
WASHINGTON, United States — Google painted a bleak picture of cybersecurity trends Monday, saying the number of websites hacked rose 32 percent last year, with little relief in sight.

“We don’t expect this trend to slow down. As hackers get more aggressive and more sites become outdated, hackers will continue to capitalize by infecting more sites,” Google said in a post on its webmaster blog.

Google, which inserts security warnings in search results when it detects hacked sites, said most of the site owners it warned were able to clean up their pages, but that 61 percent of hacked site owners were never notified because their sites were not verified in Search Console, the search engine's webmaster tool.

“As always, it’s best to take a preventative approach and secure your site rather than dealing with the aftermath,” the blog said. “Remember a chain is only as strong as its weakest link.”

The news comes amid growing concerns over cybersecurity in the wake of massive hacks affecting Yahoo, the US government and major e-commerce firms.

Google said many website hacks follow similar patterns. Some insert pages of keyword-stuffed “gibberish” into a site, while others generate pages of Japanese text that link to storefronts selling counterfeit brand merchandise.

“Hacking behavior is constantly evolving, and research allows us to stay up to date on and combat the latest trends,” Google said.

Source : http://technology.inquirer.net/60132/hacked-websites-rise-google

Categorized in Internet Privacy

University of Washington researchers have shown that Google’s new machine learning-based system to identify toxic comments in online discussion forums can be bypassed by simply misspelling or adding unnecessary punctuation to abusive words, such as “idiot” or “moron.”

Perspective is a project by Google’s technology incubator Jigsaw, which uses artificial intelligence to combat internet trolls and promote more civil online discussion by automatically detecting online insults, harassment and abusive speech.  The company launched a demonstration website on Feb. 23 that allows anyone to type in a phrase and see its “toxicity score” — a measure of how rude, disrespectful or unreasonable a particular comment is.

In a paper posted Feb. 27 on the e-print repository arXiv, the UW electrical engineers and security researchers demonstrated that the early-stage system can be deceived with common adversarial tactics: a phrase that receives a high toxicity score can be subtly modified so that it still contains the same abusive language but receives a low score.

Given that news platforms such as The New York Times and other media companies are exploring how the system could help curb harassment and abuse in online comment areas or social media, the UW researchers evaluated Perspective in adversarial settings. They showed that the system is vulnerable to both missing incendiary language and falsely blocking non-abusive phrases.

“Machine learning systems are generally designed to yield the best performance in benign settings. But in real-world applications, these systems are susceptible to intelligent subversion or attacks,” said senior author Radha Poovendran, chair of the UW electrical engineering department and director of the Network Security Lab. “We wanted to demonstrate the importance of designing these machine learning tools in adversarial environments. Designing a system with a benign operating environment in mind and deploying it in adversarial environments can have devastating consequences.”

To solicit feedback and invite other researchers to explore the strengths and weaknesses of using machine learning as a tool to improve online discussions, Perspective developers made their experiments, models and data publicly available along with the tool itself.

In examples on the hot-button topics of climate change, Brexit and the recent U.S. election, taken directly from the Perspective API website, the UW team simply misspelled the offending words or inserted extraneous punctuation or spaces into them, which yielded much lower toxicity scores. For example, changing “idiot” to “idiiot” reduced the toxicity score of an otherwise identical comment from 84% to 20%.

graphic showing examples

The researchers also showed the opposite failure: the system does not assign a low toxicity score to a negated version of an abusive phrase, so a comment that denies the insult is flagged as if it had made it.

Examples of negated text

The researchers also observed that the deceptive changes often transfer between phrases: once an intentionally misspelled word was given a low toxicity score in one phrase, it was also given a low score in another. That means an adversary could build a “dictionary” of evasive spellings, one per word, and significantly simplify the attack.

“There are two metrics for evaluating the performance of a filtering system like a spam blocker or toxic speech detector; one is the missed detection rate and the other is the false alarm rate,” said lead author and UW electrical engineering doctoral student Hossein Hosseini. “Of course scoring the semantic toxicity of a phrase is challenging, but deploying defensive mechanisms both in algorithmic and system levels can help the usability of the system in real-world settings.”

The research team suggests several techniques to improve the robustness of toxic speech detectors, including applying a spellchecking filter prior to the detection system, training the machine learning algorithm with adversarial examples and blocking suspicious users for a period of time.
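The misspelling attack on the scores described above and the spellchecking defense just suggested, in one added example. This is not the UW paper's code, and the scorer is a constructed stand-in for Perspective, not Google's model: a tiny lexicon with made-up weights, a greedy perturbation search that builds the reusable word-to-misspelling dictionary the researchers describe, and a normalizer that snaps near-misspellings back onto lexicon words before scoring. Running it shows the behaviours the article reports (the misspelled comment scores low, the normalizer recovers the score, the dictionary transfers to a new phrase, and the toy shares the negation blind spot) and also the cost of the defense: an innocent word within one edit of an insult is now flagged.

```python
"""Cheap adversarial misspellings against a word-based toxicity scorer, plus
the spell-normalizing defense the UW authors propose.

Constructed example: the scorer is a stand-in for Perspective, not Google's
model, and the lexicon weights are invented for the demo."""
import string

TOXIC_LEXICON = {"idiot": 0.84, "moron": 0.80, "stupid": 0.60}  # made-up weights
BASELINE = 0.05                      # score of a comment with no recognised insult
_STRIP_ALL_PUNCT = str.maketrans("", "", string.punctuation)


def score(text, normalize=None):
    """Toxicity = highest lexicon weight among the tokens.
    `normalize` is an optional per-token cleanup applied before lookup,
    standing in for the paper's 'spellchecking filter prior to the detector'."""
    best = BASELINE
    for tok in text.lower().split():
        tok = tok.strip(string.punctuation)          # 'idiot.' still counts
        if normalize is not None:
            tok = normalize(tok)
        best = max(best, TOXIC_LEXICON.get(tok, 0.0))
    return best


def perturbations(word):
    """Candidate edits in the style of the paper: double a letter (idiiot) or
    insert punctuation inside the word (idi.ot), starting from the middle."""
    order = sorted(range(len(word)), key=lambda i: abs(i - len(word) // 2))
    for i in order:
        yield word[:i + 1] + word[i] + word[i + 1:]
        yield word[:i + 1] + "." + word[i + 1:]


def evade(text, threshold=0.5, substitutions=None):
    """Greedy attack: replace each token the scorer flags with the first
    perturbation that scores below `threshold`. The word->edit map is returned
    so it can be reused on other phrases (the researchers' 'dictionary');
    pass it back in to skip the search."""
    substitutions = {} if substitutions is None else substitutions
    out = []
    for tok in text.split():
        key = tok.lower().translate(_STRIP_ALL_PUNCT)
        if TOXIC_LEXICON.get(key, 0.0) > threshold:
            if key not in substitutions:
                for cand in perturbations(key):
                    if score(cand) < threshold:
                        substitutions[key] = cand
                        break
            if key in substitutions:
                tok = tok.lower().replace(key, substitutions[key])
        out.append(tok)
    return " ".join(out), substitutions


def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def spell_normalize(tok):
    """Defense: drop punctuation, then snap any token within edit distance 1 of
    a lexicon word back onto it. This recovers 'idiiot' and 'idi.ot', but it
    also pulls in innocent neighbours such as 'idiom': the missed-detection
    versus false-alarm trade-off Hosseini describes."""
    tok = tok.translate(_STRIP_ALL_PUNCT)
    for word in TOXIC_LEXICON:
        if levenshtein(tok, word) <= 1:
            return word
    return tok


def demo():
    original = "They're stupid and you're an idiot."
    evaded, subs = evade(original)
    transferred, _ = evade("Brexit was decided by an idiot.", substitutions=subs)
    return {
        "original": score(original),                                   # 0.84
        "evaded": score(evaded),                                       # 0.05
        "evaded_with_defense": score(evaded, normalize=spell_normalize),  # 0.84
        "substitutions": subs,
        "transferred": transferred,
        "negation": score("You are not an idiot."),                    # 0.84
        "false_alarm": score("That idiom is wrong.", normalize=spell_normalize),  # 0.84
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The normalizer only snaps onto insult words, which is what makes it adversary-aware and also what creates the false alarm; splitting a word with a space (“idi ot”) defeats this token-level defense entirely, which is one reason the paper pairs the filter with adversarial training and rate-limiting of suspicious users.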

“Our Network Security Lab research is typically focused on the foundations and science of cybersecurity,” said Poovendran, the lead principal investigator of a recently awarded MURI grant, of which adversarial machine learning is a significant component. “But our expanded focus includes developing robust and resilient systems for machine learning and reasoning systems that need to operate in adversarial environments for a wide range of applications.”

Co-authors include UW electrical engineering assistant professors Sreeram Kannan and Baosen Zhang.

The research is funded by the National Science Foundation, the Office of Naval Research and the Army Research Office.

Author : Jennifer Langston

Source : http://www.washington.edu/news/2017/02/28/uw-security-researchers-show-that-googles-ai-platform-for-defeating-internet-trolls-can-be-easily-deceived/


What happens if a bad actor turns off your heat in the middle of winter, then demands $1,000 to turn it back on? Or even holds a small city’s power for ransom? Those kinds of attacks to personal, corporate, and infrastructure technology were among the top concerns for security experts from the SANS Institute, who spoke Wednesday during the RSA conference in San Francisco.

Some of these threats target consumers directly, but even the ones that target corporations could eventually “filter down” to consumers, though the effects might not be felt for some time.

The seven deadly attacks

Here are the seven most dangerous attack vectors, according to SANS, and what, if anything, you can do about them:

1. Ransomware: Ransomware surfaced more than 20 years ago, but it has since evolved into a seriously scary form of malware: crypto-ransomware, which encrypts your files and demands payment to unlock them. It’s an ideal way for bad guys to attack: Ransomware spreads like a virus, locks up your data independently, and forces you to contact the criminals for payment and recovery, according to Ed Skoudis, an instructor at the SANS Institute.

What you can do: Practice “network hygiene”: patch your systems, run antimalware, and set permissions and network-access controls to limit exposure, since once a PC is infected you don’t want the infection spreading to other PCs on the network. Remember that ransomware operations are run by actual people, with whom you can negotiate: “Your best bet is to appear small and poor,” Skoudis said, to try to reduce the amount you’ll pay.

2. The Internet of Things. The next stage in the evolution of consumer products is connectedness: everything from baby cameras to toothbrushes is using wireless protocols to connect to each other and the internet. That, in turn, has left them vulnerable to hacks. Worse still, IoT devices are now attack platforms, as the Mirai botnet demonstrated.

What you can do: Change the default passwords. If your smart-home gadget doesn’t allow it, either return it or wait (or petition the manufacturer) for firmware that allows a custom password. You can also take further steps to insulate connected devices by disabling remote access, using a separate dedicated home LAN for IoT devices, as well as a dedicated cloud account for controlling them, Skoudis said.

3. The intersection of ransomware and IoT. Last year, an Austrian hotel was hacked, disrupting its keycard system. Such attacks could eventually migrate to your home, holding your smart thermostat hostage (and set at 40 degrees, say) until you pay up.

What you can do: Right now, this sort of attack is more theoretical than anything else. But it’s something to think about as you start building out your home: How much automation is too much? “You have to ask yourself, what is the right balance between man and machine?” said Michael Assante, director of industrials and infrastructure for SANS.

A summary of the 2015 attack on Ukraine’s power grid, as provided by the SANS Institute.

4. Attacks against the industrial Internet of Things. In December 2015 and again in December 2016, unknown hackers cut power to parts of Ukraine’s grid, turning the utilities’ own remotely operated, automated distribution systems against them. Fortunately, operators were able to restore power within hours by switching the breakers manually. But there’s no guarantee that will always be the case—and what happens if Pacific Gas & Electric or Con Edison’s infrastructure is hacked?

What you can do: As consumers, not much. Infrastructure organizations are going to have to decide whether to operate with intelligent systems, or shut them down. Scaling up with increased automation can help lower your power costs—but the penalty may be increased vulnerability to outside attacks, Assante warned.


5. Weak random number generators. Unpredictable random numbers are the foundation of encryption keys, Wi-Fi security and a broad range of security protocols, according to Johannes Ullrich, director of the SANS Internet Storm Center. But many “random” number generators are not truly random: they run a predictable algorithm, or are seeded with too little entropy (a common problem on small devices that generate their keys at first boot), which makes the keys derived from them far easier to recover. That gives an edge to criminals, who can exploit the weakness to unlock “secure” encrypted connections.

What you can do: This is a problem for device manufacturers to solve. Just keep in mind that a connection labelled “secure” may rest on a weaker key than you think.
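The weakness Ullrich describes is easiest to see with a non-cryptographic generator. The following added example (not from the SANS talk or the article) uses Python's standard random module, a Mersenne Twister (MT19937), whose entire state is exposed by 624 consecutive 32-bit outputs: an observer who sees them can predict every later value. A key derived from such a generator is only as secret as the outputs an attacker can observe; a CSPRNG such as the secrets module does not have this property. The function names and the seed are the example's own.

```python
"""Predicting a non-cryptographic PRNG from its output.
Added example: Python's random module is MT19937 (Mersenne Twister). Any 624
consecutive 32-bit outputs reveal the whole internal state, so whoever sees
them can reproduce every later output. The secrets module / os.urandom does
not have this property; keys must never come from random."""
import random

N = 624  # MT19937 state size in 32-bit words


def _undo_right_xor(y, shift):
    # Invert y = x ^ (x >> shift). The top `shift` bits of y already equal
    # those of x; each pass recovers the next `shift` bits below them.
    x = y
    for _ in range(32 // shift + 1):
        x = y ^ (x >> shift)
    return x


def _undo_left_xor(y, shift, mask):
    # Invert y = x ^ ((x << shift) & mask), working upward from the low bits.
    x = y
    for _ in range(32 // shift + 1):
        x = y ^ ((x << shift) & mask)
    return x & 0xFFFFFFFF


def temper(x):
    """MT19937 output tempering (what getrandbits(32) applies to a state word)."""
    x ^= x >> 11
    x ^= (x << 7) & 0x9D2C5680
    x ^= (x << 15) & 0xEFC60000
    x ^= x >> 18
    return x & 0xFFFFFFFF


def untemper(y):
    """Inverse of temper(): recover the internal state word from one output."""
    y = _undo_right_xor(y, 18)
    y = _undo_left_xor(y, 15, 0xEFC60000)
    y = _undo_left_xor(y, 7, 0x9D2C5680)
    return _undo_right_xor(y, 11)


def clone_from_outputs(outputs):
    """Build a random.Random that continues the sequence `outputs` came from.
    Works for any N consecutive getrandbits(32) values: the recurrence that
    refills the state depends only on the previous N words, so alignment with
    the victim's internal index does not matter."""
    if len(outputs) != N:
        raise ValueError(f"need exactly {N} consecutive 32-bit outputs")
    state = tuple(untemper(v) for v in outputs)
    clone = random.Random()
    # getstate()/setstate() format: (version 3, N words + position index, gauss cache).
    # Index N means "all words consumed": the next call regenerates from these.
    clone.setstate((3, state + (N,), None))
    return clone


def demo(seed=0xC0FFEE, skip=0, count=5):
    """Observer model: `skip` outputs go unseen, N are captured, then the
    clone's predictions are compared with what the victim actually emits."""
    victim = random.Random(seed)
    for _ in range(skip):
        victim.getrandbits(32)
    observed = [victim.getrandbits(32) for _ in range(N)]
    clone = clone_from_outputs(observed)
    predicted = [clone.getrandbits(32) for _ in range(count)]
    actual = [victim.getrandbits(32) for _ in range(count)]
    return predicted, actual


if __name__ == "__main__":
    p, a = demo()
    print("prediction matched victim:", p == a, p[:3])
```

The same idea applies to any generator whose state is small and whose output function is invertible; a device that seeds such a generator from a fixed or low-entropy value at boot is worse still, because the attacker may not even need to observe outputs.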

6. An over-reliance on web services. More and more, apps and software talk to and incorporate third-party services, such as Docker or Azure. But an app that does not properly authenticate the service it connects to (for instance, by validating its TLS certificate) has no assurance that it is talking to the expected entity rather than to an attacker who has stepped in, is stealing data, and is returning false information.

What you can do: Again, this is a problem for developers. But Ullrich warned that mobile apps are becoming increasingly exposed in this way—so even if an app isn’t trying to steal your data, the “service” that it thinks it’s connecting to may be.

7. Injection attacks against NoSQL databases. This is another developer problem, but it could affect data collected about you. For years, SQL injection, in which attacker-supplied input is spliced into a database query and executed as part of it, was one of the scourges of the internet. Now, as developers move away from SQL to NoSQL databases like MongoDB, they’re finding that the same mistake is possible there: query documents assembled from untrusted input can carry query operators rather than plain values, and those databases aren’t as secure as they should be.
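To make the NoSQL point concrete, here is an added example (not from the SANS talk or the article). It models a MongoDB-style login lookup in plain Python: the in-memory matches()/find_one() helpers stand in for a pymongo find_one() call, the user records are constructed, and passwords are compared in the clear purely so the operator effect is visible. The vulnerable handler drops the parsed JSON body into the query filter, so a client can send {"$ne": ""} instead of a password; the hardened handler accepts only strings for credential fields.

```python
"""MongoDB-style operator injection in a login check, and the input type
check that stops it. Added example; the collection and query matcher are an
in-memory stand-in for pymongo's find_one(), and the records are constructed."""
import json
import re

# Constructed user records. Passwords are stored and compared in the clear
# only so the effect of the injected operator is visible; a real service
# would look the user up by name and verify a password hash in code.
USERS = [
    {"username": "alice", "password": "hunter2", "role": "user"},
    {"username": "admin", "password": "s3cr3t!", "role": "admin"},
]


def matches(doc, filt):
    """Subset of MongoDB filter semantics: field equality plus $ne, $gt, $regex."""
    for field, cond in filt.items():
        value = doc.get(field)
        if isinstance(cond, dict):                     # an operator document
            for op, arg in cond.items():
                if op == "$ne":
                    ok = value != arg
                elif op == "$gt":
                    ok = value is not None and value > arg
                elif op == "$regex":
                    ok = isinstance(value, str) and re.search(arg, value) is not None
                else:
                    raise ValueError(f"unsupported operator {op}")
                if not ok:
                    return False
        elif value != cond:
            return False
    return True


def find_one(filt):
    return next((u for u in USERS if matches(u, filt)), None)


def login_vulnerable(body):
    """Vulnerable: the parsed JSON body goes straight into the query filter.
    The client controls the *type* of each value, so {"$ne": ""} in place of
    a password string becomes a query operator, the NoSQL analogue of
    ' OR '1'='1 in a concatenated SQL string."""
    data = json.loads(body)
    return find_one({"username": data["username"], "password": data["password"]})


def login_hardened(body):
    """Hardened: credential fields must be plain strings. Operator documents
    are rejected before they can reach the query layer."""
    data = json.loads(body)
    user, pw = data.get("username"), data.get("password")
    if not (isinstance(user, str) and isinstance(pw, str)):
        raise ValueError("credentials must be strings")
    return find_one({"username": user, "password": pw})


def demo():
    injected = json.dumps({"username": "admin", "password": {"$ne": ""}})
    enumerate_admins = json.dumps({"username": {"$regex": "^adm"}, "password": {"$gt": ""}})
    legit = json.dumps({"username": "admin", "password": "s3cr3t!"})
    wrong = json.dumps({"username": "admin", "password": "guess"})
    results = {
        "vulnerable_injected": login_vulnerable(injected)["role"],           # admin, no password
        "vulnerable_regex": login_vulnerable(enumerate_admins)["username"],  # admin, no username
        "vulnerable_wrong": login_vulnerable(wrong),                         # None
        "hardened_legit": login_hardened(legit)["role"],                     # admin
    }
    try:
        login_hardened(injected)
        results["hardened_injected"] = "accepted"
    except ValueError:
        results["hardened_injected"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

The fix is a type check rather than escaping, because there is no string to escape: the danger is the shape of the value. A schema validator applied to every request body gives the same protection across all handlers.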

Author : Mark Hachman

Source : http://www.pcworld.com/article/3170201/security/what-happens-if-your-thermostat-is-hacked-researchers-name-the-top-7-security-threats.html


Google Chrome users need to be on the lookout for websites trying to trick them into downloading a font update package for their browser, as most chances are that the file is laced with malware.

This infection technique was discovered by Proofpoint researchers, who say that only Chrome users on Windows are targeted, only from specific countries, and only if they navigated to a compromised website using a specific route (referrer), such as search engine results.

Attack replaces HTML tags, destroys web pages

The technique relies on attackers compromising websites and adding their own scripts to the site's source code.

These scripts filter out the incoming traffic and load another malicious script only for Chrome users on Windows.

This second script replaces HTML tags in the page with the string "&#0", which ruins the site's content and displays "�" replacement characters all over the page.

These characters are often encountered on websites and in software when there's a font and character rendering problem. As such, the crooks display a popup telling the user that a specific font wasn't found on their device, and the user will need to download and install a font package update.

To give it legitimacy, the popup is marked with Google Chrome's logo and uses classic button styles, as seen on the official Google Chrome website. A GIF showing the entire infection chain is available below:

EITest infection chain targeting Chrome users

According to Proofpoint, this technique was regularly found on hacked sites, as part of the EITest infection chain. EITest is the nickname given to a malware distribution campaign, similar to pseudo-Darkleech.

The group behind EITest works by compromising a large number of websites, usually WordPress or Joomla, using known vulnerabilities.

They act by stealing small amounts of traffic (users) from these sites and redirecting them to a malicious payload.

The EITest campaign appeared in 2014, and across time, the final payload has varied greatly, hinting that the EITest group is renting out their traffic source to multiple other cyber-criminal operations.

For the vast majority of its lifespan, the EITest group has rented traffic to exploit kit operators, who used Flash, Silverlight, IE, and other vulnerabilities to install malware on the users' devices automatically, without the user ever noticing anything wrong.

Chrome users infected with Fleercivet click-fraud malware

These recent "font wasn't found" attacks on Chrome users are different because they rely on users clicking a download button, something that doesn't guarantee the same high level of successful infections that exploit kits assure.

Proofpoint says that the font update packages that users download via this technique are infected with the Fleercivet click-fraud malware, which works by navigating to preset URLs and clicking on hidden ads behind the user's back, earning crooks money.

This same malware was advertised on underground cybercrime services under the name of Simby in early 2015, and Clicool in late 2015 and in 2016.

Author: Catalin Cimpanu
Source: https://www.bleepingcomputer.com/news/security/chrome-users-targeted-with-malware-via-new-font-wasnt-found-technique


A new phishing technique is fooling internet users into giving hackers access to their Gmail accounts. According to WordPress security plugin creator Wordfence, the way that the attack works is that hackers send emails to the contacts of compromised accounts containing a seemingly innocuous attachment. When the user clicks the attachment, a new tab opens in the browser that looks nearly identical to the Google sign-in page. If the user inputs their log-in information, it goes straight to the attacker.

On Hacker News, a commenter describes an incident that occurred at his school last year in which several employees and students were tricked into handing over their account information to attackers after receiving compromised emails and opening the attachments, thus perpetuating the cycle:

“It’s the most sophisticated attack I’ve seen. The attackers log in to your account immediately once they get the credentials, and they use one of your actual attachments, along with one of your actual subject lines, and send it to people in your contact list. For example, they went into one student’s account, pulled an attachment with an athletic team practice schedule, generated the screenshot, and then paired that with a subject line that was tangentially related, and emailed it to the other members of the athletic team.”

While the idea of having your Gmail account serve as a host for the chain of hacks to continue is frightening enough, the hackers will also have the ability to download and read through all of your private emails, as well as gain access to other information connected to your Google account (or whichever service is hacked).

Here’s what you need to look out for in your address bar to avoid this attack (the screenshots from the original post are not reproduced here). The address in the phishing tab does not begin with https://. It begins with data:text/html, followed by a Google-looking URL, which means the browser is rendering a page embedded in the address itself rather than anything fetched from Google. Hidden behind a long wall of whitespace after that fake URL is the script that draws the login form. You won’t be able to see the script in your address bar without clicking on it and scrolling to the right, but there are several other signs to watch out for that are even more obvious.

For example, when I navigate to Gmail in Chrome, the address bar shows green text and a “Secure” label in front of https://accounts.google.com. That label means the browser has a valid HTTPS connection to the domain shown; it does not by itself mean the site is trustworthy, so check both that the indicator is there and that the host really is accounts.google.com. The phishing page, rendered from a data: URL, shows neither. Not every site is going to be certifiably secure like that, but if you are visiting a Google log-in page specifically and don’t see it, alarms should go off in your head. Google might fix this eventually, but for now, just pay attention and look for green text.

Furthermore, if you don’t have two-factor authentication on your Google account (or any other account which contains sensitive information), treat this as a wake up call and set it up immediately.

Author: Jacob Siegal
Source: https://www.yahoo.com/tech/insidious-gmail-phishing-attack-tricking-even-most-careful-151309071.html


WHETHER IT WAS a billion compromised Yahoo accounts or state-sponsored Russian hackers muscling in on the US election, this past year saw hacks of unprecedented scale and temerity. And if history is any guide, next year should yield more of the same.

It’s hard to know for certain what lies ahead, but some themes began to present themselves toward the end of 2016 that will almost certainly continue well into next year. And the more we can anticipate them, the better we can prepare. Here’s what we think 2017 will hold.

Consumer Drones Get Weaponized

Given how frequently the US has used massive flying robots to kill people, perhaps it’s no surprise that smaller drones are now turning deadly, too—this time in the hands of America’s enemies. In October the New York Times reported that in the first known case, US-allied Kurdish soldiers were killed by a small drone the size of a model airplane, rigged with explosives. As drones become smaller, cheaper, and more powerful, the next year will see that experiment widened into a full-blown tactic for guerrilla warfare and terrorism. What better way to deliver deadly ordnance across enemy lines or into secure zones of cities than with remote-controlled accuracy and off-the-shelf hardware that offers no easy way to trace the perpetrator? The US government is already buying drone-jamming hardware. But as with all IEDs, the arms race between flying consumer-grade bombs and the defenses against them will likely be a violent game of cat-and-mouse.

Another iPhone Encryption Clash

When the FBI earlier this year demanded that Apple write new software to help crack its own device—the iPhone 5c of dead San Bernardino terrorist Rizwan Farook—it fired the first shots in a new chapter of the decades-long war between law enforcement and encryption. And when it backed off that request, saying it had found its own technique to crack the phone, it only delayed any resolution. It’s only a matter of time until the FBI or other cops make another legal demand that an encryption-maker assist in cracking its protections for users, setting the conflict in motion again. In fact, in October the FBI revealed that another ISIS-linked terrorist, the man who stabbed ten people in a Minnesota mall, used an iPhone. Depending on which model it is, that locked device could spark Apple vs. FBI, round two, if the bureau is determined enough to access the terrorist’s data. (It took three months after the San Bernardino attack for the FBI’s conflict with Apple to become public, and that window hasn’t passed in the Minnesota case.) Sooner or later, expect another crypto clash.

Russian Hackers Run Amok

Two months have passed since the Office of the Director of National Intelligence and the Department of Homeland Security stated what most of the private sector cybersecurity world already believed: That the Kremlin hacked the American election, breaching the Democratic National Committee and Democratic Congressional Campaign Committee and spilling their guts to WikiLeaks. Since then, the White House has promised a response to put Russia back in check, but none has surfaced. And with less than a month until the inauguration of Putin’s preferred candidate—one who has buddied up to the Russian government at every opportunity and promised to weaken America’s NATO commitments—any deterrent effect of a retaliation would be temporary at best. In fact, the apparent success of Russia’s efforts—if, as CIA and FBI officials have now both told the Washington Post, Trump’s election was the hackers’ goal—will only embolden Russia’s digital intruders to try new targets and techniques. Expect them to replicate their influence operations ahead of elections next year in Germany, the Netherlands, and France, and potentially to even try new tricks like data sabotage or attacks on physical infrastructure.

A Growing Rift Between the President and the Intelligence Community

Though the US intelligence community—including the FBI, NSA, and CIA—has unanimously attributed multiple incidents of political hacking to Russian government-sponsored attackers, President-elect Donald Trump has remained skeptical. Furthermore, he has repeatedly cast doubt on digital forensics as an intelligence discipline, saying things like, “Once they hack, if you don’t catch them in the act you’re not going to catch them. They have no idea if it’s Russia or China or somebody.” Trump has also caused a stir by declining daily intelligence briefings. Beyond just the current situation with Russia, Trump’s casual dismissal of intelligence agency findings is creating an unprecedented dissonance between the Office of the President and the groups that bring it vital information about the world. Current and former members of the intelligence community told WIRED in mid-December that they find Trump’s attitude disturbing and deeply concerning. If the President-elect permanently adopts this posture, it could irrevocably hinder the role of intelligence agencies in government. President Obama, for one, says he is hopeful that the situation is temporary, since Trump has not yet felt the full responsibility of the presidency. “I think there is a sobering process when you walk into the Oval Office,” Obama said recently in a press conference. “There is just a whole different attitude and vibe when you’re not in power as when you are in power.” If Trump does eventually embrace the intelligence community more fully, the next question will be whether it can move on from what has already transpired.

DDoS Attacks Will Crash the Internet Again (And Again, And Again)

This was the year of Internet of Things botnets, in which malware infects inconspicuous devices like routers, DVRs and IP cameras and then coordinates them to overwhelm an online target with a glut of internet traffic, in what’s known as a distributed denial-of-service (DDoS) attack. Botnets have traditionally been built from compromised PCs, but poor IoT security has made embedded devices an appealing next frontier for hackers, who have been building massive IoT botnets. The most well-known example in 2016, called Mirai, was used this fall to attack and temporarily bring down individual websites, but was also turned on internet infrastructure, most notably the DNS provider Dyn in October, causing connectivity interruptions to major sites around the world. DDoS attacks are used by script kiddies and nation states alike, and as long as the pool of unsecured computing devices endlessly grows, a diverse array of attackers will have no disincentive from turning their DDoS cannons on internet infrastructure. And it’s not just internet connectivity itself. Hackers already used a DDoS attack to knock out central heating in some buildings in Finland in November. The versatility of DDoS attacks is precisely what makes them so dangerous. In 2017, they’ll be more prevalent than ever.

Ransomware Expands Its Targets

Ransomware attacks have become a billion-dollar business for cybercriminals and are on the rise for individuals and institutions alike. Attackers already use ransomware to extort money from hospitals and corporations that need to regain control of their systems quickly, and the more success attackers have, the more they are willing to invest in development of new techniques. A recent ransomware version called Popcorn Time, for example, was experimenting with offering victims an alternative to paying up—if they could successfully infect two other devices with the ransomware. And more innovation, plus more disruption, will come in 2017. Ransomware attacks on financial firms have already been rising, and attackers may be emboldened to take on large banks and central financial institutions. And IoT ransomware could crop up in 2017, too. It may not make sense for a surveillance camera, which might not even have an interface for users to pay the ransom, but could be effective for devices that sync with smartphones or tie in to a corporate network. Attackers could also demand money in exchange for ceasing an IoT botnet-driven DDoS attack. In other words, ransomware attacks are going to get bigger in every possible sense of the word.

Author: WIRED STAFF
Source: https://www.wired.com/2017/01/biggest-security-threats-coming-2017

Why hack Android devices one at a time when you can infect local Wi-Fi access points with an Android Trojan and use DNS hijacking to hack every device connected to that network?

Researchers at Kaspersky Lab reported their encounter with a new type of Android malware, which they call "Trojan.AndroidOS.Switcher" and which is doing almost exactly that: Once it wakes up and determines it's on a targeted wireless network, the malware runs a brute force attack on the local Wi-Fi router password. If successful, the malware resets the default domain name system (DNS) servers to its own servers. From there, almost any kind of attack is possible on other devices or systems connected to that network.

"Instead of attacking a user, it attacks the Wi-Fi network the user is connected to, or, to be precise, the wireless router that serves the network," wrote Nikita Buchka, mobile malware analyst at Kaspersky, in a blog post. The new Android Trojan gains access to the router by a brute-force password-guessing attack on the router's admin web interface. "If the attack succeeds, the malware changes the addresses of the DNS servers in the router's settings, thereby rerouting all DNS queries from devices in the attacked Wi-Fi network to the servers of the cybercriminals -- such an attack is also known as DNS hijacking."

Because devices on the network usually take their DNS server addresses from the router via DHCP, this Android Trojan can force every device connected through the router to resolve names through rogue DNS servers under the attacker's control. The result, Buchka wrote, is that "after gaining access to a router's DNS settings, one can control almost all the traffic in the network served by this router."

If successfully installed on a router, Buchka wrote, the Switcher malware can expose users to "a wide range of attacks" such as phishing schemes. "The main danger of such tampering with routers' [settings] is that the new settings will survive even a reboot of the router, and it is very difficult to find out that the DNS has been hijacked," he wrote. "Even if the rogue DNS servers are disabled for some time, the secondary DNS, which was set to 8.8.8.8, will be used, so users and/or IT will not be alerted."

By setting the secondary DNS server to Google's DNS service, located at IP address 8.8.8.8, the attackers ensure that even if their own malicious DNS server is unavailable, users won't experience any outage.

Once in place on a user's Android device, Switcher reads the local wireless network's basic service set identifier (BSSID, the MAC address of the access point) and reports it to the Trojan's command-and-control server before going to work on the router. It also tries to identify which internet service provider is in use, so that it can pick one of three rogue DNS servers to configure, and then runs the brute-force attack against the credentials of the router's web administration interface.

The Kaspersky researchers reported two versions of the Android Trojan: One masquerading as a mobile client for the Chinese search engine Baidu, and the other a fake version of another popular Chinese app used to share Wi-Fi access information. Based on its analysis of input field names hardcoded in the malware, as well as the structure of HTML files the Android Trojan attempts to access, Kaspersky judged that Switcher affects only TP-LINK Wi-Fi routers.

The actor responsible for Switcher piggybacked its command and control system on top of a website it set up to promote its fake Wi-Fi access app; according to Kaspersky, the site also includes an infection counter for Switcher. Kaspersky reported that 1,280 Wi-Fi networks had been successfully infiltrated. Kaspersky recommended users check their DNS configurations to see if any of the rogue DNS servers (101.200.147.153, 112.33.13.11 and 120.76.249.59) have been configured. If a network has been infected, the attack can be mitigated by resetting the DNS server configuration and resetting the default router administration password; the attack can also be prevented by changing the default user ID and password for administering vulnerable routers.
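Kaspersky's advice to check DNS settings can be scripted. The following added example (not Kaspersky's code) parses a resolver list in /etc/resolv.conf format, flags the three rogue servers published for Switcher, and also flags the pattern described above: an unexpected public primary resolver paired with Google's 8.8.8.8 as a silent fallback. The resolv.conf text and the gateway address 192.168.0.1 are constructed for the demo; on a real network you would run it against the DNS servers your device received via DHCP or the router's own settings page.

```python
"""Check a client's resolver list for the Switcher DNS hijack.
Added example; the resolv.conf text and gateway address are constructed."""
import ipaddress

# The three rogue resolvers Kaspersky published for Switcher.
SWITCHER_ROGUE_DNS = {"101.200.147.153", "112.33.13.11", "120.76.249.59"}
# Google Public DNS, which Switcher sets as the secondary so outages go unnoticed.
PUBLIC_FALLBACKS = {"8.8.8.8", "8.8.4.4"}

# Constructed sample of what a client on a hijacked router might receive via DHCP.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager (constructed sample)
search lan
nameserver 101.200.147.153
nameserver 8.8.8.8
"""


def parse_nameservers(text):
    """Return the nameserver IPs from resolv.conf-style text, in order."""
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments
        parts = line.split()
        if len(parts) == 2 and parts[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                pass                               # ignore malformed entries
    return servers


def assess(servers, gateway="192.168.0.1"):
    """Return findings. A home LAN normally resolves through the router itself
    (the DHCP default) or a resolver the owner chose deliberately."""
    if not servers:
        return ["no nameservers configured"]
    findings = [f"{s}: known Switcher rogue DNS server"
                for s in servers if s in SWITCHER_ROGUE_DNS]
    primary = servers[0]
    if (primary != gateway
            and not ipaddress.ip_address(primary).is_private
            and len(servers) > 1 and servers[1] in PUBLIC_FALLBACKS):
        findings.append(f"{primary}: unexpected public primary resolver with "
                        f"{servers[1]} as silent fallback; verify who set it")
    return findings


if __name__ == "__main__":
    for finding in assess(parse_nameservers(SAMPLE_RESOLV_CONF)):
        print(finding)
```

The second heuristic deliberately errs toward false alarms: a deliberately chosen public primary such as 1.1.1.1 paired with 8.8.8.8 will also be flagged for verification, which is the right trade-off when the alternative is a silently hijacked resolver.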

 

Author: Peter Loshin
Source: http://searchsecurity.techtarget.com/news/450410127/Switcher-Android-Trojan-targets-routers-with-rogue-DNS-servers

Last week I speculated that the current horrible state of internet security may well be as good as we're ever going to get. I focused on the technical and historical reasons why I believe that to be true. Today, I'll tell you why I'm convinced that, even if we were able to solve the technical issues, we'll still end up running in place.

Global agreement is tough

Have you ever gotten total agreement on a single issue with your immediate family? If so, then your family is nothing like mine. Heck, I have a hard time getting my wife to agree with 50 percent of what I say. At best I get eye rolls from my kids. Let's just say I'm not cut out to be a career politician.

Now think about trying to get the entire world to agree on how to fix internet security, particularly when most of the internet was created and deployed before it went global.

Over the last two decades, just about every major update to the internet we've proposed to the world has been shot down. We get small fixes, but nothing big. We've seen moderate, incremental improvement in a few places, such as better authentication or digital certificate revocation, but even that requires leadership by a giant like Google or Microsoft. Those updates only apply to those who choose to participate -- and they still take years to implement.

Most of the internet's underlying protocols and participants are completely voluntary. That's its beauty and its curse. These protocols have become so widely popular, they're de facto standards. Think about using the Internet without DNS. Can you imagine having to remember specific IP addresses to go online shopping?

A handful of international bodies review and approve the major protocols and rules that allow the internet to function as it does today (here's a great summary article on who "runs" the internet). To that list you should add vendors who make the software and devices that run on and connect to the Internet; vendor consortiums, such as the FIDO Alliance; and many other groups that exert influence and control.

That diversity makes any global agreement to improve Internet security almost impossible. Instead, changes tend to happen through majority rule that drags the rest of the world along. So in one sense, we can get things done even when everyone doesn't agree. Unfortunately, that doesn't solve an even bigger problem.

Governments don't want the internet to be more secure

If there is one thing all governments agree on, it's that they want the ability to bypass people's privacy whenever and wherever the need arises. Even with laws in place to limit privacy breaches, governments routinely and without fear of punishment violate protective statutes.

To really improve internet security, we'd have to make every communication stream encrypted and signed by default. But they would be invisible to governments, too. That's just not going to happen. Governments want to continue to have unfettered access to your private communications.

Democratic governments are supposedly run by the people for the people. But even in countries where that's the rule of law, it isn't true. All governments invade privacy in the name of protection. That genie will never be put back in the bottle. The people lost. We need to get over it.

The only way it might happen

I've said it before and I'll say it again: The only way I can imagine internet security improving dramatically is if a global tipping-point disaster occurs -- and allows us to obtain shared, broad agreement. Citizen outrage and agreement would have to be so strong, it would override the objections of government. Nothing else is likely to work.

I've been waiting for this all to happen for nearly three decades, the most recent marked by unimaginably huge data breaches. I'm not getting my hopes up any time soon.

Author : Roger A. Grimes

Source : http://www.infoworld.com/article/3152818/security/the-real-reason-we-cant-secure-the-internet.html

Categorized in Internet Privacy

Presents under the tree or in the stocking, like health devices, smart watches and virtual reality kits, all have huge potential for marketers but could also pose problems

The Chartered Institute of Marketing (CIM) is warning marketers to fully consider the ‘naughty’ and ‘nice’ aspects of the multitude of smart devices that are set to be given as presents this Christmas.

This year’s Black Friday sales indicated that there will be a lot of smart devices making their way down chimneys this Christmas, promising new ways to connect with customers, opening up interesting fresh lines of communication and engagement.

However, the CIM is warning that although new technologies offer exciting new prospects, putting them to use won’t be without its pitfalls. Three key technologies will step into the mainstream this Christmas: health apps and devices, smart watches and Virtual Reality (VR).

These have the potential to be both ‘naughty’ and ‘nice’ for marketers, as the CIM explains:

1) Health apps and devices – fitness trackers are hitting the mainstream, with more brands competing to offer a way to track your exercise, diet and more.

Naughty: Brands need to be careful because health apps and devices grant them access to data of a personal nature.

This is potentially incredibly sensitive and every step must be taken to ensure it does not fall into the wrong hands and that data is secured appropriately.


It seems not a day goes by without a data breach being reported in the press, and with research showing 57% of consumers do not trust organisations to use their data responsibly, marketers need to ensure they are handling data in a sensible, secure manner.

Nice: However, these can provide a great opportunity for brands, and their partners, to offer incentives or rewards, such as discounts, based on health targets being met.

Some insurers are already using health trackers to encourage people to lower risk by exercising more in exchange for lower premiums and lifestyle rewards.

There is also potential to personalise the customer experience using this type of data, for example using geo-location to target regional consumers.

2) Smart watches – research has shown that more than half of smart watch owners use them every day, so clearly there’s potential for a regular flow of data and interactivity points from them.

Naughty: Just as with the move from desktop to mobile, marketers need to take the time to understand the best way to interact with customers through their watch – you cannot just take your mobile offering and assume it will work on a smart watch.

Smart watches allow consumers to activate and control them with their voice, useful when the screen fits on your wrist.

This is why it will be vital for brands to take a ‘watch-first’ approach to areas such as app development and watch-friendly marketing if they are to succeed.

Nice: Gone are the days when watches were used merely for telling the time.

Now they are starting to take on many functionalities of smart phones, making them increasingly practical for use on the go.

Reaching smart watch users can provide a way to engage consumers outside of their phones, and offers a novel way to reach them.


3) Virtual reality – between cardboard offerings and Oculus’s full virtual reality platform, mid-range virtual reality sets are finally here, making them a realistic option for Christmas.

Naughty: Just because the technology is available, it doesn’t mean marketers should rush to implement it without fully considering how it can be used.

VR is an expensive technology to use and so marketers need to establish how valuable it is for their brand and whether using it will add value to the bottom line.

Essentially, is virtual reality an appropriate way to engage your customers, or are you just jumping on the bandwagon?

Nice: The immersive experience of VR offers a great opportunity for marketers to interact with their customers, allowing them to experience the brand in a unique way.

For example, John Lewis has tied its Christmas advert to a VR experience in-store, allowing consumers to be part of the advert and building the relationship with the brand.

Maria Heckel, marketing director, The Chartered Institute of Marketing, commented that “It’s exciting to see technology continue to provide new opportunities for marketers to engage with consumers”.

“If people are viewing data as ‘the new oil’, smart devices are wells they can use to pull it from the ground. However, just as drilling for oil carries great risk, these new data sources must also be treated with caution and handled in the right way to ensure accidents don’t happen.”

“It’s vital for marketers to ensure that they have fully considered the use of this tech, including the potential positives and negatives, before launching into a full roll-out.”

Author: Nick Ismail

Source: http://www.information-age.com/privacy-digital-age-123463728

Categorized in Internet Privacy

Ian Kilpatrick, chairman of security specialist Wick Hill Group and EVP cyber security for Nuvias Group, looks at the rapidly changing security scenario faced by companies in 2017

1. Security reaches the boardroom

In 2017, security breaches will be a regular occurrence.

Organisations will continue to struggle to deal with them, causing board-level executives to pay more attention to security, as the financial and reputational consequences become more apparent – the average cost of a serious data breach to a company is now $3.5 million.

The fact is that many company boards have abdicated their responsibility regarding IT security for a long time, and are only now overtly recognising that breaches are a business risk, the same as a foreign exchange risk or a fire risk, and they need to understand it and manage it.

Business leaders will increasingly demand clarity around the security risks that their organisations are exposed to, and how secure they are in response to those risks, particularly around issues like PCI compliance. Alongside this, they will require ongoing monitoring and board level reporting.

As such, IT professionals will need to deliver a clear-cut definition of proper measures to tackle the risks.

2. Tackling existing threats and employee behaviour

Most vulnerabilities will continue to either be known vulnerabilities or down to employee behaviour, and organisations shouldn’t be distracted by the big cyber-attack headlines in the press, or knee-jerk responses and marketing hype from security vendors.

Organisations need to address their vulnerability management in a structured fashion so they are progressively working their way through managing their own vulnerabilities, rather than getting distracted by the latest data breach that’s making the news.

Keeping a core focus on the key elements of security, while still responding to upcoming threats, isn’t easy, but CISOs need the strength to push back to the board to say, “We need to deal with this first.”

3. More cloud breaches

There will be continued growth in cloud breaches. It’s an attack vector that contains significant vulnerabilities around identity management and mobility or off-site access.

Consequently, cloud access security broking will experience significant growth and there will be more interest in Identity-as-a-Service (IDaaS).

Indeed, Gartner predicts that 40 percent of identity and access management (IAM) purchases (see point 4 below) will use the IDaaS delivery model by 2020, up from just 20 percent in 2016.

4. Identity access management comes of age

Across all areas, identity access management will at last move into where it should have been ten years ago, and experience strong growth.

Organisations are starting to recognise that simple passwords have always been insecure, but in this new world they are now totally insecure, particularly with user passwords being harvested in the hundreds of millions from social media sites.

Identity access management involves a range of solutions based on multi-factor authentication, linking between physical access and logical access, e.g. card systems, tokens, mobile phone biometrics, etc.

While biometrics can appear to be a panacea, bear in mind that your biometric is a core unique identifier, and if the underlying database is breached, that identifier is useless from that point on.

5. Total security still not achievable

Companies will realise total security is not achievable, and that they will be breached. The consequence of that is that they will increasingly move to secure key assets rather than try to protect everything.

They will increasingly invest in technology such as data leakage protection and encryption, as they look to protect their security perimeter against attack, from both inside and outside the organisation.

6. IoT insecurity

The Internet of Things (IoT) will continue to show the stupidity of rolling out applications prior to considering security.

The challenge for organisations will be dealing with the security threat of IoT technology getting into the organisation – probably through shadow IT implementation – which is a nightmare scenario for CISOs.

IoT will also drive growth in DDoS solutions, particularly following the recent high profile attacks on Twitter, Spotify and Reddit using ‘smart’ home devices.

7. Growth in user training

One much overlooked area is user training, testing and awareness, but one that continues to experience strong growth, as organisations realise that insecure behaviour at home leads to insecure behaviour in work-mode.

More than 60% of all network intrusions stem from compromised user credentials, so education, awareness training and user testing will increase as companies realise employee behaviour is a key vulnerability – but it can be resolved by teaching and managing employees’ awareness skills and competence.

Measurements show that, for most organisations, initial testing of employee skills demonstrates average failure rates of 20%, which slowly decline over time – but worryingly rarely reach zero!

8. Mobility and wireless worries

Mobility security will continue to represent an ever-increasing challenge to organisations both with device management and user interaction – as will the use of wireless networks.

A large majority of mobile device users will connect to Wi-Fi networks without considering the risks that involves and the credentials they are exposing. Inside organisations, first generation wireless deployments are, in many cases, particularly insecure.

There is an increasing focus on providing high capacity and high performance networks but that carries with it not only the need to do it securely, but also to offer the right user credentials, particularly in distributed organisations where there have been many high-profile breaches.

9. GDPR preparation

In 2017, General Data Protection Regulation (GDPR) will drive a lot of changes within organisations in preparation for the May 2018 deadline, as the consequences of not meeting the deadline sink in.

If an organisation fails to protect their data, they will be liable to a fine that represents a percentage of their turnover.

Bear in mind there are organisations only making two or three percent profit as a percentage of their turnover, so that’s going to hurt – and possibly cause a collapse of share prices. Companies need to start thinking about how to mitigate that risk.

10. Implementing best practice

There will be more press coverage of stolen data in 2017, which for many organisations, will expose unresolved issues around passwords, content, and payment card vulnerabilities.

In most cases, companies are unaware when they’ve been breached. Just because you think you’re safe, doesn’t mean you are; if nothing appears to have happened, it doesn’t mean it didn’t happen or isn’t still happening.

Shockingly, the average length of time an attacker stays inside a network before detection is more than 140 days – that’s if the attacker doesn’t just copy the data and disappear.

As a result, you may not find out you were breached for a long time. Some recently discovered breaches date back over four years.

Organisations need to look at encrypting their data, changing login credentials, removing user privilege, etc., on a regular basis.

At worst, you will have spent the time implementing best practice, and at best you’ve stopped potential attackers using your own data against you.

If you’re waiting for a breach before implementing these safeguards, you might want to think about the financial and reputational consequences compared to the cost of fixing it before it happens.

Author : Nick Ismail

Source : http://www.information-age.com/top-10-security-predictions-2017-123463621/

Categorized in Internet Privacy

Association of Internet Research Specialists is the world's leading community for the Internet Research Specialist and provide a Unified Platform that delivers, Education, Training and Certification for Online Research.
