STE WILLIAMS

Report Shows Ransomware is the New Normal

A new report on malware says that the majority of companies globally have been victims of ransomware in the last 12 months.

A new report says that ransomware attacks are the new normal for IT and for the most part, attacks are coming from criminals in the same country as the victim. There are many more numbers to chew on in the report, but the sheer enormity of the problem may be the most surprising result.

SentinelOne’s new Global Ransomware Report 2018 found that ransomware is now something that more than half (56%) of companies have faced in the past two months. That’s up from 48% who said the same thing in the firm’s 2017 report.

And when it comes to being a ransomware victim, how you respond matters:  45% of US companies hit with a ransomware attack last year paid at least one ransom, but only 26% of these companies had their files unlocked. Companies paying the ransom were attacked again 73% of the time. 

Almost every company reporting an attack (97%) said that they had backups for the files affected by the ransomware, and 51% said backups and the ability to self-recover were their reason for not paying the ransom.

For more read here.



Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/risk/report-shows-ransomware-is-the-new-normal/d/d-id/1331382?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

UVA Defeats UMBC, in Stunning Upset

In first trip to Mid-Atlantic Collegiate Cyber Defense Competition, University of Virginia’s Cyber Defense Team defeats reigning national champs from University of Maryland, Baltimore County.

Will it go down as the greatest upset in Mid-Atlantic Collegiate Cyber Defense Competition history? As newcomers to the competition, the University of Virginia’s Cyber Defense Team were surely not the favorites to defeat reigning national champions University of Maryland Baltimore County – but in their first competition, UVA took home the victory.

The win may have been particularly sweet because UMBC had crushed UVA in a historic 74-54 rout one day earlier in the first round of the men’s NCAA basketball tournament – the first time ever that a No. 16 defeated a No. 1 seed.

UVA also took down six other teams in the regional event, presented by Raytheon and the National Science Foundation’s National Cyberwatch Center, and therefore progresses to the national competition.   

Most importantly, these young computer scientists were awarded for a skillset most needed, but less frequently lauded with oohs and aahs from a crowd: blue teaming. 

Each competitor played as a blue team for an online news site and had to protect their entire network from a red team made of industry professionals. The competition official served as company CEO, demanding status updates from the captain of each blue team. 

“We had a pretty solid game plan,” team captain Mariah Kenny told UVAToday. “We split into different groups. We had a Windows group, a firewall group, a Linux group, and so on.” 

“In order to win, we had to show we could maintain business continuity while defending against professional hackers,” Kenny told UVAToday. “…Unlike other teams, we didn’t focus too much in one category, because they all mattered. We focused on all of them. And we were in constant communication.”

In addition to the standard tactics of trying to shut down their systems, the red team tried to shake the first-timers’ confidence – hacking the competition hall security cameras and sending the UVA team photos of themselves. They tried trash-talking, defacing the company website with messages that the CEO was a moron who was “driving the entire company into the ground.”

Teams were rated on a variety of factors related to their skill at identifying malware, reporting to their CEO, and most of all, keeping their business running, with all critical services and customer access available. 

Congratulations to UVA on the win. While the Capture the Flag contests may reward the slam dunks and buzzer beaters of the security world, we applaud those who supply help defense and good spacing, who box out, and hustle for loose balls.     

For more information, see here. 


Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad …

Article source: https://www.darkreading.com/careers-and-people/uva-defeats-umbc-in-stunning-upset/a/d-id/1331379?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Of course Facebook logs calls and texts – people gave it permission

It’s been less than two weeks since the dramatic news emerged that Facebook had allowed a company called Cambridge Analytica to commercially data mine the profiles of 50 million Facebook users.

As the days progressed, talk of deleting Facebook accounts grew. (You can see how to do this here.)

Before a user deletes their account, they have the option to download all the data that Facebook has on them.

One who took that route was a user from Houston, Texas called Mat Johnson, who later tweeted an unexpected discovery about his archive:

First, the invisible tracking of internet visitors, then dubious data mining, and now phone calls and texts being collected, something (judging by the Twitter reaction), not many Facebook users realised the company would have any reason to do.

Just another behaviour that fits a suspicious pattern.

But is it?

Facebook responded to point out that logging call and text data is something people “expressly agree to” for their own convenience when they download the Facebook app on Android:

Call and text history logging is part of an opt-in feature for people using Messenger or Facebook Lite on Android.

Users can opt out but doing so would reduce the ability of Facebook Messenger or Facebook Lite on Android to connect to friends using the app or recommend new ones on the service, the company said.

Facebook users on Android could turn this setting off with the result that shared call and text history would be deleted. Furthermore:

We never sell this data, and this feature does not collect the content of your text messages or calls.

In defence of Facebook this seems reasonable, although it’s interesting that Apple’s iOS doesn’t allow access to this kind of data on an ongoing basis.

Perhaps Facebook has simply become tangled in a development sequence of its own making: it has been suggested that granting the app permission to read contacts before Android 4.1 (i.e. before mid-2012) would have allowed logging to continue ever since without anyone realising it.

With people getting more and more worried about what happens to their personal data on Facebook, it’s clear that many have started objecting to permissions that they once barely thought twice about granting.

Of course, Facebook is not the only company whose business model involves watching what its users do, where they go, what they buy and who they know. Many other companies do it, as do a growing number of governments, ostensibly on our behalf.

To borrow the over-used fable, when you boil a frog you don’t tell it you plan to raise the water temperature. And yet there is fundamentally nothing stopping the frog from jumping out before it’s too late.

Anyone who wants to adjust their Facebook settings, or even leave the service, will want to read our guide.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/ZdcCmXjCUFk/

3 of Facebook’s dumbest hoaxes

What’s Facebook for?

Thanks to Cambridge Analytica, it’s a question on a lot of people’s minds right now, minds that have fingers hovering tentatively over “delete” buttons.

It’s been bugging me since the middle of the last decade, when everyone was suddenly very excited about a new website that gobbled up your entire life and shared it with just your friends.

It seemed like a terrible idea.

The proposition was this: everything would be fine… so long as your friends never did anything stupid with your data and you never fell out with any of them, so long as Facebook never shared your data with anyone, never changed its mind about what it wanted to do with your data, was never hacked, never got into financial trouble and was never purchased by another company.

I couldn’t wait to not open an account so I rushed out and didn’t (didn’t fail to not open one, that is).

Mercifully, after people joined Facebook they stopped talking about it so much (or anything else… too busy… sorry… what did you say? Sorry, I’m checking Facebook).

Still, they did seem to be mostly having a nice time making their lives appear more enriching than they actually were while worrying about just how much more enriching everyone else’s life looked.

When that wasn’t exciting enough they harvested wheat, read made up news stories or handed over wads of personal data in the name of discovering which Disney princess they were.

Mark Zuckerberg even helped his users to stave off platform fatigue by periodically turning off everyone’s privacy settings without asking.

As the membership grew it became clear that Facebook was an amazing platform for collaborating on, sharing and spreading ideas. But some of those ideas were really, truly, bafflingly bad.

Facebook, then, is the world’s biggest petri dish for culturing hare-brained hoaxes.

Proving that the so-called wisdom of crowds has its limits, here are three Facebook hoaxes that are dumb with a capital “um?”

Talking Rubbish

Talking Angela is the eponymous feline star of her own smartphone app.

To your kids, she’s a cat with a big face that sits very still and asks a fairly limited range of questions.

To the guardians of Facebook she’s a vile temptress whose dark secret is hiding in plain sight. Literally in her sight, that is…

Did you see it?

In her eyes?

Google Play reviewer Yianni Vasilounis can help if you didn’t:

Talking Angela review from the Google Play Store

DO NOT DOWNLOAD THIS APP I AM WARNING YOU DO NOT DOWNLOAD THIS APP. IT IS TOTALY DANGEROUS AND DONT LISTEN TO WHAT THE MAKERS OF THE APP TELL YOU… IF U ZOOM IN HER EYES U WILL SEE A ROOM WITH A GUY IN IT, AND IT TAKES RANDOM PICTURES…. IF U WISH TO DOWNLOAD MAKE SURE U COVER UR CAMERA WITH UR FINGERS

They say the eyes are the window to the soul but in Talking Angela’s case they’re just a window – one that’s got a tiny weeny man behind them (all of them that is, on every copy of the app), taking your picture.

