A recent survey polling independent ATM deployers confirms that card skimming is ‘very limited’ at retail ATMs … or does it?
via https://ift.tt/28TbroT
Hacking Cars Getting Easier and More Dangerous
If your car is in any way connected to the Internet, it can get hacked into. You know it’s only a matter of time before hackers begin infiltrating motor vehicles in droves, being that vehicles are plagued with hundreds to thousands of security vulnerabilities.
via https://ift.tt/28TFrzL
Indonesian and South Korean central banks hit by cyber attack: Officials
Indonesian and South Korean officials said that central banks of the two nations have been hit by cyber attacks on their public websites, reported Reuters.
via https://ift.tt/28V5s1a
(IN)SECURE Magazine issue 50 released
(IN)SECURE Magazine is a free digital security publication discussing some of the hottest information security topics. Issue 50 has been released today.
Table of contents
- Securing the future: Best practices for keeping corporate information safe during an M&A
- Executive hot seat: Ron Green, Executive VP, CISO at MasterCard
- 7 tips to get the absolute best price from security vendors
- How CISOs can bridge the gap between their organizations’ IT and security needs
- Risk management: Risks are lurking everywhere
- Report: Infosecurity 2016
- Internet of Fail: How modern devices expose our lives
- Executive hot seat: Sumedh Thakar, Chief Product Officer at Qualys
- Security: Missing from DevOps thinking?
- The life of a social engineer: Hacking the human
- What 17 years as an infosec trainer have taught me.
via https://ift.tt/28Z4wdk
Tenable Supports ISO/IEC 27001/27002 and CIS Critical Security Controls
According to the Trends in Security Framework Adoption Survey, research conducted by Dimensional Research on behalf of Tenable, adoption of security frameworks is at an all-time high. Your organization might adopt a security framework for many good reasons, including:
- Identifying security gaps requiring additional investment. Comparing existing security controls to those recommended by an established security framework can highlight weaknesses that require additional controls.
- Communicating business risk to executives and board members. Business leaders are often familiar with financial controls and will quickly grasp the concept of security controls. They will understand budget requests to implement controls needed to mitigate cyber risk.
- Building a foundation to efficiently meet multiple compliance requirements. Rather than tackling each compliance requirement with ad hoc controls, a security framework can provide a single, extensible foundation to meet multiple compliance requirements.
- Discussing security with external stakeholders. Major customers, cyber insurance suppliers and other business partners may have questions about an organization’s security program, and security frameworks provide a structured format for discussion.
- Meeting due care/due diligence standards to limit liability. Many organizations have a legal obligation to understand the cybersecurity risks they face and then to implement appropriate controls that manage that risk. Failure to adequately manage risk may expose the organization, its executives and board members to legal action. For example, a U.S. appeals court recently ruled that the Federal Trade Commission has authority to pursue lawsuits accusing organizations of failing to properly safeguard consumers’ information.
Using multiple frameworks
Many organizations—44% according to the above mentioned survey—are using more than one framework. Some organizations are using a different framework in different parts of their businesses. However, many organizations are using multiple frameworks in a single business area. They are creating their own composite framework based on multiple published frameworks. This makes sense because the Center for Internet Security Critical Security Controls (CSC), ISO/IEC 27001/27002 (ISO 27K) and NIST Framework for Improving Critical Infrastructure Cybersecurity (CSF) frameworks are just that—frameworks. They are not strict standards designed to be adopted without at least some tailoring. The following snippets taken from each standard substantiate this:
- CSF: “The Framework will help the organization align its cybersecurity activities with its business requirements, risk tolerances, and resources,” and “The Framework is adaptive to provide a flexible and risk-based implementation that can be used with a broad array of cybersecurity risk management processes.”
- ISO 27002: “This International Standard may be regarded as a starting point for developing organization-specific guidelines. Not all of the controls and guidance in this code of practice may be applicable.”
- CSC: “But this is not a one-size-fits-all solution, in either content or priority. You must still understand what is critical to your business, data, systems, networks, and infrastructures… ”
Tenable solutions
Recognizing the flexibility of these frameworks, Tenable has just released a comprehensive set of report, dashboard and Assurance Report Card (ARC) templates that support ISO 27K and CSC (formerly referred to as the SANS Top 20). You can easily tailor them to meet your specific needs. For example, you can mix and match components designed to support various frameworks, as the dashboard below shows. It includes components initially created for CSF, ISO 27K and CSC frameworks, which you could rename as desired to match your internal language. Additionally, you could easily design your own dashboards leveraging a template or by starting from scratch.
