Fraudsters eat for free as Deliveroo accounts hit by mystery breach

Food delivery network Deliveroo has suffered a mysterious security breach that has left dozens of UK users picking up large bills for food they never ordered.

News of the problem was revealed by the BBC’s Watchdog TV show, which said it had received “scores of complaints” of rogue transactions appearing on viewers’ accounts during the last month.

In one example, £240 ($300) was debited from a customer in Reading for food delivered 30 miles away in London. In another, Southampton University students were billed a total of £440 for food and alcohol delivered in Leicester (120 miles away) and London (60 miles away).

These were organised fraudsters with big appetites, in the latter incident taking delivery of four curries, six naan breads, a kebab, three grilled chickens, four pizzas, five cheesecakes, garlic bread and a liver-killing eight bottles of vodka.

The first these customers knew of the orders was when they received notification by email and through the Deliveroo smartphone app, by which time it was already too late to stop them.

To its credit, once informed of the fraudulent transactions, Deliveroo refunded the money promptly, although that could still have taken up to 10 days.

The unsettling question is how Deliveroo’s customers were breached in the first place.

Deliveroo has blamed the breach on cybercriminals getting hold of login details “stolen from another service unrelated to our company in a major data breach”.

This is called “credential stuffing” and involves attackers trying logins stolen from one website on lots of others to see if account holders have reused passwords across services.
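Credential stuffing leaves a recognisable fingerprint in a service's own authentication logs: one source walking through many different accounts, with only the minority that reused a breached password actually succeeding. The following detector is an added example written for this article, not Deliveroo's code; the log format, IP addresses and account names are constructed for the illustration, and the thresholds are assumptions a defender would tune.

```python
"""Flag credential-stuffing patterns in authentication logs.

Added illustration, not code from Deliveroo or any named vendor. The log
line format and all sample values below are constructed for this example.
"""
from collections import defaultdict
import re

# Constructed sample log lines (not from any real system). One source,
# 203.0.113.5, tries six different accounts in a few seconds; the other
# is a single user who mistyped their own password twice.
SAMPLE_LOG = """\
2016-11-22T10:00:01Z ip=203.0.113.5 user=alice result=fail
2016-11-22T10:00:02Z ip=203.0.113.5 user=bob result=fail
2016-11-22T10:00:02Z ip=203.0.113.5 user=carol result=success
2016-11-22T10:00:03Z ip=203.0.113.5 user=dave result=fail
2016-11-22T10:00:04Z ip=203.0.113.5 user=erin result=fail
2016-11-22T10:00:05Z ip=203.0.113.5 user=frank result=success
2016-11-22T10:01:00Z ip=198.51.100.7 user=alice result=fail
2016-11-22T10:01:30Z ip=198.51.100.7 user=alice result=fail
2016-11-22T10:02:00Z ip=198.51.100.7 user=alice result=success
"""

LINE_RE = re.compile(r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)")


def parse_log(text):
    """Turn the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def stuffing_suspects(events, min_users=5, max_success_rate=0.5):
    """Return source IPs that tried many *distinct* accounts with a poor hit rate.

    A legitimate user who forgets a password hammers one account; a stuffing
    tool replays a stolen list, so it touches many accounts from one source
    and only the reused passwords succeed. Thresholds are assumed defaults.
    """
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "successes": 0})
    for e in events:
        stats = per_ip[e["ip"]]
        stats["users"].add(e["user"])
        stats["attempts"] += 1
        if e["result"] == "success":
            stats["successes"] += 1

    suspects = {}
    for ip, stats in per_ip.items():
        rate = stats["successes"] / stats["attempts"]
        if len(stats["users"]) >= min_users and rate <= max_success_rate:
            suspects[ip] = {"distinct_users": len(stats["users"]), "success_rate": rate}
    return suspects


def accounts_to_reset(events, suspects):
    """Accounts that logged in successfully from a flagged source: these are
    the reused passwords that worked, so they are where a forced reset goes."""
    return sorted({e["user"] for e in events
                   if e["ip"] in suspects and e["result"] == "success"})


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    flagged = stuffing_suspects(evts)
    print("suspect sources:", flagged)
    print("accounts to reset:", accounts_to_reset(evts, flagged))
```

The distinct-account count is the key signal; a per-IP failure count alone would also catch someone who has simply forgotten their own password.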

So far, the company has offered no evidence to back up this claim. On the assumption that it is true, Deliveroo users in the habit of re-using passwords should change theirs immediately as a precaution.

Harder to explain is the ease with which fraudsters were able to run up unusually large bills for food delivered significant distances from registered addresses.

Deliveroo says it uses “anomaly detection” to spot this sort of deviation from normal behaviour but clearly something went wrong with this or it wasn’t applied widely enough.

The criminals were also able to get the food delivered to public buildings rather than home addresses, another red flag that should have raised suspicions.

All the more so because the company does not ask customers to enter a Card Verification Value 2 (CVV2) code when making orders, a card security system designed to ensure that someone ordering something online has physical possession of the card used to pay for it.

The company said it has started asking customers to verify their identity when changing addresses.

Ideally, Deliveroo should give a more detailed account of what went wrong and not fall back on the “security by obscurity” approach often used by UK companies after security incidents.

If lessons can be learned then customers should be able to learn them too.

–News collected and synced by Info Security Solution Kolkata,

The malicious iPhone video with a silver lining

Anyone here old enough to remember MS-DOS?

In those days, memory protection meant putting the lid back on your computer properly, process separation meant having two computers, and the term “sneakernet” was a tautology.

Code and data were gloriously undistinguished to the point that deliberately interleaving machine instructions and data variables in your programs was perfectly normal.

Indeed, many programs started with a JMP instruction that caused the CPU to hop forwards in memory, skipping over things like error messages, menu screens and other data tables, to land in the executable part.

The unused memory starting at the end of the executable part was used for temporary storage needed while the program ran.

In fact, when your application loaded, its so-called uninitialised variables ended up “initialised”, often rather interestingly, with whatever was left over in memory from the previous program.

(Programs were always full-blown “applications” back then. The newfangled diminutive “app” didn’t exist, which is ironic when you consider that modern apps are thousands of times, sometimes even millions of times, larger than old-school applications.)

If anything went wrong with your MS-DOS program – a buffer overflow, for example, or a corrupted return pointer, or just a wrongly directed jump caused by some other sort of bug – then the results were almost always catastrophic, at least for your data.

When a crash involved a memory access that went wrong, the destination address would often be the RAM in your video card.

This gave wild results, because every even byte denoted the character to display, and every odd byte denoted the colour combination to use, giving absurdly abstract art like this:

And these catastrophes weren’t just occasional annoyances: a busy user might expect to reboot several times a day.

There were no arguments back then about whether you should leave desktop PCs turned on overnight.

First, computers used a lot of power in those days, so you saved serious money by turning them off; second, the chance of it running correctly through the night was pretty low; and third, you’d reboot in the morning anyway, just to ensure that you had a fresh start.

Malicious video problems

It was with all of this in my mind that I read a recent story on 9to5mac with a dramatic headline: There’s another malicious link floating around that will cause any iOS device to freeze.

Simply put, it’s a video that somehow consumes sufficiently many resources, or perhaps even triggers what might turn out to be a potentially dangerous vulnerability…

…that you end up with an entirely unresponsive device.

The video eats so much of your iPhone’s lunch, in fact, that you have to reboot by holding the power button for a few seconds to access the iOS shutdown slider so you can restart:

Things can get so bad that the power button alone isn’t enough – after all, the slider shown above is itself a software control.

If your device is frozen so solid that you can’t even slide the shutdown button, you can do a force restart by holding the power and home buttons down at the same time for 10 seconds. (On an iPhone 7, use power and volume down.)

The bottom line

All said, this does constitute a security risk, even if only a Denial of Service (DoS) where someone crashes your phone by enticing you to a booby-trapped video.

At any rate, there will probably be some sort of security fix in a forthcoming iOS update.

However, we think that the bottom line of this story is good news…

…when you think how far we have come in the past 20 or 30 years.

We’ve evolved from the crashtastic ecosystems of MS-DOS and early Macs to a world in which a video that doesn’t play properly is considered cause for security concern, and where an unexpected reboot is rightly written up as something malicious.

If that’s not a sliver of good security news for the Black Friday weekend, we don’t know what is.


Don’t be a security turkey this Thanksgiving!

Happy Thanksgiving to all our US readers.

We hope you have a great day today, and we hope that you’ll have a good time on Black Friday and Cyber Monday, too.

In particular, we hope you stay clear of spammers, scammers, skimmers and the many cybercrooks who make a living out of getting between customers and retailers and helping themselves to your data (and your money) during the holiday season.

With that in mind, we’ve published these pieces this week:

Thanks to everyone who tuned in for our Facebook Live video, or who watched it later, and to everyone who has liked it, loved it and shared it.

We hope it gives you the encouragement to keep security in mind now and in the future.

As we put it in the video:

Computer security is a bit like quitting smoking. You don’t go to a “quit smoking” day so you can have one day off. You go because you want to make a change in your lifestyle that will let you stop smoking forever. What we’re hoping is that our advice is general enough that it will help you specifically this weekend, but that it will also show you you can live life without taking some of the risks that you may have thought necessary in the past. Sort of, “2% less fun; 98% more security”, if you want to put it that way.

We talked about some of those lifestyle changes in the video, so if you haven’t watched the video yet, here it is:

Have a great weekend, and remember, when it comes to personal information, online or in the store: “If in doubt, don’t give it out.”


‘Compromised’ laptop implicated in US Navy breach of 130,000 records

The personal details of more than 130,000 former and currently serving sailors in the US Navy have been “accessed by unknown individuals”, the Department of the Navy said on Thursday.

Details including names and social security numbers have been compromised, the department added.

The leak happened after the laptop of a contractor working for Hewlett Packard Enterprise was “compromised”, said the department.

Little more is known about the breach, and the Navy reassured sailors that it is “in the early stages of investigating” the breach and is “working quickly to identify and take care of those affected by this breach”.

The department also said it was taking the sensible step of “reviewing credit monitoring service options for affected sailors”.

In the meantime, we’d add some further advice if you think you’re one of the sailors whose details might have been compromised:

  • Keep an eye on your bank and credit card statements for dodgy transactions.
  • Be particularly wary of emails, texts or messages on other platforms asking you to click a link and log in to “confirm your account details” or hand over other personal information.
  • Do take up the Navy Department’s offer of credit monitoring services, which will keep an eye on anyone trying to open accounts using your name or social security number.

It seems at the moment that “there is no evidence to suggest misuse of the information that was compromised”, but there’s no harm in following our advice.

Vice-admiral Robert Burke, chief of naval personnel, moved to reassure sailors, saying: “The Navy takes this incident extremely seriously – this is a matter of trust for our sailors.”


Facebook ‘quietly developing censorship tool’ for China

You can just imagine the seething frustration at Facebook’s commanding heights: what will it take for us to get back into China, with its 721,000,000+ internet users?

Mark Zuckerberg learning Mandarin, visiting the Great Wall, ostentatiously leaving the Chinese president’s book on governance in sight during a visit by the nation’s internet tsar? None of it’s worked! Time to play our final hand – censorship!

That’s one take on the events that might have led to today’s New York Times expose: it seems Facebook has tasked its development teams with “quietly develop[ing] software to suppress posts from appearing in people’s news feeds in specific geographic areas”.

As “current and former Facebook employees” told the Times, Facebook wouldn’t do the suppression themselves, nor need to. Rather:

It would offer the software to enable a third party – in this case, most likely a partner Chinese company – to monitor popular stories and topics that bubble up as users share them across the social network… Facebook’s partner would then have full control to decide whether those posts should show up in users’ feeds.

This is a step beyond the censorship Facebook has already agreed to perform on behalf of governments such as Turkey, Russia and Pakistan. In those cases, Facebook agreed to remove posts that had already “gone live”. If this software were in use, offending posts could be halted before they ever appeared in a local user’s news feed.

As the Times notes, if Facebook ever did return to China, many observers expect it to happen alongside a local partner who could manage the sensitive local politics – especially the censorship rules that have made it impossible for Google and Twitter to operate there.

Facebook’s putative censorship software might make it easier to gain China’s approval for such a partnership. It would certainly fit with Mark Zuckerberg’s earlier statements to employees that:

It’s better for Facebook to be a part of enabling conversation, even if it’s not yet the full conversation.

And Facebook wouldn’t be alone among western companies in agreeing to Chinese censorship. According to Fortune, LinkedIn and Microsoft’s Bing search engine already have.

However, as The Verge reported, once such a tool were introduced:

Facebook would likely face pressure from other autocratic regimes to enable its use in their own countries. It is not impossible that the United States would be one of those countries.

In his Times report, Mike Isaac states that some Facebook employees left the company to protest this censorship project. After posting his story, he tweeted that “it was post-election result that scared some sources into discussing this tool, for fear of a hostile US admin accessing it”.

What does Facebook say?

We have long said that we are interested in China, and are spending time understanding and learning more about the country. However, we have not made any decision on our approach to China. Our focus right now is on helping Chinese businesses and developers expand to new markets outside China by using our ad platform.

While Facebook continues to play its cards close to its chest, it’s looking increasingly like the cat’s out of the bag. If so, it might not be long before other governments start demanding Facebook’s new toy. It could happen before you can say “fake news”!


Google secures five-year access to health data of 1.6m people

Artificial intelligence firm DeepMind and a London hospital trust, the Royal Free London NHS Foundation Trust, have signed a five-year deal to develop a clinical app called Streams. The deal extends the already controversial partnership between the London-based startup, which was bought by Google in 2014, and the healthcare trust.

The Streams app is for healthcare professionals. According to the Financial Times, it will trigger mobile alerts when a patient’s vital signs or blood results become abnormal so that a doctor can intervene quickly and prevent the problem escalating.

The trust said that Streams has, thus far, been using algorithms to detect acute kidney injury, and added that it would

alert doctors to [a] patient in need “within seconds”, rather than hours [and] free up doctors from paperwork, creating more than half a million hours of extra direct care

The aim is to use Streams as a diagnostic support tool for a far wider range of illness, including sepsis and organ failure.

OK, so that’s the what. Now for the controversial bit: the how…

The app quite obviously relies on access to patient data.

A story in New Scientist earlier this year raised concerns that the partnership had given DeepMind access to “a wide range of healthcare data on the 1.6 million patients … from the last five years”, and noted that the data will be stored in the UK by a third party and that DeepMind is obliged to delete its copy of the data when the agreement expires.

In a follow-up story published this week, New Scientist revealed that the UK’s Information Commissioner’s Office began investigating the data-sharing agreement following its revelations. A statement from the office says that it is “working to ensure that the project complies with the Data Protection Act”.

But is that enough?

Privacy firms have raised concerns that medical records are being collected on a massive scale without the explicit consent of patients. Phil Booth, coordinator of medConfidential, queried the value of the app:

Our concern is that Google gets data on every patient who has attended the hospital in the last five years and they’re getting a monthly report of data … [but] because the patient history is up to a month old, [it] makes the entire process unreliable and makes the fog of unhelpful data potentially even worse.

Academics have also raised concerns. Speaking to the Financial Times, Julia Powles, a lawyer who specializes in technology law and policy from the University of Cambridge, highlighted that:

We do not know – and have no power to find out – what Google and DeepMind are really doing with NHS patient data, nor the extent of Royal Free’s meaningful control over what DeepMind is doing.

Give Google a chance?

When Natasha Loder asked:

Powles responded:

That’s exactly it, isn’t it? The issue is not with what Google is trying to achieve, but that fact that it is Google doing it.

Doing it right

I have no issues with technologies being used to improve patient outcomes … provided the right people are doing it, for the right reasons and that it’s done in the right way.

Here we have Google creating an app that really needs real-time data to be useful. Surely it could potentially put patients at risk if the data are not up to the minute when you’re talking about things like organ failure and sepsis. Won’t the doctor need to know what’s been happening with the patient in the last weeks, days, hours and even minutes?

On my second point, Google is not doing the work for profit. Mustafa Suleyman, head of DeepMind Health and DeepMind’s co-founder, told the FT:

We get a modest service fee to supply the software. Ultimately, we could get reimbursed [by the NHS] for improved outcomes.

So you have to ask why. To access to data? To gain a foothold in health analytics? To test possibilities? To build a proof of concept it can sell in the future?

I suspect all of those are near the truth.

Does Google really need to be given this data at all? Wouldn’t it have been a lot safer if the NHS Trust had trialled the app on Google’s behalf, keeping the data safely in-house? After all, if you wanted to test-drive a piece of technology, wouldn’t you ask for the technology to test rather than hand over your data?

Or is this something that can only be accessed as a service, in other words, where data need to sit on the service provider’s machines? If that’s the case, we need to seriously look at how organizations access cloud-based third-party services that require a local copy of data. If we don’t, we risk finding copies of patient, student, citizen and other very personal data here, there and everywhere in the future.


Data breach hits MSG: Rangers, Knicks, Rockettes fans hacked

The venues host hundreds of thousands of people annually.

Madison Square Garden Company (MSG) reported payment card information was stolen from potentially hundreds of thousands of customers who attended shows or sporting events at the organization’s five major venues during the last year.

MSG reported it had been told by several financial institutions that a pattern of fraudulent activity had been spotted taking place in its point of sale (POS) system, and a subsequent investigation by MSG and an outside security firm discovered unauthorized personnel had been accessing POS data from Nov. 9, 2015 to Oct. 24, 2016. The food and merchandise retail POS systems affected were located at Madison Square Garden, the Theater at Madison Square Garden, Radio City Music Hall, Beacon Theater, and Chicago Theater. Information involved included credit card numbers, cardholder names, expiration dates and internal verification codes, but MSG said not all cards used during this period were affected.

“Findings from the investigation show external unauthorized access to MSG’s payment processing system and the installation of a program that looked for payment card data as that data was being routed through the system for authorization,” MSG said in a written statement.

This attack is reminiscent of similar data breaches which hit retailers several years ago, but which have recently fallen out of favor as cybercriminals switched over to using ransomware and targeting other types of large organizations.

“Madison Square Garden’s breach may be common in that we’ve seen it before, but it’s not common in that we haven’t seen much of it lately. In fact this breach bears a strong resemblance to the high-profile POS RAM scraping hacks we saw so much of in 2014 (Target, Home Depot, Neiman Marcus),” Casey Ellis, CEO and founder of Bugcrowd, told SC Media in an email.

MSG said the malware has been removed from its system and that the company continues to work with an outside security firm to mitigate the damage.

The venues impacted host the NHL Rangers, NBA Knicks, Radio City Music Hall Rockettes and top-flight musical acts that attract hundreds of thousands of visitors per year. MSG has not released any figures on how many people were impacted nor what type of malware was involved.

“It’s critical to properly segment these networks, actively monitor them for breach indicators, and always assume that these systems have been breached,” Richard Henderson, global security strategist at Absolute Software, said to SC Media in an email.


Stop wasting time making the wrong passwords stronger

Most of the energy spent on making passwords stronger is wasted, according to researchers at Microsoft Research, and has no effect on security.

The reason, say Microsoft’s researchers in a recent paper, is that there are two vast “don’t care” regions where energy spent on strengthening passwords is simply wasted.

The chasm

The first “don’t care” region is an online-offline chasm. The chasm represents the gap between the number of guesses a password might have to withstand in an online attack and how many it might face in an offline attack (you can read more about it in my article Do we really need strong passwords?).

To withstand a determined online attack using a website’s login screen your password might have to withstand 1 million guesses. To survive an offline attack by an attacker with specialist hardware, direct access to the password database and plenty of time the figure is eight orders of magnitude greater: 100 trillion guesses.

If passwords sit between these two thresholds then they’re more than good enough to withstand an online attack, but not good enough to handle an offline attack.

Any effort to strengthen passwords in the chasm that falls short of pushing them out of it is therefore wasted.

The saturation threshold

The second “don’t care” region is the threshold at which an attacker stops trying to crack passwords because they’ve already thoroughly compromised the system they’re attacking.

…for an enterprise network a compromised account almost certainly has snowballing effects … The first credential gives initial access to the network, the second, third and fourth solidify the beachhead, but the benefit brought by each additional credential decreases steadily.

So an attacker doesn’t need to crack all of a system’s passwords: in fact they can probably leave most of them untouched.

The point of saturation varies from one network or system to another but the researchers set themselves an upper bound for the saturation point at just 10% of passwords, with the caveat that “saturation likely occurs at much lower values”.

Efforts to strengthen the passwords above the saturation point yield little if any additional security.

Focusing where it matters

On any given system a huge number of passwords are likely to sit in one of the two “don’t care” regions.

If you’re an end user you’ll never know how your passwords are stored or which side of the saturation point they sit, so you should shoot for the strongest passwords you can muster.

If you’re a system administrator charged with keeping your network safe and you don’t have infinite time and resources, the “don’t care” regions can help shape your approach to passwords.

…many policy and education mechanisms are unfocused, in the sense that they cannot be targeted at the specific part of the cumulative distribution where they make most difference (and away from the “don’t care” region where they make none).

How then should you make sure that your efforts to strengthen users’ passwords actually make a difference?

Don’t waste time on composition policies

Perhaps the least popular approach is password composition policies.

These are sets of rules such as “your password should be at least eight characters long and contain at least one uppercase letter, one number and one special character”. They’re popular because the rules are easy to check and they increase the entropy of your password (which can be important but isn’t the same thing as password strength).

However, the case against these rules is compelling: they’re annoying (to everyone, even people choosing really strong passwords); they measure something that isn’t password strength; and they restrict the pool of possible passwords (the “password space”), which is a helping hand to password crackers.

Microsoft Research has come up with another reason to ditch those policies, which is that even if they do help to make passwords stronger, they fall into the “don’t care” region where it makes no difference:

…the evidence strongly suggests that none of the password composition policies in common use or seriously proposed can help … enterprises that impose stringent password composition policies on their users suffer the same fate as those that do not

Do block common passwords

Instead of using password composition policies organisations should simply stop users from choosing anything that might appear on SplashData’s annual worst password lists.

Attackers know what the most popular passwords are and any attacker worth their salt will be sure to try them first.

Password blocklists work just where you want them to: below the saturation point for online guessing. Sure, blocklists can be annoying, but they only annoy people choosing poor passwords.

Microsoft and Twitter are both mentioned as sites that use blocklists of hundreds of passwords, but the authors suggest going much further and blocking not just the worst few hundred, but the worst million passwords.

They also suggest that you might use zxcvbn on your website, a password strength meter that actually tries to measure password strength.
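A blocklist is only as good as its matching: an exact comparison lets “Password123” or “P@ssw0rd” slip past a list that contains “password”. The check below is an added example, not code from the paper, Microsoft or Twitter; the tiny list is a constructed stand-in for the worst-million file a real deployment would load, and the normalisation rules (case-folding, stripping trailing digits and symbols, undoing common letter-for-symbol substitutions) are assumptions about how users decorate a banned base word.

```python
"""Blocklist check with normalisation, so decorated variants of banned
passwords are caught too.

Added example; not the paper's, Microsoft's or Twitter's code. The
blocklist below is a constructed stand-in for a worst-million file.
"""
import re

# Constructed sample; a real deployment loads the worst million entries,
# lower-cased, one per line, into a set like this.
BLOCKLIST = {
    "123456", "password", "qwerty", "football", "letmein",
    "welcome", "monkey", "dragon", "iloveyou", "abc123",
}

# Trailing decoration users bolt onto a banned word: "football!", "dragon2016".
_TRAILING = re.compile(r"[0-9!@#$%^&*._\-]+$")

# Common letter-for-symbol substitutions, undone before the lookup (assumption).
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                       "@": "a", "$": "s"})


def normalise(password):
    """Return the set of base forms a candidate password collapses to."""
    base = password.lower()
    stripped = _TRAILING.sub("", base)
    return {base, stripped, base.translate(_LEET), stripped.translate(_LEET)}


def is_blocked(password, blocklist=BLOCKLIST):
    """True if any normalised form of the password is on the blocklist."""
    return any(form in blocklist for form in normalise(password))


def check_new_password(password, blocklist=BLOCKLIST, min_length=8):
    """Registration-time gate: a short rejection reason, or None if accepted.

    Length is checked before the list because a list only catches what it
    contains; a strength meter such as zxcvbn would be the next layer.
    """
    if len(password) < min_length:
        return "too short"
    if is_blocked(password, blocklist):
        return "too common"
    return None


if __name__ == "__main__":
    for candidate in ("Password123", "P@ssw0rd", "Football!", "correct horse battery"):
        print(f"{candidate!r}: {check_new_password(candidate) or 'accepted'}")
```

Normalising the user's candidate rather than expanding the list keeps the list itself small and lets the same file serve every variant rule you later add.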

Throttle passwords

Limiting the number of times a user can try a wrong password can reduce the vulnerability of passwords below the saturation threshold. Attacks against rate-limited interfaces take a long time and attackers have to be far more circumspect about the guesses they make.

If you’re in any doubt about just how inconvenient rate-limiting can be, just ask the FBI.

The best bang-for-buck guesses for attackers are the most common passwords, so password blocklists and throttling make a potent combination:

Together with password blocklisting … throttling may almost completely shut down generic online guessing attacks.

NIST (the National Institute of Standards and Technology) now recommends that users be allowed no more than 100 consecutive incorrect guesses in any 30-day period.

Note that whilst sysadmins looking to shepherd flocks of dodgy passwords can feel good about blocklists and throttling, it’s not an excuse for individuals to back off on their password discipline. Recent research showed that if attackers (or more likely their software) target you personally then even the NIST limit of 100 guesses might not be enough to keep you safe.
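The NIST figure quoted above translates directly into a per-account failure budget: count failed guesses inside a sliding 30-day window, refuse further attempts once the count reaches 100, and clear the count on a successful login. The throttle below is an added example, not NIST's or the paper's code; the class and function names are mine, and timestamps are plain seconds so the logic can be exercised without a clock.

```python
"""Per-account login throttle implementing a sliding-window failure budget.

Added example, not NIST's or the paper's code. Defaults follow the NIST
recommendation quoted in the article: 100 failed guesses per 30 days.
"""
from collections import deque


class LoginThrottle:
    """Allow at most `limit` failed guesses per account in any `window` seconds."""

    def __init__(self, limit=100, window=30 * 24 * 3600):
        self.limit = limit
        self.window = window
        self._failures = {}  # account -> deque of failure timestamps

    def _prune(self, account, now):
        """Drop failures that have aged out of the window; return the deque."""
        q = self._failures.setdefault(account, deque())
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def failure_count(self, account, now):
        return len(self._prune(account, now))

    def allowed(self, account, now):
        return self.failure_count(account, now) < self.limit

    def record(self, account, ok, now):
        """Log the outcome: a success clears the budget, a failure spends it."""
        q = self._prune(account, now)
        if ok:
            q.clear()
        else:
            q.append(now)


def attempt_login(throttle, account, password_ok, now):
    """Gate the password check with the throttle.

    Once the budget is spent even a correct password is refused, so the
    response leaks nothing about whether the guess was right. Returns
    "locked", "ok" or "denied".
    """
    if not throttle.allowed(account, now):
        return "locked"
    throttle.record(account, password_ok, now)
    return "ok" if password_ok else "denied"


if __name__ == "__main__":
    t = LoginThrottle()
    outcomes = [attempt_login(t, "alice", False, sec) for sec in range(101)]
    print("first:", outcomes[0], "last:", outcomes[-1])  # denied ... locked
```

A per-account budget on its own lets anyone lock a victim out by guessing badly on purpose, which is why it is usually paired with a per-source limit and a second factor rather than used alone.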

Enforce two-factor authentication

The paper is tightly focused on passwords and doesn’t cover things like 2FA (two-factor authentication) so I’m going to give it an honorable mention.

Two-factor authentication forces users to provide two pieces of information – typically their password and a code provided by a token, an SMS message or an app.

It protects systems from attackers with stolen passwords, because passwords aren’t enough by themselves to gain access, and it makes guessing passwords online very hard indeed.

Store passwords correctly

Throttling and blocklists are great for fending off online attacks but if a hacker makes off with your password database they can’t help. After a password database has been stolen the password hashes stored inside it are at the mercy of whatever time and hardware the attacker can afford.

How the stolen passwords have been stored makes a huge difference to how big the chasm is.

Passwords should be stored as hashes that have been salted and stretched (for an exhaustive examination of why read How to store your users’ passwords safely).

“Stretching” means repeating the salting and hashing process over and over, typically thousands and thousands of times, in an effort to make password hashing much more computationally expensive.

Moore’s law sees to it that the hardware used for password cracking is always getting faster. Stretching gives system administrators an easy way to keep up – as computers get faster they can simply increase the number of salting and hashing iterations passwords are passed through before being stored.

The upper limit on the number of iterations is determined by what users will stand because they have to wait for their passwords to pass through the salt, hash, stretch process to be authenticated.

The slower the hash the longer that both users and password crackers have to wait:

If 10ms is a tolerable delay an attacker with access to 1000 GPUs can compute a total of … 10^12 guesses in four months. Directing this effort at 100 accounts would mean that each would have to withstand a minimum of T1 = 10^10 guesses. Since these are conservative assumptions, it appears challenging to decrease [the chasm] below this point.

A threshold of 10^10 guesses narrows the online-offline “don’t care” region considerably but still leaves it four orders of magnitude wider than the chasm’s leading edge. But what about other ways of storing passwords?
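The chasm described earlier (10^6 guesses online versus 10^14 offline) and the stretching arithmetic in the quote above are the same calculation seen from two ends, so one worked example covers both. The code below is an added illustration, not the paper's; the thresholds and the 10 ms / 1000 GPU / 100 account figures are the article's, while the assumption that “four months” means 120 days, the choice of a 72-symbol alphabet for a random password, and the function names are mine.

```python
"""The online-offline chasm and how hash stretching moves its far edge.

Added illustration, not the paper's code. Thresholds and the attacker
model follow the article; "four months" is taken to be 120 days.
"""
import math

ONLINE_GUESSES = 10**6    # what a determined attack on a login form can manage
OFFLINE_GUESSES = 10**14  # what a well-equipped attacker with the hash database can manage


def offline_budget(delay_s, gpus, seconds):
    """Total guesses if each guess costs `delay_s` on each of `gpus` devices
    for `seconds` of wall-clock time (the attacker's per-guess cost is assumed
    equal to the server's tolerable delay, as in the quoted argument)."""
    return gpus * seconds / delay_s


def per_account_floor(budget, accounts):
    """Guesses each account must withstand if the budget is spread evenly."""
    return budget / accounts


def chasm_orders(online=ONLINE_GUESSES, offline=OFFLINE_GUESSES):
    """Width of the chasm in orders of magnitude."""
    return math.log10(offline / online)


def keyspace(alphabet_size, length):
    """Guesses needed to exhaust all random passwords of this shape."""
    return alphabet_size ** length


def region(guesses, online=ONLINE_GUESSES, offline=OFFLINE_GUESSES):
    """Which of the three bands a password that survives `guesses` falls in."""
    if guesses < online:
        return "weak even online"
    if guesses < offline:
        return "chasm (don't care)"
    return "offline-resistant"


FOUR_MONTHS_S = 120 * 24 * 3600  # assumption: four months = 120 days

if __name__ == "__main__":
    budget = offline_budget(delay_s=0.01, gpus=1000, seconds=FOUR_MONTHS_S)
    t1 = per_account_floor(budget, accounts=100)
    print(f"budget ~ 10^{math.log10(budget):.1f}, T1 ~ 10^{math.log10(t1):.1f}")
    print("chasm width today:", chasm_orders(), "orders of magnitude")
    print("with stretching:", chasm_orders(offline=t1), "orders of magnitude")
    print("8 lowercase letters:", region(keyspace(26, 8)))
    print("14 random symbols:", region(keyspace(72, 14)))
```

The last two lines are the end-user's view of the same numbers: a random 14-character password from a 72-symbol alphabet sits past the far edge even before stretching, whereas eight lowercase letters land squarely in the chasm.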

Administrators can eliminate the online-offline chasm completely by removing the possibility of stolen hash databases, and one way to do that is by using an HSM (Hardware Security Module). An attacker who steals the password database without the HSM has nothing more than a useless list of Message Authentication Codes.
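The storage advice in this section (salt, hash, stretch, and calibrate the iteration count to what users will tolerate) maps onto a few lines of standard-library code, and the HSM point can be shown with a keyed MAC whose key is the only secret. This is an added example, not code from the paper or the linked article; PBKDF2-HMAC-SHA256 is the assumed stretching construction, the in-process HMAC key stands in for one held inside a real HSM, and the calibration target is the 10 ms the paper treats as tolerable.

```python
"""Salted, stretched password storage, iteration calibration, and a keyed
MAC as a stand-in for HSM-backed storage.

Added example, not the paper's or the article's code. Assumes
PBKDF2-HMAC-SHA256 as the stretching construction.
"""
import hashlib
import hmac
import os
import time


def hash_password(password, iterations, salt=None):
    """Salt, then stretch: `iterations` HMAC rounds over password and salt."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"alg": "pbkdf2-sha256", "iter": iterations, "salt": salt, "hash": digest}


def verify_password(password, record):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    record["salt"], record["iter"])
    return hmac.compare_digest(candidate, record["hash"])


def calibrate_iterations(target_seconds=0.01, start=1000):
    """Double the iteration count until one hash takes about `target_seconds`
    on this machine. Re-run it as hardware gets faster and re-hash on next login."""
    iters = start
    while True:
        t0 = time.perf_counter()
        hashlib.pbkdf2_hmac("sha256", b"calibration", b"\x00" * 16, iters)
        if time.perf_counter() - t0 >= target_seconds:
            return iters
        iters *= 2


def keyed_hash(password, salt, hsm_key):
    """HMAC under a key that, with a real HSM, never leaves the module.

    Without `hsm_key` a stolen table of these values cannot be guessed
    against at all, which is the article's point about eliminating the
    offline side of the chasm. The key here is in-process for illustration.
    """
    return hmac.new(hsm_key, salt + password.encode(), hashlib.sha256).digest()


if __name__ == "__main__":
    iters = calibrate_iterations()
    rec = hash_password("correct horse battery staple", iters)
    print("iterations:", iters, "verify:", verify_password("correct horse battery staple", rec))
    key = os.urandom(32)  # stands in for the HSM's internal key
    print("keyed:", keyed_hash("correct horse battery staple", rec["salt"], key).hex()[:16], "...")
```

Storing the algorithm name and iteration count alongside each hash is what makes later increases in the stretching factor painless: old records still verify, and each user is silently re-hashed under the new parameters at their next successful login.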

What it all means

The conclusions of the research have the world’s sysadmins in mind. If your job involves looking after users’ passwords and your time is limited then its conclusions can help you focus your energy where it matters – on actually improving security.

If you’re an end-user however, you can’t relax. You’ll never know how your passwords are stored or whether yours sits above or below the saturation point. The measures that sites use to defeat online guessing may be more obvious to you but you’ll still have no control over them, aside from adopting 2FA if it’s available.

Make sure that every password you choose is unique and strong enough to withstand an offline guessing attack. Make each password a random collection of at least 14 letters, numbers and wacky characters and (if you don’t have a photographic memory) use a password manager to keep them safe.

Cyber Monday: What to watch out for when you hit the web

Cyber Monday happens immediately after the Thanksgiving weekend, and it’s a day of potential online bargains when many people will be flocking to their browsers to look for great deals, just as they flocked to the shopping mall for in-store Black Friday discounts.

Cyber Monday not only causes a huge surge in online shopping, but also brings along a giant raft of spams and scams that aim to catch you while your guard is down.

With that in mind, our timetable of advice this week is as follows:

The Facebook Live video is scheduled for 16:00 UK time (4pm), which is 11am on the US East Coast and 8am on the West Coast.

If you can tune in to our Naked Security Facebook page at that time and join in, we’d love to have you; if you can’t make it, the video will be available to watch any time afterwards.

So, back to today.

Here are four tips for Cyber Monday – tips that you can actually use all year round because they won’t expire once the holiday shopping season is over.

1. Don’t lower your standards for spam

If your inbox is anything like ours, you’ll have seen a surge in “special offer” spam lately, including emails from marketing companies you’ve never heard of, often promoting great deals on products you do know well.

Unfortunately, your inbox is probably also fuller than usual with similar-looking emails from legitimate sources, and the crooks are banking on the fact that you’ve already decided to take advantage of some of the great deals available on Cyber Monday.

In other words, to find the best price among all the many discounted offers, you may very well take a risk and click on links in emails that you’d normally delete as spam.

So, stop and think before you click.

Ask yourself, “If it weren’t Cyber Monday; if I were at work and playing by IT’s rules; if I were broke and looking to spend nothing; if I’d already finished all my purchases, would I have any reason to treat this email as anything but spam?”

Don’t let your guard down just because the volume of enticing email has gone up.

Stick to your usual thresholds for spam tolerance, and don’t give the crooks extra room just because it feels like a special time of year.

2. Don’t disclose more data than you need

Even when you browse to legitimate sites offering special deals, you’ll often bump into what the marketing community calls a “gate”.

A gate is one of those web forms where there is a quid pro quo that requires you to hand over various items of personal information before you can go any further.

To open the gate, you may be asked for an uncomfortable amount of detail such as name, address, email, phone number, date of birth, gender, hobbies, income and more.

Different sites ask for different amounts of personal information, though if you look carefully, you may find that some of it is optional so that you can proceed without giving it away.

You can’t easily tell whether giving a site the minimum amount of personal information and withholding the optional stuff might affect any offers you later receive. For all you know, the company might give better deals for bigger disclosures. However, the amount of data that a company insists you fill in, rather than merely inviting you to provide, gives you an idea of just how acquisitive that company is. We recommend that you leave out all optional data fields unless you have a good reason of your own for disclosing the information.

We suggest that you decide in advance what your data disclosure limits are going to be – rather like setting yourself a maximum bid before an auction so you don’t get carried away in the heat of the moment.

If you’re comfortable with everyone knowing your date of birth, for example, put it on your list of data points you’re willing to give away.

But if you want to keep your location private, say, make a firm decision ahead of time never to hand over your address (or your postcode if you live in a country where each postcode covers just a few houses at most), and make that a disclosure limit you stick to.

Remember that even if a company acquires, uses and shares the data it collected entirely honourably, there is always an implicit risk that it might be exposed in a breach.

Our catchphrase: “If in doubt, don’t give it out.”

3. Don’t get bait-and-switched

As the name suggests, a bait-and-switch is where a website draws you in with a promise of one thing, such as a free iPhone or tickets to a movie premiere, and then leads you round the houses, sometimes quite subtly, to sell you something quite different from what was originally promoted.

Additionally, the “prize” you were promised at the start typically morphs into something different, often much less valuable and desirable than the original drawcard.

Remember that “special offer” scams don’t just arrive by email, but may show up on Twitter, Facebook and other social networking sites.

They may even show up with the endorsement of a friend you trust, for example if your friend’s password was hacked, or their computer was infected with malware.

(No video? Watch on YouTube. No audio? Click on the [Closed captions] icon for subtitles.)

A common bait-and-switch trick, shown in the video above, is to use your location as an excuse for the switch, on the grounds that the offer you started with isn’t available in your area.

Bail out as soon as you feel uncomfortable with the direction any special offer or discount is taking, especially if there’s a gate that requires you to put in personal data early on, before it’s clear what you are going to be offered.

Remember that for disreputable companies, online talk truly is cheap, in both costs and consequences: there are no brochures to print, no stamps to buy, no envelopes to stuff, and often very little for the regulators or the courts to go after if the company ends up breaching its obligations or promises.

Whether it’s Cyber Monday or not, don’t be sucked in by too-good-to-miss offers.

Our catchphrase, when it comes to online promises: “If it sounds too good to be true, it IS too good to be true.”

4. Don’t be cyberaware only because it’s Cyber Monday

Cybersecurity is for life, not just for special occasions, as we said when we made this very same point yesterday in our advice for Black Friday shopping.

Cyber Monday would be a particularly bad day to be incautious about security, but the tips we’ve given here won’t lose their value when the spending season is over.

If you decide to use Cyber Monday as a reason to take cybersecurity more seriously…

…we urge you to make that a lasting digital lifestyle choice!

DHS hiring puts into question the cybersecurity skills shortage

The cybersecurity skills shortage has been discussed in many different ways over the recent years, but a successful hiring event held by the Department of Homeland Security has some wondering if that event was a sign of optimism or an outlier.

The Department of Homeland Security (DHS) held a two-day hiring event “aimed at filling mission-critical positions to protect our Nation’s cyberspace” in July. According to a new blog post, that event garnered “over 14,000 applicants and over 2,000 walk-ins” and culminated with more than 800 candidate interviews and “close to 150 tentative job offers.”

Angela Bailey, chief human capital officer for the DHS, said in a blog post that the DHS “set out to dispel certain myths regarding cybersecurity hiring,” including the ideas that there is a cybersecurity skills shortage and that organizations cannot hire people “on the spot.”

“While not all of them were qualified, we continue to this day to hire from the wealth of talent made available as a result of our hiring event,” Bailey wrote. “We demonstrated that by having our hiring managers, HR specialists, and personnel security specialists together, we were able to make about 150 job offers within two days. Close to 430 job offers have been made in total, with an original goal of filling around 350 positions.”

Gunter Ollmann, CSO for Vectra Networks, said although the event “was pitched under the banner of cybersecurity it is not clear what types of jobs were actually being filled,” and some positions sounded more “like IT roles with an impact on cybersecurity, rather than cybersecurity specific or even experienced infosec roles.”

“Everyone with a newly minted computer science degree is being encouraged to get into cybersecurity, as the lack of candidates is driving up salaries,” Ollmann told SearchSecurity. “Government jobs have always been popular with recent graduates that managed to scrape through their education, but would unlikely appear on the radar as interns for larger commercial organizations or research-led businesses.”

Chris Sullivan, CISO and CTO for Core Security, agreed that the DHS event may not be indicative of the state of the cybersecurity skills shortage.

“It looks like DHS executed well and had a successful event but we shouldn’t interpret that as a sign that cyber-defender resource problems are over. In fact, every CISO that I speak to has not seen any easing in the availability or cost of experienced resources,” Sullivan said. “In addition, the medium to long term solution requires both formal and on the job training — college curriculum is coming but much of it remains immature. We need resources to train the trainers.”

Derek Manky, global security strategist at Fortinet, warned about putting too much into just a few hundred positions compared to the potentially hundreds of thousands of cybersecurity jobs left unfilled.

“The DHS numbers are relatively small compared with the overall number of unfilled positions,” Manky said. “Part of the solution is to build better technology that requires less human capital to be effective and can evolve to meet shifts in the threat landscape. Additionally, the market needs to better define what skills a cybersecurity professional should hold and use these definitions to focus on efforts that can engage and develop a new generation of cybersecurity talent.”

Rob Sadowski, director of marketing at RSA, the Security Division of EMC, said this event might be cause for optimism regarding the cybersecurity skills shortage.

“The experience that DHS shared is encouraging because it shows a groundswell of interest in cybersecurity careers. This interest and enthusiasm needs to continue across the public and private sector if we are to address the still significant gap in cybersecurity talent that is required in today’s advanced threat world,” Sadowski told SearchSecurity before hedging his bet. “The talent pool in an area such as DC, where many individuals have strong backgrounds in defense or intelligence, security clearances, and public sector agency experience contributes significantly towards building a pool of qualified cybersecurity candidates that may not be present in other parts of the country or the world.”

Bailey attributed some of the success of the DHS event to proper planning and preparation.

“Before the event, we carefully evaluated the security clearance requirements for the open positions. We identified many positions that could be performed fully with a ‘Secret’ rather than a ‘Top Secret’ clearance to broaden our potential applicant pool,” Bailey wrote. “We knew that all too often the security process is where we’ve lost excellent candidates. By beginning the paperwork at the hiring event, we eliminated one of the more daunting steps and helped the candidates become more invested in the process.”

Bailey noted the most important advice in hiring was to not let bureaucracy get in the way.

“The most important lesson learned from our experience is the value of acting collaboratively, quickly, and decisively. My best advice is to just do it,” Bailey wrote. “Don’t spend your precious time deliberating over potential barriers or complications; stop asking Congress for yet another hiring authority or new personnel system, instead capitalize on the existing rules, regulations and hiring authorities available today.”

Sadowski said rapid action is a cornerstone of an effective security program, but noted not all organizations may have that option.

“It’s great that DHS has the luxury to act decisively in hiring, especially from what they saw as a large, qualified pool,” Sadowski said. “However, many private sector organizations may not have this freedom, where qualified potential hires may require significant commitment, investment, and training so that they understand how security impacts that particular business, and how to best leverage the technology that is in place.”