Had the man snuck Tron-like into the very bits and bytes of the Talking Angela app and replicated himself across every copy of it? Were there millions of separate tiny people? There were no answers, just lots of FURIOUS, SPITTLE-FLECKED CAPITAL LETTERS.

Put down the Giraffe, it’s loaded

We’ve all had it: that urge you get when you’re just sitting at work or at home with the laptop open, when there’s nobody else there – the itch that can only be scratched by changing your Facebook profile picture to a giraffe.

Am I right?

No, of course not.

Which is why it’s truly bizarre that the warning “don’t change your profile picture to a giraffe” ever gained any traction. But traction it got, somehow. Thanks Facebook.

The tortured logic ran something like this:

  1. Facebook users are challenging friends to solve a riddle. Losers have to display their failure to solve the riddle by changing their profile picture to a giraffe.
  2. Crooks have milked this by flooding the internet with pictures of giraffes that are poisoned with malware.
  3. If you accidentally choose one of these pictures then you set off the crooks’ booby trap and lose your username and password.

Who knows how many pictures of these majestic animals we were all deprived of seeing on the vast savannah of Facebook profile pics.

Facebook ends 15 March

The Cambridge Analytica crisis has Zuckerberg reeling, with some calling it the beginning of the end for Facebook.

Sorry folks, you’re seven years too late – Facebook’s ending on 15 March 2011, don’t ya know.

Long ago, before the terms “fake” and “news” had formed their all-conquering super group and were still enjoying their modest solo careers, an online news outlet called Weekly World News proclaimed the end of The Social Network.

Facebook will end on March 15th! Weekly World News story

Like all good hoaxes, it came with a made up quote from Somebody Important:

“After March 15th the whole website shuts down,” said Avrat Humarthi, Vice President of Technical Affairs at Facebook. “So if you ever want to see your pictures again, I recommend you take them off the internet. You won’t be able to get them back once Facebook goes out of business.”

They were, sadly, quite wrong.

The story was snuggled up next to a big fat clue that it was probably not true: the slightly less devastating news that 2011 would also see aliens attacking the Earth.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Lky5WJgpzMg/

Cobalt/Carbanak bank malware gang’s alleged leader arrested

Police have arrested the alleged mastermind behind the Carbanak gang: a group of cybercrooks that’s targeted banks since late 2013, phishing their way into networks, infecting servers and gaining control of automated teller machines (ATMs) that they’ve caused to spew cash to waiting money mules.

According to Europol, the alleged crime boss, whom it didn’t name, was arrested in Alicante, Spain, following a joint investigation by the Spanish National Police, with the support of Europol, the US FBI, the Romanian, Belarusian and Taiwanese authorities and private cybersecurity companies.

Since 2013, the gang has gone after banks, e-payment systems and financial institutions using their malware, which is known as Carbanak and Cobalt. They’ve hit banks in more than 40 countries: attacks that have resulted in cumulative losses of over €1 billion (USD $1.24 billion).

Europol said in an announcement on Monday that just the Cobalt malware alone allowed the crooks to steal up to €10 million per heist.

A spokesman for the European Banking Federation (EBF) noted in a conversation with Fortune that the gang’s sophisticated Cobalt malware campaign only began in 2016, making it “fair to say” that the total amount stolen must be significantly above €1 billion at this point.

The gang’s malware evolution started with the launch of the Anunak malware campaign.

As security journalist Brian Krebs noted when, in December 2014, he wrote up the gang’s technique of hacking ATMs from within the banks themselves, the hackers didn’t go after bank account passwords or other information. Rather, they cored out the banks by starting with phishing attacks on bank employees, got control of the ATMs, transferred money into their own accounts, and inflated account balances that money mules then picked up at ATMs.

Europol provided this infographic that shows how the criminal network, and their malware, work.

