STE WILLIAMS

Nation-State Breaches Surged in 2018: Verizon DBIR

The source of breaches has fluctuated significantly over the past nine years, but organized crime has almost always topped nation-state actors each year. The gap narrowed significantly in 2018, according to the annual report.

The share of breaches attributed to nation-state attacks doubled in 2018, but organized criminal hacks were still more common, according to the annual “Data Breach Investigations Report” (DBIR), released by Verizon on May 8.

Nearly seven out of every 10 breaches involved an outside attacker, rather than an insider, slightly down from the previous year, according to the report. Of those external breaches, nation-state groups accounted for 23%, up from 12% in 2017.

Those estimates are likely on the low side, says Bob Rudis, chief data scientist of security management firm Rapid7. Security professionals are leery of attributing attacks to nation-state actors unless they have a significant body of supporting evidence, says Rudis, a former Verizon data scientist who has helped compile the DBIR in the past.

“My gut tells me, from what I have seen, I actually think the nation-state estimates are low across the board, because it is hard to say 100% that an attack is a nation-state,” he says. “We [researchers] also are less likely to commit to the attribution, because companies and governments may act on that information.”

The report highlights the resurgence of nation-state activities in the past year. Nation-state attackers have almost always come in second to organized criminals over the past decade. For the nine years included in Verizon’s data, only once — in 2012 — did nation-state attackers garner a greater share of breaches than organized crime.

While nation-state attacks climbed as a share of breaches, organized crime fell to 39%, from 50% in 2017.

The resurgence of nation-state attackers can leave companies at a loss, says Nathan Wenzler, senior director of cybersecurity at Moss Adams, a Seattle, Washington-based accounting, consulting, and wealth management firm. With nation-state attackers, companies feel that, no matter how well they defend, the attackers will keep coming back, while security professionals believe that they have some recourse against attacks perpetrated by organized criminals: there is a chance, if unlikely, that the perpetrators will be arrested, he says.

“We can’t arrest ‘China’ — so it is a much harder problem for people to solve, even though the groups are essentially using the same tactics, in terms of the breaches,” Wenzler says.

The public sector saw the most attention from nation-state actors, with 79% of all breaches involving external actors coming from state-affiliated attackers, the DBIR stated. While all other attack patterns — such as attacks on web applications or privilege misuse — occurred less frequently or stayed the same, cyber espionage surged to account for 42% of all breaches in the public sector, up from 25% in 2017, a significant increase.

“Given the sheer number of incidents in this sector, you would think that the government incident responders must either be cape-and-tights-wearing superheroes, or so stressed they’re barely hanging on by their fingernails,” according to the report.

Perhaps coincidentally, the greatest surge in the share of breaches caused by nation-state attacks has coincided with US election years, peaking in 2012 and 2016. 

At the other end of the spectrum, the education sector saw a smaller share of attacks from nation-state actors in 2018. Espionage-related attacks dropped to 12% of all breaches in 2018, down from 43% in 2016. Financially motivated attacks, however, became much more common, with 79% of attacks in 2018 having some financial motivation, up from 45% in 2016, per Verizon’s report.

The information industry fell somewhere in between the public and education sectors. Cyber espionage accounted for 13% of all attack types, according to the DBIR. In addition, 36% of all external attackers were state-affiliated, Verizon said, calling the figure “eye-opening.”

“Sir Francis Bacon once famously stated ‘knowledge is power’,” the report stated. “Perhaps a better definition for 2019 would be ‘to gain and to control information is power.’ Therefore, we should probably not be shocked that the organizations that own and distribute that information are the target of such attacks.”

Most state-sponsored and espionage attacks begin with a phishing e-mail. In the information industry, for example, 84% of such attacks begin with social engineering. However, employees click on such e-mail far more often than they report the fraudulent messages, according to Verizon.

While the latest trends change somewhat, the advice for companies remains the same year to year, says Wenzler. Companies need to establish a security program that strongly supports the basics: asset discovery, patch management, and application security controls. Still, he often runs into clients that have no idea what is running inside their network.

“The security stuff is always the afterthought,” Wenzler says. “If you worry about nation-states, you should be doing the basics right.”

For companies already doing the basics, the data from the Verizon report suggests some areas on which to focus. The report shows what areas attackers are exploiting for each industry.

“Look and see what actions the nation-state actors did prefer,” says Rapid7’s Rudis. “Then maybe you can use that to see how your defenses stack up.”

The Verizon DBIR is based on 41,686 incidents reported from more than 73 contributors and includes information on 2,103 breaches. 


Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry’s most knowledgeable IT security experts. Check out the Interop agenda here.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline …

Article source: https://www.darkreading.com/attacks-breaches/nation-state-breaches-surged-in-2018-verizon-dbir/d/d-id/1334671?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

US DoJ Indicts Chinese Man for Anthem Breach

Fujie Wang allegedly worked as part of a hacking team out of China that stole information on nearly 80 million Americans in the massive healthcare breach.

The US Department of Justice (DoJ) today unsealed an indictment of a Chinese national who allegedly was part of a hacking group in China behind the massive 2015 data breach of Anthem, as well as attacks on three other large US businesses.

As part of the hacking group, Fujie Wang, aka Dennis Wang and Wang Fujie, 32, allegedly helped steal names, identification numbers, birthdates, Social Security numbers, and other personal information about 78.8 million people in the Anthem breach, as well as in attacks on unnamed technology, communications, and materials sector companies, according to the indictment. Also included in the filing is an individual identified only as John Doe, aka Deniel Jack, Kim Young, and Zhou Zhihong, who, along with Wang, was charged with one count of conspiracy to commit fraud and related activity in relation to computers and identity theft, one count of conspiracy to commit wire fraud, and two counts of intentional damage to a protected computer.

While the DoJ indictment did not name the Chinese hacking team, Symantec had previously identified the Anthem hackers as part of the so-called Black Vine group, which has been active since around 2012, targeting healthcare, aerospace, and energy organizations. The group was believed to have some ties to a China-based IT security organization named Topsec.

The findings documented in this report lead Symantec to believe that Black Vine is an attack group that has working relationships with multiple cyberespionage actors. The group is well-funded and organized, according to Symantec, and comprises at least a few members, some of whom may have a past or present association with a China-based IT security organization called Topsec.

“The allegations in the indictment unsealed today outline the activities of a brazen China-based computer hacking group that committed one of the worst data breaches in history,” said Assistant Attorney General Brian Benczkowski. “These defendants allegedly attacked U.S. businesses operating in four distinct industry sectors, and violated the privacy of over 78 million people by stealing their PII.”

But like most DoJ indictments of foreign nationals living in nations where the US has no extradition agreement, it’s unlikely Wang will be apprehended by US authorities unless he travels outside China or Chinese officials turn him over to the US. Even so, the DoJ began executing its indictment strategy five years ago, starting with the historic indictment of five Chinese military officers for leading cyberattacks that stole intellectual property from major American steel, solar energy, and other manufacturing companies, including Alcoa, Westinghouse Electric, and US Steel.

Patiently Waiting
According to the indictment, the hackers began their attacks with spear-phishing emails containing malicious URLs, sent to employees at the victim businesses: clicking the link delivered backdoor malware to the victim’s machine. “Defendants sometimes patiently waited months before taking further action,” the indictment said.

The attackers then moved laterally and gathered intelligence, including from Anthem’s data warehouse, where the company stored PII, during October and November 2014.

In 2015, they ultimately siphoned the stolen data from Anthem in encrypted archive files and sent them to several locations in China, using the Citrix ShareFile data storage and transfer service as part of the transport. The attackers later deleted the archive files from the victim networks to cover their tracks.

Main Domain Man
Wang allegedly managed and controlled two domain names associated with the hacking group’s operation. The attackers were tossed from Anthem’s network around Jan. 31, 2015, when the healthcare company began its incident response operation.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: https://www.darkreading.com/attacks-breaches/us-doj-indicts-chinese-man-for-anthem-breach/d/d-id/1334676?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Chrome plans to save you from sites that mess with your back button

If you’ve ever found the back button on your Chrome browser not working, Google will soon have a fix for you. Or more accurately, the developers behind the Chromium open source browser that underpins Chrome will soon have a fix for you.

Your Chrome back button sometimes fails because of sneaky behaviour by nuisance websites. These sites are the Roach Motels of the web: you can check in, but you can’t check out. Once you stumble into their dark corner of the internet and try to leave, they hijack your browser’s back button, blocking the exit.

They achieve their nefarious goals in two ways: using redirects or history manipulation.

Redirects are simple – on the way in you’re bounced through a redirect you don’t notice that sits in your browser history between the page you started on and the page you’re on now. When you hit the back button your browser goes back one URL in its history, which loads the redirect which bounces you forwards again.

History manipulation is sneakier. It sounds fun, like playing heavy metal for fifties high school kids in Back to the Future. Or going back to 1990 and putting all your money into Cisco shares (you’d be worth over $1.3m today on a $1000 initial investment). But no, nuisance websites ruin everything, including history.

Here’s how it works. Your browser keeps a stack of records showing which pages you’ve visited in the current window’s session. When you press the back button, the browser steps to the entry just below the current one on that stack.

HTML5 allows a nuisance web page to hijack that process by adding entries to the session history using the pushState method. It can pile dummy entries pointing to itself on top of the stack. The result? You either click madly on the back button to get back through the stack faster than the site can refill it, or you just give up and close the window. Either way, it’s frustrating.

Participants in the Web Incubator Community Group (WICG) first identified this in 2016. WICG is a forum for discussing how to improve the web experience for users. In November, Chromium’s developers took up the mantle and pledged to fix the problem.

There’s a feature in the works that will stop pages from redirecting users or messing with the stack used for the back/forward button UI after the page has loaded, unless the user explicitly gives permission with a “user gesture”. According to this announcement:

The new behavior of the browser’s back button will be to skip over pages that added history entries or redirected the user without ever getting a user gesture.

Previously, if you were on site A and clicked a link to go to nuisance site B, site B could automatically use pushState to add itself to your history and keep doing it, meaning you’d never get back to site A. Now, if the user didn’t click on something to request it, the browser will ignore the entry. As soon as the user clicks the back button, they can return to site A.
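To make the two tricks and the fix concrete, here is an added example (not Chromium code and not from the original article) that models a browser's session-history list in plain JavaScript. It assumes a simple record of which document created each entry and whether that document ever received a user gesture before manipulating history; the URLs are placeholders.

```javascript
// Added example: a small model of a browser's session-history list, written to
// illustrate the two back-button tricks described above (a silent redirect and
// pushState spam) and the Chromium change that skips entries created without a
// user gesture. Illustrative code only, not Chromium's implementation.

class SessionHistory {
  constructor(startUrl) {
    // Each entry records its URL and the document ("doc") that created it.
    this.entries = [{ url: startUrl, doc: startUrl }];
    this.index = 0;
    // Documents that added history entries or redirected without ever
    // receiving a user gesture; the new back button skips their entries.
    this.gesturelessDocs = new Set();
  }

  get current() { return this.entries[this.index].url; }

  _append(url, doc) {
    this.entries.length = this.index + 1; // a new navigation discards forward history
    this.entries.push({ url, doc });
    this.index += 1;
  }

  // A navigation the user asked for, e.g. clicking a link.
  userNavigate(url) { this._append(url, url); }

  // A page bouncing the visitor onward on its own, with no user gesture involved.
  autoRedirect(url) {
    this.gesturelessDocs.add(this.entries[this.index].doc);
    this._append(url, url);
  }

  // history.pushState() called by the current document. `hadGesture` says whether
  // the document had received a user gesture before calling it.
  pushState(url, hadGesture) {
    const doc = this.entries[this.index].doc;
    if (!hadGesture) this.gesturelessDocs.add(doc);
    this._append(url, doc);
  }

  // Legacy back button: always exactly one entry.
  backLegacy() {
    if (this.index > 0) this.index -= 1;
    return this.current;
  }

  // New behaviour: skip entries belonging to documents that manipulated
  // history without a gesture. Entry 0 is never skipped.
  backSkipping() {
    let i = this.index - 1;
    while (i > 0 && this.gesturelessDocs.has(this.entries[i].doc)) i -= 1;
    if (i >= 0) this.index = i;
    return this.current;
  }
}

// Trick 1: redirect chain. User clicks from A to R; R silently bounces to B.
// Legacy back lands on R, which would bounce forward again; the new back lands on A.
function redirectTrick(mode) {
  const h = new SessionHistory('https://a.example/');
  h.userNavigate('https://r.example/bounce');
  h.autoRedirect('https://b.example/');
  return mode === 'legacy' ? h.backLegacy() : h.backSkipping();
}

// Trick 2: pushState spam. B adds 20 copies of itself the moment it loads.
function pushStateTrick(mode) {
  const h = new SessionHistory('https://a.example/');
  h.userNavigate('https://b.example/');
  for (let n = 0; n < 20; n += 1) h.pushState('https://b.example/', false);
  return mode === 'legacy' ? h.backLegacy() : h.backSkipping();
}

// A page that pushes state after a real click (a single-page app changing its
// URL when the user opens a tab) is left alone by the new behaviour.
function legitimatePushState() {
  const h = new SessionHistory('https://a.example/');
  h.userNavigate('https://app.example/');
  h.pushState('https://app.example/#settings', true);
  return h.backSkipping();
}
```

The model shows why the fix is keyed to the document rather than to individual entries: the nuisance page's own entry, not just the padding it added, has to be skipped for one click to return the user to site A.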

That means clingy web sites will fail miserably as they try to gum up your back button. Google has also pledged to collect metrics on inappropriate history manipulation entries. Wouldn’t it be great if it used those to penalise nuisance sites in its mysterious search ranking algorithm?

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/KdA_Bsg_FY8/

DeepDotWeb seized, suspected admins arrested

When authorities last week announced an international bust of the Dark Web drugs-n-stuff marketplace Wall Street Market (WSM), they said stay tuned: there’s more where this came from.

Well, that didn’t take long: Europol announced on Wednesday that two suspected admins of DeepDotWeb – a site that indexes Dark Web marketplaces – were arrested on Monday, in Paris and Israel.

They were charged in the US on Wednesday. The FBI seized the DeepDotWeb site, which is now displaying the logos of 10 law enforcement agencies that helped pull off the investigation and the busts.

It’s not illegal to provide a directory to markets selling illegal things on the Dark Web. It’s another thing entirely if you make money off those sites, though. According to Europol, authorities believe that DeepDotWeb’s admins made millions of dollars in kickbacks from the Dark Web sites they referred people to.

Money laundering

In its take-down notice, the FBI cites federal statutes on money laundering conspiracy and civil and criminal forfeiture.

Both of the suspects arrested on Monday are Israeli citizens. They’ve been charged with money laundering conspiracy for allegedly receiving commissions on sales of illegal narcotics such as fentanyl and heroin, weapons, hacked data, hacking tools, payment cards, other illegal counterfeit items, and other illegal goods.

The two allegedly had owned and operated DeepDotWeb since 2013. WSM was just one dark web market for which DeepDotWeb provided news, reviews and direct access for interested buyers. Authorities estimate that the site funnelled hundreds of thousands of users to dark web markets over the years.

Europol says the payments were made in virtual currency and paid into a Bitcoin wallet controlled by DeepDotWeb. The suspects allegedly hid the money by transferring it into other Bitcoin accounts and to bank accounts taken out in the name of shell companies.

The pair allegedly took in a total of about €7.5 million worth of bitcoins – about USD $8.4 million – when adjusted for the trading value of the currency at the time of each transaction.

Gathering in the admins

The three German men whose arrests were announced on Friday are suspected of being the admins of WSM: a platform that hosted about 5,400 sellers and more than 1 million customer accounts, according to what Frankfurt prosecutor Georg Ungefuk told reporters in Wiesbaden.

Authorities showed off a slew of luxury watches and banknotes when they laid out the evidence they seized in the international raids. The investigation had taken nearly two years and is considered to have broken up one of the world’s largest online criminal trafficking operations.

Besides the three German men arrested last week and the two Israelis arrested this week, police also charged a Brazilian man who they allege was the moderator for WSM. In the US, Los Angeles law enforcement say they arrested two men alleged to have been major drug dealers and top WSM vendors. Europol said in its press release:

This is yet another law enforcement success in the fight against the sale of illegal goods on the dark web.

You can hide, but you might still have to run

It’s also yet another reminder that in spite of the anonymity provided by the dark web’s clever encryption, you can still be tracked down. There have been many criminals who have thought pretty highly of their own skills at covering their tracks… yet still left tracks that investigators followed to their computers.

Take, for example, the case of Ryan S. Lin: a then-25-year-old who pleaded guilty in April 2018 to seven counts of cyberstalking, five counts of distribution of child abuse imagery, nine counts of making hoax bomb threats, three counts of computer fraud and abuse, and one count of aggravated identity theft.

Lin, a computer science graduate from Rensselaer Polytechnic Institute, was savvy enough to use a two-pronged approach to protecting anonymity: both a virtual private network (VPN) and an anonymizing service to mask his true IP address. He was also smart enough to know that VPNs keep logs.

Fortunately for the FBI, he did a terrible job at hiding his tracks in spite of all his supposed tech smarts. When investigators got access to Lin’s Gmail account, they found that he’d sent himself two screenshots of what looked to be his iPhone. The images showed what apps were installed, including several apps for anonymous texting, encrypted email, and free burner telephone numbers.

Lin thought the IP address-anonymizing Tor service would protect him. He thought VPNs would hide him. He also seemed to put his faith in anonymous overseas texting services and overseas encrypted email providers that don’t respond to law enforcement and/or don’t maintain IP logs or other records.

In October 2018, he was sentenced to 17.5 years in jail.

The DeepDotWeb and WSM busts were just the latest notches in the belts of international law enforcement agencies who’ve learned a thing or two about shining a light into the web’s dark corners.

This was a big bust, and DeepDotWeb was drowned by just one resulting ripple. We can no doubt expect yet more ripples from the WSM investigation.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/LVKzV_NVnYs/

CSS tracking trick can monitor your mouse without JavaScript

A security researcher has demoed a new way to track web visitors’ mouse movements even when they’re using ad blockers or plugins that block JavaScript.

As explained on Twitter by Davy Wybiral and in conversation with Bleeping Computer, this works by exploiting the CSS hover effect, which applies a style to an element while the user’s mouse is over it. If the style that is applied loads an image from a remote server, he realised, the resulting request can be used to track cursor movement:

It occurred to me that you can remotely monitor the cursor location without JavaScript by using some CSS :hover selectors to change hidden background images (causing a GET request).

As the mouse moves over different areas of an invisible HTML grid on the page, different background images are requested from the server. The server owner can look at the names of the images being requested and map them to the different parts of the grid to see how the user’s mouse moved over the page.

The background images don’t need to be shown to the end user, leaving them unaware of the mouse tracking. It should even work against the privacy-focussed Tor browser, Wybiral believes. Using it wouldn’t be entirely straightforward. However:

The browser won’t reload the background image so this version only tracks the movement on the first :hover [in each element of the grid] … but… Since the request is chunked the server can send more CSS to add new :hover selectors each time one triggers.

In the demo, this could even be used in real time. Why would an advertiser care? Because mouse movements tell them a lot about what interests users on pages, including how long they spent on different elements when performing actions such as scrolling.

Moreover, :hover was not the only CSS selector that could be used in this way, with :focus another possibility, he said.
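As an added example, not Wybiral's demo code, the following JavaScript shows both halves of the technique: the page side, which emits an invisible grid whose cells each carry a :hover rule pointing at a unique background-image URL, and the server side, which decodes those requests from an access log back into the order of cells the cursor entered. The /beacon path, the cell ids, the 1x1 transparent GIF response and the log lines are constructed assumptions.

```javascript
// Added example (not from the original article): the hidden :hover grid the
// tracking trick relies on, the "re-arm" rule that works around the browser's
// once-only image fetch, and a decoder for the resulting server log.
// /beacon, the cell id scheme and the log excerpt are assumptions made here.

// Page side: a fixed, full-viewport grid of transparent cells. Nothing is ever
// drawn (the server answers /beacon with a 1x1 transparent GIF), but the browser
// must GET the cell's URL the first time the cursor enters it.
function buildTrackingPage(rows, cols, beaconBase = '/beacon') {
  const css = [
    '.grid{position:fixed;top:0;left:0;width:100vw;height:100vh;display:grid;' +
      `grid-template-rows:repeat(${rows},1fr);grid-template-columns:repeat(${cols},1fr)}`,
  ];
  const cells = [];
  for (let r = 0; r < rows; r += 1) {
    for (let c = 0; c < cols; c += 1) {
      const id = `c${r}_${c}`;
      css.push(`#${id}:hover{background-image:url("${beaconBase}?cell=${r},${c}")}`);
      cells.push(`<div id="${id}"></div>`);
    }
  }
  return `<style>${css.join('\n')}</style>\n<div class="grid">${cells.join('')}</div>`;
}

function countHoverRules(page) {
  return (page.match(/:hover\{/g) || []).length;
}

// The browser fetches each URL only once, so a plain grid records just the first
// entry into each cell. Wybiral's workaround: keep the CSS response open (chunked)
// and, when cell (r,c) fires, stream one more rule for that cell with a fresh URL.
// A later rule of equal specificity wins, so the cell becomes trackable again.
function rearmCellRule(r, c, generation, beaconBase = '/beacon') {
  return `#c${r}_${c}:hover{background-image:url("${beaconBase}?cell=${r},${c}&g=${generation}")}`;
}

// Constructed access-log excerpt (common log format) for one visitor; not real traffic.
const SAMPLE_LOG = [
  '203.0.113.7 - - [09/May/2019:10:00:01 +0000] "GET /beacon?cell=0,0 HTTP/1.1" 200 43',
  '203.0.113.7 - - [09/May/2019:10:00:01 +0000] "GET /beacon?cell=0,1 HTTP/1.1" 200 43',
  '203.0.113.7 - - [09/May/2019:10:00:02 +0000] "GET /favicon.ico HTTP/1.1" 404 0',
  '203.0.113.7 - - [09/May/2019:10:00:02 +0000] "GET /beacon?cell=1,1 HTTP/1.1" 200 43',
  '203.0.113.7 - - [09/May/2019:10:00:04 +0000] "GET /beacon?cell=0,1&g=1 HTTP/1.1" 200 43',
];

// Server side: recover the cursor path. Each beacon hit is one cell entry, in log
// order; unrelated requests are ignored. Returns [row, col] pairs.
function decodeCursorPath(logLines) {
  const re = /"GET \/beacon\?cell=(\d+),(\d+)(?:&g=(\d+))? HTTP\//;
  const path = [];
  for (const line of logLines) {
    const m = re.exec(line);
    if (m) path.push([Number(m[1]), Number(m[2])]);
  }
  return path;
}
```

The grid here is a fixed overlay, which would swallow clicks on a real page; a deployment would have to work the cells into the layout. The defensive takeaway is that disabling JavaScript does nothing against this, because the requests are plain image loads; only blocking those requests themselves, at the network level, stops the data leaving the browser.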

The technique is intriguing because HTML and CSS (Cascading Style Sheets) aren’t programming languages and don’t usually figure in conversations about tracking. The fancy tricks, interaction and programming that turn static web pages into apps are the domain of the web’s third major language, JavaScript.

That puts JavaScript at the frontline of tracking, which is why adblockers and privacy plugins offer the option to block it at the risk of disabling some page elements.

Wybiral’s technique is like an ad-oriented version of the hypothetical notion (we hope) of keylogging passwords using CSS, another idea that’s been doing the rounds.

At first, it sounds like a lot of effort to capture data this way, and it would still need interpretation. It would also be easy to spot in source code. But the fact it would bypass today’s blockers might give it legs.

Alternatively, website owners already have so many established ways to track users that inventing a new one seems unnecessary.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/u6VxeIbXVd0/

Metal keys beat smart locks in NYC legal battle

A group of tenants in New York City who complained that they had been virtually locked out of their Hell’s Kitchen apartment complex by smart locks, controlled from a mobile phone, confusing to use, privacy-invading, and hard or impossible for the visually impaired to operate, have prevailed in a lawsuit against their landlords.

You win, a judge said in a settlement released on Tuesday: you get to use your chunks of metal instead of a phone app to get into the building. As part of the settlement, the landlords are required to provide physical keys, CNET reports.

In October 2018, the tenants sued their landlord for installing Latch smart locks. As CNET reports, the decision announced on Tuesday – reached in a preliminary settlement – marks one of the first times courts have weighed in on how landlords can use smart home technology.

As the New York Times tells it, two of the tenants who brought the suit are a couple of elderly artists who’ve been living in what was once a “sprawl of rotting wood” for over four decades.

Mary Beth McKenzie, 72, told the Times that her 93-year-old husband, Tony Mysak, became a virtual shut-in after the landlords installed the Latch smart locks last year. He doesn’t use a cell phone and is blind in one eye, she said. He also has a tough time with the three flights of stairs he needs to climb – stairs that, unlike the elevator, you can get to without having to go through the smart-lock-accessible lobby.

Comings and goings are none of your beeswax

But it’s not just the technology-challenged that rebelled against the smart locks: central to the tenants’ demands is a wider debate over privacy.

Latch requires that users – in this case, tenants – download an app and create a profile. That enables them to unlock doors via their phone or a key card or by punching in a code on the device’s numeric keypad. Luke Schoenfelder, a co-founder of the New York-based company, has said that the app doesn’t capture, store or use the location data of its users. Nor does it share personal data with third parties for marketing purposes, he’s said.

That’s not what its privacy policy says, however – or, at least, not how the tenants interpreted it. According to the plaintiffs, Latch’s privacy policy said that the app could collect location data and use it for marketing purposes. Schoenfelder says that Latch is revising the policy to remove any ambiguity. At this point, it says this about location data:

We do not track your location over time or when you are not using Latch, and we do not share your location with third parties.

We also never capture, store, or use GPS location data of our users. To better understand how your personal device manufacturer uses your location information, we recommend familiarizing yourself with their privacy policies and terms of service.

…and as far as marketing goes, the privacy policy now states that Latch “may use anonymized and aggregated information to better understand industry trends and better market our products and services.”

Latch also pointed out that all of its products work with mechanical keys.

No precedent

Given that this was a preliminary settlement, as opposed to a court-ordered action, this give-them-keys decision won’t set a legal precedent over how landlords can use smart-home technology.

It’s still considered a win for tenants. CNET quoted a statement from Michael Kozek, the attorney representing the five tenants who brought the suit, who called it a “huge victory” for both his clients and tenants throughout New York City.

These types of systems, which landlords have used to surveil, track and intimidate tenants, have been used frequently in New York City. These tenants refused to accept the system, and the negative impact it had on their lives. Hopefully they will be an inspiration for other tenants to fight back.

The landlords’ attorney, Lisa Gallaudet, begged to differ. She said that characterizing this as a win for tenants is “misleading.” She told CNET that the smart lock was only installed on a single door, that tenants could choose to enter a numeric code to get in without using the app, and that they’d been offered codes to use without a phone.

The only reason this settled is because my client didn’t want to waste more time and energy on this. This was by no means a reflection of the court’s opinion on how it would rule on this issue. It is my opinion that we would have succeeded on our motion. However, when parties come to an agreement to resolve litigation, it’s a win for both sides.

Regardless of how the two sides spin it, and regardless of the fact that the settlement doesn’t set a legal precedent, this issue has caught the attention of at least one NYC politician. In March, a member of the New York State Assembly who represents the area where the Hell’s Kitchen building is located introduced a bill that would limit how companies such as Latch use personal data.

The bill, introduced by Assemblywoman Linda Rosenthal, would also require that landlords provide “traditional” means of entry so tenants have the option of not using Internet of Things (IoT) technology such as the Latch smart lock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/RwnGBdS7Mxk/

Sextortion mail from yourself? It doesn’t mean you’ve been hacked…

Over the past few months, we’ve written and spoken many times about a scam known as sextortion.

Sextortion is an online crime that combines sex and extortion – the crooks say that they have embarrassing pictures of you, and they’ll send the pictures to your friends and family…

…unless you pay them blackmail money.

To make the scam seem more believable, the crooks typically claim to have acquired the pics via your own webcam by hacking into your computer using malware and snooping on your online activities.

Sadly, this sort of malware, known as a remote access trojan (RAT), is not only technically possible, but has been used in the past in a number of widely publicised attacks.

One well-known RAT attack involved a college student called Jared James Abrahams, who supposedly spied on 150 young women including Miss Teen USA. Abrahams was caught, pleaded guilty and went to prison back in 2014. More recently, Jonathan Lee Eubanks got seven years for RATting his former employer’s business, wiping servers, diverting the website and ripping off company funds after he was fired.

Even if you never look at porn, sextortion emails are pretty confronting, and raise the question, “How much might the crooks know about me?”

Sometimes, sextortion emails arrive apparently from your own account, which frightens a lot of people into thinking the crooks already have access to their computer.

So we thought we’d make a short video that you can show to friends and family, just to clarify that the From: line in an email is as much under the control of the sender as the Subject: line or the text in the email itself:

(Watch directly on YouTube if the video won’t play here.)

What to do?

Most email programs, including webmail services such as Outlook.com and Gmail, automatically fill in the From: part for you and won’t let you pretend to be someone else – but that’s your email software protecting you from yourself.

The crooks don’t use that sort of email software – they use spam-sending “mail cannon” programs that let them structure their messages however they like, such as those spoofed emails you so often see.

So, don’t freak out! Just dump it in the trash.
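The following JavaScript is an added example (not from the original article or video) that shows the point above in working code: a sending tool can put anything in the From: line, and only the headers the receiving server adds on arrival say where the message really came from. The messages, domains and Authentication-Results values are constructed; the header format follows RFC 5322 and RFC 8601.

```javascript
// Added example (not from the original article): a "mail cannon" puts whatever it
// likes in the From: line, and only the receiving server's own headers say where
// the message really came from. All messages, domains and authentication results
// below are constructed for this illustration.

// What the crook's sending tool does: assemble raw RFC 5322 text. Nothing in SMTP
// checks that the From: line matches the account or host that actually connected.
function forgeMessage({ from, to, subject, body }) {
  return [
    `From: ${from}`,
    `To: ${to}`,
    `Subject: ${subject}`,
    'MIME-Version: 1.0',
    'Content-Type: text/plain; charset=utf-8',
    '',
    body,
  ].join('\r\n');
}

// Take the header block, unfold continuation lines, lower-case header names.
function parseHeaders(raw) {
  const block = raw.split(/\r?\n\r?\n/)[0].replace(/\r?\n[ \t]+/g, ' ');
  const headers = {};
  for (const line of block.split(/\r?\n/)) {
    const i = line.indexOf(':');
    if (i < 0) continue;
    const name = line.slice(0, i).trim().toLowerCase();
    if (!headers[name]) headers[name] = [];
    headers[name].push(line.slice(i + 1).trim());
  }
  return headers;
}

function addressDomain(value) {
  const m = /@([A-Za-z0-9.-]+)/.exec(value || '');
  return m ? m[1].toLowerCase() : '';
}

// Authentication-Results (RFC 8601): "<authserv-id>; method=result ...; method=result ..."
function parseAuthenticationResults(value) {
  const parts = value.split(';').map(s => s.trim()).filter(Boolean);
  const out = { authserv: parts[0] || '' };
  for (const part of parts.slice(1)) {
    const m = /^([A-Za-z]+)=([A-Za-z]+)/.exec(part);
    if (m) out[m[1].toLowerCase()] = m[2].toLowerCase();
  }
  return out;
}

// Decide what the From: line is worth. Only a DMARC pass ties the visible From:
// domain to a verified sender; a fail, or no result at all, means the line is
// unverified text, which is exactly what a sextortion spam run relies on.
function assessFromHeader(raw) {
  const h = parseHeaders(raw);
  const fromDomain = addressDomain((h.from || [''])[0]);
  const returnPathDomain = addressDomain((h['return-path'] || [''])[0]);
  const auth = h['authentication-results']
    ? parseAuthenticationResults(h['authentication-results'][0])
    : {};
  let verdict = 'unverified'; // the receiver recorded no result
  if (auth.dmarc === 'pass') verdict = 'from-domain-verified';
  else if (auth.dmarc === 'fail') verdict = 'from-domain-not-verified';
  return {
    fromDomain,
    returnPathDomain,
    spf: auth.spf || 'none',
    dkim: auth.dkim || 'none',
    dmarc: auth.dmarc || 'none',
    verdict,
  };
}

// The forged message as it would sit in the victim's mailbox after the receiving
// server (mx.example.org here) prepended its own trace and result headers.
const RECEIVED_SPOOF = [
  'Return-Path: <bounces@mailcannon.example.net>',
  'Authentication-Results: mx.example.org;',
  ' spf=fail smtp.mailfrom=mailcannon.example.net;',
  ' dkim=none;',
  ' dmarc=fail header.from=example.org',
  'Received: from mailcannon.example.net (203.0.113.9) by mx.example.org; Thu, 9 May 2019 10:00:00 +0000',
  forgeMessage({
    from: 'alice@example.org',          // the victim's own address, typed by the crook
    to: 'alice@example.org',
    subject: 'I have a video of you',
    body: 'Pay 0.2 BTC or I send it to everyone you know.',
  }),
].join('\r\n');
```

In a real mailbox the Authentication-Results line is visible under "show original" or the equivalent; a dmarc=fail, or no result at all, for the From: domain means the visible sender is unverified text, not evidence that your account or computer was used.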


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/R06eGhGOfZ0/

US minister invokes Maggie Thatcher, says she would have halted Huawei 5G rollout

Margaret Thatcher would not have let Huawei build Britain’s 5G networks, US Secretary of State Mike Pompeo claimed yesterday as British ministers suggested the rollout may be delayed for security reasons.

Pompeo was visiting Britain to deliver a bollocking over the government’s decision to continue allowing Huawei to build the edge, but not the core, equipment for future mobile phone networks.

His remarks invoking the late leader, one of the longest-serving prime ministers of the 20th century, used her political nickname of the Iron Lady.

“Ask yourself this. Would the Iron Lady be silent when China violates the sovereignty of nations through corruption and coercion? Would she have welcomed the Belt and Road initiative without demanding absolute transparency and the highest standards? Would she allow China to control the internet of the future?” Pompeo was reported as saying by political journalists.

Thatcher died in 2013 and never mentioned Huawei in Parliament. Her main concern with China was the smooth return of Hong Kong to Chinese political control when tea-sucking, opium-dealing Britain’s 99-year lease on the colony came to an end in 1997.

“Look, I know it’s a sensitive topic,” Pompeo continued, “but we have to talk about sensitive things as friends. As a matter of Chinese law, the Chinese government can rightfully demand access to data flowing through Huawei and ZTE systems. Why would anyone grant such power to a regime that has already grossly violated cyberspace?”

Separately, Minister of Fun* Jeremy Wright told Parliament there is “certainly the possibility of a delay in the process of the rollout of 5G”, asserting that rushing into a live commercial deployment would end up being done “without any consideration for security”.

“I don’t exclude the possibility that there will be some delay,” he repeated. “The primary intention of this process is to get the security of the network right.” ®

*The Culture Secretary, also known as the Secretary of State for Culture, Media and Sport.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/05/09/pompeo_invokes_thatcher_huawei_5g_security/

Fighting Back Against Tech-Savvy Fraudsters

Staying a step ahead requires moving beyond the security techniques of the past.

It seems that a new fraud scheme emerges every day. And with billions of compromised credentials in circulation, criminals have been mounting a high volume of fraud attacks on organizations across all industries.

The latest fraud scheme — known as credential stuffing — involves criminals who have access to advanced systems and technology using the stolen credentials to log in to online accounts. While credential stuffing has been around for a few years, the current iteration of the scheme is so advanced that criminals can make login requests appear to come from different IP addresses and different browsers. This helps bypass fraud prevention defenses that recognize multiple attempts from a single IP address.

But beyond the technological advances that criminals leverage, the challenge for most organizations is the tendency for people to reuse usernames and passwords across multiple sites. That means the credentials that were stolen may not have originated from the affected organization. And according to Experian’s “2019 Global Identity Fraud Report,” more than two in five consumers worldwide have already experienced a fraudulent event online at some point in their lives. To make matters worse, organizations still heavily rely on usernames and passwords as the primary security method — confirmed by the report, which showed passwords, PIN codes, and security questions remain the most widely used authentication methods by businesses.

While organizations can take steps to educate consumers on best practices for online security and passwords, there need to be more proactive measures to protect people’s accounts and information. If not, the risk of account takeover fraud could increase exponentially — especially given how many consumers use mobile devices to access online accounts. According to Javelin Strategy Research’s “2019 Identity Fraud Study,” in 2018, 17% of account takeover victims had their mobile phone account compromised, compared with 10% in 2017.

As increasing numbers of people use smartphones and tablets for financial transactions and email, organizations must explore heightened fraud prevention measures, such as advanced device intelligence. The use of device characteristics needs to be more sophisticated than the traditional collection of high-level attributes like browser type, operating system version, and IP address. These characteristics are often easy to spoof, enabling criminals to mask the origin of the login request.

Organizations tend to prioritize identifying devices that they’re familiar with, but it may be more important to authenticate the devices that they don’t recognize. We have the advanced data and technology to help businesses analyze and assess characteristics that go beyond the use of cookies to verify an individual’s identity, letting an organization more accurately isolate credential-stuffing attacks.

For example, if most credentials are being used from a specific geolocation — particularly one that has been used in previous attacks — it could indicate fraudulent behavior. But businesses can also analyze the velocity at which the information and the device are being used — criminals tend to reuse data and access multiple accounts from the same device at a high volume within a short period of time.
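The velocity check described above, as an added example that is not part of the original article or Experian’s product: a sliding window that counts how many distinct accounts one device fingerprint touches within a short period, and flags a fingerprint that exceeds a threshold. The log format, the fingerprint values and the IP addresses are constructed for the example. It also runs the same check keyed on source IP, to show why the article’s point about rotated IP addresses matters: the constructed attacker changes IP on almost every request and is invisible to a per-IP count, but is caught by the per-device count.

```python
"""Velocity-based credential-stuffing detection over constructed login events."""
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample log (not from the article). One event per line:
# <ISO-8601 timestamp> <device fingerprint> <source IP> <account> <result>
# fp-7c1e is a constructed attacker rotating IPs across many accounts;
# fp-2b9d is a constructed legitimate user retrying their own account.
SAMPLE_LOG = """\
2019-05-09T10:00:00Z fp-7c1e 203.0.113.10 alice@example.com FAIL
2019-05-09T10:00:03Z fp-7c1e 203.0.113.11 bob@example.com FAIL
2019-05-09T10:00:05Z fp-7c1e 198.51.100.7 carol@example.com FAIL
2019-05-09T10:00:08Z fp-7c1e 198.51.100.9 dave@example.com OK
2019-05-09T10:00:11Z fp-7c1e 192.0.2.44 erin@example.com FAIL
2019-05-09T10:00:14Z fp-7c1e 192.0.2.45 frank@example.com FAIL
2019-05-09T09:30:00Z fp-2b9d 203.0.113.50 grace@example.com OK
2019-05-09T09:31:10Z fp-2b9d 203.0.113.50 grace@example.com OK
2019-05-09T09:45:00Z fp-2b9d 203.0.113.50 grace@example.com FAIL
2019-05-09T09:45:20Z fp-2b9d 203.0.113.50 grace@example.com OK
"""


def parse_log(text):
    """Parse the constructed log into event dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, device, ip, account, result = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": when, "device": device, "ip": ip,
                       "account": account, "result": result})
    events.sort(key=lambda e: e["ts"])
    return events


def velocity_alerts(events, key, window_seconds=60, max_accounts=5):
    """Flag every value of `key` ("device" or "ip") that touches more than
    max_accounts distinct accounts inside any window_seconds-long window.
    Returns {key_value: {"first_seen": ts, "accounts": [...]}} for the
    first moment each key crossed the threshold."""
    recent = defaultdict(deque)  # key value -> deque of (ts, account) in window
    flagged = {}
    for e in events:
        k = e[key]
        q = recent[k]
        q.append((e["ts"], e["account"]))
        # Evict entries that fell out of the sliding window.
        while (e["ts"] - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        distinct = {acct for _, acct in q}
        if len(distinct) > max_accounts and k not in flagged:
            flagged[k] = {"first_seen": e["ts"], "accounts": sorted(distinct)}
    return flagged


def suspicious_successes(events, flagged_devices):
    """Accounts that were successfully logged into from a flagged device:
    the candidates for a forced password reset and customer notification."""
    hits = {e["account"] for e in events
            if e["device"] in flagged_devices and e["result"] == "OK"}
    return sorted(hits)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    by_device = velocity_alerts(evs, "device")
    by_ip = velocity_alerts(evs, "ip")
    print("flagged devices:", by_device)
    print("flagged IPs:", by_ip)
    print("accounts to reset:", suspicious_successes(evs, by_device))
```

Keying on a device fingerprint rather than an IP is the whole point: the per-IP pass returns nothing because every request arrives from a different address, while the per-device pass flags the fingerprint after its sixth distinct account in 14 seconds and surfaces the one successful login as an account to lock and notify. The threshold and window are tuning knobs; shared devices (a family tablet, a kiosk) will touch a few accounts legitimately, so in production the output feeds a risk score alongside the other signals the article lists rather than blocking outright.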

Device intelligence is only one component of a successful fraud prevention and identity management strategy. The combination of device identification technology with advanced analytics, such as biometrics, machine learning, digital tokenization, and document verification can help an organization uncover anomalies that may indicate fraudulent behavior. But more importantly, these advanced measures protect people’s information while requiring little effort on behalf of the consumer.

The earlier in the process that an organization can detect fraud, the more damage to a customer’s account and identity it can prevent. And that means a happy, loyal customer.

Criminals will always look to exploit weaknesses and vulnerabilities within an organization’s systems; however, technology and advanced analytics can help businesses counteract the threat. There is no silver bullet for fraud prevention, but there are multiple approaches that help businesses make the right fraud decisions and protect people’s identities.


Chris Ryan is a Senior Fraud Solutions Consultant at Experian. He delivers expertise that helps clients make the most from data, technology, and investigative resources to combat and mitigate fraud risks across the industries that Experian serves. Ryan provides clients with …

Article source: https://www.darkreading.com/endpoint/fighting-back-against-tech-savvy-fraudsters/a/d-id/1334558?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Sectigo Buys Icon Labs to Expand IoT Security Platform

End-to-end IoT security product aims to give manufacturers, systems integrators, and businesses a means to harden device security.

Sectigo, a major commercial certificate authority (CA) and Web security provider, today confirmed its acquisition of Internet of Things (IoT) security firm Icon Labs and the launch of its end-to-end IoT security platform.

Icon Labs offers cross-platform security tools for embedded OEMs and IoT device manufacturers. Its security modules can be used as point products to meet security standards or as a foundation for securing the device itself rather than depending on perimeter security.

Sectigo, formerly known as Comodo CA, wants to use Icon Labs’ capabilities to build out its IoT security platform. It currently provides scalable certificate issuance for connected IoT devices. As part of its expanded IoT platform, Sectigo will add specialized management capabilities so IoT vendors, service integrators, and consortiums can scale and manage device ecosystems.

Features built into the Sectigo IoT security platform include secure boot (which verifies the integrity of code and data before execution and before installing updates), an embedded firewall, TPM integration, secure remote updates and alerts, and an on-premises CA.

“With the addition of Icon Labs, Sectigo ensures overall system integrity by enabling complete visibility and control over each IoT device lifecycle and providing embedded technologies to further secure the integrity of the device, its identity, and its data,” said Jason Soroko, CTO of IoT for Sectigo, in a statement. Icon Labs will keep its brand as a subsidiary of Sectigo.

Terms of the deal were not disclosed.


Article source: https://www.darkreading.com/endpoint/sectigo-buys-icon-labs-to-expand-iot-security-platform/d/d-id/1334659?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple