Daily Archives: December 4, 2019

#cybersecurity | #hackerspace | New Anti-Robocall Law Goes To President For Signatory Approval

Source: National Cyber Security – Produced By Gregory Evans

via Kieren McCarthy – writing at El Reg – comes a bit of good news on a Wednesday in the glorious Pacific Northwest: Congress – just this morning, mind you – has passed the esteemed body’s new Anti-Robocall Act, monikered the TRACED Act, and along with the Senate’s passing of Senate Bill 151 (sponsored by Senator John Thune [R-SD]) it’s just like A Bill On Capitol Hill

“The new law is likely to prove effective: it gives the Federal Communications Commission (FCC) the power to fine companies up to $20,000 per robocall, and it obliges phone companies to verify the legitimacy of calls at no cost.” – via the inimitable Kieren McCarthy writing at El Reg


*** This is a Security Bloggers Network syndicated blog from Infosecurity.US authored by Marc Handelman. Read the original post at: https://www.infosecurity.us/blog/2019/12/4/new-anti-robocall-law-goes-to-president-for-signatory-approval


The post #cybersecurity | #hackerspace | New Anti-Robocall Law Goes To President For Signatory Approval appeared first on National Cyber Security.


Navigating Security in the Cloud


Underestimating the security changes that need to accompany a shift to the cloud could be fatal to a business. Here’s why.

The cloud has changed a lot about the way we conduct business, but one of the most significant shifts has been in the realm of cybersecurity. The expansion of workloads running in the cloud has driven an uptick in security attacks focusing on cloud technologies. As organizations grapple with an increased attack surface, data breaches have become more common, wider-reaching, and costlier than ever.

How is this different from the workplace of years past? Companies used to run their software on-premises, which meant a firewall was all you needed to protect your employee and customer data. IT teams also relied on a monolithic tech stack, deploying apps from a single vendor that offered closed systems and thick client apps. And before the cloud made remote work easy and accessible, employees had to work in central office locations in order to access company technology.

The shift to the cloud has changed all that. Software has moved from on-premises to cloud-native or hybrid environments, and companies are implementing best-of-breed tech stacks that rely on multiple vendors. At the same time, cloud and mobile technologies are allowing employees to access their work from anywhere in the world, which has given employees a new degree of freedom but has left the traditional, perimeter-based approach to security with very limited means of control. These four steps can set your company up for success in today’s modern technology landscape.

Step 1: Adopt a zero-trust mentality.
As more and more organizations rely on cloud services, companies can’t assume that users can be trusted simply because of the network they’re on. Rather, all users must be verified, regardless of their device, their location, or their IP address, before gaining access to corporate data or applications.

There are a couple of ways to implement this approach. First, security teams must understand the true identity of who is accessing their network, and monitor and log all network traffic. This means establishing security checkpoints and enforcing rules about who can continue to access the network past each checkpoint. [Editor’s Note: Okta, along with other vendors, markets software to manage and secure user authentication processes in the cloud.] Second, companies need to keep a close eye on access permissions and give the minimum necessary amount of access to every user. For example, if a salesperson doesn’t need access to hiring information or customer login credentials, don’t give it to them. The more a user or employee can access, the higher the risk of a compromised account.
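The two parts of this step, verifying every user before each checkpoint and granting only the minimum entitlement, can be expressed as a small access-decision function. The following is an added example written for this page; it is not Okta's product or any code from the article, and the roles, resources, addresses and corporate network range are all constructed. The point it shows is that the source network is recorded in the audit log but never counts as a trust signal: a request from inside the corporate range without a verified identity is denied, while a verified, entitled request from an external address is allowed.

```python
"""Zero-trust access decision with least-privilege entitlements (added example)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed corporate address range: being on it is logged, not trusted.
CORP_NET = ip_network("10.0.0.0/8")

# Constructed role-to-resource entitlements: each role gets only what it needs.
ENTITLEMENTS = {
    "sales": {"crm"},
    "hr": {"hr-records"},
    "support": {"crm", "ticketing"},
}


@dataclass
class AccessRequest:
    user: str
    role: str
    resource: str
    source_ip: str
    mfa_verified: bool     # identity proven for this session (e.g. MFA challenge passed)
    device_managed: bool   # device enrolled and compliant


@dataclass
class Decision:
    allow: bool
    reason: str
    audit: dict = field(default_factory=dict)  # written for every request, allowed or denied


def evaluate(req: AccessRequest) -> Decision:
    """Checkpoints in order: who is asking, on what device, then least privilege."""
    audit = {
        "user": req.user,
        "resource": req.resource,
        "source_ip": req.source_ip,
        "on_corp_net": ip_address(req.source_ip) in CORP_NET,  # recorded, never relied on
    }
    if not req.mfa_verified:
        return Decision(False, "identity not verified", audit)
    if not req.device_managed:
        return Decision(False, "device not managed", audit)
    if req.resource not in ENTITLEMENTS.get(req.role, set()):
        return Decision(False, f"role {req.role!r} has no entitlement to {req.resource!r}", audit)
    return Decision(True, "verified identity, managed device, entitled role", audit)


# Constructed sample requests covering the cases the text describes.
SAMPLE_REQUESTS = [
    AccessRequest("alice", "sales", "crm", "10.1.2.3", mfa_verified=False, device_managed=True),
    AccessRequest("alice", "sales", "crm", "203.0.113.7", mfa_verified=True, device_managed=True),
    AccessRequest("alice", "sales", "hr-records", "203.0.113.7", mfa_verified=True, device_managed=True),
    AccessRequest("bob", "hr", "hr-records", "198.51.100.9", mfa_verified=True, device_managed=False),
]


def decide_all(requests=SAMPLE_REQUESTS):
    return [evaluate(r) for r in requests]


if __name__ == "__main__":
    for req, d in zip(SAMPLE_REQUESTS, decide_all()):
        verdict = "ALLOW" if d.allow else "DENY "
        print(f"{req.user:6} {req.resource:11} from {req.source_ip:13} -> {verdict} ({d.reason})")
```

The checkpoint order matters: identity and device are established before any entitlement is consulted, so a compromised account on the corporate LAN gains nothing from its location, and a legitimate salesperson is still refused the HR records the role was never granted.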

Step 2: Implement micro-segmentation.
Traditional security measures like firewalls are good at regulating what comes in and out of your network. But today, when the workloads themselves are in the cloud and virtual, and access is happening from all over, knowing who is coming in and out of your network doesn’t make you any more secure. This is where micro-segmentation comes in. Micro-segmentation will allow your team to establish customized policies for different segments, giving you more comprehensive security overall. These policies can also be deployed virtually, making a micro-segmented approach ideal for a cloud environment.

Step 3: Encrypt data and move to a passwordless experience.
Encryption is one of the simplest ways to secure your data. Only people with the correct passwords or keys can access encrypted data, so it’s a straightforward way to secure information stored in the cloud. However, Have I Been Pwned (HIBP) reports that hackers have managed to breach 555,278,657 passwords, and research Okta commissioned from Opinium in May revealed that over a third of users reuse the same passwords for multiple accounts.

Ultimately, this reinforces why password-specific policies should not be the last line of defense for your organization. In fact, because login credentials are compromised and reused so frequently, going passwordless is often the best long-term way to keep data safe. Your team can eliminate passwords altogether by investing in technology like physical security keys and relying on more robust contextual access systems, and as identity management continues to evolve, a passwordless future is becoming more and more possible for organizations. But if going passwordless is not an option at your organization, you should, at a minimum, establish strong password regulations. Greater password lengths encourage the use of passphrases, which provide greater protection against brute-force attacks. Eliminating the reuse of old passwords curbs the potential for future account compromises as well.
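For organizations that cannot go passwordless yet, the minimum regulations named above (a length floor that favours passphrases, a check against known-breached passwords, and no reuse of old passwords) can be enforced at password-change time. The code below is an added example for this page, not code from the article, from Okta, or from Have I Been Pwned: the breach set is a constructed stand-in for a breach corpus (HIBP's real service is queried by SHA-1 prefix over the network, which is not reproduced here), the policy numbers are constructed, and previous passwords are kept only as salted PBKDF2 hashes so the history itself never stores a password in clear.

```python
"""Password-change policy: length floor, breach-corpus lookup, no reuse (added example)."""
import hashlib
import os
import secrets

MIN_LENGTH = 14        # constructed policy value: long enough to favour passphrases
HISTORY_DEPTH = 5      # number of previous passwords that may not be reused
PBKDF2_ROUNDS = 100_000

# Constructed breach corpus, stored as upper-case SHA-1 hex like HIBP's range data.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password123", "correct horse battery staple")
}


def _derive(password: str, salt: bytes) -> bytes:
    """Salted, slow hash used only for the reuse history (never a reversible store)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def remember(history: list, password: str) -> None:
    """Append an accepted password to the user's history, keeping only the newest entries."""
    salt = os.urandom(16)
    history.append((salt, _derive(password, salt)))
    del history[:-HISTORY_DEPTH]


def check_new_password(password: str, history: list) -> list:
    """Return the policy violations for a proposed password; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if hashlib.sha1(password.encode()).hexdigest().upper() in BREACHED_SHA1:
        problems.append("found in breach corpus")
    for salt, digest in history:
        # Constant-time comparison of the freshly derived hash against each stored entry.
        if secrets.compare_digest(_derive(password, salt), digest):
            problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
            break
    return problems


if __name__ == "__main__":
    hist = []
    remember(hist, "glacier-umbrella-2019-notebook")          # constructed current password
    for candidate in ("Summer19!", "correct horse battery staple",
                      "glacier-umbrella-2019-notebook", "violet-harbor-lantern-44"):
        verdict = check_new_password(candidate, hist)
        print(f"{candidate!r}: {'ok' if not verdict else '; '.join(verdict)}")
```

Note that the breach check catches a long, memorable passphrase that is already public, which a length rule alone would wave through; that is the gap the HIBP figure in the text points at.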

Step 4: Don’t forget life-cycle management.
In November 2018, an employee who was fired by the Chicago Public Schools system stole personal data from 70,000 people from a private CPS database. This scenario is every HR and security executive’s worst nightmare: a disgruntled employee leaves the company and retaliates by taking sensitive data with them. Unfortunately, even if an employee quits or gets terminated on good terms, passwords stored in the cloud could later be breached if their account is left open, or is orphaned. Although immediate offboarding can be daunting, it’s a vital part of security and worth the investment. As soon as someone stops working at your organization, you need to cut them off from future access to any data.

Onboarding is equally as important. When a new employee starts, a streamlined onboarding process that requires them to set up secure accounts and participate in security training will mean there is less room for error and risk down the road.
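Both halves of life-cycle management described above, cutting off leavers immediately and getting joiners set up, reduce to one recurring check: reconcile the HR roster against the accounts that actually exist in the identity provider. The following is an added example for this page and is not Okta's code or anything from the article; the roster, the account list and the stale-login threshold are constructed, and in practice the two data sets would be exported from the HR system and the identity provider. It flags terminated employees whose accounts are still enabled, accounts with no HR owner (orphans), enabled accounts nobody has used for a long time, and active employees who have no account yet.

```python
"""Reconcile HR roster against identity-provider accounts (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class Employee:
    email: str
    status: str                               # "active" or "terminated"
    termination_date: Optional[date] = None   # set when status is "terminated"


@dataclass
class Account:
    email: str
    enabled: bool
    last_login: Optional[date]                # None if the account has never been used


def reconcile(roster: List[Employee], accounts: List[Account], today: date,
              stale_after_days: int = 90) -> List[Tuple[str, str]]:
    """Return (email, finding) pairs for every offboarding or onboarding gap."""
    by_email = {e.email: e for e in roster}
    account_emails = {a.email for a in accounts}
    findings = []
    for acct in accounts:
        emp = by_email.get(acct.email)
        if emp is None:
            findings.append((acct.email, "orphaned: account has no HR record"))
        elif emp.status == "terminated" and acct.enabled:
            days = (today - emp.termination_date).days
            findings.append((acct.email, f"terminated {days} days ago but account still enabled"))
        elif acct.enabled and (acct.last_login is None
                               or (today - acct.last_login).days > stale_after_days):
            findings.append((acct.email, f"enabled but unused for more than {stale_after_days} days"))
    for emp in roster:
        if emp.status == "active" and emp.email not in account_emails:
            findings.append((emp.email, "active employee without an account (onboarding gap)"))
    return sorted(findings)


# Constructed sample data; "today" is fixed so the output is reproducible.
TODAY = date(2019, 12, 4)
SAMPLE_ROSTER = [
    Employee("alice@example.com", "active"),
    Employee("bob@example.com", "terminated", termination_date=date(2019, 11, 20)),
    Employee("carol@example.com", "active"),
    Employee("erin@example.com", "active"),
]
SAMPLE_ACCOUNTS = [
    Account("alice@example.com", enabled=True, last_login=date(2019, 12, 3)),
    Account("bob@example.com", enabled=True, last_login=date(2019, 11, 19)),
    Account("dave@example.com", enabled=True, last_login=date(2019, 6, 1)),
    Account("erin@example.com", enabled=True, last_login=date(2019, 7, 1)),
]


if __name__ == "__main__":
    for email, finding in reconcile(SAMPLE_ROSTER, SAMPLE_ACCOUNTS, TODAY):
        print(f"{email:20} {finding}")
```

Run daily, the "terminated but still enabled" line is the one that should page someone, since that is exactly the window in which a departed employee still holds live access.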

Underestimating the security changes that need to accompany a shift to the cloud could be fatal to a business. As soon as your company starts leveraging cloud tools, you need to embed security in your plan from day one. By adopting a zero-trust approach and carefully managing who can access your data and network, you’ll go a long way toward preventing a crippling data breach.


Diya Jolly is chief product officer at Okta. As CPO, Diya leads product innovation for both workforce and customer identity. She plays an instrumental role in furthering Okta’s product leadership, enabling any organization to use any technology. Diya joined Okta from Google, …


Critical Flaw in GoAhead Web Server Could Affect Wide Range of IoT Devices


Cybersecurity researchers today uncovered details of two new vulnerabilities in the GoAhead web server software, a tiny application widely embedded in hundreds of millions of Internet-connected smart devices.

One of the two vulnerabilities, assigned as CVE-2019-5096, is a critical code execution flaw that can be exploited by attackers to execute malicious code on vulnerable devices and take control over them.

The first vulnerability resides in the way multipart/form-data requests are processed within the base GoAhead web server application, affecting GoAhead Web Server versions v5.0.1, v4.1.1, and v3.6.5.

According to the researchers at Cisco Talos, an attacker exploiting the vulnerability with a specially crafted HTTP request can cause a use-after-free condition on the server and corrupt heap structures, leading to code execution.

The second vulnerability, assigned as CVE-2019-5097, also resides in the same component of the GoAhead Web Server and can be exploited in the same way, but this one leads to denial-of-service attacks.

“A specially crafted HTTP request can lead to an infinite loop in the process (resulting in 100 percent CPU utilization). The request can be unauthenticated in the form of GET or POST requests and does not require the requested resource to exist on the server,” the researchers say.

However, neither vulnerability is necessarily exploitable on every embedded device running the vulnerable versions of the GoAhead web server.

That’s because, according to the researchers, GoAhead is a customizable web application framework: companies build the application according to their own environment and requirements, so the flaws “may not be reachable on all builds.”

“Additionally, pages that require authentication do not allow access to the vulnerability without authentication as the authentication is handled before reaching the upload handler,” the researchers explain.

Talos researchers reported the two vulnerabilities to EmbedThis, the developer of the GoAhead Web Server application, in late August this year, and the vendor addressed the issues and released security patches two weeks ago.


#cybersecurity | hacker | TikTok transferred user data to China without consent, lawsuit says


TikTok secretly transferred user data to China without obtaining consent, according to a lawsuit filed by a college student in the Northern District of California.

Hong claimed the viral video service culled her personal videos and information, then funneled them to servers in China.

“Allegations that TikTok has been accumulating data about U.S. consumers – including personally identifiable information – and extracting it back to servers in China are unsurprising,” said Ray Walsh, a digital privacy advocate at ProPrivacy. “Despite TikTok’s previous claims that it was not extracting data back to China – a healthy amount of skepticism existed among privacy advocates surrounding this Chinese company’s data practices.”

Calling Big Data a valuable currency that the service accumulates, Price maintained that “it always seemed highly probable that the international branch of TikTok would be sending masses of data back to its masters in China.”

He noted that the services like TikTok aren’t designed “just to profit from advertising revenue within the platform, but also to gain access to valuable data and insights about consumers.” As with all apps developed overseas, “consumers need to be aware of the risks that their data may be extracted and used in accordance with foreign privacy policies and regulations,” Price said. “This means that any data accumulated from U.S. citizens on those platforms could potentially be used to identify, track and profile them” not only now but well into the future.

“The potential that the app is surreptitiously collecting user content via TikTok – even when users do not publish those videos to the platform – is extremely concerning and rings very serious alarm bells,” said Price. “Users ought not to have to worry about draft videos being hoovered up by the company because if these allegations turn out to be true TikTok is potentially accumulating all kinds of insights that consumers believe they are ultimately deciding not to share.”