First, they targeted financial transfers and ATM networks of financial institutions around the world. Within their first year, they’d improved the initial Anunak malware into a more sophisticated version, known as Carbanak, which was used until 2016. After that they focused on developing an even more sophisticated wave of attacks with tailor-made malware based on the Cobalt Strike penetration testing software, which emulates threats.

In spite of all the malware coders’ tweaks, the modus operandi stayed the same:

  1. Send spear-phishing emails, purporting to come from legitimate companies but bearing malicious attachments, to bank employees.
  2. Once bank employees fell for it and clicked on the attachments, the malicious software allowed the criminals to remotely control the victims’ infected machines, giving them access to the internal banking network.
  3. From there, the attackers infected servers controlling the ATMs. They’d send commands to specific ATMs to spit out cash, and money mules would be waiting to pick it up.

Besides having money mules pick up the cash from ATMs, the crooks also had these tricks up their sleeves:

  1. They’d use the e-payment network to transfer money into criminal accounts.
  2. Databases with account information were modified so account balances would be inflated, with money mules collecting the money.
  3. They laundered some stolen funds via cryptocurrencies, by means of prepaid cards linked to the cryptocurrency wallets that they used to buy things like luxury cars and houses.

Europol says this investigation was one tangled bowl of spaghetti: with the mastermind, coders, mule networks, money launderers and victims all located in different locations around the world, it involved international police cooperation, coordinated by Europol and the Joint Cybercrime Action Taskforce.

It was the first time that EBF worked in partnership with Europol on an investigation, according to EBF CEO Wim Mijs:

It clearly goes beyond raising awareness on cybersecurity and demonstrates the value of our partnership with the cybercrime specialists at Europol. Public-private cooperation is essential when it comes to effectively fighting digital cross border crimes like the one that we are seeing here with the Carbanak gang.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/WjOlHwEgC3M/

Biggest pirate in the US sentenced to 5 years

A 30-year-old, US-based operator of multiple piracy-focused websites – including Sharebeast.com, Newjams.net, and Albumjams.com – has been sentenced to five years in prison, three years of supervised release, and more than $642,000 in restitution and forfeiture.

According to the copyright cops – the Recording Industry Association of America (RIAA) – Sharebeast was the largest online file-sharing website specializing in the reproduction and distribution of pirated copyrighted music operating out of the US.

In September, Artur Sargsyan pleaded guilty to one felony count of criminal copyright infringement related to Sharebeast, which the Department of Justice (DOJ) said facilitated unauthorized distribution and reproduction of over one billion copies of copyrighted works.

If he thought that his guilty plea would lighten his sentence, Sargsyan thought wrong.

You can see why the government might have gotten pretty fed up with him by that point: As the DOJ noted in its announcement of his sentencing, from 2012 to 2015, the RIAA sent Sargsyan over 100 takedown notices.

He kept on chugging along, though, illegally storing and distributing works from scores of big-name artists, including Bruno Mars, Linkin Park, Pitbull, Pharrell Williams, Gwen Stefani, Maroon 5, Ariana Grande, Destiny’s Child, Ciara, Katy Perry, Beyoncé, Jennifer Hudson, Kanye West, and Justin Bieber.

The RIAA’s “conservative” estimate of how much that costs its member companies is $6.3 billion. Take that estimate with a boatload of salt: the industry group is notorious for cooking up damage estimates that bounce around like kangaroos on amphetamines.

Take, for example, the first US jury trial for a file-sharing suit, brought against a Minnesota woman in 2012: Jammie Thomas-Rasset wound up being fined $222,000 after being accused of downloading and distributing more than 1,700 songs on the file-sharing site KaZaA.

Prosecuting 1,700 songs might have been a bit unwieldy, so the RIAA instead focused on 24 illegally downloaded and shared music files. The fine bounced from court to court and from $222,000 on up to $1,920,000, back down to $54,000, back up to $1.5 million, until finally, it came to rest again at $222,000.

Well, that doesn’t sound so bad, the defendant said, particularly when compared with that potential high of $1.9 million.

But back to Sargsyan: The DOJ says that he pirated “thousands of songs” that hadn’t yet reached their official release dates. That means that he was making songs available for download before they were made commercially available to paying customers.

