main

HacksSecurity

How Hackable Is Your Dating App?

February 14, 2019 — by Mike O'Malley0

datingapps-960x653.jpeg

If you’re looking to find a date in 2019, you’re in luck. Dozens of apps and sites exist for this sole purpose – Bumble, Tinder, OKCupid, Match, to name a few. Your next partner could be just a swipe away! But that’s not all; your personal data is likewise a swipe or click away from falling into the hands of cyber criminals (or other creeps).

Online dating, while certainly more popular and acceptable now than it was a decade ago, can be risky. There are top-of-mind risks—does s/he look like their photo? Could this person be a predator?—as well as less prominent (albeit equally important) concerns surrounding data privacy. What, if anything, do your dating apps and sites do to protect your personal data? How hackable are these apps, is there an API where 3rd parties (or hackers) can access your information, and what does that mean for your safety?

Privacy? What Privacy?

A cursory glance at popular dating apps’ privacy policies aren’t exactly comforting. For example, Tinder states, “you should not expect that your personal information, chats, or other communications will always remain secure.” Bumble isn’t much better (“We cannot guarantee the security of your personal data while it is being transmitted to our site and any transmission is at your own risk”) and neither is OKCupid (“As with all technology companies, although we take steps to secure your information, we do not promise, and you should not expect, that your personal information will always remain secure”).

Granted, these are just a few examples, but they paint a concerning picture. These apps and sites house massive amounts of sensitive data—names, locations, birth dates, email addresses, personal interests, and even health statuses—and don’t accept liability for security breaches.

If you’re thinking, “these types of hacks or lapses in privacy aren’t common, there’s no need to panic,” you’re sadly mistaken.

[You may also like: Are Your Applications Secure?]

Hacking Love

The fact is, dating sites and apps have a history of being hacked. In 2015, Ashley Madison, a site for “affairs and discreet married dating,” was notoriously hacked and nearly 37 million customers’ private data was published by hackers.

The following year, BeautifulPeople.com was hacked and the responsible cyber criminals sold the data of 1.1 million users, including personal habits, weight, height, eye color, job, education and more, online. Then there’s the AdultFriendFinder hack, Tinder profile scraping, Jack’d data exposure, and now the very shady practice of data brokers selling online data profiles by the millions.

In other words, between the apparent lack of protection and cyber criminals vying to get a hold of such personal data—whether to sell it for profit, publicly embarrass users, steal identities or build a profile on individuals for compromise—the opportunity and motivation to hack dating apps are high.

[You may also like: Here’s Why Foreign Intelligence Agencies Want Your Data]

Protect Yourself

Dating is hard enough as it is, without the threat of data breaches. So how can you best protect yourself?

First thing’s first: Before you sign up for an app, conduct your due diligence. Does your app use SSL-encrypted data transfers? Does it share your data with third parties? Does it authorize through Facebook (which lacks a certificate verification)? Does the company accept any liability to protect your data?

[You may also like: Ensuring Data Privacy in Public Clouds]

Once you’ve joined a dating app or site, beware of what personal information you share. Oversharing details (education level, job, social media handles, contact information, religion, hobbies, information about your kids, etc.), especially when combined with geo-matching, allows creepy would-be daters to build a playbook on how to target or blackmail you. And if that data is breached and sold or otherwise publicly released, your reputation and safety could be at risk.

Likewise, switch up your profile photos. Because so many apps are connected via Facebook, using the same picture across social platforms lets potential criminals connect the dots and identify you, even if you use an anonymous handle.

Finally, you should use a VPN and ensure your mobile device is up-to-date with security features so that you mitigate cyber risks while you’re swiping left or right.

It’s always better to be safe and secure than sorry.

Read “Radware’s 2018 Web Application Security Report” to learn more.

Download Now

HacksSecurity

Here’s Why Foreign Intelligence Agencies Want Your Data

January 23, 2019 — by Mike O'Malley0

iSpy-960x640.jpg

The implications of the recent Marriott hack go far beyond those of your average data breach. This megabreach of 383M records doesn’t just compromise sensitive data for the sake of fraud or financial gain, it paints a frightening picture of international espionage and personal privacy.

