Daily Archives: December 2, 2019

#nationalcybersecuritymonth | DCC UK second-gen smart meter network passes three million mark

Source: National Cyber Security – Produced By Gregory Evans

Smart DCC, the licence-holder building and managing the secure national infrastructure that underpins the roll-out of smart meters across the UK, has passed a milestone in its network capability, with the three millionth second-generation smart meter (SMETS2) attached to its smart network.

The Capita subsidiary was granted its licence in 2013 by the then Department for Energy and Climate Change. Its wireless network connects smart meters to energy suppliers, network operators and other authorised service users. It is maintained to standards such as those endorsed by the National Cyber Security Centre.

The network is mandated to: operate reliably for all end-user consumers, regardless of their energy supplier; provide smart metering data to network operators to support the digitisation of the energy industry and the development of a smart grid; and allow authorised third parties to provide consumers with information they have requested, such as how they can reduce their energy usage.

Despite the momentum around smart meters, in September 2019 the UK government conceded that the deadline for every UK home to be offered an upgraded smart gas and electricity meter through the government’s troubled Smart Meter Programme would be put back by four years to the end of 2024.

However, DCC’s milestone meter was installed on the afternoon of 29 November by British Gas in Mickleover, Derby, and the company says more than 500 million encrypted messages to and from smart meters have been carried by DCC’s secure network throughout 2019. October alone saw more than 86 million messages. That equates to just over 28 messages a month for each meter installed.

Three-fifths of these messages are the daily bursts of readings given by each meter. Although SMETS2 meters record information about energy consumption all day, many will send 24 hours or more of readings in one package across the network, saving battery power in the home and preserving capacity on the network.

Security-related messages make up another large part of the network traffic. New virtual security “keys” are exchanged whenever a consumer switches supplier to keep usage details private. Also, a variety of messages are required to install and connect new meters securely to the network. Other messages include tariff changes, firmware updates, topping-up data relating to pre-payment meters, settings changes and alerts for issues.

Throughout 2020, energy suppliers will be adding first-generation smart meters (SMETS1) to the network so consumers can switch without losing smart functionality in their device. Smart DCC says it assures that “seamless” switching is already the case for those consumers with a SMETS2 installed, as these are automatically enrolled onto the DCC network.

The network supplier says that as growth in connected devices has driven up the data being securely transferred, communication efficiency will be very important as the network grows on nationwide. It will also allow the network to retain capacity for new features or re-use. The company claims that with each meter producing hundreds of points of data each month, these messages will inform the deployment of renewables and load-balancing technology, creating a greener grid.

“Our network is a platform for good, and the data flowing across it is paving the way for better use of renewable energy,” said DCC chief executive Angus Flett. “The DCC is making Britain more connected, so we can all lead smarter, greener lives.”

DCC stressed that the milestone would not have been achieved without its customers – energy companies and network operators. It highlighted principal service providers CGI, Telefónica, Arqiva, Critical Software and BT.

Source link

The post #nationalcybersecuritymonth | DCC UK second-gen smart meter network passes three million mark appeared first on National Cyber Security.

View full post on National Cyber Security

hacker proof, #hackerproof




#infosec | US Hospitals Fined $2.175M for “Refusal to Properly Report” Data Breach

Source: National Cyber Security – Produced By Gregory Evans

An American health services provider has agreed to pay a fine of $2.175m after refusing to properly notify Health and Human Services of a data breach.

In April of 2017, a complaint regarding Sentara Hospitals was received by the Department of Health and Human Services (HHS). The complainant said that they had received a bill from Sentara Hospitals containing another patient’s protected health information (PHI). 

An investigation launched by the Office for Civil Rights (OCR) determined that Sentara had merged the billing statements for 577 patients with 16,342 different guarantors’ mailing labels, resulting in the disclosure of the PHI of 577 individuals. 

Information exposed by the breach included patient names, account numbers, and dates of services they had received.  

Sentara reported this incident as a breach affecting only eight individuals. The health services provider had incorrectly concluded that unless a disclosure included patient diagnosis, treatment information, or other medical information, no reportable breach of PHI had occurred.  

A spokesperson for HHS said: “Sentara persisted in its refusal to properly report the breach even after being explicitly advised of their duty to do so by OCR.”

The OCR also determined that Sentara Hospitals provides services involving the receipt, maintenance, and disclosure of PHI for its member-covered entities, but did not enter into a business associate agreement with its business associate Sentara Healthcare until October 17, 2018, well after the breach.

Sentara manages 12 acute-care hospitals with more than 300 sites throughout Virginia and North Carolina. The health services provider agreed to take corrective action and pay $2.175m to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Breach Notification and Privacy Rules.

Roger Severino, OCR director, said: “HIPAA compliance depends on accurate and timely self-reporting of breaches because patients and the public have a right to know when sensitive information has been exposed.

“When health care providers blatantly fail to report breaches as required by law, they should expect vigorous enforcement action by OCR.”

In addition to the monetary settlement, Sentara will undertake a corrective action plan that includes two years of monitoring. As part of the plan, Sentara will have to develop, maintain, and revise, as necessary, their written policies and procedures to comply with federal standards.

