STE WILLIAMS

Cyber Insurance Uptake Hampered By Skewed Data, Poor Communication

Only 29% of US businesses have cyber insurance; Deloitte outlines steps for insurance companies to improve risk models, communication, and policy sales.

Sales of cyber insurance policies are suffering from a lack of shared data about security incidents, too few standard definitions, and not enough focus on risk mitigation for insurers or customers, according to a report from Deloitte released this week.

The value of the current cyber insurance market is estimated at between $1.5 billion and $3 billion, a small fraction of the $505 billion in revenues from all insurance premiums bought in 2015.

Many businesses have yet to purchase a cyber policy: not even a third of US businesses (29%) had bought cyber insurance as of October 2016, according to a survey by the Council of Insurance Agents and Brokers that Deloitte cites. Of those companies and organizations that have purchased policies, many are underinsured, according to Deloitte’s Demystifying Cyber Insurance Coverage report.

“A September 2015 CIAB study found only 40% of Fortune 500 companies had cyber insurance at that time, while those that did often bought limits that didn’t cover the full extent of their exposure,” the report said.

If those sound like scare tactics to induce customers to buy or add to their cyber insurance policies, they’re not. The Deloitte report is more focused on what the insurance industry might do to improve its own policy design, standardize the lexicon of coverage, and educate both customers and the agent/brokers that sell cyber insurance, explains Sam Friedman, insurance research leader for Deloitte.

Part of the problem stems from what exactly constitutes a cyber insurance policy. While there are plenty of stand-alone cyber insurance policies from which to choose, some customers buy cyber coverage as part of their business insurance. General liability policies sometimes also include modest cyber protection; cyber coverage is sometimes issued under a business disruption policy.

“Definitions are a big challenge,” Friedman says. “There’s a lack of standardization even among the policies themselves.”

With a stand-alone cyber insurance policy, for example, three carriers will have three vastly different offerings, with differences in terminology and types of coverage offered, he adds.

And despite more than 20 years of breaches, hacks, and malware attacks, Deloitte also points to a lack of sufficient cybersecurity data, which ultimately undercuts accurate underwriting. The problem is that most companies aren’t legally bound to disclose breaches unless they involve consumer data, which results in a reporting bias that impacts how policies are structured – and priced.

Friedman also attributes the faulty data to regulatory rules that affect healthcare and financial services companies more than other vertical industry sectors. So while there is more data about those two industries’ security issues, it doesn’t accurately reflect what’s happening in the aggregate or across all industry sectors. And though there are centralized databases for workmen’s comp information, for example, which insurers rely on and access regularly, there isn’t a cybersecurity equivalent, Friedman notes.

As long as that condition persists, insurance carriers’ risk models will only be as good as the skewed data that does get shared.

Deloitte recommends that insurers implement different, risk-informed models, as opposed to definitive, predictive models, and “break down data silos across the industry to better pool underwriting resources,” the report states.

Insurers also aren’t very agile in tracking the constantly changing nature of the threat landscape, the consultancy notes. Those evolving threats, “risks,” in the insurance lexicon, run the gamut from ransomware to the Internet of Things, and even the advent of nation-states as instigators of cyberattacks.

“As underlying exposures continuously shift, insurers adapt to one type of attack only to face a new threat technique. This makes risk management an ongoing predicament,” Deloitte says. “The key to getting past this could lie in becoming a client’s full-service cyber risk manager as well as their chief risk-transfer vehicle.”

Friedman says that makes it hard for buyers to figure out exactly what they need and even harder to understand what they’re buying. “Most customers are very dependent on brokers for this, and in some cases the brokers aren’t that well-informed about the changing nature of the risk,” he says, adding that multi-level communication and education will be essential here.

Friedman encourages insurers to focus more on what the buyer is doing to lock down their cyber assets and resources and how they respond and recover from cyber incidents. “Insurers can help them with that and offer risk mitigation and support,” he says.

Insurance companies aren’t just cyber insurance sellers but consumers too, he notes. Many of them have very sophisticated security networks and protections and work with national organizations to share threat information.

“They very rarely leverage what they do for themselves with what they do to sell coverage,” Friedman says. “They could bring that to bear in the risk assessment process with underwriters, but also to help service clients.”


Terry Sweeney is a Los Angeles-based writer and editor who has covered technology, networking, and security for more than 20 years. He was part of the team that started Dark Reading and has been a contributor to The Washington Post, Crain’s New York Business, Red Herring, …

Article source: http://www.darkreading.com/risk/cyber-insurance-uptake-hampered-by-skewed-data-poor-communication/d/d-id/1328265?_mc=RSS_DR_EDT

Don’t worry about Privacy Shield, it’s fine. Really. I promise, says US trade watchdog head

The acting head of the US Federal Trade Commission, Maureen Ohlhausen, has sought to assure people that the critical Privacy Shield data-sharing agreement will hold up despite President Trump’s recent executive orders on immigration.

Ohlhausen told reporters this week that the transatlantic agreement was unaffected by the president’s controversial decision and that the FTC “will continue to enforce the Privacy Shield protections, and we hope we will move ahead as planned.”

“In my opinion, nothing has changed,” she said, according to a report from Morning Consult.

That succinct view reflects a lengthier analysis published by her former FTC colleague Julie Brill, who argued that the executive order did not impact the core elements of what makes the Privacy Shield agreement work.

So everything’s fine? Nope.

Just as with Brill, Ohlhausen included a significant caveat when she noted “we hope we will move ahead as planned.”

Brill noted: “It will be important to pay attention to European officials’ reactions … It will also be important to watch how the EO may impact the Attorney General’s designations of countries covered under the Judicial Redress Act.”

In truth, there are three significant risks to the Privacy Shield agreement:

  • Attorney General Jeff Sessions: Sessions can, if the mood takes him, remove countries from the list of designated countries on the Judicial Redress Act. This would immediately undermine the ability of those countries’ citizens to use US courts if they felt their data was being mishandled – a cornerstone of the new agreement. There’s no good reason for him to do so, but then the Trump Administration continues to make decisions based on ideology rather than rational analysis.
  • The Schrems/Facebook court case in Ireland: This court case is what kicked the whole thing off when Max Schrems sued Facebook over its data sharing, and the European Court of Justice decided the Safe Harbor agreement covering transatlantic data flows was illegal. That court case is still going and could make a number of determinations that could undermine the “new” Privacy Shield agreement if it feels it doesn’t adequately protect consumers.
  • The Article 29 Working Party: This important group of Europe’s data protection authorities was already unhappy with Privacy Shield, but decided to forego a formal opposition and adopt a wait-and-see approach when it was drawn up last year. It will have its first annual review in July this year, during which it plans to “not only assess if the remaining issues have been solved, but also if the safeguards provided under the EU-US Privacy Shield are workable and effective.” And if they’re not, it could blow up the whole deal.

Of course, there will be massive pressure not to tear up a new agreement that is so important to transatlantic trade. But with President Trump continuing to rile Europe in a dozen different ways, it is all too possible that the EU decides to use the Privacy Shield as a diplomatic hammer – especially since it will be US companies that are disproportionately affected. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/24/ftc_privacy_shield_is_fine_but_no/

NSA snoops told: Get your checkbooks and pens ready for a cyber-weapon shopping spree

NSA and US Cyber Command boss Mike Rogers has revealed the future direction of his two agencies – and for the private sector, this masterplan can be summarized in one word.

Kerching!

Speaking at the West 2017 Navy conference on Friday, Rogers said he is mulling buying up more infosec tools from corporations to attack and infiltrate computer networks. At the moment the online offensive wing of the US military develops most of its own cyber-weaponry, he claimed, and he figures the private sector has plenty to offer.

“In the application of kinetic functionality – weapons – we go to the private sector and say, ‘Build this thing we call a [joint directed-attack munition], a [Tomahawk land-attack munition].’ Fill in the blank,” he said.

“On the offensive side, to date, we have done almost all of our weapons development internally. And part of me goes – five to ten years from now is that a long-term sustainable model? Does that enable you to access fully the capabilities resident in the private sector? I’m still trying to work my way through that, intellectually.”

Businesses already flog exploits, security vulnerability details, spyware, and similar stuff to US intelligence agencies, and Rogers is clearly considering stepping that trade up a notch. For example, in 2013, it was revealed the NSA was buying up exploits from French company Vupen Security.

Vupen has since shut down, and its founders started up a US-based business called Zerodium. That outfit offers security researchers huge sums of cash for details of security bugs in products, and last year offered $1.5m for a remote iOS 10 jailbreak exploit. With bounties like that being thrown around, you can bet the biz is charging its bug list subscribers healthy fees – and the US military, with deep pockets, will only be too happy to cough up, if it isn’t already.

“I’m sure US companies are selling weapons to Cyber Command,” computer security guru Bruce Schneier told The Register. “After all, why wouldn’t they? We contract so much stuff out to private suppliers in the US military anyway.”

In 2015, Cyber Command spent $460m on “a broad scope of services needed to support the US Cyber Command mission,” according to the US General Services Administration. The specifics of the contract weren’t released, but the winners were named as The KEYW Corporation; Vencore; Booz Allen Hamilton; Science Applications International Corporation; CACI Federal; and Secure Mission Solutions.

Public/private partnerships

Bringing the US private sector fully on board doesn’t just mean buying from them, but also working with them, Rogers explained.

When it comes to critical infrastructure, Rogers said that he would like to see US Cyber Command and private IT security employees having “a level of integration where we have actual physical co-location with each other.”

“How do we take advantage of that and integrate at that level?” he said. “Because as an execution guy, my experience teaches me that you want to train, you want to exercise, you want to simulate as many conditions as you can before you actually come into contact with an opponent.”

Rogers also said he’s likely to see more help from the private sector on the defense side of online operations. He mentioned getting help on machine learning systems, something the head of Google-parent Alphabet isn’t too keen to supply.

Strike Force Cyber

Rogers also outlined his plans to put more online attack tools in the hands of more front-line troops over the next five or ten years.

“We should be integrating [cyber] into the strike group and on the amphibious expeditionary side,” he said. “We should view this as another toolkit that’s available … as a commander is coming up with a broad schema of maneuver to achieve a desired outcome or end state. That’s what I hope.”

He complained that at the moment, the decision to use online weaponry is too much like the use of nuclear weapons, “controlled at the chief-executive level and is not delegated down.” That should change in the coming years, he opined, and said he hoped to get them used on a tactical level.

Rogers suggested that lessons should be learned from the US use of Special Forces units. These were previously carefully guarded and rarely deployed. But after the formation of the US Special Operations Command they became integrated with the regular army command structure. Rogers said he foresaw the same thing happening on the cyber front.

“I would create Cyber Command much in the image of US Special Operations Command,” he said. “Give it that broad set of responsibilities where it not only is taking forces fielded by the services and employing them; it’s articulating the requirement and the vision and you’re giving it the resources to create the capacity and then employ it.”

That might sound good, but Schneier pointed out that it would mean that the US might be making a rod for its own back. After all, these are not typical weapons to use, and they come with their own set of problems.

“These are fundamentally fragile things,” Schneier said. “If you use a cyber weapon you have a very strong chance of rendering it unusable again. Do you want to give some second lieutenant the ability to do that?”

A few good hackers

Rogers said that the training and retention of human talent was going to be essential in the years ahead, and so far Cyber Command isn’t having too many problems getting the people it needs, thanks to the unique nature of the job.

“That’s a real selling point for us right now,” he said. “The self-image of this workforce is that they are the digital warriors of the 21st century. The way they look at themselves – we’re in the future, we’re the cutting edge, we’re doing something new, we’re blazing a path. Everybody responds well to that.”

He said that he tells staff they can do things within Cyber Command that they wouldn’t be allowed to do outside of the military. That said, the force is bound by the Law of Armed Conflict, which limits attack choices to purely military targets.

Cyber Command is currently staffed by about 80 per cent military and 20 per cent civilian employees, he said. By contrast, the NSA is about 60 per cent civilian and 40 per cent military. Getting civilian employees is slightly more difficult than getting qualified military staff, he said.

Part of that is, no doubt, down to increased levels of security vetting involved. After all, they don’t want another Snowden in the ranks. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/25/us_government_to_spend_more_on_online_weapons/

Cloudflare Leaked Web Customer Data For Months

Potential scope of issue evokes comparisons to Heartbleed.

Cloudflare, a content delivery network (CDN) used by millions of websites, leaked an undetermined amount of potentially sensitive information on many of those sites for months in a security snafu that has drawn comparisons with the Heartbleed flaw of 2014.

The leaked information potentially included emails, personally identifying information, user names, passwords, private chat messages, HTTP cookies, and authentication tokens from websites using Cloudflare. Among the thousands of websites believed impacted in the leak – which security experts have dubbed “Cloudbleed” – are Uber, FitBit, OKCupid, and 1Password.

Unlike typical data breaches, at least some of the leaked data subsequently ended up cached by search engines such as Google and Yahoo, and likely by Web-scraping tools as well. That makes the data searchable to anyone on the Internet until the search engine companies and other entities that might hold the data in their caches purge it completely, security experts cautioned today.

Cloudbleed stemmed from a bug in a component of Cloudflare’s CDN service that parses HTML pages passing through its edge servers. The company parses and modifies Web pages passing through its CDN as part of a process to make them more secure and easier to handle.

The bug resulted in Cloudflare’s servers returning random chunks of information from the memories of its reverse proxies in response to HTTP requests.

Tavis Ormandy, a member of Google’s Project Zero bug hunting team, stumbled upon the issue earlier this month when conducting other research. “It looked like that if an HTML page hosted behind Cloudflare had a specific combination of unbalanced tags, the proxy would intersperse pages of uninitialized memory into the output,” Ormandy said in an alert.
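The bound-check failure Ormandy describes, shown in miniature as an added example (constructed data; this is not Cloudflare’s code and does not reproduce its real parser, only the missing check): a reverse proxy buffer holds the current page followed by bytes left over from an earlier response, and a tag scanner that searches for ‘>’ without also checking the page length copies those leftover bytes into the output whenever the page ends with an unterminated tag. The hardened scanner bounds every read by the page length and reports the unterminated tag instead.

```python
"""Illustration of the bug class behind Cloudbleed.

An HTML-rewriting proxy reuses one large buffer across requests.  A tag scanner
whose inner loop stops only at '>' will, on an unterminated tag at the end of
the current page, keep reading into bytes left over from earlier requests and
return them as if they were part of the page.  Added example with constructed
data; not Cloudflare's code.
"""

# Constructed leftover data from another tenant's response that is still
# sitting in the proxy buffer after the current page.
STALE_MEMORY = (
    b"HTTP/1.1 200 OK\r\nSet-Cookie: session=STALE-SECRET-abc123\r\n\r\n"
    b"<p>another tenant's page</p>"
)

# Constructed page: the final tag has no closing '>' (the "unbalanced tags"
# Ormandy described), which triggers the over-read in the naive scanner.
PAGE = b'<html><body>hello</body><script src="app.js"'


def build_proxy_buffer(page):
    """Place `page` at the front of a buffer whose tail still holds STALE_MEMORY.
    Returns (buffer, length of the live page within it)."""
    buf = bytearray(page) + bytearray(STALE_MEMORY)
    return buf, len(page)


def extract_tags_naive(buf, page_len):
    """Vulnerable scanner: `page_len` bounds where a tag may *start*, but once
    inside a tag the only stop condition is '>', so an unterminated tag walks
    into stale memory and returns it as part of the tag."""
    tags, i = [], 0
    while i < page_len:
        if buf[i:i + 1] == b"<":
            j = i
            while buf[j] != ord(">"):        # BUG: no `j < page_len` check
                j += 1
            tags.append(bytes(buf[i:j + 1]))
            i = j + 1
        else:
            i += 1
    return tags


def extract_tags_safe(buf, page_len):
    """Hardened scanner: every read is bounded by page_len.  An unterminated tag
    is reported rather than completed from whatever follows in memory."""
    tags, unterminated, i = [], False, 0
    while i < page_len:
        if buf[i:i + 1] == b"<":
            j = buf.find(b">", i, page_len)   # search stops at the page boundary
            if j == -1:
                unterminated = True
                break
            tags.append(bytes(buf[i:j + 1]))
            i = j + 1
        else:
            i += 1
    return tags, unterminated


def leaks_stale_data(tags):
    """Detection helper: does any extracted tag contain bytes that were never
    part of the page (here, the constructed secret)?"""
    return any(b"STALE-SECRET" in t for t in tags)


if __name__ == "__main__":
    buf, n = build_proxy_buffer(PAGE)
    print("naive scanner leaks stale memory:", leaks_stale_data(extract_tags_naive(buf, n)))
    tags, bad = extract_tags_safe(buf, n)
    print("safe scanner leaks stale memory:", leaks_stale_data(tags), "unterminated:", bad)
```

The naive scanner’s output for the page is exactly the failure mode described above: the unterminated `<script` tag is “completed” with the other tenant’s `Set-Cookie` header up to the first `>` it finds in stale memory. Note that the naive loop only terminates because the leftover data happens to contain a `>`; in a real process it would read until it hit one or crashed, which is why the leak manifested as whole pages of memory rather than a few bytes.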

Researchers from Arbor Networks described Cloudbleed as serious enough to require all Internet users to change passwords to online accounts as a precaution. “Basically, if user A accessed content from server X, user B could, in addition to the expected results from server Y, see what user A got in his responses from server X.”

According to Ormandy, the bug caused Cloudflare’s CDN to spew out encryption keys, cookies, passwords, and HTTPS from major Cloudflare hosted sites. “PII was actively being downloaded by crawlers and users during normal usage. They just didn’t understand what they were seeing,” he noted.

Ormandy promptly reported the bug to Cloudflare, which according to its chief technology officer John Graham-Cumming put in place an initial mitigation in 47 minutes and a complete fix in under seven hours. Graham-Cumming said that in order to stop memory content from being returned in HTTP responses, the company had to turn off three “minor” Cloudflare features (email obfuscation, Automatic HTTPS Rewrites, and Server-side Excludes), all of which used the buggy parser chain.

Graham-Cumming said the period of maximum impact was between Feb. 13 and Feb. 18, when about 1 in 3.3 million HTTP requests through Cloudflare resulted in content from memory being accidentally leaked. The bug was nevertheless significant because it was possible that the leaked memory contained sensitive information that was then cached by search engines, he conceded.

Security experts reacting to the bug disclosure appeared in general agreement that it was a serious issue. One big concern: it’s not clear just how long Cloudflare’s servers have been leaking data.

Gunter Ollmann, chief security officer of Vectra Networks, says that based on Cloudflare’s description of the problem, it is likely that the issue has lasted for a year. “It is unclear whether the vulnerability had been exploited by malicious actors before Google’s alert to Cloudflare,” he said in a statement.

Regardless of how long the leaks may have been occurring, search engine companies and data caching providers will need to purge erroneous and confidential data from their caches, he said.

Online asset management firm OutsideIntel estimated that over 5.3 million domains were potentially exposed to the issue. The site has a link to a master list of potentially exposed sites.

Because of how widely used Cloudflare’s CDN service is, it is nearly impossible for Internet users to determine whether their data might have been caught up in the leaks, Arbor said in its alert.

“For most of us, the only truly safe response to this large-scale information leak is to update our passwords for the Web sites and app-related services we use every day,” Arbor said. “Pretty much all of them.”


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: http://www.darkreading.com/attacks-breaches/cloudflare-leaked-web-customer-data-for-months/d/d-id/1328266?_mc=RSS_DR_EDT

Taxpayers shrug off ID fraud warnings even as attacks rise

Pity the IRS. It’s been strenuously warning us about increased tax fraud all month. A big chunk of taxpayers have responded by yawning.

The IRS saw a huge spike in phishing and malware attacks during the 2016 tax season, which came on top of a 400% increase in phishing and malware in 2015. And earlier in the month, the US tax agency sent out an urgent warning about a new type of tax fraud taco: CEO spearphishing fraud stuffed with W-2 tax form scamming and a dollop of wire fraud on top.

But according to the second annual Tax Season Risk Report from ID theft protection firm CyberScout, a recent survey shows that the public’s not using the security practices we need to protect ourselves from identity theft.

Highlights from the report:

58% of people in the US don’t worry about tax fraud. They should! In November, the IRS said that it had stopped 787,000 confirmed ID theft returns in 2016, totaling more than $4 billion in potential fraud.

Only a minority – 35% – of respondents demand MFA. Multifactor authentication (MFA), or two-factor authentication (2FA), is a good stumbling block for identity thieves. But the majority of respondents said that they’re not requiring that their tax preparers use it, instead leaving the preparers to use a single password to protect clients’ personal information. To read more about the hows and whys of 2FA, check out our Power of Two post.

Only 18% of respondents use an encrypted USB drive. Instead, people are saving important documents like tax worksheets, W-2s, 1099s or 1040s in unencrypted form, while another 38% either store tax documents on their computer’s hard drive or in the cloud, leaving them vulnerable to attack.

More than half – 57% – of consumers file late, giving tax fraudsters time to impersonate them online and steal their refunds.

We’re not locking our mailboxes. 51% of taxpayers who expect a refund check in the mail don’t use a locked mailbox, leaving their checks at risk of theft.

Half of taxpayers don’t know how to evaluate a tax preparer. They’ll choose someone online, or they’ll fail to screen them beforehand, leaving themselves vulnerable to getting ripped off.

Only 48% of taxpayers use online tax services. That’s because 24% of respondents say they don’t trust them. That’s bad, according to the report, which says that it’s a “misperception” to think that online tax services can result in exposure of sensitive information.

I have a bone to pick with that point. History has shown that putting your faith in online tax services doesn’t guarantee information security.

In 2015, Intuit, the makers of the popular TurboTax app, stopped the e-filing of all state tax returns due to a surge in fraudulent filings. The freeze came after several states saw a deluge of phony filings and hence refused to accept the returns. It took five days to clean up the mess before Intuit recommenced state filings.

Utah’s state tax commission had discovered 28 fraud attempts that “originated from data compromised through a third-party commercial tax preparation software process,” as well as 8,000 returns flagged as potentially fraudulent. Eighteen other states saw the same thing.

Intuit wasn’t initially implicated in the leak. At any rate, besides the unspecified third-party commercial tax prep software processes, there are plenty of data leaking sources: data breaches, for one, which are sadly common nowadays.

How to slam the tax scams

  • File online directly with the IRS.
  • File early! You can avert your gaze from that pile of forms and receipts, but the scammers won’t be procrastinating. The longer you wait, the more time you’re giving them to file a bogus return and snatch your refund. CyberScout says that 57% of people plan to file later than February or don’t know when they’ll file.
  • Pick proper passwords. Even though strong passwords don’t help if you’re phished (the crooks get the strong password anyway), they make it much harder for crooks to guess their way in.
  • Don’t reuse passwords. It’s bad enough when crooks get into one of our accounts. It’s multiple times worse when they can take our reused passwords to get into all our accounts. Limit the damage by using one strong, unique password per account. Use a password manager if you can’t remember them all: that way, you only have to remember the one, strong password you need to get into the manager.
  • Never authenticate yourself to anyone who contacts you online or by phone. Say a nice man “from the IRS” calls and asks for your Social Security number. Or, say, threatens you about some purported student tax that you didn’t pay. He says “Pay it now” or else he’ll call the police! …um, no. That’s not how the IRS contacts people: it’s a dead giveaway that Mr “I’m from the IRS” is trying to fleece you.
  • Use 2FA whenever you can. That way, even if the crooks phish your password once, they can’t keep logging back into your email account.
  • Have your refund directly deposited into your bank account, or slap a lock on your mailbox if you’re having it mailed.
  • Don’t give away your details on social media. It’s easy for hackers to figure out answers to security questions when you give away the answers online.

Also, because so many tax fraud attempts are coming through phishing attempts, you might want to consider using Sophos Home. The free security software for Mac and Windows blocks malware and keeps you away from risky web links and phishing sites.

Here are more tips to help you recognize, and steer clear of, phishing links.

To read up on the most current tax scams and cyber-attacks, check out this page from the IRS.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/0p0dNgdEqDU/

Dropbox’s tool shows how chatbots could be future of cybersecurity

Disillusion with chatbots has set in across the tech industry and yet Dropbox’s deep thinkers believe they have spotted the technology’s hidden talent: cybersecurity.

The company is so sure of the concept that it has announced plans to deploy something called Securitybot inside the Slack collaboration platform as a way of smoothing how its workforce interacts with a daily flow of security alerts and queries.

For security staff and employees alike, alerts have become a time-consuming hassle because users are often interrupted to verify what they are doing. Says Dropbox:

Alerts can lead to a deluge of information, making it difficult for engineers to sift through. Even worse, a large number of these alerts are false positives, caused by engineers arbitrarily running [Linux commands] sudo -i or nmap.

A year ago, someone at Slack suggested the answer: get a chatbot hosted on Slack to do the verification instead. Inspired, Dropbox built Securitybot.

For those not familiar with Slack, it is a collaboration platform that integrates channels such as IRC chat, file-sharing, direct messages and even Twitter feeds into one searchable system. Enthusiasts think the idea might one day be big enough to challenge email.

When an alert pops up from one of Dropbox’s security systems, Securitybot automatically sends the employee a message through Slack asking them to verify the action, collecting the response. Employees must authenticate themselves using SMS-based two-step verification so anyone unable to do that immediately stands out.

After testing Securitybot for some months, Dropbox claims it can now more rapidly separate important alerts from the larger number of routine ones.

Responding to a polite chatbot is much easier than responding, in full sentences, to a member of the security team. It not only saves our security engineers time but also all of our employees.

A caveat is that organisations must invest in two-step verification, without which there is no way to authenticate that a user is who they say they are. But Securitybot’s generous open-source status means that any organisation on Slack can benefit from it.

As far as we’re aware, this will be the only open-source project to automatically confirm and aggregate suspicious behaviour with employees on a distributed scale.
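The verification loop described above, as an added example that is not Dropbox’s Securitybot code: Slack direct messages and the SMS second factor are replaced by caller-supplied callbacks (in-memory stubs in the demo, an assumption so that it runs offline), alerts for a user who already has an open question are aggregated into it, a “yes” is only accepted together with the one-time code, and anything else (a “no”, repeated bad codes, or silence past the deadline) is escalated to the security team. The six-digit code generated here stands in for whatever Dropbox’s two-step verification actually delivers.

```python
"""Securitybot-style alert verification loop.

Added example, not Dropbox's Securitybot code.  Chat and SMS delivery are
callbacks so the logic runs offline.  Flow: a detection raises an alert naming
a user and an action; the bot texts that user a one-time code and asks in chat
whether they performed the action; only "yes <valid code>" verifies it; "no",
repeated wrong codes, or no answer before the deadline all escalate.
"""
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Alert:
    user: str
    action: str   # what the detection saw, e.g. "sudo -i on build-7"
    source: str   # which monitoring system raised it


class SecurityBot:
    MAX_ATTEMPTS = 3

    def __init__(self, send_dm, send_sms):
        self._send_dm = send_dm      # (user, text) -> None, stand-in for a chat DM
        self._send_sms = send_sms    # (user, code) -> None, stand-in for SMS delivery
        self._pending = {}           # user -> {"alerts": [...], "code": str, "attempts": int}
        self.confirmed = []          # (alert, reason) pairs the user verified
        self.escalated = []          # (alert, reason) pairs for the security team

    def raise_alert(self, alert):
        entry = self._pending.get(alert.user)
        if entry is not None:            # aggregate: one open question per user
            entry["alerts"].append(alert)
            return
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[alert.user] = {"alerts": [alert], "code": code, "attempts": 0}
        self._send_sms(alert.user, code)
        self._send_dm(alert.user,
                      f"We saw '{alert.action}' from your account ({alert.source}). "
                      f"Reply 'yes <code>' with the code we just texted you, or 'no'.")

    def handle_reply(self, user, text):
        entry = self._pending.get(user)
        if entry is None:
            return None                  # nothing open for this user
        parts = text.strip().lower().split()
        if parts and parts[0] == "no":
            return self._close(user, "escalated", "user denied the action")
        if len(parts) == 2 and parts[0] == "yes":
            if hmac.compare_digest(parts[1], entry["code"]):   # constant-time compare
                return self._close(user, "confirmed", "user confirmed with valid code")
            entry["attempts"] += 1
            if entry["attempts"] >= self.MAX_ATTEMPTS:
                return self._close(user, "escalated", "too many invalid codes")
        self._send_dm(user, "That didn't verify. Reply 'yes <code>' or 'no'.")
        return "retry"

    def expire(self, user):
        """Deadline handler: an unanswered question is treated as suspicious."""
        if user not in self._pending:
            return None
        return self._close(user, "escalated", "no response before deadline")

    def _close(self, user, status, reason):
        entry = self._pending.pop(user)   # the code is single-use: gone once closed
        bucket = self.confirmed if status == "confirmed" else self.escalated
        bucket.extend((a, reason) for a in entry["alerts"])
        return status


def run_demo():
    """Drive the bot with constructed alerts and replies; returns a summary."""
    dms, codes = [], {}
    bot = SecurityBot(send_dm=lambda u, t: dms.append((u, t)),
                      send_sms=lambda u, c: codes.__setitem__(u, c))
    bot.raise_alert(Alert("alice", "sudo -i on build-7", "auditd"))
    bot.raise_alert(Alert("alice", "nmap 10.0.0.0/24", "network-ids"))  # aggregated
    bot.raise_alert(Alert("bob", "ssh to prod-db-1", "bastion-log"))
    bot.raise_alert(Alert("carol", "new API token created", "audit-trail"))

    bot.handle_reply("alice", f"yes {codes['alice']}")        # genuine activity
    wrong = "000000" if codes["bob"] != "000000" else "111111"
    bot.handle_reply("bob", f"yes {wrong}")                   # one bad code...
    bot.handle_reply("bob", "no")                             # ...then a denial
    bot.expire("carol")                                       # never answered
    return {
        "confirmed": sorted({a.user for a, _ in bot.confirmed}),
        "escalated": sorted({a.user for a, _ in bot.escalated}),
        "confirmed_alerts": len(bot.confirmed),
        "dms_sent": len(dms),
    }


if __name__ == "__main__":
    print(run_demo())
```

Two design points carry the weight here. Silence is never treated as “fine”: `expire` escalates exactly like a denial, because the article’s own premise is that someone who cannot complete the second step should stand out. And the one-time code is consumed when the question closes, so a captured code cannot be replayed to wave through a later alert for the same user.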

An intriguing question is whether a Securitybot, or something like it, could be used to verify and interact with any internet user and not just those working internally for companies.

Today, users are increasingly assailed by alerts (for example, when accessing Google on a new device) but these are universally static and informational. The communication channel is always one-way and taking action is a matter of user choice.

Superficially, security chatbots offer a way out of this impasse, giving security systems a simple way to verify users in real time without the expense of manual intervention – or the security risk of just letting things ride and hoping for the best.

It’s a compelling proposition but, as Securitybot hints, might come at the price of peace and quiet. In a future guarded by security chatbots working 24×7, it is machines that will be asking the important questions.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/2FqPEw7D91E/

Google uses AI to create troll-spotting tool to clean up comments

Toxic comments, how do we detest thee? Let me count the ways.

Sites that have simply given up on scrubbing the nasty from their comment sections now include Vice, The Telegraph, Popular Science, Recode, Mic, The Week, Reuters, The Verge, and USA Today …to name a few.

But the war to establish comment section civility – I would say “reclaim”, but the notion that comment sections were ever less than unnerving is debatable – is far from over.

Google’s latest salvo: on Thursday, it released an artificial intelligence (AI) tool, Perspective, which is an API that uses machine learning models to identify how troll-like a comment is. The API was developed by Jigsaw – a Google division – and Google’s Counter Abuse Technology team.

Perspective learns by seeing how thousands of online conversations have been moderated. It’s been trained on data collected using online surveys and scored with the “toxicity” model. The toxicity model in turn was trained by asking people to rate comments on a scale, from a “very healthy” contribution on up to “That was rude, disrespectful, and/or unreasonable, and I’m likely to leave this discussion.”

Jigsaw gave an example of how Perspective organized comments on three topics that get people pretty hot under the collar when they’re discussing them online: climate change, Brexit and the US election. Here’s an example of how it rated climate change-related comments:

[Screenshot: Perspective’s toxicity ratings for climate change-related comments]

The goal is to improve quality of debate, and that’s much more than an abstract concept. Online publishers have financial motivation to get people to stay on their sites, as opposed to closing site windows in disgust.

Researchers have found that rudeness, obscenities and attacks on other commenters create what they’ve dubbed the “nasty effect”. It’s an effect that results in a drop-off of how much readers trust and esteem content.

In other words, sites’ reputations are tinted, or tainted, by whatever’s bubbling up from the comment sections at the bottom of articles. That translates into lost money: it’s hard to get revenue-generating ads if steaming piles of comments scare away readers and sink site traffic numbers.

A number of online publishers are working with Jigsaw on Perspective and other tools, all of which are being developed to automate detection of toxic comments using machine-learning models. Jigsaw cites experiments being run by the Wikimedia Foundation, the New York Times, the Economist and the Guardian.

It’s hard to argue with AI that scores a given comment against similar comments that people have rated as being toxic. But if you want to argue with the AI logic, Google’s welcoming input, saying that these are still the early days, and it expects it will get things wrong.

You can give the tool a try for yourself: go to the Perspective page and scroll down to the Writing Experiment section. There, you can type in a comment that Perspective will rate with regards to how similar it is to comments that others have dubbed toxic.

I put in some variations of a comment, plus some insults penned by master insulter William Shakespeare. Their toxicity scores:

  • Might there be a possibility that he’s not telling us the truth? 8%
  • She is spherical, like a globe. I could find out countries in her. 9%
  • I do believe he’s lying. 19%
  • Thou cream-faced loon. 26%
  • He’s lying. 29%
  • Pants on fire! 35%
  • Thou dost infect my eyes. 46%
  • Out, you green-sickness carrion! 48%
  • Lying blowhard. 55%
  • Bald-faced liar. 62%
  • Liar! 68%
  • Better a witty fool than a foolish wit. 69%
  • He is a liar. 70%
  • Out, you baggage! You tallow face! 80%

So, yes, Capulet’s a troll, by the bot’s estimation. Sorry, WS: Romeo and Juliet has been deemed the Reddit of your day.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/y7F23b6ea_E/

News in brief: Boeing data accidentally emailed; Russian cyber-war boost; alleged hacker arrested

Your daily round-up of some of the other stories in the news

Boeing worker shared 36,000 people’s data with spouse

Sometimes breaches aren’t the result of hacks by a malicious outsider – sometimes it’s an employee’s error. That’s what happened at the Seattle-based aerospace company Boeing, which has notified Washington State attorney-general of a breach in which 36,000 staffers’ personal data were accidentally shared with an employee’s spouse.

It turns out that the staffer sent the spreadsheet containing personal information including Social Security numbers and dates of birth in hidden columns to his spouse as a formatting template, The Register reported.

Email has got employees into trouble in the past: it’s less than a year since a London NHS trust was fined £180,000 after 56 Dean Street, a London sexual health clinic that’s part of the trust, accidentally sent out an HIV newsletter to more than 700 people including all the recipients’ email addresses in plain view.

It’s a good reminder that before you email something, check that you are allowed to send it, that it doesn’t contain personal information and that if it’s to more than one person, you’ve used the BCC field.

Russia steps up cyber-warfare efforts

Russia has boosted its firepower by creating a cyber-warfare branch of the military, defence minister Sergei Shoigu told the Russian parliament this week.

This is the first acknowledgment of the existence of cyber-warfare troops, and came as Shoigu set out to parliament the government’s current and planned future military capabilities.

Shoigu told Russian MPs that the country’s information troops are involved in “intelligent, effective propaganda” that needs to be “clever, smart and efficient”. The aim of these troops, said Vladimir Shamanov, the head of the defence affairs committee, is to “engage in information warfare”.

The news comes as concerns continue to rise about the role Russia played in November’s US general election, and about how it might seek to influence upcoming elections in the Netherlands, France and Germany.

Suspected router hacker arrested

A British man suspected of being behind an attack that knocked out nearly 1m routers belonging to Deutsche Telekom’s customers in November last year has been arrested near London.

The UK’s National Crime Agency arrested a 29-year-old man under a European arrest warrant at London’s Luton airport on Wednesday, said German police. Daniel Vollmert, Cologne’s public prosecutor, said: “He is accused of being the mastermind behind the attack.”

The alleged attacker was believed to have used the infamous Mirai botnet to attack some 900,000 routers, knocking out internet connections as well as fixed telephony and TV services in Germany.



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/fpcoqPV6xbg/

Mysterious Gmail account lockouts prompt hack fears

A substantial number of Gmail users have been affected by a potential but unconfirmed hack of unknown origin or purpose.

El Reg learnt of the issue following a tip from a self-described “very security conscious” IT professional who got locked out of his Gmail account. This happened after one of his security phone numbers was changed.

Apparently others have suffered somewhat similar problems and have posted their experiences to Reddit and elsewhere. Users are receiving messages saying that their account has been changed, and asking them to re-sign into Google on their mobile. It’s not clear if some sort of glitch or a hack is to blame.

This is more a case of being bounced out of accounts than being locked out as such.

In response to a thread on one of its official forums, Google said it was investigating the issue while downplaying concerns.

We’ve gotten reports about some users being signed out of their accounts, unexpectedly. We’re investigating, but not to worry: there is no indication that this is connected to any phishing or account security threats.

El Reg requested comment directly from Google on Friday morning but we’re yet to hear back. While we’ve been waiting for a response, we’ve canvassed security folks through Twitter, two of whom have said they’ve been asked to reauthenticate themselves and log back into their Google accounts.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/24/gmail_hack_fears/

Florida Man Pleads Guilty To Clinton Foundation Hack Attempts

Timothy Sedlak also convicted in child pornography case and sentenced to 42 years in jail, Reuters reports.

Timothy Sedlak of Florida has pleaded guilty to the charge of attempting to gain unauthorized access to the network of the charitable organization run by the Clintons, allegedly making 390,000 unsuccessful tries to hack its server, reports Reuters, quoting prosecutors. This comes in the wake of a 42-year jail term handed down separately to Sedlak by an Orlando court for producing and possessing child pornography.

When arrested in 2015 for the alleged hacking, Sedlak claimed he was researching charities that were making donations to Islamic militant groups. The prosecutors did not identify the charity which the defendant had targeted, but Reuters gained access to files which referred to it as the Bill, Hillary & Chelsea Clinton Foundation.

The police also came across files of child pornography on Sedlak’s computer while investigating the hack charge, said prosecutors.

Read more on Reuters.


Article source: http://www.darkreading.com/attacks-breaches/florida-man-pleads-guilty-to-clinton-foundation-hack-attempts/d/d-id/1328260?_mc=RSS_DR_EDT