When news broke that hackers working on behalf of a Chinese intelligence agency may be responsible for the Marriott breach, questions abounded. Why would China be interested in loyalty program data by the millions? And why hospitality data?

Could You Be A Target?

Let’s be frank: Foreign intelligence agency actors aren’t exactly interested in earning a free night’s stay at a Marriott property. The answer is potentially far more nefarious. The fact is, data collected from breaches are but one piece of a larger, darker puzzle. Stolen customer data—when combined with travel data (see Delta, Cathay Pacific, and British Airways hacks, among others) and other sources of online personal information (i.e., what we share across social media platforms)—enable intelligence agencies to build profiles on individuals. These profiles can then be leveraged to recruit potential informants, as well as check the travel of known government and intelligence officers against their own government to identify moles.

It’s also critical to note that heads of state and other political VIPs are no longer foreign intelligence agencies’ only marks; ordinary citizens are similarly targeted, especially those who may have unfettered access to troves of company Intellectual Property (IP) that a foreign government may want for their domestic economy.

[You may also like: Will Cyber Serenity Soon Be a Thing of the Past?]

For example, if you work for a cloud storage company whose customers’ data is in an area of interest to an intelligence agency, you may very well become an object of interest. For example, in the FBI’s most recent indictment against foreign intelligence services, Zhu Hua and Zhang Shilong were charged on acting on behalf of the Chinese Ministry of State Security for stealing personal information and IP from companies in various industries including banking and finance, telecom, consumer electronics, healthcare, biotech, automotive, oil and gas, mining and the U.S. Navy.

The Hua/Shilong case is just the latest example of foreign intelligence agencies playing a game of chess while the U.S. is playing checkers. 2018 demonstrated this multiple times: In March, the Justice Department announced that Iranians had, through years-long cyberattacks, stolen intellectual property from over 300 U.S. universities and companies. In July, several Russian agents were indicted for election hacking and in September, North Korea was accused of trying to hurt the U.S. economy through a hack. And, of course, in December, the U.S. government accused China of the Marriott megabreach.  But 2018’s record isn’t unique; France was accused of stealing U.S. IP for French companies in 2014 by the U.S. Secretary of Defense.

In the case of Marriott and other large enterprises like it, CISOs and C-suite executives are focused on individual pieces of data lost, versus the sum of what that data can reveal about an individual as a whole, putting them (and us) at a significant disadvantage. Indeed, the entirety of the digital footprint we create, which can be used to impersonate us or to profile/create leverage on us, is greater than the sum of the individual data parts. Consumers likewise don’t typically consider the bigger picture their personal data paints, regarding their travel patterns, purchasing habits, hobbies, (not so) hidden secrets, social causes and more. Add in breach burnout, wherein the public has become desensitized to countless stories of data exposure, and a perfect storm for harvesting operatives and stealing IP emerges.

[You may also like: AI Considerations in Cyber Defence Automation]

Look at the Whole Picture

Until enterprises view data holistically and realize that any company with valuable IP could be the target of a foreign government on behalf of that company’s foreign competitors, they will continue to play into the hands of transnational threat actors at the expense of consumer safety and national security.

It is critical that organizations incorporate cybersecurity into every fabric of the business, from the C-level down, including training and education, as well as seeking expertise from security service companies who understand how to protect organizations from the capabilities of foreign intelligence groups. And that education must include an understanding how personal, government and business-related information can be used by foreign intelligence agencies, and how corporate IP may be of value to foreign competitors. Whether it’s a game of chess or an intricate puzzle, individuals must look beyond the breach at hand and grasp what’s around the corner.

Read “The Trust Factor: Cybersecurity’s Role in Sustaining Business Momentum” to learn more.

Download Now

HacksSecurity

2018 In Review: Schools Under Attack

December 19, 2018 — by Daniel Smith0

education-under-attack-960x561.jpg

As adoption of education technologies expanded in 2018, school networks were increasingly targeted by ransomware, data theft and denial of service attacks; the FBI even issued an alert warning this September as schools reconvened after summer break.

