Monday, January 22, 2018

iNews - Around The World This Week

1)     Understanding Supply Chain Cyber Attacks - Today's cybersecurity landscape has changed dramatically due to digitalization and interconnectivity. While the benefits of each push businesses toward adoption, security risks associated with interconnectivity between networks and systems raise major concerns. Everything-as-a-service removes traditional security borders and opens the door to new cyber-attacks that organizations might not be prepared to recognize or even deal with.

2)     Schneider Electric: TRITON/TRISIS Attack Used 0-Day Flaw in its Safety Controller System, and a RAT - Industrial control systems giant Schneider Electric discovered a zero-day privilege-escalation vulnerability in its Triconex Tricon safety-controller firmware which helped sophisticated hackers wrest control of the emergency shutdown system in a targeted attack on one of its customers. Once the malware was inside the controller, it injected the RAT into memory by exploiting a zero-day vulnerability in the firmware and escalating its privileges.

3)     Ransomware: Why the crooks are ditching bitcoin and where they are going next - The popularity of bitcoin is creating problems for criminals dealing in ransomware -- and some are already casting their gaze towards a less volatile cryptocurrency. While bitcoin has suddenly found itself in the public eye thanks to its rocketing -- and, more recently, plummeting -- value, it hasn't appeared from nowhere. We'll see a progressive shift in 2018 towards criminal use of cryptocurrencies other than bitcoin, making it generally more challenging for law enforcement to counter.

4)     Where to Find Security Holes in Serverless Architecture - Application security is getting a twist with the rise of serverless architectures, which introduce a new way of developing and managing applications - and a new wave of related security risks. Businesses are looking to serverless architectures to drive simplicity and reduce cost. Applications built on these platforms scale as cloud workloads grow, so developers can focus on product functionality without worrying about the operating system, application server, or software runtime environment.

5)     49% Indian companies not likely to secure sensitive data in cloud - While an overwhelming majority of global firms have adopted cloud services, there is still a wide gap in the level of security precautions applied by them, a survey has revealed. Almost half of Indian organizations say they are not likely to secure sensitive data in the cloud. Globally, organizations said only two-fifths of the data stored in the cloud is secured with encryption and key management solutions.

6)     Man pleads guilty to launching DDoS attacks against former employers - A man from New Mexico has admitted to launching distributed denial-of-service (DDoS) attacks against former employers, as well as possessing a firearm illegally. On Wednesday, the US Department of Justice (DoJ) said John Kelsey Gammell has pleaded guilty in a St. Paul, Minnesota court to directing DDoS attacks against former employers, business competitors, companies that refused to hire him and websites for law enforcement and courts, among others. Gammell not only set up the DDoS attacks, which launch traffic in such volumes that online services are disrupted, on his own computers but also paid DDoS-for-hire services to hammer victims further.

7)     Oman's stock exchange was easily hackable for months - The security flaw made the securities market an easy target and was only fixed after a security researcher sent more than half-a-dozen warning emails. A core router for Oman's stock exchange, the Muscat Securities Market, had both its username and password as "admin" for months, even after several attempts by a security researcher to warn the exchange of the security implications.

8)     Uber ignores security bug that makes its two-factor authentication useless - Uber has ignored a security bug that can allow an attacker to hack into user accounts by bypassing two-factor authentication because the ride sharing company says the flaw "isn't a particularly severe" issue. Two-factor authentication (2FA) is a vital part of protecting online accounts. It adds a second layer of security on top of your username and password -- which can be stolen -- by sending a code by text message to your phone, for example, which only you would have access to.

9)     Behavioral biometrics missing from cybersecurity - Recently, there’s been an uptick in the adoption of the NIST Cybersecurity Framework, a set of guidelines aimed at helping organizations improve their overall cybersecurity process. In December 2017, NIST released the second draft of its framework. Among the updates were two critical additions to the Identity Management, Authentication and Access Control guidance. Rather than being shocked by each new data breach, ransomware attack or instance of fraud, companies are increasingly working to improve their cybersecurity posture, and not just internal information security professionals.

10)    Up to 40K Affected in Credit Card Breach at OnePlus - Chinese smartphone manufacturer OnePlus has reported a credit card breach affecting up to 40,000 users at oneplus.net. Users who entered their credit card data on the website between mid-November 2017 and January 11, 2018 could be at risk. The malicious script has been eliminated, the infected server quarantined, and all relevant system structures reinforced. Users who paid using a saved credit card, the "Credit Card via PayPal" option, or PayPal should not be affected, OnePlus reports.


