funds in Bitcoin wallets linked to the racket. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/09/12/veeam_database_config_snafu_exposed_millions_email_addresses/

8 Cryptomining Malware Families to Keep on the Radar

Cryptojacking attacks at the hands of cryptomining malware are on the rise as these variants of Trojans, worms, and exploit kits make their rounds.

Image Source: Adobe Stock (TTstudio)


Cryptojacking activities that bleed off victims’ compute power to mine for cryptocurrency have skyrocketed, as cybercriminals find it to be one of the most profitable low-key attacks on the Web today. It has even pushed out ransomware as cybercriminals’ favorite means of raking in cash.

While cryptomining malware may not be calibrated specifically to steal data, it should remain on the radar of enterprise defenders. Campaigns carried out by these malicious tools do real damage to computing equipment and siphon off vast amounts of electricity, never mind the fact that their infections are the perfect foothold to carry out other kinds of devastating lateral attacks. Here are some of the most prevalent and powerful cryptomining malware families active today.

 

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Article source: https://www.darkreading.com/8-cryptomining-malware-families-to-keep-on-the-radar/d/d-id/1332771?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Mobile Attack Rates Up 24% Globally, 44% in US

One-third of all fraud targets are mobile, a growing source of all digital transactions.

The proportion of mobile-vs.-desktop transactions has nearly tripled in the last three years, and instances of mobile fraud and cyberattacks have grown as attackers go where their victims are.

More than half (58%) of digital transactions now originate from mobile devices, ThreatMetrix researchers discovered in their Q2 Cybercrime Report 2018. One-third of all fraud now targets mobile, with global attacks up 24% compared with the first half of 2017. The United States saw a far higher growth rate: Mobile cyberattacks increased 44% during the same time period.

The financial services sector has been hit hard with the growth of mobile cybercrime. Of the 81 million attacks to hit the industry in the first half of 2018, 27 million targeted mobile devices as fraudsters capitalize on the rise of mobile banking adoption. The biggest threat to financial services, researchers report, comes from device spoofing. Attackers attempt to trick banks into thinking fraudulent login attempts are coming from new customer devices.

Identity spoofing is a broad problem, especially on social networks and dating websites, which have the highest mobile footprint across industries: 85% of total transactions, and 88% of account creations, for social sites happened on mobile devices. Identity spoofing makes up 13.3% of attacks on this sector; attackers often use proxy servers to trick their victims into thinking they’re geographically closer than they are.


Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/mobile/mobile-attack-rates-up-24--globally-44--in-us/d/d-id/1332798?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

4 Trends Giving CISOs Sleepless Nights

IoT attacks, budget shortfalls, and the skills gap are among the problems keeping security pros up at night.

The world of cybersecurity gets more intriguing every year. In 2017, security professionals saw their share of attacks, but the increasing sophistication of the skirmishes is notable — with almost machine-like weaponization of code on the attackers’ side and an increasing alliance with the forces of machine learning and artificial intelligence on the defenders’ side.

As we continue through 2018, figures remain similar to last year’s. While the security industry struggles to fill more than a million jobs, attackers — including sophisticated criminal organizations and nation-states — have more than enough talent to continue their efforts.

We’re seeing changes in the nature of cyberattacks arising from the continuing “digital transformation” going on in all markets. As companies make their devices intelligent, and as more consumers welcome intelligent devices and digital assistants into their homes, attack vectors are multiplying and bad actors are finding new ways to exploit those platforms.

Here are some of the trends affecting security pros in 2018:

1. Attacks involving IoT are increasing, resulting in a call for increased IT security budgets.
The Internet of Things (IoT) is the next great frontier in the business world, and it’s making its way into people’s homes as well, in the form of smart thermostats, refrigerators, and even complete home control systems. IoT is a high-growth industry that is looking to cross the $1 trillion mark sooner than later.

For hackers, all those connected “things” represent a vast source of new code to exploit. IoT devices are a tantalizing backdoor to gain entry and reach more powerful systems with critical information. For example, earlier this year Kaspersky Lab released results from a study exposing the risk when Bluetooth devices don’t require basic security protocols such as authentication and authorization of encrypted tokens and coordinates. Hackers could exploit these vulnerabilities to take the devices over, spread malware, and gain access to critical data or physical entry to homes and buildings — and could even do so wirelessly.

