
Category Archives: Cyber Risk Management

Guard Your Data When Using Mobile Apps

Apps can do pretty much anything—they can find the best local restaurants, chart the quickest routes through snarled city traffic and track weight loss. Unfortunately, they can also steal your data.

In order for apps to do the convenient, beneficial things they do, they use customers’ personal information, such as physical location, contact details and passwords. Unscrupulous data thieves can steal your employees’ devices and gain access to this valuable information, or they can siphon it through a rogue app that your employees downloaded without knowing it was malicious. Hackers do this by adding their own illegitimate elements to a popular app and then offering it for free on a ‘bulletin board’ or through a fake online store. Once employees download the phony app, hackers may have unfettered access to their devices.

To help thwart data theft attempts, encourage your employees to follow these tips for securing personal information when using apps:

  • Download apps only from official, trusted stores. Be extremely wary of apps from unknown sources.
  • Read the information about an app in the app store before downloading it. Verify that you are comfortable with the amount and type of personal information it will be using.
  • Clear out unused apps regularly—inactive apps are an open invitation to thieves. If you no longer use an app, uninstall it.
  • Install mobile security software to defend your device.
  • Erase any apps from the device before you recycle, resell or donate it, since they may have access to your personal information. Activate the “factory reset” option in the device’s settings.

 

© 2014 Zywave, Inc. All rights reserved.


43% of companies had a data breach in the past year

Source: www.cnbc.com

A staggering 43 percent of companies have experienced a data breach in the past year, an annual study on data breach preparedness finds.

The report, released Wednesday, was conducted by the Ponemon Institute, which does independent research on privacy, data protection and information security policy. The share of companies reporting a breach is up 10 percent from the year before.

The absolute size of the breaches is increasing, said Michael Bruemmer, vice president of the credit information company Experian’s data breach resolution group, which sponsored the report.

“Particularly beginning with last quarter in 2013, and now with all the retail breaches this year, the size had gone exponentially up,” Bruemmer said.

He cited one large international breach few Americans have even heard about. In January, 40 percent of South Koreans—a total of 20 million people—had their personal data stolen and credit cards compromised.

The breach was caused by a worker at the Korea Credit Bureau, which provides credit scores to Korean credit card companies.

While shadowy hackers in Eastern Europe often get the blame for these attacks, more than 80 percent of the breaches that Bruemmer’s group works with “had a root cause in employee negligence,” he said.

“It could be from someone giving out their password, someone being spear-phished, it could be a lost USB, it could be somebody mishandling files, it could be leaving the door to the network operations center open so someone can walk in,” he said.

Despite the rise in breaches, 27 percent of companies didn’t have a data breach response plan or team in place, though that’s down from 39 percent who didn’t have them in the previous year’s survey.

Even in companies that have breach plans in place, employees aren’t convinced they will work. Only 30 percent of those responding to the survey said their organization was “effective or very effective” at creating such plans.

One reason might be that few companies seem to take the need seriously. Of the companies surveyed, just 3 percent looked at their plan of action each quarter. Thirty-seven percent hadn’t reviewed or updated their plan since it was first put in place.

The statistics don’t surprise Ted Julian, chief marketing officer with Co3 Systems in Cambridge, Mass. His company does cyber incident response management.

“Most organizations, and I’m only talking the sophisticated ones, have done a little but it’s not enough,” he said.

Breaches are now just a part of life and yet when they happen too often companies pull out “a dusty incident response plan that hasn’t been touched in two years,” Julian said.

The survey was conducted in 2014 and included 567 U.S. executives, most of whom reported to their company’s information security officers.


Is Your Website Secure?

In the wake of several high-profile cyber security scandals and the widespread Heartbleed security bug, website security is more important than ever. Without a concerted effort to safeguard your business’ website, you risk losing money due to relentless cyber attacks.

Because hackers are constantly searching for new website vulnerabilities and engineering new viruses, website security should be a round-the-clock concern—the threat will never ebb. The consequences of weakening your stance on website security, even for a second, can be disastrous: loss of revenue, damage to credibility, legal liability and broken customer trust.

Web servers, which host the data and other content available to your customers on the Internet, are the most targeted and attacked components of a company’s network. Some specific security threats to Web servers include the following:

  • Cyber criminals may exploit software bugs in the Web server.
  • Attackers can disable a network by flooding it with information.
  • Hackers may secretly read or modify sensitive information on the Web server.
  • Criminals could gain unauthorized access to resources elsewhere in your business’ network following a successful attack on the Web server.

To guard your website against these threats, follow the steps listed below:

  1. Develop and implement a data breach response plan.
  2. Ensure that the Web server operating systems and applications meet your organization’s security requirements.
  3. Publish only appropriate information.
  4. Prevent unauthorized access or modification on your site.
  5. Protect and monitor Web security at all times.

Rely on ABEX for expert, timely guidance on cyber security.

 

 

© 2014 Zywave, Inc.


Hackers can tap USB devices

Source: mobile.reuters.com

USB devices such as keyboards, thumb-drives and mice can be used to hack into personal computers in a potential new class of attacks that evade all known security protections, a top computer researcher revealed on Thursday.

