Wireless Security

July 10, 2018 By PC Portal

Security newsround: July 2018

We round up reporting and research from across the web about the latest security news and developments. This month: stress test for infosec leaders, cybercrime by the numbers, financial fine for enabling cyber fraud, third party risk leads to Ticketmaster breach, Privacy Shield in jeopardy, and a win for Wi-Fi as security improves.

Under pressure: stress levels rise for security professionals

Tense, nervous headache? You might be working in information security. A global survey of 1,600 infosec leaders has found that the role is under more stress than ever. Rising malware threats, a shortage of skilled people, and budget constraints are producing a perfect storm of pressure on professionals. The findings come from Trustwave’s 2018 Security Pressures Report. It found that the trend of increasing stress has been edging steadily upwards since its first report five years ago.

Some 54 per cent of respondents experienced more pressure to secure their organisation in 2017 compared to the previous year. More than half (55 per cent) also expect 2018 to bring more pressure than 2017 did. Dark Reading quoted Chris Schueler of Trustwave saying the pressure to perform will push security leaders to improve performance or burn out. SecurityIntelligence led with the angle that the biggest obligation facing security professionals is preventing malware. Help Net Security has a thorough summary of the findings.

There was some good news: fewer professionals reported feeling pressure to buy the latest security tech compared to past years. The full report is available to download here.

CEO fraud scam hits companies hard

CEO fraud, AKA business email compromise, was the internet crime most commonly reported to the FBI during 2017. Victims lost a combined amount of more than $676 million last year, up almost 88 per cent compared to 2016. Total cybercrime-related losses totalled $1.42 billion last year. The data comes from the FBI’s 2017 Internet Crime Report, which it compiles from public complaints to the agency. (No vendor surveys or hype here.)

The next most prominent scams were ransomware, tech support fraud, and extortion, the FBI said. Corporate data breaches rose slightly in number year on year (3,785 in 2017, up from 3,403 in 2016) but the financial hit decreased noticeably ($60.9 million in 2017 vs $95.9 million in 2016). There were broadly similar numbers of fake tech support scams between 2017 and 2016, but criminals almost doubled their money. The trends in the report could help security professionals to evaluate potential risks to their own organisation and staff.

Asset manager’s lax oversight opens door to fraud and a fine

Interesting reading for security and risk professionals in the Central Bank of Ireland’s highly detailed account of a cyber fraud. Governance failings at Appian Asset Management led to it losing €650,000 in client funds to online fraud. Although Appian subsequently replaced the funds in the client’s account, the regulator fined the firm €443,000. A CBI investigation uncovered “significant regulatory breaches and failures” at the firm, which exposed it to the fraud. It’s the first time the Irish regulator has imposed such a sanction for cyber fraud.

The fraud took place over a two-month period, starting in April 2015. The CBI said a fraudster hacked the real client’s webmail account to impersonate them during email correspondence with an Appian employee. The fraudster also used a spoofing technique to mimic that employee’s email address. The criminal intercepted messages from the genuine client and sent replies from the fake employee email to hide traces of the scam.

The press release runs to more than 3,200 words, and also goes into great detail about the gaps in policy and risk management at Appian.

Tales from the script: third-party app flaw leads to Ticketmaster data breach

As growing numbers of websites rely on third-party scripts, it’s vital to check they don’t put sites’ security at risk. That’s one of the lessons from the data breach at Ticketmaster UK. The company discovered malicious code running on its website that was introduced via a customer chat feature. This exposed sensitive data, including payment details, of around 40,000 customers. Anyone who bought a ticket on its site between September 2017 and June 2018 could be at risk, Ticketmaster warned.

On discovering the breach, Ticketmaster disabled the code across all its sites. The company contacted all affected customers, recommending they change their passwords. It published a clearly worded statement to answer consumer questions, and offered free 12-month identity monitoring.

Although this first seemed like good crisis management and proactive breach notification, the story didn’t end there. Inbenta Technologies, which developed the chat feature, weighed in with a statement shifting some blame back towards Ticketmaster. The vulnerability came from a single piece of custom JavaScript code Inbenta had written for Ticketmaster. “Ticketmaster directly applied the script to its payments page, without notifying our team. Had we known that the customised script was being used this way, we would have advised against it, as it incurs greater risk for vulnerability,” Inbenta CEO Jordi Torras said.

Then Monzo, a UK bank, blogged in detail about the steps it took to protect its customers from the fallout. This included the bombshell that Ticketmaster knew about the breach in April, although the news only went public in June. Wired said these developments showed the need to thoroughly investigate potential breaches, and to remember subcontractors when assessing security risks.