Every school year, new students join schools’ networks, increasing its risk of exposure. Combined with the growing complexity of connected devices on a school’s network and the use of open-source learning management systems (like Blackboard and Moodle), points of failure multiply. While technology can be a wonderful learning aid and time saver for the education sector, an insecure, compromised network will create delays and incur costs that can negate the benefits of new digital services.

The Vulnerabilities

Some of the biggest adversaries facing school networks are students and the devices they bring onto campus. For example, students attending college typically bring a number of internet-connected devices with them, including personal computers, tablets, cell phones and gaming consoles, all of which connect to their school’s network and present a large range of potential vulnerabilities. What’s more, the activities that some students engage in, such as online gaming and posting and/or trolling on forums, can create additional cybersecurity risks.

In an education environment, attacks–which tend to spike at the beginning of every school year–range from flooding the network to stealing personal data, the effects of which can be long-lasting. Per the aforementioned FBI alert, cyber actors exploited school IT systems by hacking into multiple school district servers across the United States in late 2017, where they “accessed student contact information, education plans, homework assignments, medical records, and counselor reports, and then used that information to contact, extort, and threaten students with physical violence and release of their personal information.” Students have also been known to DoS networks to game their school’s registration system or attack web portals used to submit assignments in an attempt to buy more time.

[You may also like: So easy, a child can do it: 15% of Americans think a grade-schooler can hack a school]

Plus, there are countless IoT devices on any given school network just waiting for a curious student to poke. This year we saw the arrest and trial of Paras Jha, former Rutgers student and co-author of the IoT botnet Mirai, who did just that. Jha pleaded guilty to not only creating the malware, but also to click fraud and targeting Rutgers University with the handle ExFocus. This account harassed the school on multiple occasions and caused long and wide-spread outages via DDoS attacks from his botnet.

What’s more, some higher education networks are prime targets of nation states who are looking to exfiltrate personal identifiable data, research material or other crucial or intellectual property found on a college network.

Why Schools?

As it turns out, school networks are more vulnerable than most other types of organizations. On top of an increased surface attack area, schools are often faced with budgetary restraints preventing them from making necessary security upgrades.

[You may also like: School Networks Getting Hacked – Is it the Students’ Fault?]

Schools’ cybersecurity budgets are 50 percent lower than those in financial or government organizations, and 70 percent lower than in telecom and retail. Of course, that may be because schools estimate the cost of an attack at only $200,000–a fraction of the $500,000 expected by financial firms, $800,000 by retailers, and the $1 million price tag foreseen by health care, government, and tech organizations. But the relatively low estimated cost of an attack doesn’t mean attacks on school networks are any less disruptive. Nearly one-third (31 percent) of attacks against schools are from angry users, a percentage far higher than in other industries. Some 57 percent of schools are hit with malware, the same percentage are victims of social engineering, and 46 percent have experienced ransom attacks.

And yet, 44 percent of schools don’t have an emergency response plan. Hopefully 2019 will be the year schools change that.

Read “Radware’s 2018 Web Application Security Report” to learn more.

Download Now

HacksSecurity

Cybersecurity as a Selling Point: Retailers Take Note

December 13, 2018 — by Jeff Curley0

UK-Retailers-960x640.jpg

UK-based retailers were no strangers to data breaches in 2018. In June, Dixons Carphone announced a breach of 5.9 million customer bank card details and 1.2 million personal data records, and the following month, Fortnum & Mason likewise warned customers that their data had been exposed. In fact, since GDPR took effect in May, more than 8,000 data breach reports have been filed in the UK. Each of these breaches involved a notification to the affected users which, combined with accompanying news coverage, is creating a cultural shift in cybersecurity awareness and redefining people’s online shopping habits.

The fact is, very few businesses have the luxury of occupying a unique position in the market without direct competition, and security can—and does—play a role in influencing consumer brand loyalty. Case in point: Following its 2015 hack, TalkTalk lost 100,000 customers.

Considering these dynamics, it is vital that consumer-facing companies view security and privacy not just as the thing that saves them from harm, but as a competitive advantage to be leveraged to drive trade at the loss of those that do not.