At a fundamental level, consumers and companies are at risk of having financial information stolen. Attacks on critical infrastructure such as transit centers or dams can be even more costly or even life-threatening.

This makes securing an IT environment more complicated as companies must consider not just the connected devices and products themselves, but sensors, firmware, applications, application programming interfaces (APIs), networks, and databases. With that in mind, device-makers need to ensure their engineers and developers understand the various security vulnerabilities in the IoT devices they’re putting on the market. This challenge is a central focus for security orgs in the coming months — and until the industry really gets a handle on this, there will be breaches.

2. The security skill-set gap continues to widen due to talent scarcity, leading more companies to adopt AI and machine learning technology to detect and manage attacks.
Like everyone else in IT, security organizations have to search for efficiencies. Throughout 2018, we’re continuing to expect much of those efforts to come from either outsourced services or machines.

As the industry scrambles to solve the talent shortage, one strategy is to automate as much as possible. In doing so, companies would be wise to pay attention to the respective strengths of humans (creativity) and machines (consistency), and build both into their strategies.

Through 2018 and beyond, good security practices will seek to automate functions that are based purely on large sets of data, and bring in more people with diverse opinions, perspectives, and backgrounds to perform the lateral, out-of-the-box thinking that’s necessary to combat today’s sophisticated adversaries.

3. Security orgs are prioritizing risk-reducing solutions and consumption-based services in an attempt to relieve sagging budgets.
It’s not just talent that the security industry is struggling to find enough of, it’s also dollars. In response, CISOs are having to get inventive. One of the top emerging trends we’re seeing in 2018 is the continued maturation of security-as-a-service models. It’s not just web application firewall and DDoS mitigation, but also ID- and access-as-a-service, compliance-as-a-service, encryption, and more.

These tactics provide some cost predictability and make it easy to determine total cost of ownership. But there’s a limit to how much can be done in this manner, and companies will always need to consider the risks unique to their industry and way of operating.

In addition, we’re seeing the security industry taking on other efficiency-improving efforts, such as the adoption of modern infrastructure as code or “NoOps” capabilities normally found in advanced cloud-based development environments. This has become possible because of the availability of APIs in standard security software and gear, and the rise of security automation tools, including Phantom and Demisto. When four lines of code can replace 40 manual entries in a management user interface, the opportunity and the appeal are hard to ignore.

4. More enterprises are relying on CISOs to devise strategies and set provisions for security requirements that abide by GDPR standards.
The EU’s General Data Protection Regulation (GDPR) recently kicked into gear, and noncompliance carries the potential for significant penalties. Globally, organizations have been actively assessing the impact of GDPR on their business and data privacy and management operations. Any organization doing business in the EU or processing personally identifiable information from EU residents has needed to deploy additional processes, policies, and technologies to avoid significant fines.

CISOs are accountable for data security and must provide confidence to executives, auditors, and regulators that personal information is secure. This means maintaining (or achieving) full visibility into where data resides and determining if proper controls are in place.

Longer term, expect similar regulations to arise in other regions as GDPR becomes a prototype for a new class of privacy regulations worldwide.



Mike Convertino has nearly 30 years of experience in providing enterprise-level information security, cloud-grade information systems solutions, and advanced cyber capability development. His professional experience spans security leadership and product development at a wide …

Article source: https://www.darkreading.com/risk/4-trends-giving-cisos-sleepless-nights/a/d-id/1332782?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Vizio to send class notices through the TVs that spied on viewers

In a sign that we’re actually all living in a science fiction novel, millions of smart TVs may soon be forced to admit to viewers that they have been spying on them.

TV manufacturer Vizio is working on the feature to help satisfy a class action suit against it by disgruntled customers.

Back in 2015, investigative journalism site ProPublica revealed that Vizio’s smart TVs were just a little too smart for their own good. The TVs included a feature – switched on by default in 11 million devices – called ‘Smart Interactivity’, which tracked its customers’ viewing habits.

Vizio’s Inscape data services operation collected data including snippets of the programs that the viewers watched, along with the date, time, channel, and whether they were viewed live, or as recordings. It also gathered data on over-the-top services such as Netflix, along with data from DVDs and even streaming devices. In short, if you watched it on a Vizio TV, Vizio knew about it.

