Snooper’s Charter 2.0 Is Set To Become Law As Lords Pass Controversial IP Bill

Following the news that Snooper’s Charter 2.0 Is Set To Become Law As Lords Pass Controversial IP Bill , please see below for a comment from Lee Munson, a security researcher from :

“For those people saying they having nothing to hide, and hence nothing to fear, the passing of the Investigatory Powers Bill into statute will be something of a non-event.

“Privacy advocates, and an increasing proportion of the rest of the population, may well be concerned, however, that the so-called ‘Snooper’s Charter,’ for so long championed by new Prime Minister Theresa May, has now been passed by the House of Lords.

“It means law-abiding citizens across the country could now see their web browsing history stored for a year, and GCHQ and others will be able to intercept online communications with ease, and what appears to be very limited oversight.

“So, whether citizens have anything to hide or not is no longer for them to decide – their government will do it for them.”



Three Mobile cyber hack: comment

Commenting on the news that mobile network Three is the latest victim of a cyber attack, Joe Hancock, Cyber Security Lead at Mishcon de Reya said:

“Almost certainly, the reason we know about this breach is because Three had a regulatory obligation to tell its customers. Without this, this news may not have seen the light of day.

“Given that the new GDPR will drive more notifications like this, how a company manages the communication around such incidents is becoming more critical.

“In this instance, it seems that customer information was ‘accessed’ rather than ‘lost’ in bulk, so – whilst in reality it’s possible some data didn’t go anywhere – Three may struggle to prove it.

“As a result, there will likely be reputational fallout similar to what we would expect from a large-scale data theft. Already, the language used around Three mirrors that used around TalkTalk’s breach. It is therefore perhaps better not to go on the record until the business has a clear understanding of how much data and which customers are affected by the breach. Now every Three customer is concerned.

“It appears that the people behind the breach have been caught, greatly increasing the possibility of preventing use of the data and making financial recoveries from the cyber criminals. Acting quickly is essential to prevent further fraud and to secure the evidence available if there is to be any chance of recovery.”



UX versus user security: Part two

Part two: Reducing security complexity for better employee productivity
By François Amigorena, CEO, IS Decisions
IT security is clearly crucial for protecting the network and the resources contained within it. But that said, unnecessarily complex security procedures shouldn’t hinder users, negatively impact on productivity or undermine business performance.

In our recent guide UX versus user security, which is based on research among 250 British organisations, we found that employees waste 15.27 minutes every week because of complex IT security procedures. That figure equates to 127 days of lost productivity per year for firms of 250 people, and 15.3 days for firms of 30 people. Imagine what those employees could have achieved with that time, and the end benefit to the organisation!

When it comes to selecting a security system, organisations need to think about the overall impact it is going to have — for the IT staff, the employees and the organisation itself — and try to strike the right balance between robust user security and a productive user experience. By choosing a system that cuts out the tedious manual processes and hides the complexity of security from the users, it’s possible to improve productivity of users across a business.

Organisations can also customise security by implementing and managing transparent access controls that do not impede user productivity. Logins are the first line of defence in controlling and securing network access so it is important to manage when, where and how the network is accessed to be able to identify if that person is not who they say they are — even if they have the right passwords.

IT departments can easily set and enforce a customised access policy that includes context-aware restrictions such as location, IP address, time of day and number of simultaneous sessions, all of which are transparent to the user and do not impede productivity. These access policies protect against compromised network credentials, reducing the risk of both external attacks and internal security breaches: a valid password presented from an unexpected place, at an unexpected time or on top of too many open sessions is refused rather than trusted. Together, these controls address the network’s security needs while reducing complexity for employees and increasing productivity.
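One way such a context-aware policy can be expressed and enforced, shown here as an added example rather than anything from IS Decisions or its product: a small policy engine that checks each logon against permitted source networks, permitted hours and a per-user session cap, and refuses a logon that breaks any rule even when the password is correct. The policy values, user names, addresses and logon records are constructed for the demonstration; a real deployment would read the open-session count from the domain rather than from a local dictionary.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network


@dataclass
class Policy:
    """Hypothetical access policy with the restriction kinds named in the text."""
    allowed_networks: list   # CIDR ranges a user may log on from (office LAN, VPN pool)
    work_start: time         # earliest permitted logon time
    work_end: time           # latest permitted logon time
    max_sessions: int        # concurrent sessions permitted per user


@dataclass
class LogonAttempt:
    user: str
    source_ip: str
    when: datetime
    password_ok: bool        # result of the ordinary credential check


def evaluate(attempt, policy, sessions):
    """Return (allowed, reason). Every rule is applied even when the password
    is right: a valid credential used from the wrong place, at the wrong time
    or on top of too many open sessions is treated as a compromised one."""
    if not attempt.password_ok:
        return False, "bad password"
    src = ip_address(attempt.source_ip)
    if not any(src in ip_network(net) for net in policy.allowed_networks):
        return False, f"source {attempt.source_ip} outside permitted networks"
    t = attempt.when.time()
    if not policy.work_start <= t <= policy.work_end:
        return False, f"logon at {t:%H:%M} outside permitted hours"
    if sessions.get(attempt.user, 0) >= policy.max_sessions:
        return False, f"{attempt.user} already has {policy.max_sessions} open sessions"
    return True, "ok"


def run_demo():
    """Constructed policy and logon records; returns one (user, allowed, reason) per attempt."""
    policy = Policy(
        allowed_networks=["10.0.0.0/8", "192.168.1.0/24"],   # constructed office/VPN ranges
        work_start=time(7, 0),
        work_end=time(20, 0),
        max_sessions=2,
    )
    sessions = {}   # user -> sessions currently open (stand-in for the domain's session table)
    attempts = [    # constructed sample logons, not real data
        LogonAttempt("alice", "10.20.30.40", datetime(2016, 11, 18, 9, 5), True),
        LogonAttempt("alice", "10.20.30.41", datetime(2016, 11, 18, 9, 6), True),
        LogonAttempt("alice", "10.20.30.42", datetime(2016, 11, 18, 9, 7), True),   # third concurrent session
        LogonAttempt("bob", "203.0.113.7", datetime(2016, 11, 18, 10, 0), True),     # right password, external address
        LogonAttempt("bob", "192.168.1.15", datetime(2016, 11, 18, 23, 30), True),   # office address, but 23:30
        LogonAttempt("carol", "192.168.1.20", datetime(2016, 11, 18, 14, 0), False),
    ]
    results = []
    for a in attempts:
        allowed, reason = evaluate(a, policy, sessions)
        if allowed:
            sessions[a.user] = sessions.get(a.user, 0) + 1
        results.append((a.user, allowed, reason))
    return results


if __name__ == "__main__":
    for user, allowed, reason in run_demo():
        print(f"{user:6} {'ALLOW' if allowed else 'DENY ':5} {reason}")
```

The order of the checks matters for what an attacker learns: the password is verified first so that a refusal never reveals whether a guessed password was right, and the contextual refusals are logged for the security team rather than explained to the person at the keyboard.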

Learn more about using an effective security solution that does not frustrate IT personnel.




10 Essential Security Tips All Bloggers Should Follow

Starting a blog is so easy today that a child could do it. Maintaining a blog and keeping your information safe and private is a different story. Cyber attacks are real and incredibly threatening, particularly because bloggers are often oblivious to the threat that looms over them. Most bloggers believe themselves to be so inconsequential in the grand scheme of things that they don’t need to take security precautions for their little platform.

This way of thinking is exactly why breach statistics for businesses and personal websites are so high. According to research, more than 169 million personal records were exposed in 2015 from publications and businesses. Despite these hard-hitting statistics, other research shows that only 38% of people with an online platform say they’re prepared with adequate security measures to prevent major attacks.

Don’t let your blog fall by the wayside. Building up a blog takes real work. You obviously put a lot of time and effort into the writing, advertising platform, customer following, and product store, and you don’t want that to go to waste.

Use these 10 essential security features to protect all your hard work from malicious attacks.

1. Use strong passwords and change them often.

Do you use the same username and password for your blog as you do for everything else? A shocking number of people do. Sure, it’s inconvenient to remember a different, more complicated password for every online service, but doing so pays off twice: a long, unpredictable password resists brute force guessing, and a unique one means a password leaked from some other site cannot simply be replayed against your blog.

2. Keep blog access close to home.

Don’t grant admin access to friends and family. If someone else genuinely needs to work on your blog, give them their own account with only the rights the job needs and remove it when they are done; if you must let someone else log in with your credentials, change the password as soon as possible afterward.

3. Regularly check and update plugins and software.

Updates are released for several reasons, but the most important is to fix security holes. Any plugins and software that run alongside your platform should be updated promptly, and you should check that they are still maintained: a plugin its author has abandoned will never receive a fix for the next vulnerability found in it, so replace or remove it.

4. Watch out for malicious advertisements.

This is also known as malvertising, which reportedly increased by more than 200 percent in 2013, and has continued to grow ever since. There are more than 12.4 billion malicious ad impressions on the web, particularly on social media and unsavory websites. Before allowing advertisements on your site, make sure there’s no malicious code included.

5. Use secure hosting.

You can check how secure your host is by looking at the security features it offers. Ideally, your host will provide frequent updates, 24/7 technical support in case of a cyber attack, protection against brute force attacks, and SSL/TLS (HTTPS) options. Do your research to make sure you’re getting the most out of your hosting provider and change hosts if necessary for better protection.

6. Beware of public Wi-Fi and always use a clean PC.

Public Wi-Fi is almost always unsecured, so anyone else on the network may be able to observe or tamper with your traffic; if you must use it, log in only over HTTPS. Your computer and devices should also be free of malware, since a keylogger on your own laptop captures your blog’s password no matter how strong it is.

7. Use secure checkout for any product pages.

A lot of blogs sell products in order to maximize their earnings, and if this is you, keep that page protected. Your customers will be entering their credit card information and personal details, so serve the checkout over HTTPS and, better still, hand card handling to an established payment processor rather than storing card numbers yourself. Hackers love to peruse unsuspecting small businesses and blogs to steal identities and money.

8. Turn off file editing.

Being able to edit your template’s files from the dashboard is a useful feature, but disable it as soon as you’re happy with the changes (on WordPress, for example, this is the DISALLOW_FILE_EDIT setting in wp-config.php). With the editor off, an attacker who gets hold of an admin login cannot use it to plant malicious code in your theme files.

9. Don’t allow uploads on your comment feature.

Some blog platforms allow this, but make sure it’s disabled. Disgruntled readers or hackers can upload malware, and both you and your readers can be infected if the material is downloaded and opened.

10. Hide your login information.

It’s a lot easier for hackers to break into your blog if they already know your username, which can often be found in the author archive page’s permalink. With certain plugins, you can easily remove this to add a little more protection.

Don’t be fooled into thinking your blog is safe because you have a small following. You’re just as vulnerable as anyone else on the web, if not more so because you haven’t yet invested in the security of your blog.

– Jenna Cyprus
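The detection side of tips 1 and 10, as an added example that is not part of the article: a script that scans a blog’s web-server access log for password-guessing runs against the login page and for username enumeration through the author archive. It assumes a WordPress-style site, where logins are POSTs to /wp-login.php, a failed login re-renders the form with HTTP 200 while a success redirects with 302, and /?author=N redirects to the author’s archive URL (which contains the username); it also assumes Apache/nginx combined log format and the thresholds shown. The log lines are constructed for the demonstration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Combined log format: ip ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
LOGIN_PATH = "/wp-login.php"                 # assumed login endpoint
AUTHOR_RE = re.compile(r"[?&]author=\d+")    # assumed author-archive probe
FAIL_THRESHOLD = 5                           # failed logins from one address ...
WINDOW = timedelta(minutes=5)                # ... inside this window = guessing

SAMPLE_LOG = [  # constructed sample, not a real server log
    '198.51.100.9 - - [18/Nov/2016:09:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4211',
    '198.51.100.9 - - [18/Nov/2016:09:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4211',
    '198.51.100.9 - - [18/Nov/2016:09:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4211',
    '198.51.100.9 - - [18/Nov/2016:09:00:08 +0000] "POST /wp-login.php HTTP/1.1" 200 4211',
    '198.51.100.9 - - [18/Nov/2016:09:00:10 +0000] "POST /wp-login.php HTTP/1.1" 200 4211',
    '198.51.100.9 - - [18/Nov/2016:09:00:12 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '203.0.113.5 - - [18/Nov/2016:09:10:00 +0000] "GET /?author=1 HTTP/1.1" 301 0',
    '203.0.113.5 - - [18/Nov/2016:09:10:01 +0000] "GET /?author=2 HTTP/1.1" 301 0',
    '203.0.113.5 - - [18/Nov/2016:09:10:02 +0000] "GET /?author=3 HTTP/1.1" 301 0',
    '192.0.2.1 - - [18/Nov/2016:09:15:00 +0000] "GET /2016/11/my-post/ HTTP/1.1" 200 8120',
    '192.0.2.1 - - [18/Nov/2016:09:15:20 +0000] "POST /wp-login.php HTTP/1.1" 200 4211',
]


def parse(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def analyse(lines):
    """Return {'bruteforce': {ip: densest failure count}, 'enumeration': {ip: probes}}."""
    failures = defaultdict(list)   # ip -> timestamps of failed logins
    probes = Counter()             # ip -> author-archive probes
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        if (rec["method"] == "POST" and rec["path"].startswith(LOGIN_PATH)
                and rec["status"] == 200):
            failures[rec["ip"]].append(rec["ts"])
        if AUTHOR_RE.search(rec["path"]):
            probes[rec["ip"]] += 1

    bruteforce = {}
    for ip, times in failures.items():
        times.sort()
        # Sliding window: the largest number of failures inside any WINDOW-long span.
        best = start = 0
        for end, t in enumerate(times):
            while t - times[start] > WINDOW:
                start += 1
            best = max(best, end - start + 1)
        if best >= FAIL_THRESHOLD:
            bruteforce[ip] = best
    enumeration = {ip: n for ip, n in probes.items() if n >= 2}
    return {"bruteforce": bruteforce, "enumeration": enumeration}


def run_demo():
    return analyse(SAMPLE_LOG)


if __name__ == "__main__":
    print(run_demo())
```

The successful 302 right after a run of failures is the event worth paging on: it means the guessing worked. The single failure from 192.0.2.1 stays below the threshold, which is why the window matters; a threshold on raw counts would either miss slow guessing or flag every mistyped password. An attacker who spreads attempts across many addresses defeats a per-IP count, so in practice the same sliding window is also applied per target username.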



Black Friday and Cyber Monday will put datacentre operations under extreme stress over the annual super-shopping weekend

Black Friday has become the biggest shopping day of the year, when retailers cut prices across much of their stock to kick-start the gift-buying season, but BroadGroup has warned datacentres to prepare for an infrastructure melee, potentially on the scale of a DDoS attack, from the expected deluge of customers.
Philip Low, Chairman of BroadGroup said: “This year, internet sales over the 24-hour period are expected to surpass £1bn for the first time in UK history. The hysteria surrounding this, now famous, weekend tests IT infrastructure and websites to the limits. Most brands and operators will have stress-tested their equipment and both tweaked and optimised code and hardware set-ups to maintain performance levels during peak times, however many just don’t know what might happen.”

£1.1bn was spent on Black Friday while £968m was splashed on Monday by UK shoppers in a five-day frenzy a year ago; making the last weekend of November like no other sales event in the year – a ‘Black Five Day!’

Operators should be running performance tests of their systems right up to peak loads and rehearsing failure scenarios. Simulating major incidents to test contingency plans will enable operators to understand how they will cope with a “dam burst” scenario if faced with a larger than expected influx of traffic on the day. Regardless of how prepared operators might be, it is difficult to make Black Friday/Cyber Monday 100% fail-proof. Low continued, “It isn’t too late to put some basic measures in place such as queuing systems to control surges of customers to reduce the chances of a site crashing. A queue would also relieve strain on any back-end operations while any fixes are implemented.”
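The queuing measure Low describes, as an added illustration rather than BroadGroup’s or any retailer’s code: a virtual waiting room that admits shoppers only up to the concurrency the back end has been load-tested for and holds everyone else in arrival order, releasing them as sessions end. Capacity, visitor names and the sequence of arrivals and departures are hypothetical.

```python
from collections import deque


class WaitingRoom:
    """Admission control placed in front of a shop site (hypothetical design)."""

    def __init__(self, capacity):
        self.capacity = capacity   # concurrent sessions the back end was load-tested for
        self.active = set()        # visitors currently allowed into the shop
        self.queue = deque()       # everyone else, in arrival order

    def arrive(self, visitor):
        """Return 'admitted' or 'queued:N', where N is the number of people ahead."""
        if visitor in self.active:
            return "admitted"
        if visitor in self.queue:
            return f"queued:{list(self.queue).index(visitor)}"
        # Admit directly only when a slot is free AND nobody is waiting;
        # otherwise a lucky late arrival would jump the whole queue.
        if len(self.active) < self.capacity and not self.queue:
            self.active.add(visitor)
            return "admitted"
        self.queue.append(visitor)
        return f"queued:{len(self.queue) - 1}"

    def leave(self, visitor):
        """Session finished (checkout done or idle timeout): free the slot and
        admit as many waiting visitors as now fit. Returns those admitted."""
        self.active.discard(visitor)
        admitted = []
        while self.queue and len(self.active) < self.capacity:
            nxt = self.queue.popleft()
            self.active.add(nxt)
            admitted.append(nxt)
        return admitted


def simulate():
    """Constructed burst: eight shoppers hit a site sized for three concurrent sessions."""
    room = WaitingRoom(capacity=3)
    arrivals = [room.arrive(f"shopper{i}") for i in range(8)]
    # Two early shoppers check out; the two longest-waiting visitors get in.
    released = room.leave("shopper1") + room.leave("shopper2")
    # A ninth shopper arriving after the slots were re-filled still joins the back.
    late = room.arrive("shopper8")
    return arrivals, released, late, len(room.active), list(room.queue)


if __name__ == "__main__":
    print(simulate())
```

Two things make this work in production rather than just in memory: the gate itself must be served by something far cheaper than the shop (a static holding page plus a cookie), and the token that says “admitted” must be unforgeable (signed, bound to the session and expiring), otherwise scripted shoppers simply skip the line. Idle sessions also need a timeout that calls leave(), or the slots are never returned.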

“Last year, an unprecedented level of customer demand saw the websites of several high-profile retailers buckle under pressure. Retailers and operators working for retailers should think about peak trading as a crisis that they know will happen in advance. Preparation is vital, and retailers need to consider their business and operational plans for the period. With the right plan this is where most plan to be this time around,” added Low.



BEIS Sec of State Clark announces £19M awarded to deliver industry-led PhD training through collaborative partnerships


£18.9M of funding has been announced to support world-class industry-led collaborative doctoral training through Collaborative Training Partnerships (CTP). The investment will train and develop 189 PhD students to produce skilled people for the research base and build capability in the UK workforce. CTP succeeds BBSRC Industrial CASE Partnerships (ICP) as BBSRC’s mechanism for the block award of CASE studentships to non-academic research organisations.

Secretary of State for Business, Energy and Industrial Strategy the Rt Hon Greg Clark said: “Furthering collaboration between government, academia and industry is a key part of the industrial strategy we’re developing. Collaborative Training Partnerships will boost the UK’s world-leading reputation for research and science while increasing the talent and expertise of our workforce in the UK and providing new opportunities for the science leaders of tomorrow.”

Dr Karen Lewis, BBSRC Executive Director, Innovation and Skills said: “Bioscience impacts on our lives in many ways. BBSRC strives to harness the power of bioscience to deliver a healthy, prosperous and sustainable future for the UK and beyond. To achieve this we need to maintain our leading position in global bioscience by ensuring that the next generation of scientists have the best training and skills and Collaborative Training Partnerships will play a key role in achieving this.”

Dr David McAllister, Head of Skills and Careers said: “A highly skilled and trained workforce is essential for the success of the bioscience sector and a driving force for the bioeconomy. BBSRC’s investments in Collaborative Training Partnerships will help ensure that the research base is equipped with the range of skills and talent required for modern bioscience, and provide highly skilled people for the public, private, third and research sectors.”

In total, 10 CTPs will be supported:




Many other banks at risk from malware that hit Tesco

ESET researchers have discovered a link between the Tesco Bank breach and the Retefe malware. The Retefe trojan horse goes after users’ online banking credentials, which can then be misused to conduct fraudulent transactions. The campaign began at least as far back as February 2016.

Following up on the story, Lee Munson, security researcher at said:

“While Tesco remains tight-lipped over how thousands of its banking customers were hacked recently, security vendor ESET has suggested the Retefe banking Trojan could be to blame.

“This sort of attack vector would hardly be surprising – credential-stealing Trojans are hardly anything new, and the fact that other banks may be on its target list is only logical.

“From the banks’ perspective, this is a hard attack to block so their focus should really be on their customers who should be advised to be on the lookout for the fake Comodo certificate, a task that is likely to be met with little success.

“Therefore, some basic tips about account security, using a software security solution and not opening suspicious emails or visiting dodgy sites should also be the order of the day.

“Affected browsers – which are most of the major ones – should consider blocking the Comodo certificate until this mess is cleared up.

“Meanwhile, customers can rest easy, safe in the knowledge that any losses they incur will be covered by their bank, unless they have been reckless with their own account security.”



Massive DDoS attacks hit Russian banks

A wave of prolonged DDoS attacks hit at least five Russian banks this week. Among the victims, whose online banking services were targeted, are Sberbank and Alfabank. The string of attacks began on Tuesday afternoon and lasted over two days.

Commenting on this, Stephen Gates, chief research intelligence analyst at DDoS mitigation company, NSFOCUS, said “What we have learned in the past 12 months alone, is that no organisation, government or nation is immune to the pending threat of DDoS; as IoT botnets grow larger in numbers and with greater firepower than ever witnessed before. It’s time for the world’s leaders to come together to eliminate this threat once and for all, or remain in status quo – being every man for themselves. Global collaboration, world-wide deployment of defensive infrastructures, harsh international prosecution of perpetrators, and universal IoT manufacturing accountability must accelerate. Wake up world, this problem will never go away on its own.”



Intelligence Agencies apprenticeships

To help combat the increasing threats that Britain faces from terrorists, hackers and cyber fraudsters, GCHQ, MI5 and MI6 are searching for technically-minded apprentices.

For prospective programmers and tech-savvy talent, an apprenticeship could be a tempting alternative to a university degree – and a unique start to a career – but time is running out with the closing date fast approaching.

A spokesperson representing Careers in British Intelligence said: “This is a fantastic opportunity for recruits to get unique insights and perspectives into the work of the intelligence services. In addition, the opportunity to do real hands-on work that makes a difference to keeping the country safe makes this Apprenticeship exciting and different. We have been offering apprenticeships for a number of years and see a huge amount of value in them for our work.”

The two schemes available are aimed at young people interested in technology and coding. With a mix of classroom-based learning and practical experience, they could lead to a recognised qualification and, potentially, a full-time job.

The British Intelligence Higher Apprenticeship in IT, Software, Internet and Telecoms leads to a Foundation Degree and offers a year working in Cheltenham with placements at GCHQ or even in London, possibly at MI5, MI6 or the National Crime Agency (NCA) afterwards.

The second, a three-year Technical Apprenticeship scheme based in the Greater Manchester area, leads to a BSc Honours Degree and will give apprentices the opportunity to build and maintain some of the world’s most sophisticated electronic equipment amongst other exciting things.

Both schemes are in many ways like any other Apprenticeship in that they allow participants to earn a salary while they build up their technical expertise and develop soft skills like teamwork, communication and leadership. But these apprentices also gain a unique insight into a world otherwise hidden behind closed doors and take on the responsibility of being entrusted with access to top secret information. It can be daunting at first, but they quickly get used to it.

The closing date for both schemes is 14 November 2016.

GCHQ are particularly keen to encourage applications from women, as part of their effort to promote STEM careers for women across the UK, and from ethnic minorities to maintain their commitment to a diverse workforce.

For further details on both schemes and to apply, visit the GCHQ careers website:



Yahoo admits some staff knew about the 2014 hack by a state-sponsored attacker

Some employees at Yahoo were aware of a recently disclosed major hacking incident when it occurred in 2014, the company revealed in a Securities and Exchange Commission (SEC) filing yesterday. The Financial Times reported that an investigation has been launched to look into the “scope of the knowledge within the company in 2014” regarding the breach, which was announced six weeks ago.

Stephen Gates, chief research intelligence analyst at NSFOCUS:

“From the recent keynote speeches in several cybersecurity conferences in the U.S., the audience learned that Yahoo had some serious internal cultural issues. According to the keynotes, the employees responsible for securing Yahoo from cyberattacks were publicly called “The Paranoids” within the organisation itself. If true, these types of findings lean one to believe that the highest ranking officers in the company are responsible for fostering this type of appalling culture, and should be held directly responsible for its result.”

Lee Munson, security researcher at

“Yahoo getting breached is unfortunate but, perhaps, understandable in the current climate when many companies are beginning to realise the question for them should be when, not if. The number of accounts compromised at Yahoo was shocking, no two ways about it. The amount of time it took for the breach to be detected and become public knowledge was disturbing, especially coming as it did so soon after a similar situation at LinkedIn.

The fact that Yahoo staff knew of the breach at the time it occurred and kept quiet is completely and utterly unforgivable. Not only is it what appears to be a complete cover-up as the company continues merger talks with Verizon, it is also a huge slap in the face to half a billion customers who must now be wondering whether they can ever trust Yahoo again.”