Security Standards Are Shifting

Currently, it is a mixed picture as to which organisations advertise their security acumen to their competitive advantage. Of the top five retailers in the UK, three have primary navigation links—named “Privacy Centre” or something similar—on their homepages directing users to their security standards.  If I had to guess, I’d say all five top retailers will have a primary link to such a resource by the end of next year.

[You may also like: Consumer Sentiments About Cybersecurity and What It Means for Your Organization]

Online banking institutions appear to be the most acutely aware of security’s influence on customer decision making. This is a perhaps unsurprising, given that their security postures are scored by third party organisations such as Which?, across categories such as two-factor authentication login, encryption, safe navigation and logout.

Since the advent of GDPR—which sets out clear guidelines for companies with regard to how they should store data in their systems, how they should identify and report breaches, and more—we are seeing security positioned as a primary consideration in the build of new online services, so-called ‘data protection by design.’  We could not have conceived of this a new phenomenon prior to GDPR, and it will surely result in a fundamentally different online experience for consumers in the coming years.

The Role of AI in Managing Privacy

Security regulations aren’t the only new influence on managing consumer privacy. New technologies, like AI and IoT devices, are likewise impacting online retail experiences. While the top ten UK retailers don’t currently utilize chatbots or similar AI technology on their websites, chatbots are increasing in popularity among organisations that have complex or diverse product ranges (like H&M’s Virtual Assistant for clothing selection guidance).

[You may also like: Consolidation in Consumer Products: Could it Solve the IoT Security Issues?]

As cutting-edge and “cool” as these are, the reality is that any form of online communications can become a vector for cybersecurity attacks. And the newer a technology is, the more likely it will become a focal point for hackers, since gaps tend to exist in technologies that have yet to establish a solid framework of controls. Just ask Delta Airlines and Sears, which suffered targeted attacks on their third-party chat support provider, exposing customer data and payment information.

One of the primary privacy exposures facing these types of online services is the frequency of change in web applications. Decisions on how and when to secure an application can be lost during interactions between developers and security professionals, particularly when code changes can be upwards of thousands per day. How do you reduce this risk? One way is via the application of machine learning to understand and patrol the “good” behavior of web application use, as opposed to chasing the ever-lengthening tail of “bad” behaviors and deploying access control lists.

The Way Forward

By pushing privacy to the forefront of customer experiences, online retailers can differentiate themselves from competitors. A recent Radware survey discovered just how security conscious UK consumers are: They are liable to abandon brand loyalty in exchange for a secure online shopping experience. Organisations would do well to invest in strong cybersecurity if they want to increase trust and attract new customers at key trading periods. Otherwise, retailers stand to lose their competitive advantage by encouraging customers to exercise their true power, their power to go elsewhere.

Read “Consumer Sentiments: Cybersecurity, Personal Data and The Impact on Customer Loyalty” to learn more.

Download Now

Attack MitigationHacksSecurity

Growing Your Business: Security as an Expectation

November 7, 2018 — by Mike O'Malley0

Growing_Your_Business-960x640.jpg

Who is responsible for my device and application security? This is a critical question in today’s growing threat landscape, and one without a clear answer. Despite increases in demands for mobile app and connected device security features, no key players—device manufacturers, consumers, mobile carriers or organizations that consumers do business with via devices—will take responsibility.

While this is certainly problematic, it also represents an opportunity to differentiate your business from competitors by baking security into your platform. Over 70% of C-suite executives report being greatly concerned about data privacy and 66% admit that their network is vulnerable to hacking. In light of this, security must be recognized and acknowledged beyond an add-on or premium feature; it must be treated as an integral feature for any business owner.

The True Cost of Data Insecurity

When security is included as a core component of a business, it strengthens customers’ perceptions of your company. In fact, security itself can be a key selling point that sways customers from competitors. Startups that especially integrate security as part of its foundational architecture have a competitive advantage over companies of all sizes that gloss over security or utilize it as an unsupported, unplanned add-on.