The company then linked that data to your IP address and sold the whole package to advertisers, who could then combine it with information about other devices associated with that IP address. So if, as most of us do, you connected your phone or your home computer to your home Wi-Fi network, advertisers could use your viewing data to serve you ads via those devices too.

The manufacturer, which was preening itself for an IPO at the time, argued that laws preventing cable TV companies from selling their customers’ viewing data didn’t apply to its business. In fact, it doubled down by using data brokers to append more information to its customers’ viewing data, including sex, age, income, marital status, household size, education level, home ownership, and household value. It then promoted “highly specific viewing behavior data on a massive scale with great accuracy” as a way to boost its margins for investors.

The company’s frankly anti-privacy stance got it into hot water. It was investigated by the Federal Trade Commission, which along with the New Jersey Attorney General made it agree to a $2.2m settlement in February 2017. Alongside the hefty fine, the federal court order forced the company to delete data collected before 1 March 2016, implement a privacy program, and to get explicit consent for its data slurping.

Customers also hit Vizio with a class action lawsuit. It had maintained that associating the data with an IP address didn’t make it identifiable data, but customers in California disagreed. The lawsuit – which Vizio tried and failed to quash – has now reached the preliminary settlement stage. In a court document filed 5 September, the plaintiffs and Vizio said:

The Parties are developing a class notice program with direct notification to the class through VIZIO Smart TV displays, which requires testing to make sure any TV notice can be properly displayed and functions as intended. The additional time requested will allow the parties to confirm that the notice program proposed in the motion for preliminary approval is workable and satisfies applicable legal standards.

This means that Vizio customers affected by this privacy mess – even those that were not involved in the class action lawsuit – will read about it on the same TV that spied on them in the first place. Exactly what it will say remains subject to speculation, but class action notices, which typically run in the newspapers, on TV and on radio, are a way of informing unknown affected parties that they may be entitled to compensation.

The document moves the deadline for this measure from today to 3 October while they work out the technical and legal details.

It’s a sorry end to a cautionary tale for Vizio, and a clear example of what happens when companies clumsily try to monetize IoT data. Selling the information that connected devices collect can turn paying customers into unwitting products, violating their privacy while making them pay for the privilege. It will be difficult to get that goodwill back.

Companies are still building out business models in a nascent IoT industry. If they want to have their cake and eat it by selling devices and then monetizing the customers that bought them, they’ll have to be a lot smarter about how they do it.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/XcDNPrxIjrw/

Younger Facebook users 4 times more likely to delete app, study shows

Post-Cambridge Analytica, Facebook users have been taking a break from their relationship with the “we didn’t know what all those scampy apps were doing with our users’ data!” platform.

According to a new study from the Pew Research Center, 42% of adult users – those 18 and older – have taken a break from checking the platform, for several weeks or more.

The survey, conducted from 29 May to 11 June, asked 4,594 people just how much arm’s-length they’ve been holding Facebook at. If you’ve been following the news…

…wait, scratch that. Unless you’ve been on sabbatical for the past few months – say, vacationing in the Mariana Trench – you can’t have missed the news that’s been boiling around Facebook, what with some 50 million users getting their personal data scraped by psychographic tests (whether they’d agreed to it or not), CEO Mark Zuckerberg getting dragged in front of Congress to answer some pointed questions about that and how Russians played hacky-election-sack with the platform, and a rash of fines that may well hit it as a result of data slurping.

Given all that, you might imagine that users have been like rats jumping the sinking Facebook ship. And indeed, the Pew Research Center study found that 54% of adults have adjusted their privacy settings in the past 18 months.

Facebook, to its credit, updated its privacy settings in the wake of the Cambridge Analytica revelations. (Make that “Cambridge Analytica et al.” – remember, there were more data slurpers suckling at the Facebook teat than just that one, as it turned out).

Unfortunately, to Facebook’s dis-credit, it’s also told some people that it can’t give them all the data it’s collected – specifically via Facebook Pixel: a tiny but powerful snippet of code embedded on many third-party sites that Facebook has lauded as a clever way to serve targeted ads to people, including non-members.

It’s too hard, Facebook says. Our data warehouse is too ginormous.

At any rate, the updates were designed to make it easier for users to download the data the site has collected about them. But according to the Pew data, only 9% of Facebook users have availed themselves of the ability to download whatever limited data Facebook can muster up the technology to fetch.