Karsten Nohl, chief scientist with Berlin’s SR Labs, noted that hackers could load malicious software onto tiny, low-cost computer chips that control functions of USB devices but which have no built-in shields against tampering with their code.

“You cannot tell where the virus came from. It is almost like a magic trick,” said Nohl, whose research firm is known for uncovering major flaws in mobile phone technology.

The finding shows that bugs in software used to run tiny electronics components that are invisible to the average computer user can be extremely dangerous when hackers figure out how to exploit them. Security researchers have increasingly turned their attention to uncovering such flaws.

Nohl said his firm has performed attacks by writing malicious code onto USB control chips used in thumb drives and smartphones. Once the USB device is attached to a computer, the malicious software can log keystrokes, spy on communications and destroy data, he said.

Computers do not detect the infections when tainted devices are inserted because anti-virus programs are only designed to scan for software written onto memory and do not scan the “firmware” that controls the functioning of those devices, he said.

Nohl and Jakob Lell, a security researcher at SR Labs, will describe their attack method at next week’s Black Hat hacking conference in Las Vegas, in a presentation titled: “Bad USB – On Accessories that Turn Evil.”

Thousands of security professionals gather at the annual conference to hear about the latest hacking techniques, including ones that threaten the security of business computers, consumer electronics and critical infrastructure.

Nohl said he would not be surprised if intelligence agencies, like the National Security Agency, have already figured out how to launch attacks using this technique.

Last year, he presented research at Black Hat on breakthrough methods for remotely attacking SIM cards on mobile phones. In December, documents leaked by former NSA contractor Edward Snowden demonstrated that the U.S. spy agency was using a similar technique for surveillance, which it called “Monkey Calendar.”

An NSA spokeswoman declined to comment.

SR Labs tested the technique by infecting controller chips made by major Taiwanese manufacturer, Phison Electronics Corp, and placing them in USB memory drives and smartphones running Google Inc’s Android operating system.

Alex Chiu, an attorney with Phison, told Reuters via email that Nohl had contacted the company about his research in May.

“Mr. Nohl did not offer detailed analysis together with work product to prove his finding,” Chiu said. “Phison does not have ground to comment (on) his allegation.”

Chiu said that “from Phison’s reasonable knowledge and belief, it is hardly possible to rewrite Phison’s controller firmware without accessing our confidential information.”

Similar chips are made by Silicon Motion Technology Corp and Alcor Micro Corp. Nohl said his firm did not test devices with chips from those manufacturers.

Google did not respond to requests for comment. Officials with Silicon Motion and Alcor Micro could not immediately be reached.

Nohl believed hackers would have a “high chance” of corrupting other kinds of controller chips besides those made by Phison, because their manufacturers are not required to secure software. He said those chips, once infected, could be used to infect mice, keyboards and other devices that connect via USB.

“The sky is the limit. You can do anything at all,” he said.

In his tests, Nohl said he was able to gain remote access to a computer by having the USB instruct the computer to download a malicious program with instructions that the PC believed were coming from a keyboard. He was also able to change what are known as DNS network settings on a computer, essentially instructing the machine to route Internet traffic through malicious servers.

Once a computer is infected, it could be programmed to infect all USB devices that are subsequently attached to it, which would then corrupt machines that they contact.

“Now all of your USB devices are infected. It becomes self-propagating and extremely persistent,” Nohl said. “You can never remove it.”

Christof Paar, a professor of electrical engineering at Germany’s University of Bochum who reviewed the findings, said he believed the new research would prompt others to take a closer look at USB technology, and potentially lead to the discovery of more bugs. He urged manufacturers to improve protection of their chips to thwart attacks.

“The manufacturer should make it much harder to change the software that runs on a USB stick,” Paar said.


Scammers More Sophisticated, Warns Competition Bureau

The Competition Bureau reports that phishing is one of the growing scamming techniques, and users of social networking sites are especially vulnerable. Almost 95 per cent of fraud-related crimes in Canada go unreported, according to an estimate by the Canadian Anti-Fraud Centre. One glaring reason for this is that people are usually too embarrassed to admit that they fell for a scam, especially one that happened on a social networking site.

A phishing scam is a phony email or pop-up message used to lure unsuspecting Internet users into divulging personal information, such as credit card numbers and account passwords, that will later be used by hackers for identity theft. A phisher’s email can be very persuasive and believable if he or she is impersonating a well-known organization or individual.

Keep employees safe from phishing scams by teaching them to:

  • Be extremely wary of urgent email requests for any personal or financial information (their own or a client’s).
  • Call the company or individual in question using the number listed on the corporate website or in the phone book. Avoid using phone numbers provided in the email, as they could be phony too.
  • Avoid using the links included in an email unless they are certain that the email is legitimate.
  • Avoid divulging personal or financial information on the Internet unless the site is secure (its address starts with “https”).
  • Never disable anti-virus software.

The only way that the authorities can keep tabs on new scams that pop up is if individuals report crimes when they happen. When these crimes go unreported, the public can’t be alerted to watch out for scams, which can in turn affect many more people.

A computer intrusion could cripple your company, costing you thousands or millions of dollars in lost sales and/or damages. Make sure your employees are alerting you when they encounter suspicious emails or websites.

 

 

© 2014 Zywave, Inc. All rights reserved

