Hackers Learn To Hurdle Two-Factor Authentication*:
- For years, cyber security experts have been urging users to add a second layer of authentication to their accounts – often a code sent via text message.
- Hackers are now able to hurdle this extra measure by spoofing your SIM card, intercepting the unencrypted message as it is sent over the network or trying to steal databases filled with information about mobile accounts.
- Last year, there were reports of hacking accounts with two-factor authentication in both Germany and the US.
- Some experts say using SMS is less secure than other forms of second-factor authentication, such as physical tokens or authenticator apps on smartphones.
- The first factor, a password, is what you have in your head and the second factor is meant to be what you have in your device; SMS does not quite work like that as it is sent from a network to the phone, giving a hacker an opportunity to capture it.
- One popular hacker technique involves “socially engineering”, in other words, persuading call centre or shop staff at telecoms operators to give them an identical SIM, pretending to have lost their phone.
- Other high-tech tactics like stingrays can be bought online and set up anywhere mimicking mobile phone towers and capturing data from nearby phones.
- Attacks still tend to be targeted, as the hacker must already have the victim’s phone number and account password.
- Companies are introducing alternatives to SMS authentication for employees and customers, and a hardware token is a thing you have and it does not send information over a telecoms network.
- Authenticator apps may rest on your phone, but they do not depend on the SIM card.
- Google recently launched Advanced Protection, a program designed to give an extra layer of security to the accounts of those most at risk of targeted attacks: journalists, activists, business leaders, and political campaign teams.
- One advantage of the Google system is that it does not rely on the user to spot whether the website into which they are entering their details is fake – the key can tell if it is not getting the right message back.
- Google also uses machine learning to “stitch together subtle anomalies and deviations from the norm” that go beyond the factors that are often considered.
*Source: Financial Times, March 15, 2018
Madison Square Garden Has Used Face-Scanning Technology on Customers*:
- Madison Square Garden has quietly used facial-recognition technology to bolster security and identify those entering the building.
- The technology uses cameras to capture images of people, and then an algorithm compares the images to a database to identify the person, and determine if the person is considered a problem.
- The technology, which is sometimes used for marketing and promotions, has raised concerns over personal privacy and the security of any data that is stored by the system.
- It is unclear when the face-scanning system was installed, or how many events at the Garden have used it.
- The Garden was already known for having tight security since it is in the heart of Manhattan and is built above Pennsylvania Station.
- The use of facial recognition technology puts the arena in the vanguard of professional sports facilities, but it is difficult to know for sure how widespread its use is.
- Some vendors and team officials said the customer engagement and marketing capabilities of facial recognition are even more valuable than added security for sports facilities.
- Law enforcement agencies have used facial recognition technology for many years, but some commercial entities have been wary.
- The software can be used to determine who is allowed into a building, like vendors or workers at a specified employee entrance.
- An electronic advertising board connected to the system could even be changed depending upon the age and gender of who is standing in front of it.
- There is no federal law governing the use of facial recognition technology, though both Illinois and Texas have laws that restrict its use without informed consent.
*Source: New York Times, March 13, 2018
Payment Fraud: Millions Lost in Money Transfer Trick*:
- A total of £236m was lost last year to authorised push payment fraud, with banks unable to return nearly three-quarters (74%) of the money lost.
- Victims think they are transferring money to someone official, but fraudsters may have intercepted mail or emails and pose as a legitimate businesses demanding payment.
- They often occur when people transfer money during a housing transaction, or when paying an invoice for work done on the home.
- This is the first time such calculations have been made by UK Finance, showing that there were 43,875 reported cases of these scams.
- Nearly nine in 10 (88%) of these were consumers, who lost an average of £2,784. The rest were businesses who lost on average of £24,355 per case.
- Unlike many other payment methods, victims conned into transferring money by bank transfer to a fraudster have no legal right to get their money back from their bank.
- The latest figures show financial providers returned £60.8m (26%) of the authorised push payment scam losses in 2017.
*Source: BBC, March 15, 2018
Cyber-attacks Put Russian Fingers on the Switch at Power Plants*:
- The Trump administration accused Russia of engineering a series of cyberattacks that targeted American and European nuclear power plants and water and electric systems.
