STE WILLIAMS

7 SMB Security Tips That Will Keep Your Company Safe

With National Cybersecurity Awareness Month as a backdrop, industry leaders weigh in on how SMBs can more effectively protect themselves from cyberattacks.

(Image Source: profit_image via Adobe Stock)


Here we are, nearly midway through the 16th annual National Cybersecurity Awareness Month (NCSAM), and while the good news is many large enterprises are more locked down than they were five or six years ago, it’s clear SMBs need some help.

An August report by Untangle examining the current state and trends of IT security for more than 300 SMBs bears that out. Among the findings: While 80% of SMBs ranked IT security as a top business priority, 52% admitted they didn’t have an in-house IT security professional on staff, and another 29% said they spend $1,000 or less annually on IT security.

They’ve also become targets for hackers, according to Heather Paunet, Untangle’s vice president for product management. “For SMBs, if they do get attacked, it could cripple their business,” she says.

In honor of NCSAM, we asked industry leaders how SMBs can more effectively protect themselves from cyberattacks. You’ll find that many of their tips involve standard cyber hygiene and apply across the board to companies of all sizes.


Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md.

Article source: https://www.darkreading.com/endpoint/7-smb-security-tips-that-will-keep-your-company-safe---------------/d/d-id/1336067?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Click2Mail Suffers Data Breach

Mail provider discovered customer data being used in spam messages.

Email service Click2Mail today said it is alerting customers of a data breach that may have exposed their personal data. 

The company initially discovered the breach after some customer user names and email addresses were found being abused in spam messages. Names, organization names, account mailing addresses, email addresses, and phone numbers “may have been compromised” in the cyberattack, the company said in its notification to customers.

Word of a possible breach at Click2Mail was first reported earlier this week on Databreaches.net.


Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “Works of Art: Cybersecurity Inspires 6 Winning Ideas”

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/attacks-breaches/click2mail-suffers-data-breach/d/d-id/1336072?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Most Americans don’t have a clue what https:// means

55% of US adults couldn’t identify an example of 2FA, and only 30% knew that starting a URL with https:// means that the information sent to that site is encrypted.

… and the Pew Research Center discovered plenty of other sobering facts about what Americans know and don’t know about cybersecurity and privacy.

The survey

The Pew Research Center conducted a survey which tested Americans and their digital knowledge, asking 4,272 adults in the US a series of 10 questions about a range of digital topics, such as cybersecurity or who the bearded guy in the photo was (answer: Twitter co-founder Jack Dorsey. Only 15% got that one right, but how that fits into cybersecurity and privacy concerns is a question that Pew didn’t address.)

How well the respondents did depended a great deal on what the topic, term or concept was, as well as how old they were and what their level of educational attainment was. Young people, you did better. College-educated people, you did better, too.

Respondents did A+ work when it came to identifying where you can get phished, for example. In an email? On social media? In a text message? On a website? Or how about the correct answer: “all of the above?” Ding-ding-ding, we have a winner! 67% of Americans knew that you can get phished all over the place.

Respondents aced the question about what cookies are, as well – 62% correctly said that websites that use cookies can track your visits and activity on the site.

Where we fall flat on our 2FA faces

Here’s where we aren’t so smart: only 28% of adults could identify an example of 2FA, which is one of the most important ways that people can protect their personal information on sensitive accounts.

To be fair, the question tossed a number of images of security strategies together: if you go to pages 14-15 of the survey, which you can download here, you’ll see that respondents were asked to pick the image that represented 2FA.

In the mix were:

  • a reCAPTCHA image with wavy words you need to type in to prove you’re not a bot;
  • a customer login asking for a username, password, and a six-digit code (the correct choice);
  • a request to confirm a security image (pretty flowers!) and keyword before entering your password;
  • one of those security-question prompts that asks you to fill in “who was your childhood best friend” type questions (the answers to which, all too often, can be easily mined from social media, unless you do the smart thing and answer with Gobbledygook Galore);
  • “all of the above”; or
  • “Not sure.”

Forty-two percent said “all of the above.” Only 28% spotted the request for a code and knew that it, and it alone, was indicative of 2FA.

What is this https:// of which you speak?

Only 30% knew that starting a URL with https:// means that the information sent to that site is encrypted. 53% weren’t sure, but at least they didn’t choose some of the incorrect guesses: that the content on the site is safe for children (wrong, and, thankfully enough, chosen by only 1% of respondents), that the site is only accessible to people in certain countries (wrong, and chosen by only 2%), or that the site has been verified as trustworthy (wrong, and chosen by 12%).

HTTPS sites are more secure because they use Transport Layer Security (TLS), which establishes an encrypted link between the browser and the web server before any HTTP requests are sent. As we’ve explained, TLS protects your HTTP traffic from eavesdropping and manipulation as it moves over a network, between you and the site you’re using. It doesn’t say anything about the security or legitimacy of the site itself, though.

Unfortunately, the padlock symbol that your browser displays when you’re using HTTPS can fool users into thinking it does. Many assume (not least because security professionals spent years telling them to) that the padlock means the website they’re looking at must be the real thing, rather than a fake.

The FBI recently warned that phishing sites are preying on this misunderstanding and using TLS to appear more legitimate to victims.

More takeaways

These are some of the other subjects the Pew Research Center quizzed Americans on, along with the results:

  • 59% know that advertising is the largest source of revenue for most social media sites, rather than things such as exclusive licensing deals (4%) or corporate consulting (2%).
  • 48% of adults correctly answered that a privacy policy is a contract between websites and users regarding how their data will be used.
  • 45% know that net neutrality refers to the principle that internet service providers should treat all traffic on their networks equally.
  • 24% are aware that “private browsing” or “incognito mode” only hides online activity from other individuals using the same computer. That doesn’t mean that the user’s activities are masked and not being captured by the websites, the internet provider, or an employer if the browsing is being done on a work computer. (We pointed that out recently when Google brought Incognito mode to Maps).
  • Just 29% of Americans correctly named WhatsApp and Instagram as two companies owned by Facebook.
  • Only 15% correctly identified Jack Dorsey. 77% reported being unsure of who was in the photo. Sorry, Jack.

A brief explanation of 2FA

So, about that 2FA question that so many of us got wrong: If you want a technical deep-dive into what 2FA is, please do check out Chester Wisniewski’s 2FA article here. If you’re feeling TL;DR, check out Maria Varmazis’s 2FA article, which breaks it down into simple but helpful terms.

In essence, 2FA is when you prove who you are to a website or service using two out of these three things:

  • Something you know – like a password
  • Something you have – like a numerical keycode
  • Something you are – like a fingerprint

As Maria explains, many of us who’ve worked in the corporate world at some point have carried a small key fob or token with us, and typed in the displayed numbers when logging in to a core work system. That’s one example of a 2FA factor: that code is something you have.

Similarly, if your favorite shopping or banking website has been asking you to verify your identity by typing in a numerical code texted to you, that’s also 2FA at work.

2FA works as an additional layer of security on top of things like passwords, which are all too frequently stolen by hackers or exposed in databases left unprotected, without a password, online.

If you’re offered a chance to secure an account with 2FA, we think it’s a smart idea to do so. It’s a good security technique to recognize and to get to know better if you aren’t sure just exactly what it is and isn’t.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/pS7Yk0iqaXE/

S2 Ep12: Dark Web, O.MG Cable spying and securing new laptops – Naked Security Podcast

Episode 12 of the Naked Security podcast is now available.

This week host Anna Brading is joined by Sophos experts Mark Stockley and Greg Iddon.

We discuss a malicious lightning cable that’s about to hit the mass market [5’50”], the bust of darknet hosting provider CyberBunker [14’33”], and in honour of National Cybersecurity Awareness Month Anna shares how to secure your new laptop [26’10”].

Listen now!


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/oPZOvi9QmuE/

Close the Gap Between Cyber-Risk and Business Risk

Four steps outlining how security teams can better understand their company’s cyber-risk and demonstrate to company leadership what’s being done to mitigate the resulting business risk.

In my role as CISO of a security company, I travel around the US and abroad quite a bit and have the opportunity to meet with security practitioners from many industry sectors. I also give talks and present to people on the front lines about the importance of treating cybersecurity like any other business operation.

With the number and types of cyberattacks on the rise, and the growing numbers of companies that experience some sort of breach, cyber-risk has become equivalent to business risk. As such, a company’s vulnerability to cyber threats is now a top-of-mind issue for C-level executives, which puts increased pressure on CISOs I talk with to ensure their security controls work as they should. Yet there seems to be a large gap between how companies should address cyber-risk and what they’re actually doing.

How do I know this? Aside from conversations and interactions with security leaders that point to this trend, I also collect security statistics from hundreds of audience members via real-time polling software when I’m making a presentation. My audiences generally include red and blue security teams, auditors, security executives, and individuals representing various non-technical, non-security leadership roles across government organizations, financial services, transportation, telecom, retail, healthcare, and oil and gas, just to name a few — providing an interesting cross-section of perspectives.

Recently, I posed this question: “Does your leadership leverage security metrics for business decisions?” Surprisingly, 49% voted that they “rarely or never” use security metrics for business decisions, while 51% said “half the time,” “usually,” or “always.” While just over half of the respondents said they use security metrics for business decisions at least half the time — which is a positive statistic — just under half said that they rarely or never use security metrics, which shows there is a lot of room for improvement in helping business leaders understand the impact of cyber-risk on the financial, operational, and brand risk — and how it can be measured.

Another polling question — “How good is your organization’s security team at mapping cybersecurity risks to business risks?” — revealed that 77% of respondents felt that their security teams did a poor to fair job of mapping cybersecurity risks to business risks. This number shows that while security is maturing and playing a greater role in critical business functions, as an industry, we’re not far enough along. Most people likely know that it’s a good idea to map cyber-risk to business risk, and want supporting evidence-based data so cybersecurity can be measured like other business units. But there clearly is a disconnect when it comes to how to do this.

While companies are beginning to understand all that’s at stake when a breach occurs — loss of brand trust, compromised customer data, millions of dollars stemming from lawsuits to name a few — there is little understanding of how to measure and understand an organization’s cyber-risk and what actionable steps to take to improve the company’s security posture.

Here are my recommendations for how security teams can better understand their company’s cyber-risk and demonstrate to company leadership what’s being done to mitigate the resulting business risk.

1. Stop assuming and start measuring.
It used to be enough for security teams to think only of performance and speed when evaluating security solutions. But that’s no longer true because there is increasing complexity in the environment to manage while also measuring and reporting on security effectiveness to the rest of the organization (including sales, marketing, human resources, and finance). This reporting must be based on quantitative, data-driven measurements, not assumption-based metrics, to provide the evidence needed that validates that security controls are working as they should.

2. Conduct and automate tests on an ongoing basis.
Given point No. 1 above, evidence is needed on an ongoing basis to demonstrate what is working or not working. Companies tend to look to audits and penetration tests for this, but these approaches are limited — they provide only a one-time snapshot of security controls rather than an end-to-end picture. Testing options exist that will not only identify vulnerabilities but also prescriptively fix them and validate that the fix is successful — and then automate the process for continued validation, particularly as environmental drift occurs, to ensure that what’s working stays working. In other words, fix it the right way, make sure it’s fixed, and keep it fixed.

3. Be sure you’re evaluating and implementing the right security solutions.
When considering any security solution, it’s important to know if you’re evaluating the right products for your environment and to enable the business. Think of it this way: You only create internal processes, build apps, or hire people if doing these things will improve the overall effectiveness of the company. Security has been excluded from this type of evaluation for too long, simply because there haven’t been the right tools to rationalize investments. These tools now exist and give security leaders insights into how security components both enable and improve business.

4. Report actionable information to the executive team.
If you’re a security professional, you likely know that key stakeholders in the company — the audit committee, the C-suite, and the board — want assurance that the security controls that are in place are effectively protecting the company and its digital assets. Look for systems and platforms that provide the kind of evidence-based, practical reporting your executive team requires, and convey with confidence that the security infrastructure is continually monitored and optimized to minimize business risk.

If you’re like the nearly half of respondents who said they “rarely or never” use security metrics for business decisions, or if you’re in the 77% bucket of people who say their security teams do a poor to fair job of mapping cybersecurity risks to business risks, the above steps can help you better manage your organization’s cyber-risk and business risk, and ultimately protect the company and preserve its brand, operations, and financial position.


Brian Contos is the CISO VP of Technology Innovation at Verodin. With over 20 years of security industry experience, working across more than 50 countries and six continents, he is a seasoned executive, board adviser, security company entrepreneur, and author. After getting …

Article source: https://www.darkreading.com/risk/close-the-gap-between-cyber-risk-and-business-risk-/a/d-id/1335996?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Build Your Cybersecurity Toolkit at Black Hat Europe in December

Now’s the time to start planning what to see and do at Black Hat Europe, which is jam-packed with relevant Briefings and Arsenal demos.

Black Hat Europe kicks off in London this December, so it’s time to start looking over the Briefings schedule and Arsenal lineup to ensure you make the most of the event. Both are jam-packed with notable speakers and interesting content, so take advantage of the “Tracks” feature of the schedule to sort and filter the list to find the Briefings and Arsenal demos most relevant to your interests.

If you’re focused on reverse engineering, for example, you might be interested in checking out Trust in Apple’s Secret Garden: Exploring Reversing Apple’s Continuity Protocol, in which an independent security researcher will dive deep into the inner workings and weaknesses of Apple’s Continuity protocol. Or you could check out Unleashing the Power of My 20+ Years Old Car, a reverse engineering track Briefing in which a vulnerability researcher will walk you through the process of reverse-engineering and bypassing a speed limiter (set to kick in at speeds in excess of ~180 km/hour) installed in his 1997 Subaru Impreza to make it comply with Japanese law.

If you stop by the Arsenal, located in the Business Hall, check out live demos for products and services like CrackQ: Intelligent Password Hacking, a Python-based queuing system for managing hash cracking using Hashcat. There are several tools available for this purpose, but CrackQ was born from the frustration of using these tools on a daily basis. It adds some new and interesting features as solutions to these frustrations. You can learn all about it at Black Hat Europe in December.

Find further details on these and many other useful presentations in the Briefings schedule and the Arsenal lineup for Black Hat Europe, which returns to ExCeL London December 2-5, 2019. For more information on what’s happening at the event and how to register, check out the Black Hat website.

Article source: https://www.darkreading.com/black-hat/build-your-cybersecurity-toolkit-at-black-hat-europe-in-december/d/d-id/1336069?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Creative Wi-Fi Passwords

Let’s see a hacker figure out one of these.

Source: iwearyourshirt

What security-related videos have made you laugh? Let us know! Send them to [email protected].

Beyond the Edge content is curated by Dark Reading editors and created by external sources, credited for their work.

Article source: https://www.darkreading.com/edge/theedge/creative-wi-fi-passwords/b/d-id/1336061?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Apple removes app that tracks Hong Kong police and protesters

Apple was under fire this week after banning an app that tracked the location of both police and protesters in Hong Kong on a live map.

Apple had initially rejected the app, called HKMap.live, from inclusion in the app store on 2 October 2019, reportedly because it “facilitates, enables, and encourages an activity that is not legal,” enabling users to avoid law enforcement. It then reversed its decision on Friday 4 October, allowing the app into the Apple store after all.

Apple then backtracked on that decision soon after an article appeared in the State-run People’s Daily newspaper criticizing the company for helping rioters. It said:

The developers of the map app had ill intentions by providing a “navigation service” for the rioters. Apple’s approval for the app obviously helps rioters. What was its true intention?

Apple has reportedly issued the following public statement:

The app displays police locations and we have verified with the Hong Kong Cybersecurity and Technology Crime Bureau that the app has been used to target and ambush police, threaten public safety, and criminals have used it to victimize residents in areas where they know there is no law enforcement. This app violates our guidelines and local laws.

The app’s developer was quick to respond, arguing:

In a string of tweets, the developer added that there “is 0 evidence” to support the Bureau’s claims.

Apple’s removal of the app highlights growing tensions between US businesses and the Chinese government, which has been battling ongoing protests in Hong Kong since March 2019. The protests began over a bill that would have allowed China to transfer people arrested in Hong Kong to the mainland. After the bill was cancelled, the protests expanded into a broader pro-democracy push that led to increasingly violent clashes between police and protesters.

The crisis seemed to grow yesterday when Quartz told journalists that Apple has removed its app from the Chinese app store after complaints from the Chinese government. The publication, which said that its website had also been blocked in China, added that Apple had told it the app “includes content that is illegal in China.”

Apple also now reportedly hides the Taiwanese flag emoji from iOS users in Hong Kong or Macau. The mainland People’s Republic of China (PRC) has a tense relationship with Taiwan, which considers itself part of an alternative Republic of China government.

Around 18% ($9.61bn) of Apple’s revenue came from China in its third quarter. The company didn’t respond to requests for comment yesterday.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/NGy6SSRh_9k/

Facebook flags thousands of kids as interested in gambling, booze

We know that Facebook tracks what we do to flag our interests for use in targeted advertising.

But the algorithm it uses to do so is marking thousands of kids as being interested in booze and gambling, which could lead to them being targeted with ads that aren’t appropriate to show to minors, according to a joint investigation by The Guardian and the Danish Broadcasting Corporation (DBC).

The investigation found that Facebook’s ad tools flag 740,000 children under the age of 18 as being interested in gambling. Another 940,000 kids are marked as interested in alcoholic beverages.

As the Guardian points out, such interests are automatically generated, based on what the platform observes of a user’s activity. That data then gets fed to advertisers, who can use it to target specific subgroups that show signs of potentially being interested in whatever the advertisers are pushing.

Facebook said in a statement that advertising alcohol or gambling to minors on the social network is forbidden:

We don’t allow ads that promote the sale of alcohol or gambling to minors on Facebook and we enforce against this activity when we find it. We also work closely with regulators to provide guidance for marketers to help them reach their audiences effectively and responsibly.

But there are reportedly instances where Facebook will, in fact, let kids be targeted for interests in these age-inappropriate areas. The investigation’s reporters got input from a Facebook insider who gave the example of an anti-gambling service that might reach out to offer support to children who might have a gambling problem.

The Guardian also highlights a more insidious example of how such targeting might be used. The publication pointed to young people who are addicted to video games such as Fortnite, Candy Crush and Call of Duty – addicts whom the UK’s National Health Service (NHS) recently opened up a clinic to treat.

Developers of such games, with their profitable loot boxes of consumable virtual items that can be redeemed to get yet more virtual loot, could target their ads to children who’ve been flagged as having an interest in gambling – all without breaching Facebook’s regulations about not marketing gambling to kids.

Facebook actually got in trouble earlier this year for knowingly refusing refunds to parents whose kids didn’t realize that the money they were spending in games like Ninja Saga was real. That naivete led to kids unknowingly racking up thousands of dollars in charges.

For advertisers of content prohibited on Facebook who decide to skirt Facebook’s rules about advertising to children, they’ve got preselected audiences thanks to Facebook’s flagging users by interest. Nor does the platform have a proactive way to stop them. It relies primarily on automated review to flag prohibited ads, but those reviews don’t necessarily stop the ads from running in the first place.

The Guardian points to a recent lawsuit Facebook settled over this failing. In January, it got lawsuited into creating a scam ads reporting tool, and donating £3m to a consumer advocate group, by UK financial celeb Martin Lewis.

Lewis’s name and face had been slathered on all sorts of financial scams that he’d never endorse – scams that Facebook’s detection tools repeatedly failed to block. In fact, Lewis’s suit claimed that Facebook had published over 50 fake advertisements that used his face and name without his permission.

The boozy, gambling kids story isn’t the first time Facebook’s been called out for improperly tagging users, the Guardian points out. In May 2018, it was found to be letting advertisers target its users based on sensitive categorizations that are supposed to be off-limits according to data laws.

Just one month later, The Guardian and the DBC found that Facebook had algorithmically tagged 65,000 Russians as being “interested in treason,” potentially putting them at risk of retribution in their homeland. Following inquiries from journalists, Facebook removed the “treason” category.

Will the multi-algorithmically armed beast do the same for “alcohol” and “gambling,” or figure out some way to keep such terms available to advertisers who might use them to target minors?

Right now, Facebook doesn’t seem inclined to admit there’s a problem, but if it does, and if it does anything about it, we’ll let you know.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/DxndeahDmYs/

Hackers bypassing some types of 2FA security FBI warns

Some types of two-factor authentication (2FA) security can no longer be guaranteed to keep the bad guys out, the FBI is reported to have warned US companies in a briefing note circulated last month.

FBI reporting identified several methods cyber actors use to circumvent popular multi-factor authentication techniques in order to obtain the one-time passcode and access protected accounts.

The simplest and therefore most popular bypass is SIM swap fraud, in which the attacker convinces a mobile network (or bribes an employee) to port a target’s mobile number, allowing them to receive 2FA security codes sent via SMS text.

Naked Security now regularly covers this kind of hack, almost always because it was used to empty people’s bank accounts, steal cryptocurrency from wallets or exchange accounts, or to attack services such as PayPal.

From the victim’s point of view, it’s the ultimate gotcha – a security weakness caused by the failings of a service provider they can do little to prevent.

A second technique is the man-in-the-middle phishing attack that tricks people into entering their credentials and OTP code into a fake site which then instantly passes them to the real one. A good example of this is last month’s attack on YouTube users, some of whom had 2FA turned on.

More advanced still is session hijacking where the site is genuine, but the credentials and codes are stolen from traffic travelling to and from the user.

According to the FBI, in one case from 2019, a security vulnerability on the website of a bank allowed a hacker to bypass PIN and security questions after phishing basic credentials.

Warning overload

Do US companies really need warnings that 2FA isn’t perfect from the Feds?

More likely, they already understand the risks but adopt the pragmatic stance that 2FA security based on SMS, PINs and codes still works well for their customers and employees most of the time.

On that point, they are correct – using any form of 2FA is always better than relying on a password and username on its own.

The question is what the broader mass of end users will make of all this. Although sounding the alert isn’t a bad policy per se, there’s always a risk of exaggerating the everyday risk to users.

Perversely, that might deter the very people who would benefit from 2FA, namely the large majority who don’t use it in the first place.

Meanwhile, anyone who wants the strongest possible 2FA security will probably have to consider using FIDO2 hardware tokens, a technology that has yet to be undermined by hackers in real-world attacks.

Longer term, the solution might be to make the authentication part of logging in the primary process using a standard such as WebAuthn, which allows websites and devices (including smartphones, biometrics, Windows Hello, etc) to authenticate one another.

The plus of this approach is that users will authenticate themselves without having to really do anything, or even know this process is happening at all.
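As an added example (not from the article or the FBI note) of why the man-in-the-middle and relay bypasses above stop working with WebAuthn: the browser, not the page, stamps the page’s origin and the site’s fresh challenge into the signed clientDataJSON, so the relying party rejects an assertion made on a look-alike site or replayed against a later login. The block below is a simplified model of both sides with constructed names (bank.example and a look-alike phishing origin) and, because the standard library has no ECDSA, an HMAC stand-in for the credential’s signature.

```python
import base64
import hashlib
import hmac
import json
import os
import struct

def b64url(data: bytes) -> str:
    """base64url without padding, the encoding WebAuthn uses for the challenge in clientDataJSON."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def sign_stand_in(cred_key: bytes, data: bytes) -> bytes:
    """Real authenticators sign with the credential's private key (e.g. ES256); the standard
    library has no ECDSA, so this constructed demo uses an HMAC stand-in for the signature."""
    return hmac.new(cred_key, data, hashlib.sha256).digest()

def authenticator_get_assertion(cred_key, rp_id, challenge, browser_origin, sign_count):
    """Simplified model of what browser + authenticator return for navigator.credentials.get().
    The browser writes `origin` into clientDataJSON; the page cannot change it.
    authenticatorData = rpIdHash(32) | flags(1) | signCount(4, big-endian)."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                              "origin": browser_origin}).encode()
    flags = 0x01 | 0x04  # bit 0: user present (UP), bit 2: user verified (UV)
    auth_data = sha256(rp_id.encode()) + bytes([flags]) + struct.pack(">I", sign_count)
    signature = sign_stand_in(cred_key, auth_data + sha256(client_data))
    return client_data, auth_data, signature

def rp_verify_assertion(cred_key, rp_id, expected_origin, expected_challenge, stored_count,
                        client_data, auth_data, signature):
    """Relying-party checks (abridged from the WebAuthn assertion verification procedure):
    ceremony type, per-session challenge, origin, rpIdHash, UP flag, signature, signCount.
    Returns (accepted, reason, sign_count_to_store)."""
    try:
        cd = json.loads(client_data)
    except ValueError:
        return False, "clientDataJSON is not valid JSON", stored_count
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type", stored_count
    if not hmac.compare_digest(str(cd.get("challenge", "")), b64url(expected_challenge)):
        return False, "challenge mismatch (replay or wrong session)", stored_count
    if cd.get("origin") != expected_origin:
        # An assertion relayed from a look-alike site fails here, whatever else it contains.
        return False, "origin mismatch: " + repr(cd.get("origin")), stored_count
    if len(auth_data) < 37 or not hmac.compare_digest(auth_data[:32], sha256(rp_id.encode())):
        return False, "rpIdHash mismatch", stored_count
    if not auth_data[32] & 0x01:
        return False, "user presence not asserted", stored_count
    expected_sig = sign_stand_in(cred_key, auth_data + sha256(client_data))
    if not hmac.compare_digest(expected_sig, signature):
        return False, "bad signature", stored_count
    count = struct.unpack(">I", auth_data[33:37])[0]
    if count != 0 and count <= stored_count:
        return False, "signCount did not increase (possible cloned authenticator)", stored_count
    return True, "ok", count

def demo():
    """Constructed scenario: a genuine login, then the same credential used through a
    look-alike phishing origin that relays the real site's challenge, then a replay."""
    rp_id, real_origin = "bank.example", "https://bank.example"
    phish_origin = "https://bank-example.login-verify.test"  # constructed look-alike
    cred_key = os.urandom(32)  # stands in for the registered credential's key pair
    results = {}
    # 1. genuine login: the RP issues a fresh challenge, the browser reports the real origin
    ch1 = os.urandom(32)
    genuine = authenticator_get_assertion(cred_key, rp_id, ch1, real_origin, 1)
    ok, why, stored = rp_verify_assertion(cred_key, rp_id, real_origin, ch1, 0, *genuine)
    results["genuine"] = (ok, why)
    # 2. man-in-the-middle phishing: the proxy fetches ch2 from the RP and relays the victim's
    #    assertion, but the victim's browser stamped the phishing origin into clientDataJSON
    ch2 = os.urandom(32)
    relayed = authenticator_get_assertion(cred_key, rp_id, ch2, phish_origin, 2)
    ok, why, _ = rp_verify_assertion(cred_key, rp_id, real_origin, ch2, stored, *relayed)
    results["phished"] = (ok, why)
    # 3. replay of the captured genuine assertion against a later login (new challenge)
    ch3 = os.urandom(32)
    ok, why, _ = rp_verify_assertion(cred_key, rp_id, real_origin, ch3, stored, *genuine)
    results["replayed"] = (ok, why)
    return results

if __name__ == "__main__":
    for name, (accepted, reason) in demo().items():
        print(f"{name:9s} accepted={accepted} reason={reason}")
```

In a real browser the phishing case is refused even earlier, because the requested rpId must match the page’s registrable domain before the authenticator is asked to sign anything.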

That might lead in time to the ultimate security technology – one that is so invisible even hackers struggle to see it.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/M0mTuBNjc54/