The government shut his sites down in August 2015. Police in the UK and the Netherlands helped the FBI to seize the servers Sargsyan was using to illegally distribute the pirated music worldwide.

He was ordered to pay restitution in the amount of $458,200 and ordered to forfeit $184,768.87. Much of that money must have come from the pop-up ads on his sites: a source that “generated significant profit for him when visitors accessed the websites to illegally download copyrighted works,” the DOJ said.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/p7E5BGpjyKk/

HOAX ALERT: Can you really verify your Facebook account security with a comment?

As a Naked Security reader, you might find it hard to believe that this is really a thing…

There’s a rumor floating around in certain corners of the internet that you can “prove” your Facebook account is secure by triggering an animation in the comments section.

Unfortunately, memes like this do make the rounds, and though they might strike the more security-savvy amongst us as silly or trivial, let’s instead examine why these memes might be capturing peoples’ attention.

One of the security-related claims making the rounds is this:

Mark Zuckerberg, CEO of Facebook, invented the word BFF. To make sure your account is safe on Facebook, type BFF in a comment. If it appears green, your account is protected. If it does not appear in green, change your password immediately because it will be hacked.

If you haven’t used Facebook in a while (or are team #NeverFacebook or #DeleteFacebook), you might not know about a little UI feature that has been slowly rolling out across the social network in the past few months. Basically, if you type a certain phrase – like “congratulations” or “happy birthday” – in a Facebook post or comment, Facebook will automagically bold and add color to the text, and if you click the highlighted phrase, a little animation will appear in your browser. (“Congratulations” will shower confetti, that kind of thing.)

So according to the meme above, if a comment or post has the term “BFF” in it (BFF, meaning “Best Friends Forever”), a “secure” account will see that text turn green. (Presumably, an “insecure” account would see no change at all.)

Hopefully the vague nature of this claim has set off all your alarm bells. What does “your account is protected” mean in the context of Facebook? Why on earth would this be a hidden feature, only to be mysteriously conjured via mirth injection when typing in “BFF”? Is Facebook really our BFF when it comes to security?

Just to be crystal clear, there’s absolutely no truth to this claim, though that hasn’t stopped the rumor from spreading.

So why does a rumor like this have any staying power? Perhaps it’s a secret conspiracy of highly security-minded users trying to use a meme to get people to change their passwords frequently, as a sort of backdoor method to better security, but that sounds about as likely as Zuck inventing the BFF acronym.

It’s more likely that the segment of Facebook users who think a claim like this might be true might also be unaware that the power to better secure their account from hacking attempts, and to verify the security of their Facebook account, lies entirely within their control and it never requires typing in a magic acronym.

The keys to the kingdom for your Facebook account’s security are all in the Security area of Facebook settings. From there, you can change your password to something unique to your account and enable two-factor authentication when you log in. These changes would do a lot of good to protect a Facebook account, and will certainly make a bigger impact than typing “BFF” in a comment box.

If you see this meme making the rounds with your friends and family, chances are they’re concerned about their Facebook account’s security but might not know that they can do something about it.

Resist the urge to ignore and move on (or snark, if you’re more that type), and instead make this meme a teaching moment: Encourage them to check out their account’s security settings and help them gain some real peace of mind.

And, if you want to read about some of the most ridiculous examples we’ve seen, read our article about 3 of Facebook’s dumbest hoaxes.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/RVMk326S_-0/

Exploit kit development has gone to sh$t… ever since Adobe Flash was kicked to the curb

There was a big drop in exploit kit development last year, and experts have equated this to the phasing out of Adobe Flash.

In 2017, exploit kit development declined 62 per cent, with only a few kits including AKBuilder, Disdain and Terror showing significant activity, according to a study by threat intel firm Recorded Future.

In contrast to previous years, criminal exploit kits and phishing campaigns favoured Microsoft products in 2017, rather than Adobe Flash vulnerabilities. Exploiting Java and Adobe Flash flaws to push malware after tricking surfers into visiting booby-trapped websites has been the staple of so-called drive-by hacking attacks for years.