- United States officials and private security firms saw the attacks as a signal by Moscow that it could disrupt the West’s critical facilities in the event of a conflict.
- The attackers had compromised some operators in North America and Europe by spring 2017, after President Trump was inaugurated.
- In the following months, Russian hackers made their way to machines with access to critical control systems at power plants.
- American intelligence agencies were aware of the attacks for the past year and a half, and warnings were issued to utility companies in June.
- Last week, the Trump administration imposed sanctions against Russian individuals and organizations it accused of election meddling and “malicious cyberattacks.”
- For years, American intelligence officials tracked a number of Russian state-sponsored hacking units as they penetrated the computer networks of critical infrastructure operators across North America and Europe.
- Some of the units worked inside Russia’s Federal Security Service, others were embedded in the Russian military intelligence agency, and others were made up of Russian contractors.
- In an updated warning to utility companies last week, Homeland Security officials included a screenshot taken by Russian operatives that proved they could now gain access to their victims’ critical controls.
- Cybersecurity experts were still questioning where the Russian attacks could lead, given that the United States was sure to respond in kind.
- The United States is struggling to come up with proportionate responses to the wide variety of cyber-espionage, vandalism and outright attacks.
*Source: New York Times, March 15, 2018
The One Thing That Protects a Laptop After It’s Been Stolen*:
- When your laptop is lost or stolen, your personal information is accessible to whoever takes it – even if you have a password.
- If thieves remove the hard drive and put it into another computer, they have access to any files you have stored on it; in some cases, they can even reset the password on your PC and gain access to your email and other personal information.
- You can protect your data with encryption.
- Encryption is a mathematical process used to jumble up data.
- Encrypting your hard drive isn’t some super-technical process that only security experts can perform – anyone can do it on their computer at home in a few minutes.
- How to Encrypt Your Hard Drive: Some Windows 10 devices come with encryption turned on by default, and you can check this by going to Settings > System > About and scrolling down to “Device Encryption.”
- If your laptop doesn’t support Device Encryption, you can use Windows’ other built-in encryption tool: BitLocker (BitLocker is available only on Professional versions of Windows and above)
- Go to Windows’ Control Panel > System and Security > Manage BitLocker. Select your operating system drive and click the “Turn On BitLocker” button, following the prompts to create a password that will function as your encryption key.
- All modern Macs have a feature called FileVault that encrypts your entire system drive. Just open your Mac’s System Preferences, head to Security & Privacy and select the FileVault tab.
- There is one catch to encryption: Your password is much, much more important to remember.
- Data may be protected from intruders, but it’s also impossible for you to access should you forget your password or recovery key.
- And no matter what, always keep a good backup of your data, either on another hard drive or with a cloud service that keeps your data secure.
*Source: New York Times, March 13, 2018
Chinese Hackers Hit U.S. Firms Linked to South China Sea Dispute*:
- Chinese hackers have launched a wave of attacks on mainly U.S. engineering and defense companies linked to the disputed South China Sea.
- The suspected Chinese cyber-espionage group dubbed TEMP.Periscope appeared to be seeking information that would benefit the Chinese government.
- The hackers have focused on U.S. maritime entities that were either linked to or have clients operating in the South China Sea.
- The TEMP.Periscope hackers were seeking information in areas like radar range or how precisely a system in development could detect activity at sea.
- The surge in attacks picked up pace last month and was ongoing.
- FireEye declined to name any targets; although most were based in the U.S., organizations in Europe and at least one in Hong Kong were also affected.
- Data sought in the latest incidents could be used, for instance, to determine how closely a vessel could sail to a geographical feature.
- The US Navy sometimes conducts freedom of navigation operations to challenge Chinese claims to more than 80 percent of the South China Sea – one of the world’s busiest trading routes.
- China has reclaimed some 3,200 acres (1,290 hectares) of land in the waters and built ports, runways and other military infrastructure on seven artificial features it has created.
- The latest attacks were carried out using a variety of techniques including “spear-phishing,” in which emails with links and attachments containing malware are used to open back doors into computer networks.
- FireEye said in a separate report that government offices, media and academic institutions have been attacked, along with engineering and defense companies.
*Source: Bloomberg, March 16, 2018