But you have to hand it to the 9% – they’re smart about their privacy, Pew Research Center says.

Despite their relatively small size as a share of the Facebook population, these users are highly privacy-conscious. Roughly half of the users who have downloaded their personal data from Facebook (47%) have deleted the app from their cellphone, while 79% have elected to adjust their privacy settings.

Deleted the app from their phones, eh? So does that mean that half of the privacy cognoscenti have divorced Facebook? Have they wiped their hands of the platform for good? Well, no. We have no idea how many people got miffed at Facebook, deleted the app, and then reinstalled it later.

As far as older users are concerned, they just can’t seem to muster the miff to break it off with Facebook. Well, that is to say, they can’t be bothered to delete the app from their phones. The Pew Research Center study found that 44% of younger users (ages 18 to 29) say they’ve deleted the Facebook app from their phone in the past year, which is nearly four times the share of users aged 65 and older – 12% – who’ve done it. Similarly, older users are much less likely to say they’ve adjusted their Facebook privacy settings in the past 12 months: Only a third of Facebook users 65 and older have done so, compared with 64% of younger users.

Pew Research Center says that earlier research has found that a larger share of younger than older adults use Facebook. But as far as taking a break from Facebook goes, spry or creaky, we’re all doing it: similar shares of older and younger users have taken a break from the social network for a period of several weeks or more.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/hphhwDj2sQ8/

Beware: WhatsApp scammers target children with ‘Olivia’ porn message

Somebody calling themselves “Olivia” is sending WhatsApp messages to kids, claiming to be from a friend of a friend who has a new phone number. However, she soon cuts the small talk short and starts sending links to porn sites.

Last week, British police in Cheshire asked parents to check their kids’ messages if they use the app.

People replied to the Halton Brook Police tweet with their own versions of Olivia messages.

It’s been dubbed the “Olivia hoax” and it’s apparently specifically targeting children… which means that parents, you have yet one more thing to watch out for when it comes to your kids being online, as if you don’t have enough to worry about already!

What to do

“Olivia” isn’t the only hoax message that’s made the rounds on WhatsApp. The Facebook-owned messaging app was recently forced to limit message forwarding in response to a rash of lynchings in India that were being caused by fake news being spread virally.

To help thwart the spread of hoaxes on the platform, WhatsApp has released some guidance on the most common types of scam message. WhatsApp says that if you receive messages like this, you may have been targeted by a scammer:

  • The sender claims to be affiliated with WhatsApp.
  • The message content includes instructions to forward the message.
  • The message claims you can avoid punishment, like account suspension, if you forward the message.
  • The message content includes a reward or gift from WhatsApp or another person.

If you’ve received one of these Olivia hoaxes or any that match WhatsApp’s list, you should block the sender, disregard the message and delete it, WhatsApp says. Also, to keep this stuff from harming your friends, don’t ever forward these hoax messages.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/nAD0fn-eNQk/

Generally Disclosing Pretty Rapidly: GDPR strapped a jet engine on hacked British Airways

Analysis: If Equifax’s mother-of-all-security-disasters last year underlined one thing, it was that big companies think they can weather just about anything cybercriminals – and regulators – can throw at them.

One unpatched web server, 147 million mostly US customer records swiped, and a political beating that should pulverise a company’s reputation for good (“one of the most egregious examples of corporate malfeasance since Enron,” said US Senate Democratic leader Chuck Schumer), and yet Equifax is not only still standing but perhaps even thriving.

While it’s true the full financial consequences have yet to unfold, it’s hard not to notice that its shares last week rode back to within spitting distance of where they were before the breach was made public.

It all stands in fascinating contrast to what is happening in the UK and Europe, where the mood over database security breaches is darkening. It’s not that there are necessarily more of them so much as the speed with which they are being revealed.

Last week’s British Airways hack makes an interesting case study, not simply because of the technically embarrassing fact cybercriminals were able to skim up to 380,000 transactions in real time but the speed with which the company owned up to the calamity.

Confessions

According to BA, the attack began at 22:58 BST on August 21 and was stopped at 21:45 BST on September 5. This meant BA had taken 15 days to notice hackers were grabbing its customers’ card numbers, but under 24 hours to tell the world via Twitter and email – a contender for a world record for computer security breach confessions.

