How to respond to a data breach

I cover a lot of data breaches. From inadvertent exposures to data-exfiltrating hacks, I’ve seen it all. But not every data breach is the same. How a company responds to a data breach — whether or not it was their fault — can make or break its reputation.

I’ve seen some of the worst responses: legal threats, denials and pretending there isn’t a problem at all. In fact, some companies claim they take security “seriously” when they clearly don’t, while other companies see it merely as an exercise in crisis communications.

But once in a while, a company’s response almost makes up for the daily deluge of hypocrisy, obfuscation and downright lies.

Last week, Assist Wireless, a U.S. cell carrier that provides free government-subsidized cell phones and plans to low-income households, had a security lapse that exposed tens of thousands of customer IDs — driver’s licenses, passports and Social Security cards — used to verify a person’s income and eligibility.

A misconfigured plugin for resizing images on the carrier’s website was blamed for the inadvertent data leak of customer IDs to the open web. Security researcher John Wethington found the exposed data through a simple Google search. He reported the bug to TechCrunch so we could alert the company.

Make no mistake, the bug was bad and the exposure of customer data was far from ideal. But the company’s response to the incident was one of the best I’ve seen in years.

Take notes, because this is how to handle a data breach.

Their response was quick. Assist immediately responded to acknowledge the receipt of my initial email. That’s already a positive sign, knowing that the company was looking into the issue.

Ex-NSA hacker drops new zero-day doom for Zoom

Zoom’s troubled year just got worse.
Now that a large portion of the world is working from home to ride out the coronavirus pandemic, Zoom’s popularity has rocketed, but also has led to an increased focus on the company’s security practices and privacy promises. Hot on the …

Smart Home…Or Danger Zone? Don’t Let Your IoT-Based Smart Home Devices Serve as Entryways for Hackers

Earlier this year, an Illinois couple panicked when they suddenly heard a male stranger’s voice speak to their infant through the baby monitor. It turns out their smart cameras and thermostat, installed to provide security, had instead been hacked and turned against them.

More recently, a Wisconsin couple got the scare of their lives when a hacker accessed their smart home device and cranked up their heat, spoke to them, and even played vulgar music through a camera.

We don’t have actual numbers on how many more terrifying stories of smart home “invasions” are out there. We do know that as more and more homes deploy smart home devices (the global smart home market is expected to reach 53 billion by 2022), homeowners are not just enjoying the rewards of convenience and connectivity. They are also very likely to suffer very real security risks, as smart hackers turn these IoT-based gadgets – lights, locks, cameras, other surveillance systems and even common kitchen appliances such as coffee makers and refrigerators – into gateways to their homes.

In mid-2018, the FBI warned consumers that just as they secure their PCs and mobile devices, they should also safeguard their vulnerable IoT devices such as routers, cameras and other smart appliances.

Common Cyber Threats Against IoT Devices

 As the use of network-connected smart home automation devices soars (many of them unsecured), so do incidents of IoT security breaches such as:

  • Your public IP address pinpointed by hackers as IP addresses are revealed by unsecured devices, increasing the risk of home intrusion (criminals will know when you’re not home).
  • Your hijacked device turned into an email server, able to send thousands of spam emails without the device owner even knowing about it.
  • Your compromised devices recruited into malicious botnets to carry out massive Distributed Denial of Service (DDoS) attacks on government or public facilities (see https://www.iotforall.com/iot-ddos-attack/).
  • Your IoT devices’ failure to encrypt messages before sending them over the network to keep communication and user information secure.
  • Your device’s vulnerability to outside access because manufacturers don’t tell customers to change the default password, which threat actors can easily attain through brute force.
  • Your router’s susceptibility to remote access, enabling hackers to intrude into the home network and discover unsecured IoT devices.

What Happens When Hackers Turn Smart Appliances Against You?

Once accessed and compromised, your smart appliances can wreak havoc on your life. Your smart lock, installed to be able to enter your house without a physical key? It can now lock you out or, worse, unlock the door to intruders. The smart light you set up to automatically turn on and off? It can now decide to turn on all the lights – and all the other electrical appliances – until it overloads your power system. That smart vacuum cleaner that you can schedule to do the cleaning for you? Believe it or not, it can now show potential burglars the very layout of your home. Have a router that connects your devices to the internet and makes all this convenience possible? Careful, it can now give away your personal credentials or private information.

You get the point. Every link in the “smart chain” must be secured.

Smart Devices…Not-So-Smart Security?

Smart homes are great, but they’re also way too open. According to OWASP, each IoT device alone has 15 attack surface areas.

Smart-home owners, get security smart and protect your IoT devices against attacks by:

  • Accounting for all your connected devices. Be sure to note each device’s settings, credentials, versions, and recent patches so you’ll know what security steps you need to take or even if you should replace or update any device.
  • Authenticating the smart home device before sending or receiving data. Using two-way authentication via cryptographic algorithms ensures that the data comes from a legitimate, rather than fraudulent, source.
  • Replacing default or weak passwords to prevent hackers from accessing them through brute force, and changing device settings to achieve stronger security.
  • Using encryption to protect data as it travels from your device to the cloud to ensure that no one can access the transmitted data without the proper decryption key.
  • Segmenting IoT devices by deploying two wireless connections in the home, setting up IoT devices separately, and creating different passwords to prevent the spread of attacks and cut off devices in trouble.

Best of all, adopt a solution – enterprise-grade security protection adapted for homes – that can scan your home network for any unusual activity and then immediately shut it down, while letting you know an attempt was made to invade your privacy.

Igor Rabinovich is CEO and founder of Akita.Box (Wireless IDPS) and the Akita.Cloud platform.

Written by Igor Rabinovich, CEO & Co-founder of Akita
Source: IoT For All

GlobalData reveals top 10 cybersecurity influencers in Q4 2019

An analysis of GlobalData’s Cybersecurity Influencer Platform, which tracks more than 300 leading global cybersecurity experts and their discussions pertaining to the emerging trends, pain areas, new fields of innovation and other popular areas on Twitter, revealed cybersecurity expert Sean Harris as the top influencer during the fourth quarter (Q4) of 2019.

SwiftOnSecurity, information security expert and founder of Decentsecurity.com, was ranked second among the cybersecurity experts with an influencer score of 70. Bob Carver, Principal – Cybersecurity Threat Intelligence and Analytics at Verizon, was ranked third with an influencer score of 67.

Among the companies, Alphabet Inc. emerged as the most discussed company among the industry experts followed by McAfee and Amazon.com. The conversation on Alphabet Inc. was largely driven by the measures taken by the company to protect themselves from rising malware threats and phishing attacks.

In Q4 2019, ‘Information Security’ emerged as the top trend discussed among the industry experts, followed by ‘Malware’, ‘Hacking’ and ‘Ransomware’. The conversations about ‘Information Security’ were driven by the tricks and tips shared by cybersecurity experts to protect sensitive information online.

Source: GlobalData