US State Department issues guidance on implementing UN Guiding Principles for transactions linked to foreign government end-users for surveillance technology

source: business-humanrights.org

“U.S. Department of State Guidance on Implementing the ‘UN Guiding Principles’ for Transactions Linked to Foreign Government End-Users for Products or Services with Surveillance Capabilities”, 30 September 2020

The U.S. Department of State is committed to the promotion and protection of human rights. In that spirit, U.S. businesses should carefully review this voluntary guidance and consider whether to participate in, or continue to participate in, transactions if they identify a risk that the end-user will likely misuse the product or service to carry out human rights violations or abuses. The responsibility of U.S. businesses to respect human rights does not depend on the size, sector, operational context, ownership, or structure of the business…

U.S. businesses are encouraged to integrate human rights due diligence into compliance programs, including export compliance programs…

Review the capabilities of the product or service in question to determine potential for misuse to commit human rights violations or abuses by foreign government end-users or private end-users that have close relationships with a foreign government…

Review the human rights record of the foreign government agency end-user of the country intended to receive the product or service…

Review, including through in-house or outside counsel, whether the foreign government end-user’s laws, regulations, and policies that implicate products and services with surveillance capabilities are consistent with the UDHR…

A Look Into the Pricing of Stolen Identities For Sale on Dark Web

source: securitymagazine.com

After a data breach, much of the stolen personal information, sometimes highly sensitive personally identifiable information (PII), is sold on markets within the dark web. But how does the sale of stolen information work, exactly, and how much money are criminals making from stolen data?

Comparitech researchers analyzed listings across 40+ dark web marketplaces, gathering data on how much stolen identities, credit cards and hacked PayPal accounts are worth to cybercriminals.

Here are some key findings:

  1. Americans have the cheapest “fullz” (full credentials e.g. SSN, name, DOB etc), averaging $8 per record. Japan and the UAE have the most expensive identities at an average of $25. Not all fullz are the same. While SSN, name, and DOB are all fairly standard in fullz, other information can be included or excluded and thereby change the price. Fullz that come with a driver’s license number, bank account statement, or utility bill will be worth more than those without, for example. Some fullz even include photos or scans of identification cards, such as a passport or driver’s license.
  2. Prices for stolen credit cards range widely from $0.11 to $986. Hacked PayPal accounts range from $5 to $1,767.
  3. The median credit limit on a stolen credit card is 24 times the price of the card.
  4. The median account balance of a hacked PayPal account is 32 times the price on the dark web.

Credit cards, Paypal accounts, and fullz are the most popular types of stolen information traded on the dark web, but they’re far from the only data worth stealing, says Comparitech. Other types of stolen information usually for sale are: passports, driver’s licenses, frequent flyer miles, streaming accounts, dating profiles, social media accounts, bank accounts, and debit cards.

This data – most often stolen through phishing, credential stuffing, data breaches, and card skimmers – is bought and sold on dark web marketplaces. Here are a few tips for avoiding those attacks, from Comparitech researchers:

  • There’s not much an end user can do about data breaches except to register fewer accounts and minimize your digital footprint.
  • Keep an eye out for card skimmers at points of sale, particularly unmanned ones such as those at gas stations.
  • Learn how to spot and avoid phishing emails and other messages.
  • Credential stuffing can be avoided by using strong, unique passwords on all of your accounts.

For the full blog, please visit https://www.comparitech.com/blog/vpn-privacy/dark-web-prices/

The best Windows 10 antivirus protection for 2021

source: cnet.com

Your Windows PC needs protection against malware, and free antivirus software may be enough. Here’s the best antivirus protection for Windows 10, and what’s worth paying extra for.

An online security quiver needs plenty of arrows — a VPN to protect your internet traffic, a password manager to keep track of login credentials and an end-to-end encrypted messaging app to stop others from spying on your communications. But if you’re running Windows, that list should also include antivirus tools such as malware protection and antivirus software that monitors downloads and observes your system’s activity for suspicious behavior and malicious software.

If you’re looking for the best malware protection and antivirus software, here’s the first thing you need to know: Microsoft Defender Antivirus — the free internet security software and virus protection program that comes with Windows 10 and until recently was called Windows Defender — does a decent job of protecting your PC and offering internet security. (Amazingly, Microsoft provided no built-in protection for Windows back in the days of Windows 98 and XP.) Using Microsoft Defender for threat detection should be your starting point for the best antivirus security on Windows, and most people will find they don’t need to go any further when it comes to nailing down an antivirus solution.

However, keeping your personal data safe and guarding your privacy extends beyond virus protection, and that’s where third-party antivirus software shines. A full protection package can monitor your Windows computer as well as MacOS, iOS and Android devices and include a password manager, a VPN, parental control, secure online backup, identity theft protection, protection against phishing and malicious websites and more — all worthwhile tools that can guard your privacy and keep your data secure.

Continue reading “The best Windows 10 antivirus protection for 2021”

Breach Data Shows Attackers Switched Gears in 2020

source: darkreading.com

Attackers focused more on ransomware, while the consolidation of data into large databases led to fewer reported breaches but more records leaked.

The number of data breaches declined by half last year — to less than 4,000 events — yet the number of leaked records more than doubled, as did the number of breaches that included a ransomware component, according to an annual analysis of breach events by Risk Based Security.

The diverging trends suggest that attackers are focusing more on ransomware, which is often not reported as a data breach if information is not exfiltrated. In addition, more than 80% of the at-risk records came from five events caused by misconfigured databases, suggesting that consolidation in the cloud may have led to more severe, if less frequent, data breaches.

Continue reading “Breach Data Shows Attackers Switched Gears in 2020”

Strong Passwords Aren’t As Easy As Adding 123. Here’s What Experts Say Really Helps

source: cnet.com

Creating a good password isn’t as simple as putting an exclamation mark at the end.

You’ve seen all the familiar rules for strong passwords almost every time you create an online account. Use capital letters, numbers and special characters, and make it at least 8 characters long (or 10, or 12). These requirements are designed to make it harder for hackers to get into your accounts. However, they don’t really make your password stronger, say researchers at Carnegie Mellon University.

Lorrie Cranor, director of the CyLab Usable Security and Privacy Laboratory at CMU, says her team has a better way, a meter that websites can use to prompt you to create more-secure passwords. After you’ve created a password of at least 10 characters, the meter will start giving suggestions, such as breaking up common words with slashes or random letters, to make your password stronger. 

These tips set the password strength meter apart from other meters that provide an estimated password strength, often using colors. The suggestions don’t come from a checklist, but instead respond to common pitfalls Cranor’s team has seen people make when they set up passwords during experiments run by the lab over several years.

One of the problems with many passwords is that they tick all the security checks but are still easy to guess because most of us follow the same patterns, the lab found. Are numbers required? You’ll likely add a “1” at the end. Is it capital letters? You’ll probably make it the first one in the password. And special characters? Frequently exclamation marks.

CMU’s password meter will offer advice for strengthening a password like “ILoveYou2!” — which meets the standard requirements. The meter also offers other advice based on what you type in, such as reminding you not to use a name or suggesting you put special characters in the middle of your password. 
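As an added illustration, not code from CNET or from the CMU lab's meter, the following Python sketch implements the pattern checks the article describes (a capital letter only at the start, digits and symbols only at the end, an intact common word) and returns the matching suggestion for each, the way the meter does for “ILoveYou2!”. The word list, the 10-character threshold and the wording of the tips are constructed assumptions; the real meter draws on far larger data from the lab's experiments.

```python
import re

# Constructed word list for this example; a real meter would consult a large dictionary.
COMMON_WORDS = ("love", "you", "password", "welcome", "summer", "monkey")
MIN_LENGTH = 10  # the article says the meter starts advising once a password reaches 10 characters


def break_up(word: str) -> str:
    """Show the 'split a common word with a slash' suggestion, e.g. 'love' -> 'lo/ve'."""
    mid = len(word) // 2
    return word[:mid] + "/" + word[mid:]


def analyze_password(pw: str) -> list[str]:
    """Return targeted suggestions for the predictable habits the CMU lab describes.

    An empty list means none of these specific pitfalls were found; it is not a
    proof of strength, only the absence of the patterns checked here.
    """
    if len(pw) < MIN_LENGTH:
        return [f"Use at least {MIN_LENGTH} characters before worrying about other rules."]

    tips = []

    # Pitfall: the only capital letter is the first character.
    caps = [i for i, c in enumerate(pw) if c.isupper()]
    if caps == [0]:
        tips.append("Your only capital letter is the first character; "
                    "capitalize a letter in the middle instead.")

    # Pitfall: every digit and symbol is tacked onto the end (e.g. '...1' or '...!').
    tail = re.search(r"[^A-Za-z]+$", pw)
    non_letters = [i for i, c in enumerate(pw) if not c.isalpha()]
    if tail and non_letters and non_letters[0] == tail.start():
        tips.append(f"All your digits and symbols sit at the end ('{tail.group()}'); "
                    "move some of them into the middle of the password.")

    # Pitfall: a common word appears intact; suggest breaking it up.
    lowered = pw.lower()
    for word in COMMON_WORDS:
        if word in lowered:
            tips.append(f"'{word}' is a common word; break it up, e.g. '{break_up(word)}', "
                        "or insert a random letter inside it.")

    return tips


def has_known_pitfall(pw: str) -> bool:
    """True when the meter would raise at least one suggestion for this password."""
    return bool(analyze_password(pw))


if __name__ == "__main__":
    # Constructed sample candidates, including the article's own "ILoveYou2!".
    for candidate in ("ILoveYou2!", "Password123", "c0rr/ect-h0rse-bAttery"):
        print(candidate)
        for tip in analyze_password(candidate) or ["no known pitfalls detected"]:
            print("  -", tip)
```

The checks are deliberately ordered from cheapest to most expensive, and the feedback names the offending fragment of the password so the advice stays specific to what the user typed rather than reading as a generic checklist.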

“It’s relevant to what you’re doing, rather than some random tip,” Cranor said. 

Continue reading “Strong Passwords Aren’t As Easy As Adding 123. Here’s What Experts Say Really Helps”

Data Leak Exposes Details of Two Million Chinese Communist Party Members

source: infosecurity-magazine.com

Sensitive data of around two million members of the Communist Party of China (CPC) have been leaked, highlighting their positions in major organizations, including government agencies, throughout the world.

According to reports from The Australian newspaper, featured in the Economic Times, the information includes official records such as party position, birthdate, national ID number and ethnicity. It revealed that members of China’s ruling party hold prominent positions in some of the world’s biggest companies, including in pharmaceutical giants involved in the development of COVID-19 vaccines like Pfizer and financial institutions such as HSBC.

The investigation by The Australian centred around the data leak, which was extracted from a Shanghai server in 2016 by Chinese dissidents.

It noted that CPC members are employed as senior political and government affairs specialists in at least 10 consulates in the eastern Chinese metropolis of Shanghai, including those of the US, UK and Australia. The paper added that many other members hold positions inside universities and government agencies.

The report emphasized there is no evidence that spying for the Chinese government or other forms of cyber-espionage have taken place.

In her report, The Australian journalist and Sky News host Sharri Markson commented: “What’s amazing about this database is not just that it exposes people who are members of the Communist Party, and who are now living and working all over the world, from Australia to the US to the UK, but it’s amazing because it lifts the lid on how the party operates under President and Chairman Xi Jinping.

“It is also going to embarrass some global companies who appear to have no plan in place to protect their intellectual property from theft, from economic espionage.”

In September, the Cybersecurity and Infrastructure Security Agency (CISA) and the US Department of Justice issued a joint advisory warning US government agencies and private sector companies to be on high alert for cyber-attacks by threat actors affiliated with the Chinese Ministry of State Security (MSS).

SolarWinds hack: Amid Hardened Security, Attackers Seek Softer Targets

source: scmagazine.com

Reported theories by SolarWinds hack investigators that federal agencies and private companies were too busy focusing on election security to recognize vulnerabilities tied to the software supply chain are unfair and misleading, say cybersecurity experts that used to work in government.

And yet, those same experts acknowledge that such accusations offer an important cybersecurity lesson for businesses: organizations must ensure that their entire attack surface receives attention.

“There are a range of potential adversaries working against admins – nation states, hackers, criminal competitors – all with varying degrees of skill,” said John Caruthers, business information security officer at Evotek and a former supervisory special agent at the FBI. “Without addressing all components, the bad guys will find your network’s Achilles heel.”

Criticism unfair and unfounded?

The premise that election security efforts diverted attention and funding away from other federal cyber initiatives – thereby helping the SolarWinds attack go unnoticed as thousands of corporations and government agencies were compromised – was brought up last weekend in a New York Times article that cited comments from unnamed investigators.

Continue reading “SolarWinds hack: Amid Hardened Security, Attackers Seek Softer Targets”

Facial Recognition And Beyond: Journalist Ventures Inside China’s ‘Surveillance State’

source: NPR.org

Security cameras and facial recognition technology are on the rise in China. In 2018, People’s Daily, the media mouthpiece of China’s ruling Communist Party, claimed on English-language Twitter that the country’s facial recognition system was capable of scanning the faces of China’s 1.4 billion citizens in just one second.

German journalist Kai Strittmatter speaks fluent Mandarin and has studied China for more than 30 years. He says it’s not clear whether or not the Chinese government is capable of using facial recognition software in the way it claims. But he adds, on a certain level, the veracity of the claim isn’t important.

“It doesn’t even matter whether it’s true or not, as long as people believe it,” he says. “What the Communist Party is doing with all this high-tech surveillance technology now is they’re trying to internalize control. … Once you believe it’s true, it’s like you don’t even need the policemen at the corner anymore, because you’re becoming your own policeman.”

Strittmatter’s new book, We Have Been Harmonized: Life in China’s Surveillance State, examines the role of surveillance in China’s authoritarian state. He warns that Chinese President Xi Jinping, who came to power in 2012, has embraced an ideological rigidity unknown since the days of Mao Zedong.

Continue reading “Facial Recognition And Beyond: Journalist Ventures Inside China’s ‘Surveillance State’”

How to ‘Disappear’ on Happiness Avenue in Beijing

On a busy Monday afternoon in late October, a line of people in reflective vests stood on Happiness Avenue, in downtown Beijing.

Moving slowly and carefully along the pavement, some crouched, others tilted their heads towards the ground, as curious onlookers snapped photos.

It was a performance staged by the artist Deng Yufeng, who was trying to demonstrate how difficult it was to dodge CCTV cameras in the Chinese capital.

As governments and companies around the world boost their investments in security networks, hundreds of millions more surveillance cameras are expected to be installed in 2021 – and most of them will be in China, according to industry analysts IHS Markit.

By 2018, there were already about 200 million surveillance cameras in China.

And by 2021 this number is expected to reach 560 million, according to the Wall Street Journal, roughly one for every 2.4 citizens.

China says the cameras prevent crime.

And in 2018, the number of victims of intentional homicide per head of population in China was 10 times lower than in the US, according to the UN Office on Drugs and Crime.

But a growing number of Chinese citizens are questioning the effect on their privacy.

They also wonder what would happen if their personal data was compromised.

‘Recruited volunteers’

It is rare for Chinese citizens to stage protests against government surveillance.

And it is not without risk.

But creative types such as Deng are coming up with innovative ways to bring the issue out into the open.

Before the performance, he measured the length and width of Happiness Avenue with a ruler.

He then recorded the brands of the 89 CCTV cameras alongside it and mapped out their distributions and ranges.

Billions Spent on U.S. Defenses Failed to Detect Giant Russian Hack

source: nytimes.com

The broad Russian espionage attack on the U.S. government and private companies, underway since spring and detected only a few weeks ago, is among the greatest intelligence failures of modern times.

WASHINGTON — Over the past few years, the United States government has spent tens of billions of dollars on cyberoffensive abilities, building a giant war room at Fort Meade, Md., for United States Cyber Command, while installing defensive sensors all around the country — a system named Einstein to give it an air of genius — to deter the nation’s enemies from picking its networks clean, again.

It now is clear that the broad Russian espionage attack on the United States government and private companies, underway since spring and detected by the private sector only a few weeks ago, ranks among the greatest intelligence failures of modern times.

Einstein missed it — because the Russian hackers brilliantly designed their attack to avoid setting it off. The National Security Agency and the Department of Homeland Security were looking elsewhere, understandably focused on protecting the 2020 election.

The new American strategy of “defend forward” — essentially, putting American “beacons” into the networks of its adversaries that would warn of oncoming attacks and provide a platform for counterstrikes — provided little to no deterrence for the Russians, who have upped their game significantly since the 1990s, when they launched an attack on the Defense Department called Moonlight Maze.

Something else has not changed, either: an allergy inside the United States government to coming clean on what happened.

Continue reading “Billions Spent on U.S. Defenses Failed to Detect Giant Russian Hack”