
Blogs


Breach of Data Protection Act when London's hospital shared patient data with Google DeepMind

London’s Royal Free hospital failed to comply with the Data Protection Act when it handed over personal data of 1.6 million patients to DeepMind, a Google subsidiary, according to the Information Commissioner’s Office (ICO).
The data transfer was part of the two organisations’ partnership to create the healthcare app Streams, an alert, diagnosis and detection system for acute kidney injury.
Patients were not adequately informed that their data would be used as part of the test.

MACHINE-LEARNING TECHNOLOGIES HELP AGENCIES DEVELOP HIGHLY INTELLIGENT SECURITY POSTURES

Security breaches can happen so quickly and stealthily that the damage will be done before anyone even realizes there was a hack.
Factor in the increase in the volume and complexity of the threats, and it becomes evident the challenge has grown well beyond what can be managed through manual intervention. To successfully combat these challenges, cyber operators should consider incorporating machine-learning capabilities into their toolkit.

Distributed Guessing Attack for Visa Credit card info

To guess the card number, expiry date and security code of any Visa credit or debit card, an attacker makes an unlimited number of guesses on each card data field, splitting the attempts across several websites. The attackers submit data to online payment websites and analyze the reply to the transaction to discover whether or not the data was correct. It is a kind of brute force attack.

It exploits two weaknesses of online payment systems:

Cyber Security for IoT

Securing the IoT has become a matter of homeland security in a release by DHS. Recognizing that too many products today do not incorporate even basic security measures, the release emphasizes baking in security at design time rather than bolting it on.

Five high-level principles for cybersecurity include:

Cyber security challenges in government agencies

According to an article on "Federal Cyber Security Challenges", federal government agencies are often subject to cyber attacks from hackers, malicious insiders, nations, criminals/organizations and terrorists, among which nations are the most frequent attackers.

IoT as bots for DDOS attacks on DNS

An open-source malware, Mirai Bot, was used to infect Internet-connected home devices, such as security cameras and DVRs, and to attack Dyn, a major Domain Name System (DNS) provider. This caused a major interruption in Internet traffic, with major service interruptions for Twitter, Spotify and Amazon, to name a few. The Dyn DNS service was flooded by a devastating wave of requests originating from millions of compromised IoT devices. IoT device security is often weak because devices are left with the manufacturers' default settings.

AI can help Cybersecurity

The article "Artificial Intelligence Just Changed the Future of Information Security" (Aug 2016) features AI bots that detect different types of security vulnerabilities hiding in vast amounts of code. The bots use artificial intelligence and automation to find security and design flaws that bad actors use to penetrate computer networks and steal data.

Audio on CyberSecurity issues of the day

This 9-minute audio by Eric Chabrow and other security analysts is helpful for understanding:
  • the issues of sharing classified documents via personal email, which were discussed in the media last week. It is a controversial issue: is sloppy human behavior to blame, or are governments over-classifying information?

Data Breach Incident Report

The annual Verizon Data Breach and Incident Report lists the following key findings in cybersecurity. The report is summarized here.

Human Weaknesses

30% of phishing messages were opened by their intended victim. 12% of those targets took the next step to open the malicious attachment or web link.

Ransomware Rises

Usable privacy policy tool

A new online tool helps users understand privacy policies. Most privacy policies are long, dry, full of legalese and hard for the average reader to understand. To help users interpret the privacy policies of websites and online services, the Usable Privacy website has been launched jointly by Carnegie Mellon University and Fordham Law School. It provides a quick sense of what types of statements are being made in a privacy policy, without having to read the entire thing. It uses color coding to show how policies are organized and what types of collection, sharing, or retention practices they address.

The Android Bankosy malware steals banking OTPs

One-time passcodes (OTPs), a crucial defense for online banking applications, are being intercepted by a malware program for Android, according to new research from Symantec.
One-time passcodes (OTPs) in a two-factor authentication scheme are a valid defense for online banking applications, but they are not enough to ensure total security for bank customers. A new strain of malware dubbed Android.Bankosy has been improved by its authors to capture one-time passcodes and elude the 2FA mechanisms implemented by online banking systems.

SCADAPASS: Cyber Physical Security - default credentials

A list of default credentials, “SCADAPASS,” associated with industrial control system (ICS) products from various vendors has been published by a research team. The list includes default credentials for more than 100 products, which include:

Voter registration data exposed in CA

A misconfigured database leaking the personal information of over 191 million voters was reported to DataBreaches.net by researcher Chris Vickery.