Security analysts RiskIQ have speculated that the same gang was behind June’s Ticketmaster web breach, which took a still fairly rapid five days to surface after being discovered on June 23. Perhaps the best example of how the security breach atmosphere is changing is T-Mobile US, which uncovered miscreants slurping account records of 2.2 million customers on August 20 and revealed that fact only four days later.

Compare this haste to Equifax, which detected its breach on July 29 last year, but only told the world months later on September 7.

Why the sudden hurry? In the case of BA, officially, the answer is Article 33 of Europe’s GDPR, under which a breach involving personal data must be reported to the supervisory authority within 72 hours of the organisation becoming aware of it. Security breaches are now understood as having their own lifecycle. At the user end, a recent report from EMW Law LLP found that complaints to the UK’s Information Commissioner after May’s GDPR launch reached 6,281, a doubling compared to the same period in 2017.


“This is definitely due to the awareness and the run up to the GDPR,” agreed Falanx Group senior data protection and privacy consultant Lillian Tsang. But there’s more to it than that. “Reporting a breach shows awareness, the notion of ‘doing’ something – even if the breach cannot be mitigated quick enough. It does show pragmatism, rather than a reactive stance of yesteryears.”

Breaches will never become just another battle scar to be marked up to experience – they are too serious and expensive for that no matter what the shareholders think when share prices recover. What is becoming stressful is the speed of disclosure.

“Crisis management is a relatively new yet vitally important area to focus on. As more chief staff realise that it’s a case of when rather than if a breach occurs, it is highly possible that more businesses have a ready-made crisis procedure waiting for a potential strike,” said ESET security specialist, Jake Moore.

As the breaches keep coming however, he believes an example will eventually be made of someone. “The ICO are likely to want to stick the GDPR message to a high-profile company to show its magnitude and therefore companies are ready to show that they are more compliant than ever before.”

It could be that BA’s rapid breach disclosure has set the benchmark at the sort of uncomfortable standard many, including its competitors, will struggle to match. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/09/12/ba_equifax_breach_notification_speed/

Brit armed forces still don’t have enough techies, thunder MPs

Parliament’s influential Public Accounts Committee (PAC) reckons UK Armed Forces need to recruit more digitally able folk to halt a widening skills gap, warning the military does not have a “coherent plan” to do so.

With an existing 26 per cent shortfall in the target number of full-time intelligence analysts in the ranks of the Royal Navy, British Army and Royal Air Force, the PAC said “a challenging external environment, including national skill shortages in areas such as engineering, means that the Department faces strong competition from other government bodies and the private sector to recruit specialist skills”.

Issued today, the PAC’s report, titled “Skill shortages in the Armed Forces”, paints a bleak picture of life in the military, warning that as well as shortages of personnel in 102 trades across the three armed forces, annual turnover of personnel approached 15 per cent in five key trades.

Though the Ministry of Defence was said to “understand the main reasons why people leave the armed forces”, it does not “understand fully whether there are specific issues in those trades with more significant shortfalls” of people. Just 50 people have, so far, been recruited laterally into higher-ranked posts.

The MoD also acknowledged the difficulty of “attracting more people with … cyber skills” to life in the Armed Forces. Last year we reported that 77 Brigade, the Army unit which does psyops and online work, was 40 per cent under its target strength, while earlier this summer Defence Secretary Gavin Williamson issued what he imagined was a stirring call-to-arms for the Great British Techie to join up.

Key to the forces’ skill shortages, whether in digital or otherwise, is an employment and training model based on the practices of the early 20th century. The PAC noted that “it takes the Armed Forces many years to develop the experienced military personnel they need.” This is because the Armed Forces are built around a model where every individual is expected to fight in the front line of a shooting war, regardless of their day-to-day trade. Techies, infosec specialists and mechanics are all expected to be able to grab a rifle and jump into a trench.

Young people join and are trained from scratch to do whatever the Services need of them, with age limits and an infamously hierarchical rank structure preventing virtually all lateral recruitment, something informed thinkers within military circles have begun to question.

When it comes to “cyber skills professionals”, the PAC said the MoD “is developing a new long-term career structure specifically in this field, reviewing the entry requirements and considering whether these posts need to be military roles,” meaning it may end up hiring techies on civil service terms and conditions.

Military recruitment over the past year or two has also been strangled by the MoD’s infamous Capita IT contract. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/09/12/armed_forces_digital_skills_gap_pac/