Browser makers cite coronavirus, restore support for obsolete TLS 1.0 and 1.1 encryption

Credit to Author: Gregg Keizer | Date: Fri, 03 Apr 2020 13:17:00 -0700

Google, Microsoft and Mozilla have each issued reprieves to Transport Layer Security (TLS) 1.0 and 1.1, aged encryption protocols that were to be bounced from browser support in March, because of the COVID-19 pandemic.

By common agreement, Google’s Chrome, Microsoft’s Internet Explorer (IE) and Edge, and Mozilla’s Firefox were to disable support for TLS 1.0 and 1.1 early in 2020. They, along with Apple – which produces Safari – announced the move a year and a half ago, noting then that the protocols had been made obsolete by TLS 1.2 and 1.3.


Zoom pauses new feature development to focus on privacy, security

Credit to Author: Matthew Finnegan | Date: Fri, 03 Apr 2020 11:27:00 -0700

Zoom has decided to cease development of new product features so it can focus on fixing various privacy and security issues.

The company has seen a surge in the use of its platform in recent weeks, as self-isolation in response to the Covid-19 pandemic ramps up the demand for video software. As its popularity has boomed – both for business and personal use – and the company’s stock price rocketed, underlying vulnerabilities in the platform have become apparent.

“Zoom-bombing,” where intruders have been able to access video meetings that were not password protected, has led to serious privacy concerns, with uninvited attendees harassing online A.A. meetings and church meetings, for example. The FBI this week warned of unauthorized access to virtual classrooms and recommended that users change security settings to protect meetings.


‘War Dialing’ Tool Exposes Zoom’s Password Problems

Credit to Author: BrianKrebs | Date: Thu, 02 Apr 2020 14:43:04 +0000

As the Coronavirus pandemic continues to force people to work from home, countless companies are now holding daily meetings using videoconferencing services from Zoom. But without the protection of a password, there’s a decent chance your next Zoom meeting could be “Zoom bombed” — attended or disrupted by someone who doesn’t belong. And according to data gathered by a new automated Zoom meeting discovery tool dubbed “zWarDial,” a crazy number of major corporations are setting up meetings without passwords enabled.


BrandPost: Avoid security breaches: How to protect your data

Credit to Author: Joseph Steinberg | Date: Wed, 01 Apr 2020 04:35:00 -0700

Data security breaches at major corporations seem to be perpetually in the news. The hacks range in size and scope, but it’s no secret that firms hit by hackers often suffer serious consequences.

What can you do to help prevent your organization from becoming tomorrow’s cyber-breach news headline? Here are 18 pointers:

  1. Educate all employees on the importance of protecting data. Explain the need to avoid risky behavior such as downloading music or videos from rogue websites. Once employees understand that criminals want the data with which the employees work, their thinking changes in ways that can make the organization’s data much safer than before.
  2. Understand what data you have and classify it. You cannot secure information if you do not know that it exists, where it is stored, how it is used, how it is backed up, and how it is decommissioned. Make sure you know those things about all of your sensitive information. Because not all data is equally sensitive, make sure to classify data according to its level of importance.
  3. Do not give every employee access to every system and piece of data. Create policies governing who has physical and/or electronic access to which computer systems and data, and implement procedures, policies, and technical controls to enforce such a scheme. Authorize people to access the data that they need in order to do their jobs but do not provide them with access to other sensitive data.
  4. Consider moving sensitive information and systems to a cloud provider. Unless you have an adequate information security team, the odds are pretty good that a major cloud provider will do a better job than you at securing your system and information against various risks.
  5. Enable remote wipe. All portable electronic devices on which sensitive information will ever be stored should have remote wipe capabilities enabled.
  6. Give everyone his or her own access credentials. Ensure that each person accessing a system housing sensitive information has his or her own login credentials.
  7. Ensure that everyone uses proper passwords to access such systems. People like to use easy-to-remember passwords; without policies and technology to enforce the selection of proper passwords, organizations are at risk of having passwords such as “1234” being the only line of defense against unauthorized access to sensitive information. So, craft proper policies and implement technology to ensure that the policies are properly enforced.
  8. Go multi-factor. For accessing systems with especially sensitive information, consider implementing some form of strong, multi-factor authentication.
  9. Deal with BYOD. Make sure that you have policies and technology in place to address the many risks created by employees, contractors, and guests bringing personal devices into your facilities and connecting to corporate networks. All access to the Internet from personal devices or devices belonging to other businesses should go through a network separate from the one used for company computers.
  10. Encrypt sensitive data when storing it or transmitting it. There are many commercial and free tools available to do this – some operating systems even have encryption capabilities built in. As you probably suspect, if you are not sure if something should be encrypted, encrypt it.
  11. Back up. Back up. Most people and businesses do not back up frequently enough, and many (if not most) will not realize the danger of their mistake until it is too late.
  12. Keep your backups separate from production networks. If ransomware gets onto one of your production networks, it could corrupt any backups attached to that network. Maintain offsite backups in addition to onsite backups.
  13. Create appropriate social media policies and enforce them with technology. As so many organizations have learned the hard way, policies alone do not ensure that employees do not leak sensitive information or make otherwise inappropriate social media posts; implement technology to help with this task. Remember, many serious breaches begin with criminals crafting spear-phishing emails based on overshared information on social media.
  14. Comply with all information security regulations and industry standards. Consider such regulations a baseline – but not rules that if adhered to will offer adequate protection. GDPR, for example, is a regulation for which many businesses still need to prepare.
  15. Use appropriate security technology. Do not just buy the latest and greatest. Acquire and utilize what you actually need by defining functional and security requirements and selecting security controls accordingly. On that note: all computers and mobile devices that handle sensitive information, or that ever connect to a network to which devices housing sensitive information connect, need to have security software installed.
  16. Ensure that technology is kept up to date. Besides keeping security software current, make sure to install patches to server and client-side operating systems and software. Many major vendors have automatic update services – take advantage of these features.
  17. Keep IoT devices off of production networks. Treat Internet of Things devices as if they were a special class of risky BYOD devices – and keep them on their own networks. Only purchase IoT devices that have proper security capabilities such as the ability to be patched and to have default passwords changed upon installation and activation.
  18. Hire an expert to help you. There is a reason that businesspeople go to doctors when they are ill and don’t try to perform surgery on themselves, or utilize the services of lawyers if they are being sued or accused of a crime. You need experts on your side. Remember, the criminals who are targeting your data have experts working for them – make sure that you are also adequately prepared.

