source: technewsworld.com

With much of the workforce conducting business from home to escape the pandemic, scammers have revved up their trickery to scare victims into falling for credential harvesting schemes.

Two new reports lay bare the new twists digital scammers are putting on old approaches to get you to unwittingly give up login credentials for your personal or company online banking and server portals. The two reports focus on how to avoid becoming a corporate or consumer victim.

One new twist detailed by Armorblox threatens to recycle inactive addresses unless the would-be victims immediately update and confirm their account details. This results in fearful recipients entering their legitimate email addresses and password information.

The second report, by email phishing protection firm INKY, reveals the intricate directives of a credential harvesting phishing email. These emails impersonate the United States Department of Justice by using a malicious link with real logos mimicking government websites.

A phishing email scam which gives the appearance that the sender is the U.S. Department of Justice.

Credential harvesting is largely considered the foundation of email phishing. It is the easiest way for anyone to get into your secure files. They simply use your password that you gave them, explained Dave Baggett, CEO and co-founder of INKY.

“In terms of the overall rate of phishing generally, we have seen nearly a three-times increase in phishing emails since the pandemic started,” Baggett told TechNewsWorld.

Banking on Phishing

Last week, Armorblox, a cloud office security platform that protects inbound and outbound enterprise communications, released its latest discovery of a new credential phishing attempt. The report details how cybercriminals use an email with a malicious link leading to a fake website. The landing page painstakingly resembles the Bank of America login page.

Continue reading “EMAIL SCAMMERS USING OLD TRICKS WITH NEW TWISTS”

source: wired.com

YOU ARE, WE hope, already protecting your phone with a PIN, a fingerprint, or a face (or all three), but sometimes you’ll want to add an extra barrier to particular apps—if you’re lending your phone to a friend, say, or if your kids or partner are always borrowing your phone for whatever reason.

How you want to apply this additional protection is up to you. Some apps come with it built in; in other cases you’ll need to enlist the help of a third-party app. The process is also different depending on whether you’re using Android or iOS, and so we’ve split our guide up into two sections.

Locking Apps on iOS

Apple doesn’t give third-party apps quite as much leeway on iOS as Google does on Android, so you won’t find any general-purpose locking tools in the App Store. Instead, you’re relying on the individual apps themselves—many apps that can hold sensitive information will give you additional options.

Apple’s own Notes app for the iPhone is one example. You can lock individual notes by tapping the Share button (inside a note) or long-pressing on a note (on the notes list) and then choosing Lock Note. Notes are locked using Face ID, Touch ID, or a PIN code, and you can set this via Notes in the iOS Settings app.

You can lock Apple Notes individually on an iPhone. (David Nield via Apple)

WhatsApp has protections in place as well to keep prying eyes out of your messages. From the main screen, you need to tap Settings, Account, Privacy, and Screen Lock—you’ll then be able to set up Touch ID or Face ID to guard access to your conversations. If either of those methods fail, you’ll get pushed back to your phone’s lock screen passcode.

Another third-party app with this same security measure is Dropbox, which is handy if you don’t want your toddler accidentally wiping all your files with an ill-judged finger push. Tap Account, then the cog icon (top left), then Turn Passcode On. When you’ve set a passcode, you’ll also be given the option to use Touch ID or Face ID as well.

We can’t guide you through every app on iOS, but have a look inside your favorite ones to see if an extra security layer has been included. Evernote, Amazon, and PayPal are three other apps that can be locked with Touch ID or Face ID, and many banking apps now have the same feature too, so even if someone gets access to your phone (with or without your permission), they can’t access all of your apps.

Dropbox is one of the apps that supports Face ID and Touch ID on iOS. (David Nield via Apple)

You have a couple of other tools you can turn to in iOS: They weren’t primarily intended for securing apps, but they can do the same job. The first is Screen Time, which you can access from Settings: If you tap Use Screen Time Passcode to set a passcode, then select App Limits and set the daily limit for an app to zero hours zero minutes, you’re effectively locking other people out of the app without the passcode.

Your second option is Guided Access, which you’ll find in the Accessibility menu in Settings. Once you’ve enabled it, open an app and triple-tap the side button or home button—you then won’t be able to switch to any other app without entering the phone’s passcode. It’s ideal if you want to let one of the kids play a game, but don’t want them to venture onto any other apps.

Locking Apps on Android

Android does let third-party apps control access to other apps, so you can install one of these app lockers and block access to any apps you don’t want other people snooping around inside. A passcode is usually required to gain access, though some locking tools can work with fingerprint sensors or face recognition.

Continue reading “HOW TO PASSCODE-LOCK ANY APP ON YOUR PHONE”

source: nakedsecurity.sophos.com

It’s simple: Boston doesn’t want to use crappy technology.

Boston Police Department (BPD) Commissioner William Gross said last month that abysmal error rates – errors that mean it screws up most particularly with Asian, dark or female skin – make Boston’s recently enacted ban on facial recognition use by city government a no-brainer:

Until this technology is 100%, I’m not interested in it. I didn’t forget that I’m African American and I can be misidentified as well.

Thus did the city become the second-largest in the world, after San Francisco, to ban use of the infamously lousy, hard-baked racist/sexist technology. The city council voted unanimously on the bill on 24 Jun – here’s the full text, and here’s a video of the 3.5-hour meeting that preceded the vote – and Mayor Marty Walsh signed it into law last week.

The Boston Police Department (BPD) isn’t losing anything. It doesn’t even use the technology. Why? Because it doesn’t work. Make that it doesn’t work well. The “iffy” factor matters most particularly if you’re Native American, Black, Asian or female, given high error rates with all but the mostly white males who created the algorithms it runs on.

Continue reading “BOSTON BANS GOVERNMENT USE OF FACIAL RECOGNITION”

source: thecyberwire.com

At a glance.

  • FBI Director offers a harsh appraisal of Chinese cyberespionage.
  • Official concerns about Chinese cyber operations in France and India.

FBI Director offers a harsh appraisal of Chinese cyberespionage.

At a speech before the Hudson Institute yesterday, US FBI Director Wray denounced Chinese intelligence operations as serving Beijing’s ambitions to become the world’s dominant power. The Communist Party of China, Director Wray said, believes it’s in a “generational fight” to become the world’s sole superpower, and that Beijing’s assertiveness in cyberspace is a consequence of the strategy that flows from that belief.

Continue reading “THE FBI’S TAKE ON CHINA’S CYBER OPERATIONS”

source: threatpost.com

A new devilish malware is targeting Windows systems with cryptojacking and DDoS capabilities.

Security experts have identified a self-propagating malware, dubbed Lucifer, that targets Windows systems with cryptojacking and distributed denial-of-service (DDoS) attacks.

The never-before-seen malware initially tries to infect PCs by bombarding them with exploits in the hope of taking advantage of an “exhaustive” list of unpatched vulnerabilities. While patches for all the critical and high-severity bugs exist, the various companies impacted by the malware had not applied the fixes.

“Lucifer is a new hybrid of cryptojacking and DDoS malware variant that leverages old vulnerabilities to spread and perform malicious activities on Windows platforms,” said researchers with Palo Alto Networks’ Unit 42 team on Wednesday in a blog post. “Applying the updates and patches to the affected software is strongly advised.”

The vulnerabilities targeted by Lucifer include Rejetto HTTP File Server (CVE-2014-6287), Oracle WebLogic (CVE-2017-10271), ThinkPHP RCE (CVE-2018-20062), Apache Struts (CVE-2017-9791), Laravel framework (CVE-2019-9081), and Microsoft Windows (CVE-2017-0144, CVE-2017-0145, and CVE-2017-8464).

Continue reading “SELF-PROPAGATING LUCIFER MALWARE TARGETS WINDOWS SYSTEMS”

source: securityweek.com

The easiest way for a cyber-attacker to gain access to sensitive data is by compromising an end user’s identity and credentials. Things get even worse if a stolen identity belongs to a privileged user, who has even broader access, and therefore provides the intruder with “the keys to the kingdom”.

According to a 2019 study, 74 percent of respondents whose organizations have been breached acknowledged the incident exploited privileged account access. This number closely aligns with Forrester’s estimate that 80 percent of security breaches involve compromised privileged credentials. By leveraging a “trusted” identity, a hacker can operate undetected and exfiltrate sensitive data sets without raising any red flags. As a result, it’s not surprising that most of today’s cyber-attacks are front-ended by phishing campaigns. So, what can organizations do to prevent their users from falling for the bait of these attacks?

The Cybersecurity and Infrastructure Security Agency (CISA) of the U.S. Department of Homeland Security defines phishing as “an attempt by an individual or group to solicit personal information from unsuspecting users by employing social engineering techniques. Phishing emails [or text messages] are crafted to appear as if they have been sent from a legitimate organization or known individual. These emails [or SMS messages] often attempt to entice users to click on a link that will take the user to a fraudulent website that appears legitimate. The user may then be asked to provide personal information, such as account usernames and passwords that can further expose them to future compromises. Additionally, these fraudulent websites may contain malicious code.”

Continue reading “PHISHING ATTACKS: BEST PRACTICES FOR NOT TAKING THE BAIT”

source: technewsworld.com

United States government agencies and cloud technology providers are heading toward a reset in how they cooperate on cybersecurity challenges. The expected growth of cloud use will create a more complex federal security landscape, according to a recent report from Thales Group.

Federal agencies actually have moved ahead of businesses in cloud adoption, with 54 percent of agency data already embedded in the cloud, the report notes. Furthermore, cloud technology is central to a broader “digital transformation” goal in the federal government, recently highlighted by ramping up remote workplace sites in response to the COVID-19 virus.

“Data security requirements will only continue to be more stringent as more and more data and services are migrated to the cloud,” said Brent Hansen, federal chief technology officer at Thales.

“This year registers the first year where more federal data is stored in the cloud versus on premises. This is a huge turning point and the trajectory will only continue to favor cloud,” he told the E-Commerce Times.

Continue reading “‘NEW NORMAL’ SECURITY ERA BEGINS FOR US AGENCIES, CLOUD PROVIDERS”

source: independent.co.uk

Facial recognition technology is becoming an “epidemic” across shopping centres, museums and public spaces in the UK, campaigners have warned.

Following the revelation that hundreds of thousands of visitors to the area around King’s Cross railway station in London were being covertly scanned, Big Brother Watch said other private companies had also used the controversial technology.

Owners of Sheffield’s Meadowhall shopping centre have trialled facial recognition, as have the World Museum in Liverpool and the Millennium Point conference centre in Birmingham.

Last year, the Trafford Centre in Manchester was pressured to stop using live facial recognition after six months of monitoring visitors following an intervention by the surveillance camera commissioner, Tony Porter.

Silkie Carlo, director of Big Brother Watch, said: “There is an epidemic of facial recognition in the UK.

The collusion between police and private companies in building these surveillance nets around popular spaces is deeply disturbing.

Facial recognition is the perfect tool of oppression and the widespread use we’ve found indicates we’re facing a privacy emergency.”

Continue reading “FACIAL RECOGNITION BECOMING ‘EPIDEMIC’ IN BRITISH PUBLIC SPACES”

source: wired.com

The so-called lamphone technique allows for real-time listening in on a room that’s hundreds of feet away.

THE LIST OF sophisticated eavesdropping techniques has grown steadily over years: wiretaps, hacked phones, bugs in the wall—even bouncing lasers off of a building’s glass to pick up conversations inside. Now add another tool for audio spies: Any light bulb in a room that might be visible from a window.

Researchers from Israel’s Ben-Gurion University of the Negev and the Weizmann Institute of Science today revealed a new technique for long-distance eavesdropping they call “lamphone.” They say it allows anyone with a laptop and less than a thousand dollars of equipment—just a telescope and a $400 electro-optical sensor—to listen in on any sounds in a room that’s hundreds of feet away in real time, simply by observing the minuscule vibrations those sounds create on the glass surface of a light bulb inside. By measuring the tiny changes in light output from the bulb that those vibrations cause, the researchers show that a spy can pick up sound clearly enough to discern the contents of conversations or even recognize a piece of music.

“Any sound in the room can be recovered from the room with no requirement to hack anything and no device in the room,” says Ben Nassi, a security researcher at Ben-Gurion who developed the technique with fellow researchers Yaron Pirutin and Boris Zadov, and who plans to present their findings at the Black Hat security conference in August. “You just need line of sight to a hanging bulb, and this is it.”

In their experiments, the researchers placed a series of telescopes around 80 feet away from a target office’s light bulb, and put each telescope’s eyepiece in front of a Thorlabs PDA100A2 electro-optical sensor. They then used an analog-to-digital converter to convert the electrical signals from that sensor to digital information. While they played music and speech recordings in the faraway room, they fed the information picked up by their set-up to a laptop, which analyzed the readings.

The researchers’ experimental setup, with an electro-optical sensor behind the eyepiece of a telescope, pointing at a light bulb inside an office building more than 80 feet away. (Courtesy of Ben Nassi)

The researchers found that the tiny vibrations of the light bulb in response to sound—movements that they measured at as little as a few hundred microns—registered as measurable changes in the light their sensor picked up through each telescope. After processing the signal through software to filter out noise, they were able to reconstruct recordings of the sounds inside the room with remarkable fidelity: They showed, for instance, that they could reproduce an audible snippet of a speech from President Donald Trump well enough for it to be transcribed by Google’s Cloud Speech API. They also generated a recording of the Beatles’ “Let It Be” clear enough that the name-that-tune app Shazam could instantly recognize it.

Continue reading “SPIES EAVESDROP BY WATCHING LIGHT BULB VIBRATE”

source: defenseone.com

The crypto agency has a list of questions for federal employees and contractors to ask as they choose a collaboration tool.

Video conferencing platforms Zoom and Microsoft Teams are both FedRAMP approved, but while Zoom offers end-to-end encryption, Microsoft Teams does not, according to the National Security Agency.

These are just two of nine factors the NSA cites in creating a guide to help federal workers choose commercial telework tools for “safely using collaboration services,” as necessitated by the coronavirus pandemic.

The guide, which the NSA released Friday, applies only to commercial applications, and one strong recommendation from the agency is that, when possible, workers use U.S. government services such as Defense Collaboration Services, Intelink Services and others, which were designed specifically for secure government communications. But government workers still need to interact with external entities that might be sending them invitations via commercial applications, and the NSA has detailed a number of factors for them to weigh in deciding which ones to accept:

  • Does the service implement end-to-end encryption?
  • Are strong, well-known, testable encryption standards used?
  • Is multi-factor authentication (MFA) used to validate users’ identities?
  • Can users see and control who connects to collaboration sessions?
  • Does the service privacy policy allow the vendor to share data with third parties or affiliates?
  • Do users have the ability to securely delete data from the service and its repositories as needed?
  • Has the collaboration service’s source code been shared publicly (e.g. open source)?
  • Has the service and/or app been reviewed or certified for use by a security-focused nationally recognized or government body?
  • Is the service developed and/or hosted under the jurisdiction of a government with laws that could jeopardize USG official use?

Continue reading “ZOOM OR NOT? NSA OFFERS GUIDANCE”