Mobile apps are used in nearly 80% of attacks targeting mobile devices, followed by network and operating system attacks.
Cybercriminals targeting mobile devices most frequently use apps to break in, as seen in 79% of mobile-focused attacks in 2019 and 76% of those in 2020 so far, Pradeo Labs researchers found.
The data comes from its 2020 “Enterprise Mobile Threat Landscape” report, which says 10% of 50,000 Android devices host zero-day malware and 3,890 host known malware. In a company mobile fleet of 50,000 iOS devices, only 55 host a zero-day malware. Researchers warn against “leaky and intrusive applications” and emphasize how mobile apps can perform unwanted actions because of external libraries they host: 79% of mobile apps embed third-party libraries.
“Android devices tend to exfiltrate more data than iOS ones, but still, both overly process the data they are granted access to,” researchers say in the report. Both operating systems most often leak user files, contact information, location data, and audio or video recordings.
Network attacks have increased by 4% in the past year, researchers report, a trend driven by ongoing growth of man-in-the-middle attacks across North America and Asia. In the former, 15,605 devices connected to unsafe Wi-Fi hotspots; in the latter, 19,750 devices did the same. Four percent of devices in North America, and 9.28% in Asia, have faced a man-in-the-middle attempt.
Attacks targeting the operating system of mobile devices have slightly decreased; they now represent 8% of attacks. Researchers report 54% of Android devices run an outdated operating system, compared with 23% of iOS devices.
There is no one-size-fits-all strategy for security, but a robust plan and the implementation of new technologies will help you and your IT team sleep better.
With limited security budgets and overworked IT teams, small and midsize businesses (SMBs) are an obvious target for cyberattacks. As a business grows and its software systems scale, so do its vulnerabilities and attack surface. Nearly half of all cyberattacks target small businesses for this very reason, and 60% of those attacked go out of business within six months.
Most business leaders know their IT security systems are lacking, but overhauling and improving them is a daunting task, and many simply don’t know where to start. Here are five tips for SMBs to establish a security strategy and protect their assets.
1. Be honest in your assessment. The first step to addressing vulnerabilities is understanding them. A robust security assessment should encompass all IT systems and business processes, identifying the most vulnerable aspects to attack and the most critical assets for the business. Consider implementing security assessment software, which should not only identify vulnerabilities, but provide clear, concise benchmarks and offer recommendations to lower the risk of attack.
When weighing the options, effective security assessment tools should have the ability to identify the following:
External vulnerabilities that could allow malicious actors to gain access to the network
Flawed outbound protocols, which may leak sensitive data
Inadequate web browser controls
Wireless network vulnerabilities
Network sharing and user access permissions
2. Time is money: Automate patching to reduce risks quickly. Most recent cyberattacks have been caused by inadequate or delayed patching. Establishing and maintaining a patch management process is a key aspect of overall security, but with small, multifunction IT teams, often without dedicated security personnel, many small businesses struggle to manually patch vulnerabilities in a timely manner. Automated patching, on the other hand, is a cost-effective alternative to patching manually and greatly reduces the risk of prolonged patching processes, which allow hackers to take advantage of known vulnerabilities.
Kaseya’s 2019 State of IT Operations Survey data showed that automated software patch management is a key area for improvement in most SMBs. Only 42% of respondents automate or plan to automate patch management and, similarly, just 42% monitor third-party software and apply critical patches within 30 days. Given that big security breaches are frequently a result of failure to patch in a timely manner, automated patching stands as a significant area for improvement for more than half of respondents.
3. Strength in numbers: Make multifactor authentication (MFA) a priority. While it may seem comical, weak passwords — such as the painfully obvious “password” — are a major security risk and a leading cause of data breaches. WeWork, a shared workspace company, recently came under fire for using a “laughably weak” password in its national and international locations, which put thousands of customers and their sensitive data at risk. Old, weak passwords are ripe targets for brute-force attacks, where hackers use bots to systematically try to enter every possible password until they “guess” correctly.
MFA is a simple way to dramatically reduce the risk of unauthorized access by requiring an additional form of identification, typically in the form of a smartphone app or token, which is commonly known as two-factor authentication (2FA). Over 80% of data breaches in 2017 were caused by hacked passwords, many of which could have been prevented by simply installing an identity and access management solution with 2FA.
4. Be aware of threats from within. Insider threats are another common source of security breaches that can be difficult to detect and are typically unaffected by traditional antivirus and antimalware tools. While many insider threats involve malicious attacks, employee negligence is also a contributor. Because the actors already have access to the system, it’s critical for small businesses in particular to identify and respond to issues that may indicate an internal threat.
Specialized software is required to monitor and flag signs of insider threats, which include:
Suspicious, unnecessary, or unauthorized logins
Changes to user permissions or device access
New or unrecognized devices on restricted networks
New installations on locked or restricted systems
5. Back up your systems — all of your systems. Ransomware, which denies users access to their systems until a ransom is paid, is a favored tool for hackers seeking financial gain. While large companies, states, and even local city governments recently have fallen victim to ransomware, small entities make ideal targets because they’re less likely to have adequate security and backup systems in place, and more likely to fork over the money. Today’s distributed software architectures offer hackers a multitude of critical systems and data lakes that can be held for ransom, making a business continuity and disaster recovery solution a crucial aspect of any security strategy. Look for a solution that’s capable of securely backing up every system in the IT stack, from on-premises to cloud.
Evolved malware and hacker capabilities coupled with the sheer number of vulnerabilities and points of access make an entirely secure system next to impossible for giant corporations and small businesses alike. There is, unfortunately, no one-size-fits-all strategy for securing a small business, but a robust plan and the implementation of new technologies such as automation will help you and your IT team sleep better.
Mike Puglia brings over 20 years of technology, strategy, sales, and marketing experience to his role as Kaseya’s chief strategy officer. He is responsible for overall customer marketing, management, and development across Kaseya’s portfolio of solutions. Prior to joining …
Security pros need to impress upon the staff that high-profile hacks can and do happen during tax season. The most famous one – the Office of Personnel Management (OPM) hack – happened during the 2014 and 2015 tax seasons. Some 21.5 million people had their social security numbers and employment, health, and financial histories exposed.
In preparation for tax season, the IRS has posted its Identity Theft Central page, which serves as an excellent resource for individuals, tax professionals and businesses. The site offers step-by-step instructions on what to do if you receive a suspicious IRS-related email or phone call.
Read on for ways to help keep your company and staff secure during tax season.
Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md.
Nest owners, if you aren’t already flying with two-factor authentication (2FA) on your accounts, get ready for Google to push you into spreading those security wings.
On Tuesday – which, appropriately enough, was Safer Internet Day – Google announced that in the spring (or in the fall, for those in the Southern Hemisphere), it will start forcing users of its Nest webcams and other products to use 2FA to secure their accounts.
Nest users who haven’t yet enrolled in the 2FA option or migrated to a Google account will be required to take an extra step by verifying their identity via email, Google said in a blog post. When a new login hits your Nest account, you’ll get a login notification from [email protected] containing a six-digit verification code. Without that code, anybody trying to get into your account will be locked out.
That should help with, say, keeping creeps from talking to your baby through a Nest security cam, or trying to crank up your Nest thermostat to tropical levels, both of which have happened to people who say they weren’t aware that 2FA is an option.
Google:
This will greatly reduce the likelihood of an unauthorized person gaining access to your Nest account.
Google started sending out login notifications for Nest accounts in December 2019. Sometimes, simply being told that somebody’s logged into your account is all it takes to spot suspicious activity, Google said:
Every time someone on your account logs in you’ll receive an email notification. That way if it wasn’t you, you can take action immediately.
Credential-stuffing-b-gone
Earlier this year, Google also addressed the problem of automated attacks such as credential stuffing – a type of attack that’s on the rise. Between November 2017 and June 2018, internet content delivery company Akamai estimated that its customers fielded 30 billion credential-stuffing attempts.
As Akamai went on to report in April 2018, three of the largest credential stuffing attacks against streaming services in 2018 – ranging in size from 133 million to 200 million attempts – followed close on the heels of reported data breaches, indicating that hackers were likely testing stolen credentials before selling them.
Google said on Tuesday that Google accounts already come with protection against credential-stuffing, but earlier this year, it began applying an anti-stuffing-attack technology on Nest accounts that haven’t migrated to Google accounts. That technology – called reCAPTCHA Enterprise – sniffs out attacks from bots that scrape email addresses and content, post spam and try to brute-force stolen user credentials on a huge scale.
And, just like reCAPTCHA v3, reCAPTCHA Enterprise can tell the difference between bots and humans without forcing users to jump through hoops – no ticking of boxes, no tedious visual puzzles that force you to check all the boxes with a bus or crosswalk in them.
Google’s also been proactively checking lists of breached passwords when users supply a password for their Nest accounts, to see if the password has been exposed in credential breaches outside of Google – a tactic it had already been using for months on its browser via a Chrome extension. It’s one way to keep users from committing the all too common security sin of reusing passwords.
Google says it’s also proactively resetting accounts when it detects suspicious activity. It is also issuing automatic updates, disallowing default or easy-to-guess device passwords, and performing verified boot: a way to ensure that all executed code comes from a trusted source (usually device OEMs), rather than from an attacker or code corruption.
Best practices to secure Nest devices
Finally, Google provided this list of security best practices for your Nest products:
Migrating to a Google account gets you more security features, and it lets you integrate the products so you can issue “OK, Google” commands to your Nest devices, such as telling Google to turn up the heat.
Enable 2FA whenever possible.
If you have multiple people in your non-migrated Nest household who need access to your Nest devices, create a Family account so you don’t need to share your personal credentials with anyone. Remind them to sign up for 2FA, too.
Don’t reuse passwords. Ask people you’ve added to your devices to do the same.
Don’t try to memorize passwords. Instead, use a password manager, like the one offered in the Chrome browser. Password managers store your passwords securely, and some even generate complicated passwords for you. They’re certainly not perfect, as multiple glitches have made clear. Still, we recommend using them, given that whatever issues have turned up are still heavily outweighed by the known advantages of using one. At any rate, the issues get tidied up through updates.
Check on whether your passwords or accounts have been compromised using the new tool offered by Chrome; another great tool is haveibeenpwned.com.
Avoid clicking on suspicious-looking emails, and never provide personal information when senders hit you up for it.
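One way a breached-password check like those mentioned above can work without the password, or even its full hash, leaving the client. This is an added example, not Google's or Chrome's code: it follows the range-query format of haveibeenpwned.com's Pwned Passwords service (five-character SHA-1 prefix out, SUFFIX:COUNT lines back), and FakeRangeService, its corpus and its counts are constructed stand-ins so the block runs offline.

```python
import hashlib


def sha1_hex(password):
    """Upper-case hex SHA-1, the form used by the range-query format."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password):
    """Return (prefix, suffix): only the 5-char prefix is ever sent out."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Parse 'SUFFIX:COUNT' lines; silently skip anything malformed."""
    counts = {}
    for line in body.splitlines():
        suffix, _, count = line.strip().partition(":")
        if len(suffix) == 35 and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, fetch_range):
    """How many times the password appears in the breach corpus.

    fetch_range(prefix) -> response body. The suffix comparison happens
    locally, so the service cannot tell which password was checked.
    """
    prefix, suffix = split_for_range_query(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def password_decision(password, fetch_range):
    """Policy hook for a sign-up or password-change form."""
    return "reject" if breach_count(password, fetch_range) > 0 else "accept"


class FakeRangeService:
    """Constructed in-memory stand-in for the range endpoint (assumption)."""

    def __init__(self, corpus):
        self._by_prefix = {}
        for password, seen_count in corpus.items():
            digest = sha1_hex(password)
            line = "%s:%d" % (digest[5:], seen_count)
            self._by_prefix.setdefault(digest[:5], []).append(line)
        self.seen = []  # everything the "server" learned from clients

    def __call__(self, prefix):
        self.seen.append(prefix)
        return "\r\n".join(self._by_prefix.get(prefix, []))


if __name__ == "__main__":
    # Constructed corpus and counts, for illustration only.
    service = FakeRangeService({"password": 1000, "123456": 2000})
    for candidate in ("password", "a long unrelated passphrase 4821"):
        print(candidate, "->", password_decision(candidate, service))
    print("server saw only:", service.seen)
```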
Why do online swindlers rob people over the age of 60?
Because that’s where the money is.
According to the FBI’s 2019 Internet Crime Report, released on Tuesday by the bureau’s Internet Crime Complaint Center (IC3), the total amount of money clawed out of victims through a smorgasbord of cybercrime types just keeps climbing, with 2019 bringing both the highest number of complaints and the highest dollar losses reported since the center was established in May 2000.
Those of us with gray hair tend to have the most money, and thus we have the dubious honor of being the most targeted and of having the biggest holes torn in our pockets. There were 68,013 people over the age of 60 who reported being victimized last year, and their total reported loss was $835,164,766.
The number steadily increases with age after the age of 20, but the younger amongst us – under 20 – are right up there when it comes to how much money they lose. Though only 10,724 victims under the age of 20 reported cybercrime in 2019, they reported stiff losses, at a total of $421,169,232.
More specifics from one of the report’s charts:
In all, the IC3 received 467,361 complaints last year – an average of nearly 1,300 every day, at a total swindle tally of more than $3.5 billion. Phishing and similar ploys were the most frequently reported complaints, along with non-payment/non-delivery scams and extortion.
But while crooks preyed on both individuals and businesses, businesses proved to be their most profitable targets, along with people who fell for romance or confidence scams. Spoofing was also how much of the money was made to disappear: used in business email compromise (BEC), spoofing is when crooks pose as known people or vendors in order to get personal or financial information out of their targets.
An ever-growing money-making racket
BEC has been a big money-maker for criminals for quite a while, and BEC scammers just keep getting more and more sophisticated at it. This is the second year in a row that the FBI cited increasing skill with these scams, which typically involve legitimate business email accounts that have been compromised, be it through social engineering or computer intrusion, to initiate unauthorized transfers.
Donna Gregory, the chief of IC3, said that the center didn’t see an uptick in new types of fraud last year, but it did see new tactics and techniques to carry out existing scams like BEC, which is also referred to as Email Account Compromise (EAC).
Criminals are getting so sophisticated. It is getting harder and harder for victims to spot the red flags and tell real from fake.
Specifically, spoofers aren’t just using email as a point of attack anymore, though that attack vector is still common. One example: in September 2019, we heard about scammers who used a deepfake of a CEO’s voice to talk an underling into a $243,000 transfer.
BEC can happen to any company, regardless of how hip to the inner workings of cybercrime they are. Even Facebook and Google have been fooled by these kinds of scammers.
BEC/EAC scam isn’t the most reported crime (that would be Phishing/Vishing/Smishing/Pharming), but it’s definitely the most profitable, accounting for nearly $1.78 billion of the total lost to cybercrime last year.
Last year, the IC3 saw BEC scammers increasingly focusing on diverting payroll funds. The crooks target a company’s human resources or payroll department, sending an email spoofed to look like it was sent from an employee requesting to update their direct deposit information for the current pay period, thus causing employees’ checks to get diverted into accounts that the swindlers control.
We saw a trio of alleged robbers in Australia get busted for this kind of fraud last week: they were charged with identity theft that netted AU$11 million (US$7.41m, £5.73m) – ill-gotten loot they allegedly ripped off by hacking into businesses and modifying their payrolls, pension payments (known as superannuation in Australia) and credit card details.
Phishing/Vishing/Smishing/Pharming
As far as the most commonly reported type of cybercrimes go, the IC3 notes that they’re seeing swindlers do it by texting – a crime called smishing – or via fake websites, a tactic called pharming.
Here’s Gregory again:
You may get a text message that appears to be your bank asking you to verify information on your account. Or you may even search a service online and inadvertently end up on a fraudulent site that gathers your bank or credit card information.
In order to protect ourselves, we’ve got to be “extremely skeptical” and “double-check everything,” the IC3 advises. That means independently verifying everything as if we were walking, talking authentication fobs – those gadgets used in two-factor authentication (2FA).
Gregory:
In the same way your bank and online accounts have started to require two-factor authentication, apply that to your life. Verify requests in person or by phone, double-check web and email addresses, and don’t follow the links provided in any messages.
Don’t suffer in silence – REPORT IT!
A few years ago, a report came out that detailed how elders, in spite of being the ones who suffer most often in these crimes, are often too embarrassed to speak up about it. Such underreporting is unfortunate. When the FBI gets a timely report, it can sometimes stop fraudulent transactions before the money is gone for good.
That’s what the FBI’s Recovery Asset Team (RAT) is all about: streamlining communication with financial institutions and FBI field offices. Last year, the RAT managed to recover more than $300 million for victims.
Gregory said that victims can help by giving as much detail as possible when they report crimes to the IC3: email addresses, account information given to them by the crooks, the phone numbers that the scammers called from, and anything else that might help.
The more information IC3 can gather, the more it helps combat the criminals.
Tech-support fakers
People over 60 are the ones targeted most frequently in some scams. One such is the tech-support scumbaggery of spooking older people by shoving scary “Your computer has a virus, call us!!!!” pop-ups in their faces and then fleecing them for services they didn’t need and never got.
In 2019, the IC3 received 13,633 complaints of tech support fraud, coming from victims in 48 countries who lost a total of more than $54 million. In spite of efforts from the tech companies to stop criminals from pretending to be legitimate support staff – Microsoft, for one, is devoted to battling these logo-absconding name ripper-offers – the IC3 says that the scams increased 40% in 2019 compared with the previous year. The majority of victims were over 60 years old.
Please do report any and all of these crimes, the IC3 asks, be they tech-support, EAC or phishing, so investigators can figure out how the scams work and how to stop them. Matt Gorham, assistant director of the FBI’s Cyber Division:
Information reported to the IC3 plays a vital role in the FBI’s ability to understand our cyber adversaries and their motives, which, in turn, helps us to impose risks and consequences on those who break our laws and threaten our national security. It is through these efforts we hope to build a safer and more secure cyber landscape.
Weeks after the world first got wind of it, Microsoft has finally patched the Internet Explorer (IE) zero-day flaw the company said in January was being used in “limited targeted attacks”.
The fix is part of the February Patch Tuesday update that features a record 99 security vulnerabilities including 12 marked as ‘critical’ and 87 ‘important’.
The first indication of the IE zero-day, now identified as CVE-2020-0674, appeared when Mozilla fixed a very similar issue in Firefox on 8 January, less than two days after the appearance of version 72.
The attacks were reported to Mozilla by a third party which, in a later deleted reference, mentioned that the same issue also affected IE. On 17 January, Microsoft issued its own alert regarding the Scripting Engine memory corruption flaw, citing IE’s Enhanced Security Configuration protection as mitigation against attacks.
This matters because IE code is buried inside Windows 10, which means it presents a risk even to those not using it. In the last year, IE has had other similar troubles, including CVE-2019-1367, a zero-day in September, and a proof-of-concept vulnerability reported in April.
Another running theme in recent times has been Microsoft fixing the holes that keep appearing in its Remote Desktop Protocol (RDP) client, which has become one of the first doors cybercriminals try when trying to get inside a network.
Sure enough, this month brings CVE-2020-0734 and CVE-2020-0681, both critical flaws which could be exploited in a number of ways, including convincing users to connect to servers under an attacker’s control. A third, CVE-2020-0660, is a denial-of-service flaw marked important, while the fourth, CVE-2020-0655, affects the Remote Desktop Service.
February also sees another critical .LNK shortcut flaw fixed, CVE-2020-0729. Microsoft says:
The attacker could present to the user a removable drive, or remote share, that contains a malicious .LNK file and an associated malicious binary. When the user opens this drive (or remote share) in Windows Explorer, or any other application that parses the .LNK file, the malicious binary will execute code of the attacker’s choice, on the target system.
This basic flaw covers the same ground as CVE-2019-1280 from last September, not to mention the Stuxnet malware’s exploitation of CVE-2010-2568 in 2010.
Another critical is CVE-2020-0738 – a memory corruption flaw in Windows Media Foundation, while CVE-2020-0689, marked important, could offer attackers a way around Microsoft Secure Boot.
Flash!
Adobe’s February update features 42 CVEs, including 21 criticals in FrameMaker alone. Acrobat and Reader, meanwhile, feature 17, including 12 rated critical. There’s even one critical fix, CVE-2020-3757, for Flash Player.
A trio of boffins at Singapore University this week disclosed 12 security vulnerabilities affecting the Bluetooth Low Energy (BLE) SDKs offered by seven system-on-a-chip (SoC) vendors.
The flaws, collectively dubbed SWEYNTOOTH (because every bug has to have its own name these days), allow a suitably skilled attacker to crash or deadlock BLE devices, or to bypass pairing security to gain arbitrary read and write access to device functions.
The bug branding epithet comes from Sweyn Forkbeard, the son of King Harald “Bluetooth” Gormsson, the namesake of the wireless specification.
“SWEYNTOOTH potentially affects IoT products in appliances such as smart-homes, wearables and environmental tracking or sensing,” explain Matheus E. Garbelini, Sudipta Chattopadhyay, and Chundong Wang, in a research paper [PDF] describing the BLE bugs. “We have also identified several medical and logistics products that could be affected.”
The SDKs at issue come from Texas Instruments, NXP, Cypress, Dialog Semiconductors, Microchip, STMicroelectronics and Telink Semiconductor; they support BLE versions 4.1, 4.2, 5.0, and 5.1.
The researchers say they followed responsible disclosure practices by notifying as many affected vendors as they could and patches have been made available in some cases. About 480 products use the affected SoCs though not all are necessarily affected.
Devices verified to be vulnerable include the Fitbit Inspire smartwatch, the Eve Energy smart plug, the August Smart Lock, the eGee Touch TSA Lock, and the CubiTag item tracking tag.
There’s PoC code and a video demonstrating how an attack might work:
Garbelini, Chattopadhyay, and Wang voiced concern about the potential impact on medical products.
“VivaCheck Laboratories, which manufactures blood glucose meters, has many products listed to use [Dialog’s] DA14580,” they say in their paper, “Hence all these products are potentially vulnerable to the Truncated L2CAP attack. Even worse, Syqe Medical Ltd. and their programmable drug delivery inhalation platform (Syqe Inhaler v01) is affected alongside the latest pacemaker related products from Medtronic Inc.”
The boffins say that they’re aware of additional bugs that they’re not yet ready to make public. However, not all of the publicly disclosed flaws have been fixed, since vendors haven’t moved in time for the disclosure deadline.
“We urge action from vendors due to the reliance of the BLE IoT market on such unpatched SoCs,” the researchers say in their paper. “For example, August Home Inc and Eve Systems products rely almost entirely on DA14680, which is still unpatched even after a responsive disclosure period of more than 90 days.”
The Dialog DA1469X, DA14585/6, and DA14580, the Microchip ATSAMB11, and the STMicroelectronics WB55 and BlueNRG-2 are also unpatched.
The implications of chaos form the basis of a new approach to encryption that promises quantum-proof perfect secrecy. But first, your current crypto needs some tidying up.
The specter of quantum-powered cyberattacks that can break even the most powerful encryption algorithms looms ever-larger and ever-darker. Chances are, nation-state attackers will be equipped with quantum computing long before the average enterprise has rolled it out. Future-thinking organizations wonder what to do now to defend themselves from that inevitability.
Order
First step: Maintain order.
As JD Kilgallin, KeyFactor’s senior integration engineer, recently wrote for Dark Reading, threats posed by quantum computing will demand that organizations can react quickly.
“At the very least, this requires knowing where your digital certificates are, what cryptographic algorithms their keys are using and what quantum computing means for them, and what systems need to trust those certificates and might experience an outage if the certificate and its chain suddenly change,” he wrote. “It also requires the ability to quickly coordinate changes between entity certificates and the trust anchors of other endpoints that rely on those certificates. Administrators should keep a careful inventory of these keys and certificates and employ automated techniques to securely deploy updates en masse.”
Companies like Thales, Fortanix, ManageEngine, HashiCorp, and IBM Security all have tools to aid with encryption key management. Further, cloud providers supply key management capabilities; for example, AWS Key Management Service, Microsoft Azure Key Vault, and Google Cloud Key Management Service.
Chaos
Chaos, however, might also play a role in fighting quantum-powered attacks.
Researchers recently published a technique for encryption that promises to go beyond perfect secrecy to encryption that is unbreakable, even if quantum computing is brought into the picture. The technique, which takes advantage of chaos and the second law of thermodynamics mixed with the speed of optical chips, doesn’t require quantum power to achieve quantum-proof results. Less-powerful or traditional-architecture devices could therefore, theoretically, protect their secure communications from attacks launched by quantum computers.
A. Di Falco, V. Mazzone, A. Cruz, and A. Fratalocchi, the inventors of the technique and authors of a paper in Nature describing their findings, use correlated chaotic wavelengths as the basis of both the encryption key and the technique for not transmitting it between the two participants in the communication.
Beyond Perfection
In the context of encryption, “perfect secrecy” is a description of a scheme, not a qualitative judgment. Invented back when the telegraph was the fastest form of communication, the Vernam cipher encrypts a message with a key that has three qualities:
The key is as long as the message encrypted
The key is never reused in whole or in part
The key is kept secret.
Claude Shannon proved mathematically that a properly implemented Vernam cipher is, in fact, unbreakable. So why aren’t we all using this “perfect” method?
The Vernam cipher isn’t widely used because the key, of whatever length, still has to be shared. And anything that must be transmitted can be captured and used. That is the vulnerability addressed in the new technique.
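The three key qualities above, enforced in a small Vernam implementation. This is an added example, not code from the paper or the researchers; the class and function names and the sample messages are constructed for illustration. It also shows the two sides of Shannon's result: every same-length plaintext is explained by some key, and a reused key cancels out of two ciphertexts.

```python
import hashlib
import secrets


class KeyReuseError(ValueError):
    """The same pad was offered for a second message."""


def xor_bytes(a, b):
    if len(a) != len(b):
        raise ValueError("operands must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def new_key(length):
    # Quality 3 (kept secret): unpredictable bytes from the OS CSPRNG.
    return secrets.token_bytes(length)


class VernamSender:
    """One-time-pad encryptor that refuses keys breaking the rules."""

    def __init__(self):
        self._spent = set()  # SHA-256 fingerprints of pads already used

    def encrypt(self, plaintext, key):
        # Quality 1: the key is exactly as long as the message.
        if len(key) != len(plaintext):
            raise ValueError("key must be as long as the message")
        # Quality 2: never reused. Only whole-pad reuse is caught here;
        # catching partial reuse would need offset tracking into a pad.
        fingerprint = hashlib.sha256(key).digest()
        if fingerprint in self._spent:
            raise KeyReuseError("pad already used; generate a new one")
        self._spent.add(fingerprint)
        return xor_bytes(plaintext, key)


def decrypt(ciphertext, key):
    return xor_bytes(ciphertext, key)


def key_explaining(ciphertext, candidate):
    """Key under which `ciphertext` decrypts to `candidate`.

    One exists for every same-length candidate, so the ciphertext alone
    favours no plaintext over another: that is perfect secrecy.
    """
    return xor_bytes(ciphertext, candidate)


def reuse_leak(c1, c2):
    """XOR of two ciphertexts made with one pad: the key cancels out,
    leaving p1 XOR p2, which depends on the messages only."""
    return xor_bytes(c1, c2)


def demo():
    p1 = b"WIRE 9000 TO ACCT 17"  # constructed sample messages
    p2 = b"HOLD ALL TRANSFERS!!"
    sender = VernamSender()
    key = new_key(len(p1))
    c1 = sender.encrypt(p1, key)
    try:
        sender.encrypt(p2, key)
        reuse_blocked = False
    except KeyReuseError:
        reuse_blocked = True
    # What an implementation without the reuse check would have emitted.
    c2_unchecked = xor_bytes(p2, key)
    return {
        "round_trip": decrypt(c1, key) == p1,
        "reuse_blocked": reuse_blocked,
        "other_plaintext_fits": decrypt(c1, key_explaining(c1, p2)) == p2,
        "reuse_leaks_p1_xor_p2": reuse_leak(c1, c2_unchecked) == xor_bytes(p1, p2),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```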
Shared Chaos
So how do the two ends of an encrypted communication come up with the same key if one doesn’t create the key and share it with the other? Here’s where it gets a bit complicated (OK, the math is a lot complicated), but Cruz and Quelita Moreno of CUP Sciences walked Dark Reading through the process several times.
The sender and receiver of the encrypted message will communicate frequently, each time communicating a light pulse that will be unique in amplitude, frequency, and a variety of other qualities. Now, the pulses sent between the systems are never the same; in fact, physics tells us that, with randomization of the start conditions for the pulse, it would be impossible for them to be the same. Those differences are critical for the scheme to work.
Since the key is based on the difference in randomly generated light pulses, the second requirement for perfect secrecy is met. And because the key is never transmitted between the two ends of the conversation, the third quality required for perfect secrecy is satisfied.
From Theory to Practice
The researchers who developed the technique present mathematical proof that the encryption is resistant to both time-domain and spectral attacks. More attack resistance comes in the physical implementation of the encryption chip, which turns a fingerprint into a random number seed through a process involving, among many other things, reflective nanodisks, chaotic billiards, and a fully chaotic fingerprint resonator.
Researchers are engaging in exercises such as this because of the certainty among many in the cryptography community that the advent of widely available quantum computing marks the end of all currently useful encryption. At this time, the researchers who developed this technique are in the early stages of working with chip manufacturers to bring the chip to production and distribution.
Other Possibilities
The NSA has begun exploring “quantum-resistant” and “quantum-proof” encryption algorithms, and NIST is running a contest to solicit the best post-quantum cryptographic algorithms. Nevertheless, in a recent interview with NextGov, Dr. Deborah Frincke, director of the NSA’s research branch, warned against rushing into new “quantum-resistant” or “quantum-proof” algorithms too quickly, lest organizations open themselves up to even more vulnerabilities.
Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …
BEC attacks comprised nearly half of cybercrime losses last year, which totaled $3.5 billion overall as Internet-enabled crimes ramped up.
Business email compromise (BEC) attacks cost organizations an estimated $1.77 billion in losses in 2019, reports the FBI, which received a total of 23,775 complaints related to this threat.
The FBI’s Internet Crime Complaint Center (IC3) this week released its “2019 Internet Crime Report,” which digs into cybercrime trends throughout the year. In 2019 the IC3 received 467,361 complaints, which cost organizations $3.5 billion overall – up from $2.7 billion in 2018.
The most frequently reported complaints relate to phishing and similar attacks, non-payment/non-delivery scams, and extortion, officials say. But the most expensive complaints are related to BEC, romance or confidence fraud, or copying the account of a person or vendor to collect personal or financial data about a victim familiar with them, according to the report.
BEC attacks, also known as email account compromise (EAC), are constantly evolving as adversaries become more sophisticated. Back in 2013, scams often started with the spoofing of a CEO’s or CFO’s email account. Fraudsters sent emails appearing to come from these execs to convince employees to send wire transfers to fake accounts.
Since then, BEC has evolved to include the compromise of personal and vendor emails, spoofed lawyer email accounts, and requests for W-2 data. Attackers often target the real-estate sector and/or make requests for expensive gift cards. In 2019 IC3 saw an increase in BEC complaints related to the diversion of payroll sums: Attackers send a fake email to a human resources or payroll department requesting an update to a specific employee’s direct deposit information.
Gift card attacks are especially popular toward year’s end. In the fourth quarter of 2019, they made up 62% of all BEC attacks, Agari researchers point out in their Q1 2020 “Email Fraud and Identity Deception Trends” report, published today. The weeks leading up to the holidays are prime for gift card fraud because attackers can target any department, not just HR or payroll. In the last three months of 2019, gift cards requested in BEC scams averaged more than $1,600, according to Agari.
“The attackers are looking for new sources of revenue from people,” says Erich Kron, security awareness analyst at KnowBe4. “For example, instead of just going after wire transfers, something that people are becoming aware of, they have changed to redirecting paychecks to different accounts or getting people to purchase a large number of gift cards, then having them send the card numbers and information under the guise of an executive rewarding employees or thanking vendors.”
Kron also points to a rise in hybrid attacks in which a victim receives an email making a request and simultaneously receives a text message from a spoofed number designed to seem like the same person, saying they sent an email. It’s a highly targeted but effective technique, he says, and it’s less commonly known than wire transfers. Victims trust the second request source.
Agari also noticed a rise in impersonation attacks. Phishing and BEC attacks impersonating specific people reached 32% between October and December 2019, up from 12% in the second quarter. Now these threats are around the same level as brand impersonation (36%).
Other Forms of Cybercrime to Watch
The IC3 reports cases of “elder fraud,” or financial schemes that target or disproportionately affect people over 60, are increasingly common. They may be the victims of investment fraud, romance scams, tech support scams, or government impersonation fraud. In 2019 the IC3 received 68,013 complaints from elderly victims, with adjusted losses exceeding $835 million.
Tech support scams, in which a criminal poses as a technical pro to defraud victims, are a growing problem on their own. The IC3 received 13,633 complaints related to tech support fraud in 2019 from victims across 48 countries, with losses amounting to more than $54 million.
Then there is ransomware, another type of cyberattack undergoing evolution as attackers grow increasingly sophisticated. In 2019 the IC3 received 2,047 complaints identified as ransomware, with adjusted losses of more than $8.9 million. It urges victims to not pay ransom to attackers.
A variety of new techniques are helping attackers bypass security tools and launch successful ransomware campaigns, says Tal Zamir, founder and CTO at Hysolate. They target non-email applications like Slack, WhatsApp, and Teams, as well as existing vulnerabilities in antivirus products. Attackers are also known to build fileless malware designed to slip past endpoint security agents. User devices have a huge code base for attackers to target, including the operating system code and middleware.
“Losses will continue to increase as ransomware becomes more sophisticated and can cause greater harm,” says Zamir. “If in the past ransomware was limited to encrypting local files and demanding a ransom for decrypting, next-generation ransomware might automatically leak some of the data to show the potential damage or even go further and encrypt or leak data in cloud systems that aren’t available locally on the endpoint.”
Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …
The software security maker is suspected of selling data about more than 100 million users to companies including Google, Microsoft, and Home Depot.
The Czech Office for Personal Data Protection is investigating the actions of Prague-based Avast in collecting and selling personal information of those using its security products. Avast is accused of selling the browser history, online map searches, and YouTube viewing habits, among other data, of more than 100 million users to companies including Google, Microsoft, and Home Depot.
In January, Motherboard and PCMag released the results of a joint investigation that found details of the data sales through “Jumpshot,” a division that Avast has since closed. In a statement, Avast said it is cooperating with the government’s request.