Hackers Could Decrypt Your GSM Phone Calls

Researchers have discovered a flaw in the GSM standard used by AT&T and T-Mobile that would allow hackers to listen in.

Most mobile calls around the world are made over the Global System for Mobile Communications standard; in the US, GSM underpins any call made over AT&T or T-Mobile networks. But at the DefCon security conference in Las Vegas on Saturday, researchers from BlackBerry are presenting an attack that can intercept GSM calls as they’re transmitted over the air and then decrypt them to listen back to what was said. What’s more, this vulnerability has been around for decades.

Regular GSM calls aren’t fully end-to-end encrypted for maximum protection, but they are encrypted at many steps along their path, so random people can’t just tune into phone calls over the air like radio stations. The researchers found, though, that they can target the encryption algorithms used to protect calls and listen in on basically anything.

“GSM is a well-documented and analyzed standard, but it’s an aging standard and it’s had a pretty typical cybersecurity journey,” says Campbell Murray, the global head of delivery for BlackBerry Cybersecurity. “The weaknesses we found are in any GSM implementation up to 5G. Regardless of which GSM implementation you’re using there is a flaw historically created and engineered that you’re exposing.”

The problem is in the encryption key exchange that establishes a secure connection between a phone and a nearby cell tower every time you initiate a call. This exchange gives both your device and the tower the keys to unlock the data that is about to be encrypted. In analyzing this interaction, the researchers realized that the way the GSM documentation is written, there are flaws in the error control mechanisms governing how the keys are encoded. This makes the keys vulnerable to a cracking attack.

As a result, a hacker could set up equipment to intercept call connections in a given area, capture the key exchanges between phones and cellular base stations, digitally record the calls in their unintelligible, encrypted form, crack the keys, and then use them to decrypt the calls. The findings analyze two of GSM’s proprietary cryptographic algorithms that are widely used in call encryption—A5/1 and A5/3. The researchers found that they can crack the keys in most implementations of A5/1 within about an hour. For A5/3 the attack is theoretically possible, but it would take many years to actually crack the keys.

“We spent a lot of time looking at the standards and reading the implementations and reverse engineering what the key exchange process looks like,” Murray says. “You can see how people believed that this was a good solution. It’s a really good example of how the intention is there to create security, but the security engineering process behind that implementation failed.”

The researchers emphasize that because GSM is such an old and thoroughly analyzed standard, there are already other known attacks against it that are easier to carry out in practice, like using malicious base stations, often called stingrays, to intercept calls or track a cell phone’s location. Additional research into the A5 family of ciphers over the years has turned up other flaws as well. And there are ways to configure the key exchange encryption that would make it more difficult for attackers to crack the keys. But Murray adds that the theoretical risk always remains.

Short of totally overhauling the GSM encryption scheme, which seems unlikely, the documentation for implementing A5/1 and A5/3 could be revised to make key interception and cracking attacks even more impractical. The researchers say that they are in the early phases of discussing the work with the standards body GSMA.

The trade association said in a statement to WIRED: “Details have not been submitted to the GSMA under our coordinated vulnerability programme. When the technical details are known to the GSMA’s Fraud and Security Group we will be better placed to consider the implications and the necessary mitigation actions.”

Though it may not be that surprising at this point that GSM has security issues, it’s still the cellular protocol used by the vast majority of the world. And as long as it’s around, real call privacy issues remain too.

Source | https://www.wired.com/story/gsm-decrypt-calls/?verso=true

RM67.6 million lost to cyber crimes in Q1 2019

LABUAN: Cyber crimes involving losses of RM67.6 million in 2,207 cases were reported in the first three months of this year, according to a senior officer of the Communications and Multimedia Ministry (KKMM) today.

Its deputy secretary-general (policy), Shakib Ahmad Shakir, said the ministry and agencies under it were concerned over the large amounts of money lost through such scams.

The three most common types of cyber crimes were cheating via telephone calls which recorded 773 cases with RM26.8 million in losses, cheating in online purchases with 811 cases totaling RM4.2 million and the ‘African Scam’ with 371 cases totaling RM14.9 million.

E-financial fraud recorded 212 cases involving losses of RM21.5 million, he said when opening a Labuan-level briefing on awareness to combat cyber crimes and human trafficking, here.

He said the losses were reported in online scams, credit card frauds, identity thefts and data breaches.

“KKMM is determined to combat cyber crimes in view of the concerns raised on the rise in cyber crimes committed through various means.

“Cyber crimes are a serious threat to the people as these frauds can cause them to lose hundreds of thousands of ringgit of their hard-earned money,” he said.

The briefing is part of the commitment of KKMM to create public awareness on cyber crimes through education and promotion and publicity campaigns.

Shakib said that according to the Commercial Crime Investigation Department, 13,058 cheating cases were reported in 2017 compared to 10,394 last year.

“I was told that telecommunication fraud is the most common form of (cyber) crime in Labuan with 16 complaints in 2017 and 19 complaints last year, a 35 per cent increase,” he said.

Shakib said the ministry would continue to cooperate with its strategic partners like the media, police, the Malaysian National News Agency (Bernama) and Information Department to combat the menace. – Bernama

Source | https://www.nst.com.my/news/crime-courts/2019/04/482208/rm676-million-lost-cyber-crimes-q1-2019

Cyber espionage warning: The most advanced hacking groups are getting more ambitious

The top 20 most notorious cyber-espionage operations have increased their activity by a third in recent years – and are looking to conduct more attacks, according to a security company.

The most advanced hacking groups are becoming bolder when conducting campaigns, with the number of organisations targeted by the biggest campaigns rising by almost a third.

A combination of new groups emerging and threat actors developing successful strategies for breaking into networks has seen the average number of organisations targeted by the most active hacking groups rise from 42 between 2015 and 2017 to an average of 55 in 2018.

The figures detailed in Symantec’s annual Internet Security Threat Report suggest that the top 20 most prolific hacking groups are targeting more organisations as the attackers gain more confidence in their activities.

Groups like Chafer, DragonFly, Gallmaker and others are all conducting highly targeted hacking campaigns as they look to gather intelligence against businesses they think hold valuable information.

Once attackers might have needed the latest zero-days to gain access to corporate networks, but now it’s spear-phishing emails laced with malicious content that are most likely to provide attackers with the initial entry they need.

And because these espionage groups are so proficient at what they do, they have well tried-and-tested means of conducting activity once they’re inside a network.

“It’s like they have steps which they go through, which they know are effective to get into networks, then for lateral movement across networks to get what they want,” Orla Cox, director of Symantec’s security response unit, told ZDNet.

“It makes them more efficient and, for organizations, it makes them harder to spot because a lot of the activity looks like traditional enterprise activity,” she added.

In many of the cases detailed in the report, attackers are deploying what Symantec refers to as ‘living-off-the-land’ tactics: the attackers use everyday enterprise tools to help them travel across corporate networks and steal data, making the campaigns more difficult to discover.

Not only is the number of targeted campaigns on the rise, but there’s a larger variety in the organisations being targeted. Organisations in sectors like utilities, government and financial services have regularly found themselves targets of organised cyber-criminal gangs, but increasingly, these groups are expanding their attacks to new targets.

“Often in the past they’d have a clear focus on one sector, but now we see these campaigns can focus on a wide variety of targets, ranging from telecoms companies, hotels, universities. It’s harder to pinpoint exactly what their end goal is,” said Cox.

While intelligence gathering remains the key goal of many of these campaigns, some are beginning to expand by also displaying an interest in compromising systems.

This is a particularly worrying trend, because while stealing data in itself is bad enough, attackers with the ability to operate cyber-physical systems could be much worse.

One group Symantec has observed conducting this activity is a hacking operation dubbed Thrip, which expressed particular interest in gaining control of satellite operations — something that could potentially cause major disruption.

In the face of a rise in targeted attacks, governments are increasingly pointing the finger not just at nations but individuals believed to be involved in cyber espionage. For example, the United States named individuals it claims are responsible for conducting cyber attacks: they include citizens of Russia, North Korea, Iran and China. Symantec’s report suggests the indictment might disrupt some targeted operations, but it’s unlikely that cyber espionage campaigns will be disappearing anytime soon.

Source | https://www.zdnet.com/article/cyber-espionage-warning-the-most-advanced-hacking-groups-are-getting-more-ambitious/

Which countries have the worst (and best) cybersecurity?

With so much of our information (including incredibly personal data) being found online, cybersecurity is of the utmost importance.

So just where in the world are you cyber safe – if anywhere?

Our study looked at 60 countries and found huge variances in a number of categories, from malware rates to cybersecurity-related legislation. In fact, not one country is “top of the class” across the board. All of the countries we analyzed could do with some significant improvements.

However, there were some countries that lacked significantly in a variety of areas and others who outperformed the majority of countries. So with that in mind, we’ve created rankings for these 60 countries, from the least cyber safe to the most cyber safe.

Our methodology: how did we find the countries with the worst cybersecurity?

We considered seven criteria, each of which had equal weight in our overall score. These were:

  • The percentage of mobiles infected with malware – software designed to gain unauthorized access to, destroy, or disrupt a device’s system
  • The percentage of computers infected with malware – software designed to gain unauthorized access to, destroy, or disrupt a computer’s system
  • The number of financial malware attacks – malicious programs created to steal a user’s money from the bank account on their computer system
  • The percentage of telnet attacks (by originating country) – the technique used by cybercriminals to get people to download a variety of malware types
  • The percentage of attacks by cryptominers – software that’s developed to take over a user’s computer and use its resources to mine currency (without the user’s permission)
  • The best-prepared countries for cyber attacks
  • The countries with the most up-to-date legislation

Apart from the latter two, all of the scores were based on the percentage of attacks during 2018. The best-prepared countries for cyber attacks were scored using the Global Cybersecurity Index (GCI) scores. The most up-to-date legislation was scored based on existing legislation (and drafts) that covered seven categories (national strategy, military, content, privacy, critical infrastructure, commerce, and crime). Countries received a point for having legislation in a category or half a point for a draft.

For each criterion, the country was given a point based on where it ranked between the highest-ranking and lowest-ranking countries. Countries with the least cyber-secure scores were given 100 points, while countries with the most cyber-secure scores were allocated zero points. All of the countries in between these two scores received a score on a percentile basis, depending on where they ranked.

The total score was achieved by averaging each country’s score across the seven categories.

All of the data used to create this ranking system is the latest available, and we have only included countries where we could cover all of the data points.

Which is the least cyber-secure country in the world?

According to our study, Algeria is the least cyber-secure country in the world. It was the highest-ranking country for lack of legislation and computer malware rates, and also received a high score in the categories for mobile malware and preparation for cyber attacks.

Other high-ranking countries were Indonesia, Vietnam, Tanzania, and Uzbekistan.

Some countries ranked at the top of one category but did better in others, improving their overall score. Germany received the highest score for financial malware, and China received the highest score as the country where most telnet attacks originated from.

The highest-scoring countries per category were:

  • Highest percentage of mobile malware infections – Bangladesh – 35.91% of users
  • Highest number of financial malware attacks – Germany – 3% of users
  • Highest percent of computer malware infections – Algeria – 32.41%
  • Highest percentage of telnet attacks (by originating country) – China – 27.15%
  • Highest percentage of attacks by cryptominers – Uzbekistan – 14.23% of users
  • Least prepared for cyber attacks – Vietnam – 0.245 score
  • Worst up-to-date legislation for cybersecurity – Algeria – 1 key category covered

Which is the most cyber-secure country in the world?

Our findings revealed Japan to be the most cyber-secure country in the world. It scored incredibly low across the majority of categories, only scoring a little higher in the preparation for cyber attacks and legislation categories.

Other top-performing countries included France, Canada, Denmark, and the United States.

As before, some countries scored well in one category but had other scores that brought their average up. These include Ukraine, which had the lowest financial malware rate, and Uzbekistan, Sri Lanka, and Algeria, which had the lowest telnet attack scores.

The lowest-scoring countries per category were:

  • Lowest percentage of mobile malware infections – Japan – 1.34% of users
  • Lowest number of financial malware attacks – Ukraine – 0.3% of users
  • Lowest percent of computer malware infections – Denmark – 5.9% of users
  • Lowest percentage of telnet attacks (by originating country) – Algeria, Uzbekistan, and Sri Lanka – 0.01%
  • Lowest percentage of attacks by cryptominers – Denmark – 0.61% of users
  • Best prepared for cyber attacks – Singapore – 0.925 score
  • Most up-to-date legislation for cybersecurity – France, China, Russia, and Germany – all 7 categories covered

Overall cybersecurity rankings (from the worst to the best)

| Rank | Country | Score | Percentage of Mobiles Infected with Malware | Financial Malware Attacks (% of Users) | Percentage of Computers Infected with Malware | Percentage of Telnet Attacks by Originating Country (IoT) | Percentage of Attacks by Cryptominers | Best Prepared for Cyberattacks | Most Up-to-Date Legislation |
|---|---|---|---|---|---|---|---|---|---|
| 1 | Algeria | 55.75 | 22.88 | 0.9 | 32.41 | 0.01 | 5.14 | 0.432 | 1 |
| 2 | Indonesia | 54.89 | 25.02 | 1.8 | 24.7 | 1.51 | 8.8 | 0.424 | 4 |
| 3 | Vietnam | 52.44 | 9.62 | 1.2 | 21.5 | 1.73 | 8.96 | 0.245 | 2 |
| 4 | Tanzania | 51.00 | 28.03 | 0.7 | 14.7 | 0.04 | 7.51 | 0.317 | 1.5 |
| 5 | Uzbekistan | 50.50 | 10.35 | 0.5 | 21.3 | 0.01 | 14.23 | 0.277 | 3 |
| 6 | Bangladesh | 47.21 | 35.91 | 1.3 | 19.7 | 0.38 | 3.71 | 0.524 | 3.5 |
| 7 | Pakistan | 47.10 | 25.08 | 1.4 | 14.8 | 0.4 | 6.07 | 0.447 | 2.5 |
| 8 | Belarus | 45.09 | 9.33 | 0.7 | 31.1 | 0.04 | 9.73 | 0.592 | 3 |
| 9 | Iran | 43.29 | 28.07 | 0.8 | 12.7 | 1.71 | 4.51 | 0.494 | 2 |
| 10 | Ukraine | 42.58 | 10.85 | 0.3 | 28.7 | 1.17 | 7.6 | 0.501 | 3 |
| 11 | Nigeria | 42.54 | 28.54 | 0.7 | 15.6 | 0.89 | 4.54 | 0.569 | 2 |
| 12 | Peru | 41.25 | 13.81 | 0.9 | 16.6 | 0.22 | 6.29 | 0.374 | 3 |
| 13 | China | 40.80 | 25.61 | 1.4 | 11.8 | 27.15 | 1.73 | 0.624 | 7 |
| 14 | Sri Lanka | 39.59 | 13.71 | 1.1 | 18.8 | 0.01 | 3.61 | 0.419 | 3 |
| 15 | India | 39.30 | 25.25 | 0.7 | 21.8 | 2.59 | 4.4 | 0.683 | 3.5 |
| 16 | Greece | 39.06 | 5.78 | 2.3 | 21.6 | 0.73 | 1.77 | 0.475 | 4 |
| 17 | Romania | 39.02 | 6.42 | 1.2 | 24.6 | 0.61 | 3.21 | 0.585 | 2 |
| 18 | Ecuador | 38.29 | 14.13 | 0.7 | 16.8 | 0.4 | 3.73 | 0.466 | 2 |
| 19 | Azerbaijan | 38.20 | 6.53 | 0.9 | 26.7 | 0.03 | 7.13 | 0.559 | 4 |
| 20 | Egypt | 38.03 | 18.8 | 1.3 | 20.2 | 7.43 | 4.01 | 0.772 | 4 |
| 21 | Bulgaria | 37.86 | 7.96 | 0.4 | 21.5 | 10.57 | 2.74 | 0.593 | 4 |
| 22 | South Korea | 37.16 | 7.14 | 2.8 | 14.3 | 3.57 | 3.1 | 0.782 | 3 |
| 23 | United Arab Emirates | 36.88 | 9.14 | 1.9 | 20.7 | 0.09 | 2.99 | 0.566 | 4 |
| 24 | Philippines | 36.79 | 23.07 | 0.6 | 23.8 | 0.1 | 2.94 | 0.594 | 4 |
| 25 | Morocco | 36.47 | 10.61 | 1.5 | 21.7 | 0.11 | 3.01 | 0.541 | 4 |
| 26 | Slovakia | 35.57 | 5.32 | 0.6 | 22 | 0.13 | 2.76 | 0.362 | 3 |
| 27 | Tunisia | 35.54 | 9.85 | 1.2 | 21.5 | 0.1 | 2.78 | 0.591 | 3 |
| 28 | South Africa | 34.39 | 9.9 | 1 | 13.4 | 0.64 | 2.51 | 0.502 | 2 |
| 29 | Kenya | 34.16 | 21.43 | 1.2 | 17 | 0.15 | 3.39 | 0.574 | 5 |
| 30 | Brazil | 33.57 | 4.73 | 1.8 | 21.4 | 0.7 | 3.49 | 0.579 | 3 |
| 31 | Latvia | 33.05 | 6.25 | 1.4 | 23.1 | 0.17 | 4.17 | 0.688 | 4 |
| 32 | Saudi Arabia | 32.99 | 10.15 | 0.7 | 20.7 | 0.11 | 2.72 | 0.569 | 3 |
| 33 | Portugal | 32.79 | 5.25 | 1.9 | 20.9 | 0.09 | 1.63 | 0.508 | 5 |
| 34 | Thailand | 32.42 | 7.26 | 1 | 19.7 | 0.79 | 4.27 | 0.684 | 3 |
| 35 | Malaysia | 31.79 | 15.46 | 2.1 | 21.7 | 0.24 | 2.87 | 0.893 | 5 |
| 36 | Italy | 28.31 | 5.24 | 1.3 | 18 | 1.75 | 1.14 | 0.626 | 4 |
| 37 | Argentina | 28.11 | 11.71 | 0.9 | 18.8 | 0.86 | 2.11 | 0.482 | 6 |
| 38 | Russia | 28.02 | 10.11 | 0.6 | 23 | 7.87 | 6.89 | 0.788 | 7 |
| 39 | Colombia | 27.69 | 12.52 | 0.5 | 16.4 | 0.52 | 2.01 | 0.569 | 4 |
| 40 | Poland | 27.36 | 5.83 | 0.8 | 19.9 | 1.23 | 1.73 | 0.622 | 4 |
| 41 | Hungary | 27.30 | 7.28 | 0.8 | 20.2 | 0.3 | 4.19 | 0.534 | 6 |
| 42 | Mexico | 27.17 | 10.49 | 0.7 | 19.5 | 0.73 | 1.43 | 0.66 | 4 |
| 43 | Croatia | 27.09 | 3.66 | 1.8 | 15.2 | 0.05 | 1.91 | 0.59 | 5 |
| 44 | Germany | 26.48 | 3.41 | 3 | 15.7 | 1.11 | 0.91 | 0.679 | 7 |
| 45 | Austria | 25.76 | 2.94 | 1.4 | 12.3 | 0.12 | 0.84 | 0.639 | 3 |
| 46 | Spain | 24.12 | 5.14 | 0.8 | 18.6 | 1.1 | 1.56 | 0.718 | 4 |
| 47 | Turkey | 23.20 | 8.94 | 0.8 | 15.6 | 1.82 | 2.17 | 0.581 | 6 |
| 48 | Belgium | 21.03 | 4.11 | 0.4 | 13.5 | 0.07 | 0.97 | 0.671 | 3 |
| 49 | Czech Republic | 20.37 | 5.68 | 0.5 | 10.9 | 0.34 | 1.44 | 0.609 | 4 |
| 50 | Australia | 16.34 | 5.47 | 0.8 | 14.5 | 0.37 | 0.88 | 0.824 | 5 |
| 51 | Singapore | 15.13 | 8.18 | 0.8 | 8.5 | 0.14 | 1.61 | 0.925 | 4 |
| 52 | Netherlands | 15.00 | 3.71 | 0.6 | 8.1 | 0.32 | 1.06 | 0.76 | 4 |
| 53 | United Kingdom | 14.15 | 3.68 | 0.7 | 10.5 | 1.07 | 0.88 | 0.783 | 5 |
| 54 | Sweden | 13.78 | 3.15 | 0.4 | 11 | 0.45 | 1.31 | 0.733 | 5 |
| 55 | Ireland | 13.41 | 3.73 | 0.5 | 7.9 | 0.06 | 0.85 | 0.675 | 5 |
| 56 | United States | 12.20 | 7.68 | 0.5 | 10.3 | 4.47 | 0.71 | 0.919 | 5.5 |
| 57 | Denmark | 12.04 | 1.98 | 0.4 | 5.9 | 0.04 | 0.61 | 0.617 | 5 |
| 58 | Canada | 11.19 | 3.91 | 0.4 | 14.3 | 0.47 | 0.81 | 0.818 | 6 |
| 59 | France | 10.58 | 4.72 | 0.4 | 16.2 | 0.67 | 1.12 | 0.819 | 7 |
| 60 | Japan | 8.81 | 1.34 | 0.5 | 8.3 | 1.23 | 1.1 | 0.786 | 6 |
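
The scoring described in the methodology can be re-derived from the figures on this page. The following is an added example, not part of the original study: it assumes that scoring "on a percentile basis" means linear min-max scaling between the best and worst value in each category, and checks that assumption against four rows of the ranking table. The dictionary keys and function names are illustrative.

```python
# Added example: re-derive the published composite scores from the page's data.
# Assumption: "percentile basis" is read as linear min-max scaling between the
# best and the worst country in each criterion.

# (best value, worst value) per criterion, taken from the page's
# "lowest-scoring" and "highest-scoring" per-category lists.
# For the last two criteria a higher raw value is better, so best > worst.
CRITERIA = {
    "mobile_malware_pct": (1.34, 35.91),      # Japan / Bangladesh
    "financial_malware_pct": (0.3, 3.0),      # Ukraine / Germany
    "computer_malware_pct": (5.9, 32.41),     # Denmark / Algeria
    "telnet_attack_pct": (0.01, 27.15),       # Algeria et al. / China
    "cryptominer_pct": (0.61, 14.23),         # Denmark / Uzbekistan
    "gci_score": (0.925, 0.245),              # Singapore / Vietnam
    "legislation_categories": (7.0, 1.0),     # France et al. / Algeria
}

# Rows copied from the ranking table: raw values in CRITERIA order,
# followed by the score the study published for that country.
ROWS = {
    "Algeria": ([22.88, 0.9, 32.41, 0.01, 5.14, 0.432, 1], 55.75),
    "China":   ([25.61, 1.4, 11.8, 27.15, 1.73, 0.624, 7], 40.80),
    "Denmark": ([1.98, 0.4, 5.9, 0.04, 0.61, 0.617, 5], 12.04),
    "Japan":   ([1.34, 0.5, 8.3, 1.23, 1.1, 0.786, 6], 8.81),
}


def criterion_points(value, best, worst):
    """Return 0 at the best observed value, 100 at the worst, linear between.

    Works for both directions: when a higher raw value is better
    (best > worst), numerator and denominator are both negative.
    """
    return 100.0 * (value - best) / (worst - best)


def composite_score(raw_values):
    """Average the seven criterion scores with equal weight."""
    points = [
        criterion_points(value, best, worst)
        for value, (best, worst) in zip(raw_values, CRITERIA.values())
    ]
    return sum(points) / len(points)


def compare_with_published():
    """Map each sample country to (recomputed score, published score)."""
    return {
        country: (composite_score(raw), published)
        for country, (raw, published) in ROWS.items()
    }


if __name__ == "__main__":
    for country, (computed, published) in compare_with_published().items():
        print(f"{country:8s} recomputed={computed:6.2f} published={published:6.2f}")
```

The recomputed values agree with the published scores to within about 0.01, which is consistent with the study having used unrounded inputs.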

 

What can we take away from these findings?

Despite some countries having clear strengths and weaknesses, there is definite room for improvement in each and every one. Whether they need to strengthen their legislation or users need help putting better protections in place on their computers and mobiles, there’s still a long way to go to make our countries cyber secure.

Plus, as the landscape of cybersecurity constantly changes (cryptominers are growing in prevalence, for example), countries need to try and get one step ahead of cybercriminals.

Sources:

https://securelist.com/it-threat-evolution-q3-2018-statistics/88689/

https://www.itu.int/dms_pub/itu-d/opb/str/D-STR-GCI.01-2017-R1-PDF-E.pdf

https://csis-prod.s3.amazonaws.com/s3fs-public/Cyber_Regulation_Index.pdf?4tIe15nR2.LSc8dh9ztuvwpohH1t4dHF

https://www.comparitech.com/fr/blog/vpn-privacy/cybersecurity-by-country/

How smart hospitals are dealing with cybersecurity

The healthcare industry is using technology to improve the work of the sector’s professionals and patients’ lives – but how is it confronting cyber threats?

Is there a difference between going digital and becoming a smart hospital? Apparently, there is.

Dr Milind Sabnis, healthcare director at Frost & Sullivan, explained at the 9th Healthcare Innovation Summit that going digital and generating data is not enough.

Instead, healthcare institutions must be able to make sense of the data and derive actionable results to be successful.

“A smart hospital is a hospital that optimises, redesigns, and builds new clinical processes, management as well as infrastructure to provide a valuable service or an insight which was not there before, and in the process, help achieve better patient care, experience as well as operational efficiency”, he explained.

Senior stakeholders — from regulators, policymakers and healthcare institutions to practitioners and technology providers — agree that the pressure is on to integrate ICT and medical technologies into healthcare services effectively.

In Dr Sabnis’ view, smart hospitals look into three areas of development to reduce operational costs, improve margins, reduce staff burden, increase the recovery rate, and improve satisfaction and experience of the patient.

First, they look at managing logistics more efficiently. Second, they make sure that their staff provides positive patient experiences through clinical excellence. And third, they introduce innovative services and technology initiatives to keep operations patient-centric.

“Whether you like it or not, smart transformation is coming. If you do not prepare for it, do not acclimatise yourself to it, you are going to be extinct,” Dr Sabnis concluded.

Cybersecurity in healthcare

James Woo, CIO of Farrer Park Hospital, emphasised that even smart hospitals today must be future-ready in at least four domains — people, processes, technology and cybersecurity.

Of these, security is among the top concerns.

“Cybersecurity is actually very important. Why? Because even though you have built everything, without that at the end of the day, you have nothing”, explained Woo. “All your people, processes and technologies are not going to work.”

It is a fact: healthcare institutions cannot rely solely on their firewalls to defend against such intrusions. Research has shown that hackers can enter a network and lie dormant for 140 days before detection.

Hence, healthcare institutions are embracing a robust security strategy for protection today and in the future.

Rethinking primary healthcare  

Professor Barbara Starfield, from the Johns Hopkins Bloomberg School of Public Health, defines primary care as “that level of health service systems that provides entry into the system of all new needs and problems.”

She said it also provides person-focused care over time and care for all unusual conditions and coordinates integrated care given elsewhere.

Simply put, there is much more to do in primary care than just the episodic care usually given to patients.

“In a bigger scheme of things, the way we integrate care within primary care is very important”, affirmed Dr K Thomas Abraham, Advisor at SATA CommHealth. “We need to understand that there could be vertical integration and horizontal integration.”

He said vertical integration involves integration within hospitals or other institutions where care is given while horizontal integration is between practitioners or within the industry.

“I think the future is about how we empower our patients through the use of technology, through the use of different resources that are available for their care”, Dr Abraham said. “Self-care is important; this is how you manage patients and reduce the cost of healthcare and prevent them from being hospitalised.”

How can technology help patients?

A study has shown that socioeconomic factors, as a determinant of health, contribute 40 percent to a person’s general health and well-being, while clinical care contributes only 10 percent.

This leads healthcare professionals to start looking more closely at patients’ environment as well as individual characteristics and behaviours.

Today, technology also makes it possible to care for patients remotely. A study conducted by Accenture reveals that virtual care solutions in primary care can generate savings of up to US$10 billion annually for the industry.

However, while mobile health (mHealth) and telehealth solutions undoubtedly raise staff efficiency and reduce the cost of services, they also open up new paradigms in healthcare.

“Today’s technology has the power to aid the healthcare sector in many ways – integrated care, self-care, social care, and virtual care”, concluded Dr Abraham. “These are not new things to us, but if we put greater effort into finding new ways of advancing these areas, we are definitely going to see better primary care, and it would definitely make better outcomes for our patients too.”

Source | https://www.cio-asia.com/article/3311696/health-care-industry/how-smart-hospitals-are-dealing-with-cybersecurity.html

National Cybersecurity policy for online threats being discussed, says Gobind

KUALA LUMPUR: The Government plans to establish a National Cybersecurity policy to better secure the nation against threats, says Gobind Singh Deo.

The Communications and Multimedia Minister said his ministry will be spearheading the policy in collaboration with the National Cybersecurity Agency and the Malaysian Communications and Multimedia Commission.

“With Malaysia’s digital economy growing by leaps and bounds, it is inevitable that there will be unintended consequences.

“Threats like data breaches and theft, sabotage, intrusion, and cyber espionage can have adverse impacts on organisations and the state,” he said.

He said the ministry is now in discussion with various parties to come up with a robust policy.

One of the areas is to develop more local cybersecurity talents.

“Developing the right talent is a very important aspect of cybersecurity preparedness.

“It is crucial that we establish a sustainable model with the cooperation of various government agencies (along with) academic and private institutions,” he said.

Gobind added that he will suggest amending laws to combat cyberbullying and cybercrimes.

“We could introduce new provisions in the Penal Code, for example, so that such crimes could be investigated by the police.

“But before we do all these, I am in the process of discussing it with the police to get their views,” he said.

Source | https://www.thestar.com.my/news/nation/2018/12/03/national-cybersecurity-policy-for-online-threats-being-discussed-says-gobind/#Jd4Vb6pfj8R4VQSJ.99

 

Cybersecurity predictions for 2019

As a digital technology, biometrics are almost always bound up in some way with cybersecurity. With that in mind, Biometric Update has reviewed predictions for the year ahead to present the most noteworthy, controversial, and troubling among them.

First major biometric hack

A single-factor biometric authentication system will be successfully hacked at scale in 2019, according to security firm Secplicity. This will drive increased adoption of multi-factor authentication, the company says.

Experian’s Data Breach Industry Forecast 2019 also predicts biometric hacking will increase next year, as attackers seek to exploit stolen or altered biometric data, spoofing methods, and deteriorated or manipulated fingerprint and facial recognition sensors. In the report, the company urges organizations to secure all layers of their biometric systems, and to encrypt and store all biometric data in secure servers.

New facial recognition vulnerabilities spur behavioral biometrics

Non-biometric two-factor authentication will be undermined by “SIM swaps” and persistent phishing, cybersecurity service provider Forcepoint says. Biometrics can provide the answer, the company predicts, but behavior analytics will be the preferred method of protection.

New laws and regulations

Acuant President and CEO Yossi Zekri told Biometric Update in an email that new laws or regulations are coming.

“The progress of GDPR will drive continued adoption of identity-related legislation across the world,” he writes. “The United States, currently a hotbed of frustration over the mismanagement of personally identifiable information (PII) and lack of protection for digital identity, will begin to adopt similar legislation in 2019. Recent revelations into questionable business practices and Congress’ increasing focus on technology behemoths Facebook, Amazon, Google and Netflix will drive the U.S. government to rein in the industry with compliance requirements (similar to Sarbanes-Oxley after the Enron and Worldcom debacles).”

Zekri also predicts that systems leveraging both AI and human judgement will outperform the accuracy of fully automated identity verification solutions, and that with an increasing consumer focus on self-sovereign identity, “organizations will start to adopt methods to verify individuals without using personal data. Identity scores – or a similar scoring mechanism – will emerge as a way to verify the individual and replace the need to share PII.”

Nok Nok Labs CEO Phil Dunkelberger also tells Biometric Update that companies should be prepared for a more challenging regulatory environment in the year ahead.

Blockchain hits a roadblock

Mitek CTO Steve Ritter thinks blockchain will be revealed to be unready for mainstream identity platform use in the coming year.

“While blockchain continues to grow in popularity with varying use cases, for it to make a significant impact with identity platforms, it will need to considerably improve any existing solution,” Ritter says. “The biggest challenge with blockchain for identity verification is that a public distributed ledger would be accessible to anyone who needed it but owned by no one, which will likely create privacy and security concerns. The system would need buy-ins from both consumers and businesses to get traction and reach an acceptance “tipping point.” It would take time and money to promote the service, far more than what would be required to create and run it. Until businesses figure out how to monetize blockchain and where it can best be adopted in their businesses, we are unlikely to see this technology revolutionize identity management. As a result, expect that at least 30 percent of data management projects using blockchain will fail and more identity platforms will abandon development of blockchain.”

Account takeover fraud, which cost $5.1 billion in 2017 according to Javelin Research, will decrease, Ritter says, as new identity document verification technology turns the tide and prevents more than 40 percent of account takeover fraud attempts in 2019.

Businesses move away from KBA

TrustID’s 2018 State of Call Center Authentication report shows that a mere 10 percent of call center agents very confidently trust knowledge-based authentication (KBA) to accurately identify callers. This is with good reason, the company says, as there were 668 confirmed data breaches and 22.41 million records exposed in the first half of 2018, according to the Identity Theft Resource Center. TrustID says 2019 marks “the final countdown” for KBA, with the factor fading away within five years.

Ritter also predicts that digital identity verification will replace KBA for online marketplaces, as continuing growth in online transactions and data breaches drives a push for greater regulation.

Other predictions from TrustID include that fraud will continue to move to the fraud channel, that financial transactions will have a short window for accurate verification, and that hacks on health care organizations will increase.

Internet of Things devices scam users

“Your smart fridge will start scamming you,” BioCatch Chief Cyber Officer Uri Rivner tells Forbes. “IoT-connected appliances such as refrigerators and washing machines already produce unattended payments that the user cannot personally verify. Fraudsters see this vulnerability now and will begin to take advantage of it.”

It stands to reason that the challenges of preventing fraud, present even when the payer is on hand, would only increase when the device authorizes payments without the user.

All readers are invited to make cybersecurity predictions for 2019 in the comments below.

Source| https://www.biometricupdate.com/201812/cybersecurity-predictions-for-2019

THE WORST CYBERSECURITY BREACHES OF 2018 SO FAR

Looking back at the first six months of 2018, there haven’t been as many government leaks and global ransomware attacks as there were by this time last year, but that’s pretty much where the good news ends. Corporate security isn’t getting better fast enough, critical infrastructure security hangs in the balance, and state-backed hackers from around the world are getting bolder and more sophisticated.

Here are the big digital security dramas that have played out so far this year—and it’s only half over.

Russian Grid Hacking

In 2017, security researchers sounded the alarm about Russian hackers infiltrating and probing United States power companies; there was even evidence that the actors had direct access to an American utility’s control systems. Combined with other high-profile Russian hacking from 2017, like the NotPetya ransomware attacks, the grid penetrations were a sobering revelation. It wasn’t until this year, though, that the US government began publicly acknowledging the Russian state’s involvement in these actions. Officials hinted at it for months, before the Trump Administration first publicly attributed the NotPetya malware to Russia in February and then blamed Russia in March for grid hacking. Though these attributions were already widely assumed, the White House’s public acknowledgement is a key step as both the government and private sector grapple with how to respond. And while the state-sponsored hacking field is getting scarier by the day, you can use WIRED’s grid-hacking guide to gauge when you should really freak out.

US Universities

In March, the Department of Justice indicted nine Iranian hackers over an alleged spree of attacks on more than 300 universities in the United States and abroad. The suspects are charged with infiltrating 144 US universities, 176 universities in 21 other countries, 47 private companies, and other targets like the United Nations, the US Federal Energy Regulatory Commission, and the states of Hawaii and Indiana. The DOJ says the hackers stole 31 terabytes of data, estimated to be worth $3 billion in intellectual property.

The attacks used carefully crafted spearphishing emails to trick professors and other university affiliates into clicking on malicious links and entering their network login credentials. Of 100,000 accounts hackers targeted, they were able to gain credentials for about 8,000, with 3,768 of those at US institutions. The DOJ says the campaign traces back to a Tehran-based hacker clearinghouse called the Mabna Institute, which was founded around 2013. The organization allegedly managed hackers and had ties to Iran’s Islamic Revolutionary Guard Corps. Tension between Iran and the US often spills into the digital sphere, and the situation has been in a particularly delicate phase recently.

Rampant Data Exposures

Data breaches have continued apace in 2018, but their quiet cousin, data exposure, has been prominent this year as well. A data exposure, as the name suggests, is when data is stored and defended improperly such that it is exposed on the open internet and could be easily accessed by anyone who comes across it. This often occurs when cloud users misconfigure a database or other storage mechanism so it requires minimal or no authentication to access. This was the case with the marketing and data aggregation firm Exactis, which left about 340 million records exposed on a publicly accessible server. The trove didn’t include Social Security numbers or credit card numbers, but it did comprise 2 terabytes of very personal information about hundreds of millions of US adults—not something you want hanging out for anyone to find. The problem was discovered by security researcher Vinny Troia and reported by WIRED in June. Exactis has since protected the data, but it is now facing a class action lawsuit over the incident.

Cloud leaks pop up regularly, but data exposures can also occur when software bugs inadvertently store data in a different format or location than intended. For example, Twitter disclosed at the beginning of May that it had been unintentionally storing some user passwords unprotected in plaintext in an internal log. The company fixed the problem as soon as it found it, but wouldn’t say how long the passwords were hanging out there.

After the revelation of a data exposure, organizations often offer the classic reassurance that there is no evidence that the data was accessed improperly. And while companies can genuinely come to this conclusion based on reviewing access logs and other indicators, the most sinister thing about data exposures is that there’s no way to know for sure what exactly went down while no one was watching.

Under Armour

Hackers breached Under Armour’s MyFitnessPal app in late February, compromising usernames, email addresses, and passwords from the app’s roughly 150 million users. The company discovered the intrusion on March 25 and disclosed it in under a week—some welcome hustle from a large company. And it seems Under Armour had done a good enough job setting up its data protections that the hackers couldn’t access valuable user information like location, credit card numbers, or birth dates, even as they were swimming in login credentials.

The company had even protected the passwords it was storing by hashing them, or converting them into unintelligible strings of characters. Pretty great, right? There was one crucial issue, though: Despite doing so many things well, Under Armour admitted that it had only hashed some of the passwords using the robust function called bcrypt; the rest were protected by a weaker hashing scheme called SHA-1, which has known flaws. This means that attackers likely cracked some portion of the stolen passwords without much trouble to sell or use in other online scams. The situation, while not an all-time-worst data breach, was a frustrating reminder of the unreliable state of security on corporate networks.
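The mixed-scheme situation described above can be handled on the defender's side by verifying each record under its own scheme and re-hashing weak records at the next successful login. This is an added example, not Under Armour's code or anything from the original article; PBKDF2-HMAC-SHA256 from the Python standard library stands in for bcrypt, and the record format, function names and sample accounts are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed work factor for the slow scheme


def legacy_sha1(password):
    """Weak scheme: one unsalted SHA-1 pass, cheap to guess at scale."""
    return "sha1$" + hashlib.sha1(password.encode()).hexdigest()


def slow_hash(password, salt=None):
    """Strong scheme: per-user random salt plus a deliberately slow KDF."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify(password, record):
    """Check a password against a record, dispatching on its scheme prefix."""
    scheme, _, rest = record.partition("$")
    if scheme == "sha1":
        return hmac.compare_digest(legacy_sha1(password), record)
    if scheme == "pbkdf2":
        iters, salt_hex, dk_hex = rest.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk.hex(), dk_hex)
    return False  # unknown scheme: fail closed


def login(store, user, password):
    """Authenticate, then upgrade a legacy record while the plaintext is in hand."""
    record = store.get(user)
    if record is None or not verify(password, record):
        return False
    if not record.startswith("pbkdf2$"):
        store[user] = slow_hash(password)
    return True


def legacy_accounts(store):
    """Audit helper: users whose stored hash is still on the weak scheme."""
    return sorted(u for u, r in store.items() if r.startswith("sha1$"))


def sample_store():
    # Constructed sample data: one legacy record, one already-migrated record.
    return {"alice": legacy_sha1("correct horse"), "bob": slow_hash("tr0ub4dor&3")}
```

Accounts that never log in again stay on the legacy scheme, so the audit list only shrinks as users return.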

One to Watch: VPNFilter

At the end of May, officials warned about a Russian hacking campaign that has impacted more than 500,000 routers worldwide. The attack spreads a type of malware, known as VPNFilter, which can be used to coordinate the infected devices to create a massive botnet.

But it can also directly spy on and manipulate web activity on the compromised routers. These capabilities can be used for diverse purposes, from launching network manipulation or spam campaigns to stealing data and crafting targeted, localized attacks.

VPNFilter can infect dozens of mainstream router models from companies like Netgear, TP-Link, Linksys, ASUS, D-Link, and Huawei. The FBI has been working to neuter the botnet, but researchers are still identifying the full scope and range of this attack.

Source | https://www.wired.com/story/2018-worst-hacks-so-far/

Why Cyber Security is Vital for Homeland Security

Why Big Data & Cyber Security Are Receiving Major Attention from Homeland Security

Every year the United States faces thousands of threats from foreign governments, terrorist organizations, and individuals bent on causing chaos. The Department of Homeland Security’s mission of protecting American interests and assets has become much more difficult in recent years. The interconnectivity of critical systems, large vulnerabilities in network security, and the sheer volume of information to be processed all highlight the evolving nature of threats DHS must address on a daily basis. DHS is adapting to the rise in cyber threats and utilizing the tools of big data to make the nation, and its infrastructure, more secure.

Keeping The Lights On

Critical infrastructure is a prime target for cyber attacks, both from hostile governments and cyber terrorist organizations. DHS identified 16 sectors of the economy and society that could be targeted by cyber attacks. A successful, large scale attack on any one of the 16 sectors could disrupt American life for months, leaving the United States vulnerable to traditional assaults in the process. The reason for the vulnerability is a system of outdated industrial control systems. These systems were installed with the infrastructure decades ago, when almost every system was entirely self-contained to its own network or facility.

Over the last ten years, there has been an effort to digitize and automate important systems, which violated the system’s self-containment by tying it in to a larger computer network. Because the computer network is tied in to the internet, hackers can compromise the industrial control system and wreak havoc on everything from the power grid to transportation networks and more. Evidence suggests China and Russia have already made inroads into breaching America’s critical infrastructure, and DHS is working with private companies to enforce stricter security protocols. DHS admits that stopping such an attack may prove impossible, but they can prepare to mitigate the effects of an infrastructure attack by creating redundancies or backups to restore functionality as soon as possible.

Stemming The Loss Of Data

Sony, JP Morgan Chase, AshleyMadison.com, and Anthem have all experienced massive data breaches in the last five years, leading to the loss of millions of customer and client records. The latest studies show that these data leaks cost the average company more than $3.8 million, with the cost per stolen record increasing substantially across all sectors of the economy. Large corporations have the financial resources to recover from such a loss of data, but smaller businesses often go under as a result of a data loss. Data loss concerns DHS for many reasons.

  • Hackers can use the ill-gotten data to steal the identity of unsuspecting people, allowing terrorists to raise funds to finance their illegal activities.
  • Companies must invest millions into insurance premiums and security upgrades, in addition to the cost of reconfiguring servers and informing customers of the data breach.
  • Hidden costs, like the erosion of public opinion and destruction of the brand, lead to long-term financial problems for American companies.
  • Critical and confidential company data is at risk when a breach occurs, especially information about new product development, financial information about the company, and long-term strategic plans.

The AshleyMadison.com leak also shed light on a potentially devastating aspect of data leaks: the potential for blackmail. Members of the site received blackmail letters from hackers who threatened to take the information public if the victim refused to pay. Blackmail of high-level government officials or business executives through a data leak has the potential to cause serious issues for the nation moving forward. By shoring up cyber security procedures and building a better prevention system, DHS will be more equipped to assist companies in protecting against a data leak.

Big Data, Big Analysis

Not all of the news is dire for DHS. In the last 24 months, the introduction of big data analytics to the DHS provided new and important tools to protect American interests. Big data analysis uses new data processing techniques to break down extremely large data sets in an effort to find trends and patterns. DHS is using big data as a weapon to examine human behavior in terrorist organizations, allowing DHS to track and target high-value individuals. The extent of big data captured by DHS was revealed by Edward Snowden in his leak of classified documents from the National Security Agency.

The documents showed DHS and other government agencies were collecting massive amounts of data concerning phone records, emails, and other digital activity. Though questions remain about how the data is collected and used, DHS has already shown the usefulness of the analytics. Airline screenings are where DHS is having the most success with its application of big data. Each day about two million people get on airplanes in the United States, and without trend analysis afforded by big data, only a fraction of the passengers could be screened.

DHS uses a complex algorithm to look for high risk factors, create profiles of the most likely terrorists, and prioritize in-depth screening for those people who pose the greatest potential threat. The Department of Homeland Security is in the process of adapting to new threats presented by rogue governments and cyber terrorists. Through the use of all of the tools at their disposal, DHS will be better equipped to address pressing national security needs than ever before.

Source| https://safetymanagement.eku.edu/resources/articles/homeland-security-data/