Wednesday, January 17, 2018

iNews - Around The World This Week

1)     Hospital pays $55,000 in bitcoin to hackers after 'SamSam' ransomware locks systems - A US hospital has reportedly paid hackers $55,000 (£39,900) to restore control over its computer systems after they were infected with a strain of ransomware known as 'SamSam'. Last Thursday (11 January), staff at Hancock Regional Hospital, Indiana, found their computers had been infected with malware, which was demanding bitcoin to regain access. As reported, the hack impacted emails and health records, but no patient data is believed stolen.

2)     Privacy: The Dark Side of the Internet of Things - Before letting an IoT device into your business or home, consider what data is being collected and where it is going. There's a lot of buzz about the Internet of Things (IoT), but people aren't quite sure what to think of it. Back in fall 2016, there was a big attack on an Internet service provider in which a bunch of IoT devices became a botnet and made much of the Internet unavailable. It was a big moment that made people question the security of IoT. And although security risks are getting the headlines right now, and should certainly be considered, the bigger risk with IoT is privacy.

3)     Hackers hijack Twitter account of India's top diplomat to post photos of Pakistan's flag - The verified Twitter account of India's top diplomat to the United Nations was briefly taken over by suspected Turkish hackers early on the morning of Sunday, 14 January. The Turkish hacking group Ayyıldız Tim claimed responsibility for the attack and managed to take over the account of the president of the World Economic Forum over the weekend as well.

4)     IT Security Spending to Reach $96 Billion in 2018 - Worldwide IT security spending is expected to climb 8% next year to $96.3 billion, fueled by investments in identity access management and security services – two areas on tap to rise faster than the overall spending growth rate, according to a Gartner report released this week. Identity access management and security services are set to drive worldwide spending growth.

5)     The state of Israel’s cybersecurity market - The Equifax breach, WannaCry, NotPetya, the NSA leak, and many more cyber incidents – 2017 was certainly a busy year for hackers, illustrating yet again just how vital innovative cybersecurity solutions are in the fight against cyber threats. Second only to the U.S. in terms of cybersecurity investment, 2017 was another excellent year for Israeli cybersecurity startups, with dozens of companies being formed, breaking fundraising records and producing solid exits. The 2017 data also suggest that the Israeli cybersecurity industry is maturing, as we see a shift in funding towards later stage companies.

6)     Top think tank warns cyberattacks could lead to 'inadvertent nuclear launches' - A new report from the Chatham House think tank has warned that cybersecurity vulnerabilities could lead to accidental nuclear war if countries carrying the hugely destructive warheads do not introduce new measures. While cybersecurity is a prevalent issue many sectors of society now have to consider, nuclear weapons systems were developed during a technological era when "little consideration was given to potential malicious cyber vulnerabilities", the report states.

7)     What is FakeBank? New banking malware can intercept SMS messages to steal sensitive data and funds – Security researchers have discovered a mobile malware strain that can intercept users' sensitive SMS messages to steal their banking details and funds, phone numbers, balance on a linked bank card and location data. According to Trend Micro researchers, the malware dubbed "FakeBank" has been spotted in several SMS/MMS management software apps and primarily targets victims in Russia and other Russian-speaking countries.

8)     Watch out for this Netflix phishing scam that will steal your credit card details - Netflix users are being warned to avoid clicking on any suspicious email links after a phishing scam was uncovered, which security experts say is designed to steal credit card details. Found by Australian cybersecurity firm MailGuard, and shared on Twitter by the New South Wales police, the fake emails use convincing social engineering tactics – including the official Netflix website layout – in an attempt to dupe recipients into entering financial details.


9)     Hyper-Converged Infrastructure To Accelerate IT Transformation - Technology is fast becoming the key pillar for organizations to stay competitive, spur innovations, and seize new growth opportunities. Despite increasing IT budgets, the traditional three-tier architecture is proving to be a hindrance to meeting the rising business and market demands due to its inbuilt complexities. Apart from that, the stress to reduce operational costs and improve productivity is also forcing technology teams to explore alternative means to bring down complexity and costs through the adoption of agile architectures.