In addition to customizing reports, dashboards and ARCs, you can apply dynamic asset lists to reuse a single template with assets for different business systems. This is especially useful with ARCs because you can set different pass/fail thresholds for different business systems as needed to mitigate different risk levels. The following example displays the status of three different business systems relative to the CSC Foundational Cyber Hygiene controls. Notice the different thresholds for the CRM system and the financial reporting system.
More information
If your organization is using one or more security frameworks, Tenable can help you automate your technical controls and help you assess and communicate their status. Please visit the following pages for additional information:
Keep up with the latest from Tenable! Subscribe to the Tenable Blog by clicking Blog email updates on the Blog Home Page.
via https://ift.tt/28Mrs1b
Gmelius Adds Tons of Scheduling, Snoozing, Tweaking, and Customization Options to Gmail
Chrome/Opera/Safari/Firefox (Beta): It’s been a while since we highlighted Gmelius, the add-on that cleans up Gmail’s interface and strips out ads. It’s grown since then, and now has features to send emails later on a schedule, snooze them, bundle in useful reminders, block email trackers, and more.
Back in the day, Gmelius’ biggest feature was that it removed ads from Gmail. Now, it can do a lot more. For example, it blocks email tracking attempts, and lets you “snooze” emails you want to deal with later to get them out of your inbox and have them reappear when you want to see them, and it can schedule drafts to send at a later date and time.
The add-on also makes email templates and canned responses much easier to use, and includes support for rich elements like GIFs and attachments to those canned replies. Finally, Gmelius includes a built-in to-do list manager. There are also other smaller features, like the option to generate return receipts if you tend to get emails from someone who nags you over and over about whether you got their message, and the option to send and label, so you can both reply to a message and organize it at once. It also includes a search plug-in, so you can search your Gmail inbox right from your browser’s URL bar.
To be fair, there are other apps, like Boomerang or Google’s own Inbox, that offer similar functionality, many of them for free. By comparison, you can sign up for Gmelius for free, but its best and most useful features are behind a $5/month price tag. Even so, if you use a Gmail or Google account for work, or just like all of that control in one place, it’s might be worth the dough. It’s available for Chrome, Opera, and Safari, with a beta version for Firefox available now.
via https://ift.tt/28QSa5R
Google makes 2-Factor Authentication a lot Easier and Faster
When it comes to data breaches of major online services like
,
,
and
, it’s two-factor authentication that could save you from being hacked.
Two-factor authentication or 2-step verification is an effective way to secure online accounts, but many users avoid enabling the feature just to save themselves from irritation of receiving and typing a six-digit code that takes their 10 to 15 extra seconds.
Now, Google has made the 2-Step Verification (2FV) process much easier for its users, allowing you to login with just a single tap instead of typing codes.
Previously, you have had to manually enter a six-digit code received via an SMS or from an authenticator app, but now…
Google has
a new method called “
Google Prompt
” that uses a simple push notification where you just have to tap on your mobile phone to approve login requests.
Also Read: Google Plans to Kill your Passwords
.
In other words, while signing in to your account, just enter your password, and you will get a pop-up message on your mobile phone asking you if you want to sign in. If you want, then press “Yes” and you’re in.
How to Set Up Google Prompt
Here’s how you can enable Google Prompt for your Google accounts:
Before enabling Google Prompt, first enable two-step verification for your Google account and you have already enabled two-step verification, you can skip this part.
- Go to myaccount.google.com and sign in to your Google account.
- Select ‘Signing in to Google,’ using 2-Step Verification.
- Click on ‘Get started’ and enter your password once again.
- Now provide your phone number you want to use for authenticating, and choose either an SMS or phone call for verification, and click on ‘Try it.’
- Enter the 6-digit code from the SMS or phone call and select ‘Next.’
- For setting up two-step verification, click ‘Turn ON.’
Now, once you have enabled
, follow these simple steps that will just take a few second. All you need is an Android or iOS device nearby.
- Under ‘Set up alternative second step,’ click on the Google prompt option
- Add phone and click Get started.
Then just follow the on-screen instructions and you’re all set to go.