Java vulnerabilities dropped steadily between 2013 and 2016, prompting cybercriminals to switch over to Adobe Flash. Now that route has also been throttled.

“The observed drop in exploit kit activity overlaps with the rapid decline of Flash Player usage,” said Scott Donnelly, VP of technical solutions at Recorded Future. “Users have shifted to more secure browsers, and attackers have shifted as well. Spikes in cryptocurrency mining malware and more targeted victim attacks have filled the void.”

The Flash suite is over 20 years old and slated for retirement in 2020 at the latest. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/03/27/exploit_kit_decline/

Privacy: Do We Need a National Data Breach Disclosure Law?

Some say we need a more consistent approach, while others worry a national law might supersede and water down some state laws already on the books.

The demand for a national data breach disclosure law is, in part, a broader topic about privacy management and regulation on a national basis. The United States’ approach to privacy management is largely industry-sector driven — and, as a result, mandates are fragmented.  

At a fundamental level, we all have personal identities and, as an extension, digital identities. They can be thought of as personal possessions — basically, as assets. The fact that our identities can be misused makes them a potential liability, as well, creating the legal basis for harm, neglect, and damages. The point of a national data breach disclosure law is focused on promising a consistent approach that gives the public more assurance.

Modern consumers need more confidence in how their identities are used and managed on the Web, and they need reassurance that, when necessary, they will be notified so they can take actions to protect themselves from the dark side of the Internet world. The Internet is not inclined to protect the public, so laws are necessary.

Identity, the protection of identity, and the basis for privacy management are not new topics, nor were they created by an out-of-control, artificial intelligence-driven computer society. Early writing on the topic includes “The Right to Privacy,” written by Samuel Warren and Louis Brandeis and published in an 1890 issue of the Harvard Law Review. At that time, a new technology, photography, was all the rage in claims of privacy invasion. A picture is — and will continue to be — personal identifiable information (PII). PII instantiates your identity, which in turn can be used to violate your privacy without your consent. However, as technology pushes endless boundaries, we find that principles and laws are strained to remain up to date and relevant.

Right now, the US does not have a national privacy management standard, per se, and certainly there is no uniform breach notification law. Instead, the United States treats the regulation of privacy as an industry-centric issue. We have healthcare laws that address privacy, but only when the privacy data is protected health information, a form of PII. We also have commercial credit laws mandated by the Consumer Credit Protection Act, enacted in 1968. Of course, there are other examples, which demonstrate that the federal government does not have a single, uniform approach.

Instead, the federal government has left this up to the states, creating a patchwork of laws. The National Conference of State Legislatures website depicts the wide ranging approach of the states. This creates a tremendous burden on the business community.

An Incentive Not to Report
In the US, an identity is compromised every two seconds. Globally, in 2017, 26.1% of all companies confidentially surveyed in the 2017 Thales Data Threat Report reported a breach, up from 21.5%. Across all companies worldwide, 67.8% confide that they have experienced a breach at one point. Within the US, that number is 73%. These numbers, startling or not, do not set aside the fact that companies have incentives not to report without a compliance mandate. Note the logic: if there is no penalty for failing to report a breach, why would a company want to report a breach? If nobody else knows, then damage to reputation, the cost to address the breach, and action against a company may be avoided. Without legal mandates, companies have incentives not to report.

In recent weeks, both retailers and financial services firms have called on the US Congress to create a federal data breach disclosure notification law that supersedes state data breach notification laws. They contend a federal standard would simplify compliance and make the threshold for disclosure clear to businesses and consumers alike. However, there are alternative views.

Some would argue that 48 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands have enacted legislation already. Therefore, Congress need not rush in to fill a vacuum that does not exist.

Others, such as the American Bankers Association, argue that the patchwork approach, rules, criteria, response, and definition of terms are inconsistent, and put an ever-increasing burden on US businesses.

However, many of the states that have breach notification laws are concerned that a federal approach could supersede and reduce protections enacted to protect their state citizens. Remember, the states took action because the federal government failed to do so.

Some argue for a national law that would allow each state to enhance the protections. The net results, though well intended, may be even more convoluted.