10)    Blockchain Technology Goes Beyond Cryptocurrency - Cryptocurrency, the digital currency system that enables global monetary transactions between two parties without the need for a trusted third party financial institution, has gained tremendous momentum over the last few years. Bitcoin, the first cryptocurrency, came into existence in January 2009. Its inventor, Satoshi Nakamoto (an anonymous person or a group), published a whitepaper prior to this in October, 2008. Since then, numerous cryptocurrencies have come into existence. More recently, bitcoin has gained mainstream attention. Under the hood, the technological innovation is the blockchain, which is seen as a revolutionary foundational technology with tremendous potential across different verticals.

Thursday, January 11, 2018

Making GDPR a priority for the year 2018

“You can resist an invading army; you cannot resist an idea whose time has come,” once said Victor Hugo wisely.

Today, in India, that idea is privacy. To date, privacy has not put up much of a fight; that will change in 2018. After a couple of years of getting fringe interest, privacy has, quite quickly, hit a tipping point.
The advent of the EU’s General Data Protection Regulation (GDPR) only adds to that movement. So, how is GDPR going to impact Indian organisations and what should you, the IT leaders, be doing to ensure that your organisation complies with GDPR regulations?
The EU General Data Protection Regulation (GDPR) becomes enforceable by law in May of 2018. It will require global organizations that hold the personal data of European Union residents to adhere to new requirements around control, processing and protection.
GDPR will have a far-reaching impact on the digital economy
The GDPR probably won’t affect a large swathe of small and medium Indian businesses. But given the penalties (more on this later), that’s not a chance your business wants to take. Also, it is expected that many countries will follow the EU in terms of updating their regulations to match this new standard for data protection.
If not already, it is time to know if your company has or processes any data of a European company or a European citizen. Remember, the citizen doesn’t have to be residing in a country that’s part of the EU—just that she is a citizen. (Which countries are part of the EU?)
Given that the GDPR comes into force in May of 2018, Indian companies that haven’t started preparing have only about two quarters to do so.
Preparing for GDPR is critical
Delaying preparation for GDPR isn’t the best approach. Procrastinating isn’t going to make the GDPR go away!
Like any law, the worst case only applies if your company has suffered a data breach and is challenged by a European company or citizen--and you can’t prove you have complied with the GDPR.
Any personal data breach impacting a European Union resident will need to be reported within 72 hours. Companies that do not comply will face fines of up to 20 million Euros or 4 percent of global turnover, whichever is higher. Infringements of a more technical nature call for penalties that amount to 2% of annual global revenue, or €10 million. Those who have not budgeted for the long-term implications of the GDPR will struggle.
Complying with GDPR’s Conditions
Our own research shows that complying with erasure (the right of EU nationals to be scrubbed clean off your servers and the servers of your partners) is what concerns businesses the most (51%).
That said, there are a host of conditions that need to be met; how difficult they are to comply with comes down to the maturity of your company’s data practices.
Here’s a slightly long, yet easy-to-read, list of changes that the GDPR has brought about.
What Needs to Change?
Plenty. The way your company asks for consent and collects data, how that data is stored and processed, the way your data supply chain is constructed, who your company shares data with, the number of technology partners your company uses for data back-up and archiving, the cloud services it chooses—all of this, and more, needs to change.
The majority of businesses will be stunned by the regulation’s impact on their operations, as it creates security challenges that cannot be solved solely with technology.
Smart companies will see this not just through the compliance lens but as a feature of their security policy. Fundamentally, the GDPR changes the way we look at data security.
Data is important because it belongs to people or is important to people, hence the focus on privacy. GDPR will put humans back at the centre of the security debate. And that is another idea whose time has come.

Tuesday, January 9, 2018

iNews - Around The World This Week

1)     Breach of India's Biometric Database Puts 1 Billion Users at Risk – A breach of the Unique Identification Authority of India's Aadhaar biometric system is putting personally identifiable information (PII) of more than 1 billion Indian residents at risk, reports the Tribune, an Indian publication. Attackers created a gateway to the biometric database, in which any Aadhaar user's ID number can be entered into a portal, the Tribune reports. Once the number is entered, it will pull up the resident's name, address, postal code, photo, phone number, and email address, according to the Tribune.