Privacy Shield threat puts EU-US data sharing in doubt

US authorities have two months to start complying with Privacy Shield or else MEPs have threatened to suspend it. The EU-US data sharing framework replaced the Safe Harbor framework two years ago. Privacy Shield was supposed to extend to EU citizens’ data the same protections it has in Europe. In light of the Facebook-Cambridge Analytica scandal (both companies were certified under Privacy Shield), it seems that’s no longer the case.

MEPs consider privacy and data protection as “fundamental rights … that cannot be ‘balanced’ against commercial or political interests”. They voted 303 to 223 in favour of suspending the Privacy Shield agreement unless the US complies with it.

This could have implications for any organisation that uses a cloud service provider in the US. If they are using Privacy Shield as an adequacy decision for that agreement, they may no longer be GDPR-compliant after 1 September. Expect more developments on this over the coming months.

Welcome boost for Wi-Fi security

The Wi-Fi Alliance’s new WPA3 standard promises enhanced security for business and personal wireless networks. It will use a key establishment protocol called Simultaneous Authentication of Equals (SAE) which should prevent offline dictionary-based password cracking attempts. Announcing the standard, the Wi-Fi Alliance said the enterprise version offers “the equivalent of 192-bit cryptographic strength, providing additional protections for networks transmitting sensitive data, such as government or finance”. Hardware manufacturers including Cisco, Aruba, Broadcom and Aerohive all backed the standard.

Tripwire said WPA3 looks set to improve security for open networks, such as guest or customer networks in coffee shops, airports and hotels. The standard should also prevent passive nearby attackers from being able to monitor communication in the air. The Register said security experts have welcomed the upgrade. It quoted Professor Alan Woodward, a computer scientist at the University of Surrey in England. The new form of authentication, combined with extra strength from longer keys, is “a significant step forward”, he said.


The post Security newsround: July 2018 appeared first on BH Consulting.


February 6, 2018 By PC Portal

ISP’s Wi-Fi weakness highlights privacy and security shortfalls as GDPR approaches

Having been involved in GDPR preparation work for clients, I’ve become more conscious of how other people and organisations access my data. That brings me to how I first noticed one way our privacy could be at risk without us realising.

It was quite by chance I even noticed. I had left my house and forgot to turn my phone’s Wi-Fi network connection off and my data back on. Walking down the street and browsing my phone (obstacles be damned), I suddenly noticed I’d connected to a Wi-Fi network. Turns out it was some random network in one of the houses I happened to be walking past.

How did this happen? Because my ISP provides customers with an option for giving visiting guests free Wi-Fi for up to five devices. They don’t need to be authenticated on your network; they just have to be a customer of the same ISP already. (I hadn’t known about that option until recently, probably due to my own lack of research and not reading the documents my ISP sent me.)

Security fail

Because I work in the information security industry, I’m usually more sensitive to, and aware of, what technologies I use. (Just not in this case.) So, I was a bit miffed that this got past me so easily without my ISP drawing more attention to it.

While connected to that random network, I had no clue who was managing it, who could intercept my traffic, or what else they could do with the data. What if I was logging in to my bank, or downloading sensitive data? What if I sit on Wireshark on my neighbour’s Guest network when I know they are having a party or have people over?

More worryingly, it’s not possible to disable this “feature” on your router manually. You have to log in to your ISP account with that ISP and ask them to deactivate it. This then stops you from being able to connect to others’ networks, as well as them connecting to yours. Deactivation can take “up to” 72 hours.

Putting privacy first

My ISP has an “opt out” policy for its Wi-Fi sharing feature. I don’t know about you, but for me to opt out of something, I need to be made aware of it properly. Other customers of the same ISP complained on Twitter they weren’t aware of these terms and conditions. When an ISP enables a feature giving random people I don’t know access to my network, without me having input over the controls in place to protect both my and my guests’ data, it really needs to consider having an “opt in” policy instead.

There are two sides to the privacy debate. Many of us want to live in a future where we are all connected. Some want that “Smart City” utopia with a free flow of useful information. But we also want to know when this occurs – and that we have consented to sharing our information. With GDPR fast approaching, it’s never been more important to know who has access to your data and who they share it with. Let’s head towards utopia by all means – provided we keep our fundamental rights to privacy intact along the way.

The post ISP’s Wi-Fi weakness highlights privacy and security shortfalls as GDPR approaches appeared first on BH Consulting.