If you have an iPhone, you are required to download the
app first and sign in before using Google Prompt. But, if you are an Android user, just update your Google Play Service.
Two-step verification has become so easier to use, so what are you now waiting for?
via https://ift.tt/28NkTbx
One Million IP Addresses Used In Brute-Force Attack On A Bank
Cisco says in just one week in February they detected 1,127,818 different IP addresses being used to launch 744,361,093 login attempts on 220,758,340 different email addresses — and that 93% of those attacks were directed at two financial institutions in a massive Account Takeover (ATO) campaign.
Crooks used 993,547 distinct IPs to check login credentials for 427,444,261 accounts. For most of these attacks, the crooks used proxy servers, but also two botnets, one of compromised Arris cable modems, and one of ZyXel routers/modems. Most of these credentials have been acquired from public breaches or underground hacking forums.
For more information, read the full article here.
Cryptocurrency raider takes $60 million in digital cash
A cryptocurrency is only as reliable as the technology that keeps it running, and Ethereum is learning this the hard way. An attacker has taken an estimated $60 million in Ethereum’s digital money (Ether) by exploiting vulnerabilities in the Decentralized Autonomous Organization, an investment collective. The raider took advantage of a "recursive call" flaw in the DAO’s code-based smart contracts, which administer the funds, to scoop up Ether many times in a single pass.
Ethereum’s Vitalik Buterin has revealed a planned software fork that would prevent the intruder from using the ill-gotten goods, but there are still plenty of headaches in store for both contract creators and investors. Contract makers will have to take extra care to avoid the flaw and limit the value of their contracts so that a bad actor doesn’t make off with a huge sum of cash. Buterin says that Ethereum itself is safe — miners can carry on, and users should "sit tight and remain calm" while they wait to trade again. Still, it’s easy to imagine everyone being nervous.
The kicker? People were convinced that the bug posed no risk to DAO funds just a few days prior. Clearly, that wasn’t true. While the invader didn’t get away scot-free, the breach has caused a lot of chaos. And while one person’s claims that they legitimately took the funds is sketchy, Bloomberg notes that the code defining the smart contracts may have explicitly allowed this attack even if that’s not what the DAO wanted. This may not be so much a hack as exploitation of poorly-defined terms, and there may not be a legal recourse. In short: basing an investment framework around code instead of human-made contracts may have been too optimistic.
Read the full article here.
Corporate Email Phishing Scams Result in $3.1B Loss, Near 1300% Increase in 18 Months
Total number of Business Email Compromise (BEC) related crimes have reached epidemic levels, at nearly $3.1 billion in losses and involving 22,143 victims worldwide since January 2015, according to a new FBI report.
BEC or Business Email Compromise is defined by FBI as "a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. The scam is carried out by compromising legitimate business email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds."
Most victims, according to reports to FBI, "use wire transfers as a common method of transferring funds for business purposes; however, some victims report using checks as a common method of payment. The fraudsters will use the method most commonly associated with their victim’s normal business practices."
The BEC scam continues to grow, evolve, and target businesses of all sizes the FBI reports. Since January 2015, there has been a 1,300% increase in identified exposed losses (i.e. Exposed dollar loss which includes actual and attempted loss in United States dollars.) The scam has been reported by victims in all 50 states and in 100 countries. Reports to FBI indicate fraudulent transfers have been sent to 79 countries with the majority going to Asian banks located within China and Hong Kong.
Characteristics of BEC Complaints
The IC3 has noted the following characteristics of BEC complaints
• Businesses and associated personnel using open source email accounts are predominantly targeted.
• Individuals responsible for handling wire transfers within a specific business are targeted.
• Spoofed emails very closely mimic a legitimate email request.
• Hacked emails often occur with a personal email account.
• Fraudulent email requests for a wire transfer are well-worded, specific to the business being victimized, and do not raise suspicions to the legitimacy of the request.
• The phrases “code to admin expenses” or “urgent wire transfer” were reported by victims in some of the fraudulent email requests.
• The amount of the fraudulent wire transfer request is business-specific; therefore, dollar amounts requested are similar to normal business transaction amounts so as to not raise doubt.
• Fraudulent emails received have coincided with business travel dates for executives whose emails were spoofed.
• Victims report that IP addresses frequently trace back to free domain registrars.
The FBI recommends victims to always file a complaint regardless of dollar loss or timing of incident at www.IC3.gov.
Read the full article here.