____________________________________________________________________________________________________________________

#infosec #itsecurity #hacking #hacker #computerhacker #blackhat #ceh #ransomeware #maleware #ncs #nationalcybersecurityuniversity #defcon #ceh #cissp #computers #cybercrime #cybercrimes #technology #jobs #itjobs #gregorydevans #ncs #ncsv #certifiedcybercrimeconsultant #privateinvestigators #hackerspace #nationalcybersecurityawarenessmonth #hak5 #nsa #computersecurity #deepweb #nsa #cia #internationalcybersecurity #internationalcybersecurityconference #iossecurity #androidsecurity #macsecurity #windowssecurity
____________________________________________________________________________________________________________________

Source link

The post #infosec | US Hospitals Fined $2.175M for “Refusal to Properly Report” Data Breach appeared first on National Cyber Security.

View full post on National Cyber Security

hacker proof, #hackerproof




#cybersecurity | #hackerspace | We Phish You a Very Merry Christmas and a Fraudulent New Year

Source: National Cyber Security – Produced By Gregory Evans

The holiday season is kicking into full gear, and so is the annual holiday cybercrime surge. As gift givers scour the web to seek out the best deals, cybercrooks put in extra work to profit off of the holiday shopping frenzy.

Cybersecurity researchers report that this annual holiday fraud cycle has firmly established itself in recent years. The bad guys always follow the money and, at this point, once we round into Black Friday and Cyber Monday the money inevitably pours into online shopping channels.

“Cybercriminals thrive during peak holiday shopping,” security researcher Emily Wilson of Terbium Labs told Credit Union Times in a recent report. “The hustle and bustle of transactions and unusual shopping patterns create countless opportunities to capture payment data and attempt fraudulent transactions”

Cyber criminals are looking to take a bite of the profit through a number of different attack methods, including:

Phishing

Phishing activity experiences an annual spike right around the holidays and this year is shaping up to be an particularly bad one. The latest research shows that the use of ecommerce phishing URLs this year has more than doubled since its holiday peak in 2018. The holiday lures are plentiful from cyberattackers, who are trying everything from order confirmation scams in email and SMS to enticing promotional offers.

Promo Scams and Domain Impersonation

A lot of the phishing is paired with very convincing domain impersonation scams that masquerade as real ecommerce operations by running lookalike retail impersonation sites that ape both big and small brands alike. Many of them are also tied into social media impersonation and they usually promote ‘unbeatable’ deals and a sense of urgency with ‘limited time offers’ that convince consumers to part with their payment details.

Credential Stuffing

The criminals work overtime to direct automated bots to carry out credential stuffing attacks that try credentials stolen from one site on a bunch of other different sites in case the victim reuses passwords. According to researchers at Radware, these bad bots carrying out account takeover attempts reach their peak right before Black Friday in prep for the holiday season—the bots usually represent 96.6% of retailer traffic in that time. Normally the human-to-bad bot ratio on login pates is 2 to 1 on a normal day but just before the holidays that shoots up to 1 to 20.

Ad Fraud

After attackers have harvested plenty of accounts and start to monetize that with card fraud, they transition their bot activity to another lucrative venue: ad fraud. According to Radware, the onslaught of advertising fraud usually happens right after Cyber Monday. Last year, programmatic advertising vendor Pixalate found that ad fraud increased 24% during the holidays.

Magecart Attacks
Online skimming Magecart attacks have grown very popular among criminals today, as they take advantage of vulnerabilities in payment platforms like Magneto to collect consumer payment card information as they enter it into legitimate transactions. Criminals are already getting the jump on the holiday rush to amp up their Magecart mojo. The recent Macy’s breach announced in mid-November came at the hands of Magecart attackers.

Charity Scams

The government pundits at the US Cybersecurity and Infrastructure Security Agency (CISA) just recently released a blanket warning against holiday scams and malicious cyber campaigns. One of the sometimes forgotten scams they called attention to were charity scams, warning consumers to “verify a charity’s authenticity before making donations.”

Gift Card and Loyalty Point Scams

A report from CNBC shows that the Dark Web is awash in stolen gift card account information, and the bad guys are seeking every way they can to siphon off the monetary value stored not only in gift card but also retail loyalty accounts. This includes everything from brute forcing account number and PIN combos on retail sites using bots to demanding payment in gift cards for ransomware extortion.

Current economic estimates state that holiday shopping sales in the US alone will top the $1 trillion mark for the first time ever in 2019. An increasing amount of that will come on the back of ecommerce sales, which are expected to grow 3x more quickly than overall retail holiday sales according to the experts with Deloitte.

They predict US ecommerce sales for November 2019 through January 2020 will jump by 14%-18%, compared to a max 5% gain in overall retail sales during the same time period. What’s more, a study just released by TransUnion, the 2019 Holiday Retail Fraud Survey, found that some 75% of consumers say they’ll do at least half of their shopping online this year. In spite of that, Deloitte figures show that ecommerce sales will still only make up 14% of all retail receipts this holiday season.