Then there is the state revenue dilemma. Superseding state laws and invoking federal standards, rules, fines, and penalties would deplete revenue generated by state jurisdiction and venue for legal redress.

Others would continue the argument that a data breach depends on the nature and type of data. A healthcare breach is not the same as a financial system breach or a retail data breach. Those that trade in stolen identities might support this argument, noting that a compromised healthcare identity trades on the black market at a higher price premium than other compromised identities.

Here is what cannot be argued: your identity is an asset and, when violated, can be a liability that enables identity theft and general invasion of privacy. If I, as an individual, entrust my identity to the charge of another individual or entity, I have a reasonable expectation for responsible behavior. If an entity loses control over my identity, I have a reasonable expectation to be informed in a timely manner so that I, too, can take actions to mitigate the risks of any compromise and adverse outcome to my identity.

That starts with timely notification so that I can act defensively. There may be many perspectives on privacy, but there’s undeniably a need for timely breach notification.


Dallas Bishoff manages security consulting services for PCM. He is responsible for profit/loss, utilization, staff growth and capabilities, customer satisfaction, and both creation and oversight of standardized security offerings including: vCISO, GRC assessments, PCI …

Article source: https://www.darkreading.com/endpoint/privacy/privacy-do-we-need-a-national-data-breach-disclosure-law/a/d-id/1331325?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Bad Bots Increasingly Hide Out in Cloud Data Centers

Humans accounted for nearly 58% of website traffic in 2017 – the rest were bad and good bots.

Bots became a household name last year in the wake of Russian election-meddling in the US and their inordinate presence on social media platforms. The population of these malicious bots also grew by nearly 10% last year, accounting for one-fifth of all website traffic.

So-called bad bots also execute online fraud, data theft, and distributed denial-of-service (DDoS) attacks, and despite more awareness as well as moves by Twitter and others to purge them, they continue to dog ecommerce and evolve their tactics to evade detection, according to a new analysis of bot activity by Distil Networks that studied hundreds of billions of bad bot requests on thousands of websites.

Humans accounted for nearly 58% of website traffic in 2017, with the rest split between bad bots (21.46%) and good bots (20.74%). Good bots include tools like search engine crawlers, while bad bots are everything from trolls to illicit data-scraping tools and proxies for cybercrime. Bad bots make up the largest share of traffic on gambling (53.1%) and airline (43.9%) websites. Most bad bots (83.2%) pose as desktop Web browsers, including Chrome, Firefox, Internet Explorer, and Safari, and 10.4% pose as mobile browsers (Safari, Android, and Opera).

The biggest shift in 2017 was bots hiding out in data centers: some 82.7% are now operating out of cloud-based accounts versus 60.1% in 2016, the data shows.

Anna Westelius, senior director of security research at Distil, says bad bots are waging credential-stuffing attacks en masse. Account takeover attacks occur two to three times per month on average, but after a data breach they increase threefold, according to Distil’s data.

“They are trying them wherever they can,” Westelius says of the stolen credentials.

They’re also mimicking human behavior more convincingly, by executing JavaScript like a browser, or faking mouse movements. “A lot of the time bad bots are utilizing human connections, like human smartphone connections,” Westelius says. “A lot of these are malware-related botnets” that want to appear as human as possible in their communications and behaviors, she says.

Distil found that 5.8% of all mobile devices on cellular networks are used in bad bot attacks. These bots are considered the most advanced or sophisticated because they are less likely to get detected. Overall, 74% of bad bot traffic today is sophisticated or moderately sophisticated, the report says.

But operating out of cloud data centers is all the rage for bot runners now. It’s inexpensive to spin up a cloud server, for example, and it appears legit. “Hosting providers really offer them a legal way to highly distribute themselves. It’s cheap and accessible,” Westelius says.

The move to the cloud coincided with a decrease in residential bot traffic, according to Distil. “The economics and success of using low-cost, cloud data centers probably explains why there was a drop in the amount of traffic from residential ISPs, falling from 30.5% to 14.8% in 2017,” the report said.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: https://www.darkreading.com/cloud/bad-bots-increasingly-hide-out-in-cloud-data-centers/d/d-id/1331375?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple