What you cannot see you cannot secure: Shining a light on cybersecurity threats in a work-from-home environment

source: securitymagazine.com

A quick “work from home new normal” search on Google will return results somewhere in the ballpark of 2 billion. On the other hand, searches for “cybersecurity risks work from home” return far fewer—around 32 million. While that may seem like a lot of coverage on any scale, it reflects the chasm between what we focus on and what we understand about this new environment as we begin 2021.

By now, most companies recognize there is no turning back the hands of time to the way it was before the pandemic. The digital transformation is not just upon us but part of life moving forward. That’s likely to mean digital or hybrid workforces, digital currency and digital content, all of which can be hacked, causing significant damage to enterprises and employees alike. And while cybersecurity has been a concern ever since the Internet became a staple of life, the difference now is that instead of organizations considering a strong culture of cybersecurity “nice to have,” it is a necessity—regardless of where workers are located.


Google Warning: North Korean Hackers Breach Windows And Chrome Defenses To Attack Security Researchers

source: forbes.com

North Korean hackers have been masquerading as cybersecurity bloggers in order to target researchers in the field, according to Google. They’re doing so by exploiting mysterious weaknesses in computers running the most up-to-date versions of Microsoft Windows and Google Chrome, the tech giant warned Monday.

Adam Weidemann, a researcher at Google’s Threat Analysis Group, said the attacks have been ongoing over the last three months. The hackers set up fake Twitter accounts to show off security research and link to a blog. One of the accounts—@br0vvnn—claimed to be the founder of @BrownSec3Labs and looked to be posting innocuous research as well as promoting others’ work, including Google’s own researcher Ben Hawkes. Earlier this month, another Google researcher, Thomas Shadwell, was sent a Twitter direct message by one of the hackers’ personas, Zhang Guo, though it’s unclear what they wanted. While the blog did contain some legitimate research (as well as faked material), it also hosted an exploit that would install a backdoor on the victim’s PC. Only Windows PCs have been attacked thus far.


How Email Attacks are Evolving in 2021

source: threatpost.com


The money being wire transferred by business email compromise victims is on the rise, as cybersecurity criminals evolve their tactics.

Hundreds of thousands of dollars lost. Financial and emotional ruin. And in some cases, suicide. These are some of the outcomes business email compromise (BEC) attacks have on victims, said Ronnie Tokazowski, senior threat researcher with Agari.

These types of attacks don’t garner the same attention as high-profile hacks, he said. Why? Because BEC attacks are simple – yet potent. Instead of having to develop malware or complex attack chains, all attackers need to do is send an email – usually mimicking a coworker’s email account or using a compromised account – and con victims into wiring money, for example. But the fallout from these types of attacks is devastating.


There Are Spying Eyes Everywhere—and Now They Share a Brain

source: wired.com

Security cameras. License plate readers. Smartphone trackers. Drones. We’re being watched 24/7. What happens when all those data streams fuse into one?

ONE AFTERNOON IN the fall of 2019, in a grand old office building near the Arc de Triomphe, I was buzzed through an unmarked door into a showroom for the future of surveillance. The space on the other side was dark and sleek, with a look somewhere between an Apple Store and a doomsday bunker. Along one wall, a grid of electronic devices glinted in the moody downlighting—automated license plate readers, Wi-Fi-enabled locks, boxy data processing units. I was here to meet Giovanni Gaccione, who runs the public safety division of a security technology company called Genetec. Headquartered in Montreal, the firm operates four of these “Experience Centers” around the world, where it peddles intelligence products to government officials. Genetec’s main sell here was software, and Gaccione had agreed to show me how it worked.


New Matryosh Botnet Targeting Android Devices

Netlab, the networking security division of Chinese security firm Qihoo 360, said it had discovered a new fledgling malware operation that is currently infecting Android devices for the purpose of assembling a DDoS botnet, according to a ZDNet report.

The botnet, Matryosh, is going after Android devices that have left their ADB debug interface exposed on the internet. Netlab says Matryosh is an ADB-targeting botnet that uses the Tor network to hide its command and control servers. The encryption algorithm implemented in this botnet and the process of obtaining C2 are nested in layers, “like Russian nesting dolls,” which is why Netlab named it Matryosh.

Commenting on the news, Burak Agca, Engineer at Lookout, a San Francisco, Calif.-based provider of mobile security solutions, says, “The key feature of this attack is the exploitation of ADB, a long standing Android feature that’s meant to provide developers a simple method to communicate with, and remotely control devices. ADB allows anyone to connect to a device, install apps and execute commands, without authentication.

In a Topsy-Turvy Pandemic World, China Offers Its Version of Freedom

source: nytimes.com

Surveillance and censorship bolster Beijing’s uncompromising grip on power. But in the country’s cities and streets, people have resumed normal lives.

 

Duncan Clark’s flight was rolling down the runway in Paris in late October when President Emmanuel Macron announced a second national lockdown in France. The country had nearly 50,000 new Covid-19 infections that day. The United States had almost 100,000.

He sighed with relief. He was headed to China. That day, it had reported 25 new infections, all but one originating abroad.

Mr. Clark, a businessman and an author, returned to China after spending nine months in the United States and France, his longest time away from the country since he moved to Beijing in 1994. He had been spending more time outside China over the past few years to get away from air pollution, censored internet and an increasingly depressing political environment.

But when he returned in October, he felt something new: safe, energized and free.

“The ability to just live a normal life is pretty amazing,” he said.


No More Needles for Diagnostic Tests? Engineers Develop Nearly Pain-Free Microneedle Patch

source: scitechdaily.com

Nearly pain-free microneedle patch can test for antibodies and more in the fluid between cells.

Blood draws are no fun.

They hurt. Veins can burst, or even roll — like they’re trying to avoid the needle, too.

Oftentimes, doctors use blood samples to check for biomarkers of disease: antibodies that signal a viral or bacterial infection, such as SARS-CoV-2, the virus responsible for COVID-19, or cytokines indicative of inflammation seen in conditions such as rheumatoid arthritis and sepsis.

These biomarkers aren’t just in blood, though. They can also be found in the dense liquid medium that surrounds our cells, but in a low abundance that makes it difficult to be detected.

Until now.

Engineers at the McKelvey School of Engineering at Washington University in St. Louis have developed a microneedle patch that can be applied to the skin, capture a biomarker of interest and, thanks to its unprecedented sensitivity, allow clinicians to detect its presence.

The technology is low cost, easy for clinicians or patients themselves to use, and could eliminate the need for a trip to the hospital just for a blood draw.


SpaceX Will Launch Billionaire Jared Isaacman on a Private Spaceflight This Year

Isaacman chartered a Crew Dragon flight and is donating the other three seats.

source: space.com

SpaceX continues to blaze new paths to the final frontier.

Billionaire tech entrepreneur Jared Isaacman has chartered a trip to Earth orbit with Elon Musk’s company, which last year became the first private outfit to fly astronauts to the International Space Station.

The 37-year-old Isaacman, who’s also an accomplished pilot, will command the four-person “Inspiration4” mission aboard a SpaceX Crew Dragon capsule, he and SpaceX announced today (Feb. 1). There will be no professional astronauts aboard; Isaacman is donating the other three seats.

“It will be the first-ever all-private crewed orbital mission in history,” Musk said during a teleconference with reporters today (Feb. 1).

SpaceX will use the Crew Dragon spacecraft “Resilience” for Inspiration4, Musk added. Resilience is currently docked at the International Space Station on the Crew-1 mission, SpaceX’s first contracted crewed flight to the orbiting lab for NASA.

 

US State Department issues guidance on implementing UN Guiding Principles for transactions linked to foreign government end-users for surveillance technology

source: business-humanrights.org

 

 

“U.S. Department of State Guidance on Implementing the ‘UN Guiding Principles’ for Transactions Linked to Foreign Government End-Users for Products or Services with Surveillance Capabilities”, 30 September 2020

The U.S. Department of State is committed to the promotion and protection of human rights. In that spirit, U.S. businesses should carefully review this voluntary guidance and consider whether to participate in, or continue to participate in, transactions if they identify a risk that the end-user will likely misuse the product or service to carry out human rights violations or abuses. The responsibility of U.S. businesses to respect human rights does not depend on the size, sector, operational context, ownership, or structure of the business…

U.S. businesses are encouraged to integrate human rights due diligence into compliance programs, including export compliance programs…

Review the capabilities of the product or service in question to determine potential for misuse to commit human rights violations or abuses by foreign government end-users or private end-users that have close relationships with a foreign government…

Review the human rights record of the foreign government agency end-user of the country intended to receive the product or service…

Review, including through in-house or outside counsel, whether the foreign government end-user’s laws, regulations, and policies that implicate products and services with surveillance capabilities are consistent with the UDHR…

 

A Look Into the Pricing of Stolen Identities For Sale on Dark Web

source: securitymagazine.com

 

After a data breach, much of that stolen personal and sometimes highly personally identifiable information (PII) is sold on markets residing within the dark web. But how does the sale of stolen information work, exactly, and how much money are criminals making from stolen data?

Comparitech researchers analyzed listings across 40+ dark web marketplaces, gathering data on how much stolen identities, credit cards and hacked PayPal accounts are worth to cybercriminals.

Here are some key findings:

  1. Americans have the cheapest “fullz” (full credentials e.g. SSN, name, DOB etc), averaging $8 per record. Japan and the UAE have the most expensive identities at an average of $25. Not all fullz are the same. While SSN, name, and DOB are all fairly standard in fullz, other information can be included or excluded and thereby change the price. Fullz that come with a driver’s license number, bank account statement, or utility bill will be worth more than those without, for example. Some fullz even include photos or scans of identification cards, such as a passport or driver’s license.
  2. Prices for stolen credit cards range widely from $0.11 to $986. Hacked PayPal accounts range from $5 to $1,767.
  3. The median credit limit on a stolen credit card is 24 times the price of the card.
  4. The median account balance of a hacked PayPal account is 32 times the price on the dark web.

Credit cards, PayPal accounts, and fullz are the most popular types of stolen information traded on the dark web, but they’re far from the only data worth stealing, says Comparitech. Other types of stolen information usually for sale are: passports, driver’s licenses, frequent flyer miles, streaming accounts, dating profiles, social media accounts, bank accounts, and debit cards.

This data – most often stolen through phishing, credential stuffing, data breaches, and card skimmers – is bought and sold on dark web marketplaces. Here are a few tips for avoiding those attacks, from Comparitech researchers:

  • There’s not much an end user can do about data breaches except to register fewer accounts and minimize your digital footprint.
  • Keep an eye out for card skimmers at points of sale, particularly unmanned ones such as those at gas stations.
  • Learn how to spot and avoid phishing emails and other messages.
  • Credential stuffing can be avoided by using strong, unique passwords on all of your accounts.

For the full blog, please visit https://www.comparitech.com/blog/vpn-privacy/dark-web-prices/