[You may also like: The Million-Dollar Question of Cyber-Risk: Invest Now or Pay Later?]

Indeed, security as an afterthought is a major, and potentially fatal, flaw during a company’s decision-making process. The average cost of a data breach is $3.9 million – an amount enough to put myriad companies in bankruptcy. But costs can be even higher. For example, Yahoo agreed to a settlement of $50 million following its 2013 data breach and had to pay an additional $37.5 million for attorney fees and expenses.  And it didn’t end there; the original $4.83 billion deal to sell Yahoo’s digital services to Verizon was also discounted by $350 million as an added penalty for decreased brand value and to amend for other potential related costs. The true cost of a data breach? Far more than the current visible numbers.

Potential Growth Areas

Instead of approaching security as an extra, optional cost, business owners would do well to view security as a core capability for revenue; the growth potential for security as an integrated core strategy is enormous. Need proof? Just look at the numerous security vulnerabilities that accompany the constant onslaught of innovative hacking threats. Commonplace attacks, like IoT botnets, mobile APIs and malware, show no evidence of going away anytime soon and companies that are prone to system vulnerabilities are at risk. Even threats from a decade ago, such as Trojan malwares, and exploitation of vulnerabilities are still utilized as attacks, either in their original form or through modifications like malware botnet Mirai.

[You may also like: Defending Against the Mirai Botnet]

This is why companies shouldn’t wait for the “perfect” security product; delaying an investment in security only increases a company’s risk factor for being attacked and potentially dooms one to a constant game of catch up—and enormous costs. Conversely, by adding new applications within a secure business framework from the start, businesses can ensure optimal protection without any extreme added costs.

The sooner a business incorporates security as a core piece of the business puzzle, the better they’ll be at protecting and mitigating threats, and capturing new revenue opportunities. 

Don’t let data seep through the cracks. Secure the customer experience now.

Read the “2018 C-Suite Perspectives: Trends in the Cyberattack Landscape, Security Threats and Business Impacts” to learn more.

Download Now

DDoS AttacksHacksSecurity

Hacking Democracy: Vulnerable Voting Infrastructure and the Future of Election Security

November 6, 2018 — by Mike O'Malley1

election_security-960x640.jpg

It’s been two years since international interference sabotaged the United States’ election security, and still the vulnerability of our voting infrastructure remains a major problem. This past May, during Tennessee’s primary election, the Knox County election website fell prey to a DDoS attack. And just days ago, Texas voters experienced “ominous irregularities” from voting machines.

In the lead up to the midterm elections, Radware surveyed Facebook users on the safety of U.S. elections, and the results paint a gloomy picture. The overwhelming majority (93.4 percent) of respondents believe that our election system is vulnerable to targeting and hacking—and they’re correct. What’s more, respondents were unable to suggest long-term tenable solutions when asked how the U.S. can improve its election safety (which is understandable, given the complexity of the issue).

A Seriously Flawed Voting Infrastructure

It is alarmingly quick and easy to hack into U.S. voting systems; just ask the 11-year-old boy who earlier this year demonstrated how he could hack into a replica of the Florida state election website and change voting results in under 10 minutes.

Why is it so easy? A large part of the problem is a lack of consistency among state election systems in either protocols or equipment. Voting equipment varies from paper ballots, to punch cards to electronic touch screens. Some states manually count votes while others use automation. Because of these many variables, each state has different security flaws and different vulnerability of being hacked.

There are roughly 350,000 voting machines used in the U.S. today, according to Verified Voting. There are two types of machines: direct-recording electronic (DRE) machines, which are digital and allow voters to touch a screen to make their selections, and optical-scan systems. Optical-scan machines allow voters to make their selections on a paper ballot, which gets fed into an optical scanner and can be used later to verify the digital results. The DREs are of particular concern because all models are vulnerable to hacking. And because DREs do not provide a hard copy of the vote, it is difficult to double-check results for signs of manipulation.

[You may also like: Can Hackers Ruin America’s Election Day?]

Additionally, voting machines need to be programmed with ballot information, which likely happens by direct connection to the Internet. Precinct results are often centrally tabulated by state and local governments over their various local area networks, adding even more points of potential hacking and vote manipulation.