Number one information security risk in healthcare

The article reports that in the healthcare industry, regardless of countless controls and policies, organizations are as vulnerable as their most gullible employee.

Jailbreaking

Many smartphone, tablet, and game console makers include a layer of Digital Rights Management (DRM) software on their products. This DRM exists either to limit the software you can run on it, or is there for security reasons. Jailbreaking is the process of hacking these devices to bypass DRM restrictions, allowing you to run "unauthorized" software and to make other tweaks to your operating system.

Infographic for Government Cyber attacks

This infographic explains different types of cyber security attacks and how governments get hacked, through real-world examples and data. It also offers eight basic steps that agencies can take to strengthen their cyber defenses. Infographic

Drive-by-Download attack & Cross Site Scripting attack

'Drive-by-download' attacks occur when a visitor navigates to a site that injects malware onto the victim's PC. Crucially, these attacks are usually downloaded and run in the background in a manner that is invisible to the user - and without the user taking any conscious 'action steps' to initiate the attack. Just the act of viewing a web-page that harbors this malicious code is enough for the attack to run. The downloaded malware often initiates a buffer-overflow attack.

Cross Site Scripting Attack

Malvertising

Malvertising refers to "malicious advertising". It is a malware attack that uses online ads to spread malicious code. A typical malvertising attack works as follows:

DDOS attack types

This YouTube video discusses different types of Distributed Denial of Service (DDoS) attacks, including ICMP Ping Flood, UDP Flood, Smurf Attack, SYN Flood, GET Request attack, Frag Flood and DNS Amplification attack:

Mobile Web Tracking - TURN

Mobile users' web browsing can be tracked. The online advertising company Turn can re-create the history of a person’s Web browsing traffic using Verizon’s tracking system. Verizon uses a "Header Enrichment" tracking method in which mobile subscribers’ web surfing traffic is tagged at the carrier level with a number called a UIDH (Unique Identifier Header). Verizon Wireless has been silently modifying its users' web traffic on its network to inject a cookie-like tracker.

Cybersecurity and the Risk to the Small/Medium Businesses

Running a small business is risky, but ignoring the cybersecurity of the business is even riskier. With so much at stake, it behooves a small business owner to guard the company's assets as much as possible. For example, last year in the United Kingdom, the Department for Business Innovation and Skills (BIS) reported that 63 percent of small businesses were breached and 23 percent were hit by denial of service (DoS) attacks. Fifteen percent of small firms detected network intrusions, and nine percent reported the theft of intellectual property by hackers.

US Cybersecurity National Strategy report by GAO 2013

Compare this US report on Cybersecurity National Strategy, Roles, and Responsibilities, published in 2013 by GAO, with the previous entry on the ENISA evaluation of cyber security strategies in Europe.

ENISA proposed Evaluation Framework on National Cyber Security Strategies (NCSS)

ENISA (European Network and Information Security Agency) proposed an Evaluation Framework on National Cyber Security Strategies (NCSS) that consists of:
  • A blueprint logic model presenting conceptual building blocks and a structure.
  • A list of possible key performance indicators (KPIs)

10 hottest IT skills for 2015

These are the skills that 194 IT executives who responded to our survey said will be most in demand heading into 2015.
The top 10 in-demand IT skills include:
1. Programming/application development
2. Project management
3. Help desk/technical support
4. Security/compliance governance
5. Web development
6. Database administration
7. Business intelligence/analytics
8. Mobile applications and device management
9. Networking
10. Big data

Enterprise security - insider threats

Insider Threats in an enterprise arise:

Cyber Security History, Threats & Solutions

This video is a nice introduction to cyber security history.

Memory-Scraping Malware - POS attacks

Memory-scraping malware (aka “memory dump” malware, or "skimming") uses a technique that parses data stored briefly in the memory banks of specific POS (point-of-sale) devices. The malware captures the data stored on the card’s magnetic stripe in the instant after it has been swiped at the terminal and is still in the system’s memory. Thieves can create cloned copies of the cards with the captured data, and use them to shop in stores for high-priced merchandise or to sell in the underground market.

Mobile Malware

Mobile Malware types

There are three broad categories of Android malware:
  • Malware that steals personal data: These types steal personal contacts, GPS locations, SMS, phone calls or browsing patterns. An example is the NickiBot spyware, which performs GPS location monitoring, sound recording, uploading via email and call log collection. Find and Call malware is another example, which spreads the phone contacts through SMS spam messages or uploads the contacts to a remote server once the user registers her device online.
  • Malware that has root access