However, as retail organizations invest in digital transformation efforts that focus on omnichannel customer experiences—including online ordering for curbside pickup, in-store kiosk orders shipped to the home, and a plethora of mobile loyalty apps—the lines between ecommerce and ‘traditional’ retail are blurrier than ever.  Deloitte experts say the focus on convenience through this expansion of the digital footprint is retail’s number one driver today:

“We’ve seen retailers continue to improve customer experience, invest in the fundamentals and leverage relationships with innovative startups to boost engagement and efficiency. But, convenience is the new retail currency; retailers who offer seamless experiences, have products available and can deliver items more quickly than ever are most likely to win this holiday season.”

However, anyone who has been in the security world long enough understands that increased omnichannel customer interactions will inevitably yield increased omnichannel fraud. And the TransUnion study shows that while convenience is huge, consumers are growing more security conscious about their online holiday shopping. The study found 46% of consumers are worried about becoming a victim of fraud this holiday season.  Over half of shoppers surveyed said they’d be more likely to make an online purchase from a retailer that provides two-factor authentication.

Nevertheless, retailers must walk a fine line between security and convenience.

“More and more consumers are turning to online shopping, yet consumers demand that retailers not only provide them with a secure checkout process, but also make it as convenient as possible,” said Geoff Miller, head of global fraud and identity for TransUnion. “Retailers need to do all they can to ensure transactions are secure and seamless for all consumers.”

Source link

The post #cybersecurity | #hackerspace |<p> We Phish You a Very Merry Christmas and a Fraudulent New Year <p> appeared first on National Cyber Security.

View full post on National Cyber Security

hacker proof, #hackerproof




#cybersecurity | #hackerspace | End-of-Life Devices Pose Data Breach Risk

Source: National Cyber Security – Produced By Gregory Evans

End-of-life devices not properly sanitized of data can cause compliance issues and make corporate data vulnerable

GDPR, CCPA and the rest of the alphabet soup of privacy laws should have organizations looking more deeply at how and where they store and use data. While most companies have improved their approach to data security in response to privacy laws, too many continue to ignore the data sanitization of devices at end of life, and this exposes the organization to data breaches. New research from Blancco Technology Group found that, globally, organizations’ overconfidence in their data sanitization methods makes them more vulnerable to a data breach, and nearly three-quarters of those surveyed point to the potential problems caused by end-of-life devices.

Data breaches at device end-of-life is a very big problem, said Fredrik Forslund, vice president, Enterprise and Cloud Erasure Solutions at Blancco, in an email interview. For example, a few months ago while researching how often sensitive data remains on pre-owned technology, Blancco purchased 159 drives from professional sellers using eBay in the U.S., UK, Germany and Finland. All of the drives were “guaranteed” by the sellers to be clean from data. That wasn’t the case, however: Almost half (42%) still contained data, with 15% of the information being PII and/or corporate data. Forslund said in that study they found:

  • A drive from a software developer with a high level of government security clearance, with scanned images of family passports and birth certificates, CVs and financial records.
  • 5GB of archived internal office email from a major travel company.
  • 3GB of data from a cargo/freight company, along with documents detailing shipping details, schedules and truck registrations.

Failing to make sure that devices are wiped clean of data sets up organizations for data breaches and violations of data privacy laws.

Where the Risks Are

According to the results in this most recent study, “A False Sense of Security,” 36% reported relying on inappropriate data removal methods—using data wiping methods such as formatting, overwriting using free software tools or paid software-based tools without certification or physical destruction (both degaussing and shredding) with no audit trail.

That is just one of the ways that organizations are risking their data, according to the report. Another risk is in the storage of these end-of-life devices. Eight in 10 said they have a stockpile of out-of-use equipment sitting in storage, and more than half admitted that it takes them more than two weeks to get around to data sanitization of those devices. Another area of risk is the lack of a clear chain of custody of the audit trail for these end-of-life devices, and that includes transporting them to a facility where they are physically destroyed.

The most common issue is a lack of awareness of what is a secure and reliable process for asset disposition, said Forslund. “Companies may do a format or use freeware and assume this is sufficient; however, not running a process where you can confirm that all assets have been processed results in having data left on assets and ultimately can lead to data breaches.”

He recommended using best practice standards and ensuring an audit trail to verify that all assets are covered. What does that look like? According to the report, it includes a review of the current processes and policies that are to be followed by all employees and building integration into asset management solutions to automate process flow, among other steps.

“It is also important to ensure that there are no delays or possible loopholes,” he added. “Often policies on how to run a strong IT asset disposition process and proper data sanitization are out of date or not properly implemented, which can be another factor that leads to poor outcomes.”

When asked what he sees as the biggest and most important takeaway of this study on the risks of data breaches in end-of-life devices, Forslund stressed those best practices policies.

“Update your policy, enforce that policy, and make sure implemented best practice is as automated and integrated into your asset management and data management as possible,” he said. “Do not wait until end of life of the asset to start thinking about what to do. Be proactive and always a step ahead!”

Source link

The post #cybersecurity | #hackerspace |<p> End-of-Life Devices Pose Data Breach Risk <p> appeared first on National Cyber Security.

View full post on National Cyber Security

hacker proof, #hackerproof