2)     Google Apps Script vulnerability could lead SaaS apps to download malware – Google Apps Script is vulnerable to exploits that could allow malware to be delivered via URLs. Attackers could automatically download arbitrary malware hosted in Google Drive to a machine -- and the victim would have no idea it was happening. This type of attack is different from phishing and malware distribution via links to Google Drive URLs, which are fairly common. These normally involve sending a Microsoft Office doc, which is enabled to run macros when the user gives permission.

3)     Android malware targets bitcoin, bank apps, including SBI, HDFC, Axis Bank: Report - If you are using banking or cryptocurrency apps on your mobile phone, you need to read on. An Android Banking Trojan called Flash Player has affected over 232 banking apps, many of which are mobile apps of prominent Indian public as well as private banks. Android mobile phone users having third party app stores - an online app market to install apps, just like Google Play but not owned by Android OS or Google - run the risk of accidentally downloading this malware, putting confidential security details like netbanking customer id and password at risk. Links to download this can also come through spam emails or SMS.

4)     Enterprise machine learning will double and jump start business growth and adoption, Deloitte predicts – Machine learning will intensify amongst medium and large-sized enterprises, doubling the number of implementations and pilot projects using machine learning technology in 2018 compared to last year, and then doubling again by 2020. According to Deloitte’s Technology, Media and Telecommunications (TMT) Predictions, advancements in machine learning technology include data science automation and a reduced need for training data as well as new chips in both data centers and mobile devices. The advancements will help establish the foundation, which will over the near term make machine learning mainstream across industries where organizations have limited talent, infrastructure and data to train models.

5)     Payment system, network security under RBI radar - The Reserve Bank of India has again flagged cyber risks faced by banks and said it would continue to do surprise drills and inspections to ensure that they have systems in place to deal with any threats to payment systems and network security. While the assessment is factored in the overall risk profile of a bank under risk-based supervision, certain specific areas like payment systems and network security are proposed to be subjected to more intensive scrutiny during the year.

6)     Meltdown and Spectre: ‘worst ever’ CPU bugs affect virtually all computers – Serious security flaws that could let attackers steal sensitive data, including passwords and banking information, have been found in processors designed by Intel, AMD and ARM. Everything from smartphones and PCs to cloud computing is affected by the major security flaw found in Intel and other processors, and the fix could slow devices.

7)     Behavioral biometrics will replace passwords by 2022 – In just a few years, we can all safely forget those cumbersome passwords we use to secure and unlock our devices. And we will be able to thank on-device artificial intelligence (AI) for easing the strain on our memory. Smartphones will be an extension of the user, capable of recognizing them and predicting their next move. Gartner analysts believe on-device AI, as opposed to cloud-based AI, will mark a paradigm shift in digital security, and will do so sooner than most people think.

8)     SplashData reveals the worst passwords of 2017 and they're still astonishingly terrible – After trawling through the more than five million passwords that have leaked over the past year, mostly in North America and Western Europe, the California-based company said any one of the passwords included in its list of 100 worst passwords of the year would put users at "grave risk" of identity theft. For the fourth year in a row, "123456" took the top spot as the worst password of the year followed by "password". Naturally, variations of these two such as extra digits or replacing the "o" with a "0" (zero) in "password" were also included in the list.

9)     The Future of Seamless Hybrid Clouds – In a world that appears to be dominated by clouds -- both public and private -- the underlying infrastructure that provides connectivity becomes largely invisible to users. Indeed, one of the major promises of cloud is that the pools of resources that power the cloud can reside anywhere, are elastically available, and are dynamically adjusted to accommodate the fluctuating needs of the applications they power. The cloud is already a fractured marketplace, a situation that will only get worse. As cloud becomes more mainstream for enterprises, they will each focus on the things that make themselves attractive. If we assume for a moment that each of them will have some success, the likelihood that enterprises end up putting all of their resources into a single cloud seems low.

10)    Bitcoin price rise could lead to smart home attacks and higher bills, cyber security expert warns – People’s homes could come under attack as a consequence of bitcoin’s price surge, a cyber security expert has warned. “Cryptojacking” incidents, in which people’s devices are quietly hijacked and forced to mine digital currencies for other people, are on the rise. “Any device that is ‘smart’ now has the three key ingredients to provide the cyber bad guy with everything they need – internet access, power and processing.”