While there are no guarantees when it comes to information security – even the most security-conscious organizations still face some level of risk – by following these 18 tips, you can greatly improve your odds of fending off hackers who seek to steal your organization’s confidential information.


BrandPost: Protect your data to protect your business

Credit to Author: Constantine von Hoffman | Date: Wed, 01 Apr 2020 03:16:00 -0700

The most important thing your business provides isn’t a service or a product. It’s trust. And it comes from letting your customers and employees know that you’re protecting your business—and their data—against cyberattacks.

Building a foundation for trust isn’t easy. Cyberthreats continue to grow in number and complexity as businesses shift more of their operations online and enable anytime/anywhere access to information to support an increasingly remote workforce. This ongoing digital transformation exposes more systems and data to potential attacks – increasing risk for your organization.

Addressing this challenge requires a new approach to protecting business information. “The assumption that everything’s on-premises and protected behind a firewall has largely disappeared,” says Robert Crane, principal at CIAOPS, a technology consultancy that specializes in helping businesses improve their productivity by using technology and smart business practices. “But some businesses are still locked into that old-world thinking.”


Phish of GoDaddy Employee Jeopardized Escrow.com, Among Others

Credit to Author: BrianKrebs | Date: Wed, 01 Apr 2020 03:30:46 +0000

A spear-phishing attack this week hooked a customer service employee at GoDaddy.com, the world’s largest domain name registrar, KrebsOnSecurity has learned. The incident gave the phisher the ability to view and modify key customer records, access that was used to briefly hijack domains for a half-dozen GoDaddy customers, including transaction brokering site escrow.com.


Annual Protest to ‘Fight Krebs’ Raises €150K+

Credit to Author: BrianKrebs | Date: Mon, 30 Mar 2020 17:42:52 +0000

In 2018, KrebsOnSecurity unmasked the creators of Coinhive — a now-defunct cryptocurrency mining service that was being massively abused by cybercriminals — as the administrators of a popular German-language image-hosting forum. In protest of that story, forum members donated hundreds of thousands of euros to nonprofits that combat cancer (Krebs means “cancer” in German). This week, the forum is celebrating its third annual observance of that protest to “fight Krebs,” albeit with a Coronavirus twist.


Russians Shut Down Huge Card Fraud Ring

Credit to Author: BrianKrebs | Date: Thu, 26 Mar 2020 17:28:07 +0000

Federal investigators in Russia have charged at least 25 people accused of operating a sprawling international credit card theft ring. Cybersecurity experts say the raid included the charging of a major carding kingpin thought to be tied to dozens of carding shops and to some of the bigger data breaches targeting western retailers over the past decade. In a statement released this week, the Russian Federal Security Service (FSB) said 25 individuals were charged with circulating illegal means of payment in connection with some 90 websites that sold stolen credit card data.