Multiple voting machines, multiple connection points, multiple network architectures, multiple tabulation systems. There is no consistent framework to secure thousands of potential different weaknesses.

Today, the burden lies with local municipalities, which are ill-equipped to deal with sophisticated, nationally-organized cyber security attacks by hostile foreign governments. That’s the bad news. But the good news is that we can do something about it.

We Need to Reboot

This midterm election, it’s estimated that 1 in 5 Americans will cast ballots on machines that do not produce a paper record of their votes. This is highly problematic when you consider that the Department of Homeland Security (DHS) identified election system hacking in 21 states—nearly half of the country—last September. If left unaddressed, these vulnerabilities will continue to threaten national security and our democratic system.

The federal government, through DHS, needs to help municipalities and government workers minimize risks and become smarter about election hacking issues by taking these steps:

  • Teach administrative staff about phishing scams, DDoS attacks, etc.  While election officials and staff are trained on the proper procedures and deployment of their voting systems, it is also important that be educated on cybersecurity events so that they are not as likely to fall prey to them and compromise local networks.
  • Do not open any attachments without confirming the attachment came from a trusted source. Attachments are one of the biggest security risks, particularly attachments coming from unknown, suspicious or untrustworthy sources.
  • Use best practices for password protection such as two-factor authentication so that security is maximized. This method confirms users’ identities through a combination of two different factors: something they know and something they have, like using an ATM bank card which requires the correct combination of a bank card (something that the user has) and a PIN (something that the user knows).
  • Keep all software updated. Turn on auto-updates on your phone and laptops – don’t wait to apply them.
  • Check for firmware updates on all printer and network devices as part of your regular patch management schedule as these devices can be weaponized. Updates can add new or improved security features and patch known security holes.
  • Do not conduct any non-government related activity while connected to the network – fantasy football, signing your kid up for soccer, etc.

[You may also like: DDOS Protection is the Foundation for Application Site and Data Availability]

The Future of Election Security

Looking forward, innovative technologies such as blockchain, digital IDs and electronic signatures should be considered on a single, national voting network. Some states, like West Virginia, have already deployed pilot programs enabling voting via a blockchain network to store and secure digital votes.

The threat of interference remains until we are on a secure nationwide election system. To preserve the democratic value of one person one vote, the U.S. must make the necessary security upgrades to prevent voter fraud, foreign influence campaigns and hacking of our election infrastructure. Federal legislation needs to be introduced to make this happen. Protecting our elections is a matter of national security, requiring immediate action and coordination at all levels of government.

 

Read “Radware’s 2018 Web Application Security Report” to learn more.

Download Now

Application DeliveryHacksSSL

Network Security Does Not Matter When You Invite the Hacker Inside

March 9, 2017 — by Frank Yue0

outbound-ssl-inspection-960x540.jpg

We build security solutions to protect our networks from the rest of the internet, but do we do anything to protect the network from our own employees and users?  The first line of protection for your networks is not the firewall or other perimeter security device, it is the education and protection of the people that use the network.  People are concerned about having their apartments or homes broken into so they put locks on the doors, install alarm systems, or put surveillance equipment like security cameras around the property.  They are vigilant about making sure that an unauthorized intruder cannot enter the home easily without detection and alarms being raised.

DDoSHacksSecurity

Is Heat Your Thermostat’s First Priority?

December 1, 2016 — by Pascal Geenens0

Radware_Thermostat_Hack_Cartoon-960x960.png

Mirai has been popping on and off the news and is becoming a commodity resource for large scale DDoS attacks. Although most of the security community have been debating and warning about the IoT threat, there is only evidence for a very specific class of devices being involved in the Mirai attacks. As we came to know the source code and security researchers started to investigate the victimized devices, it was clear that a common class of devices stood out in the list compiled by Krebs: IP cameras, DVRs and a handful of routers. What made them better candidates than your smart toaster or your cloud connected thermostat? The fact that routers are in the list should not be surprising, those devices are per definition connected to the internet and are clearly #1 on the pwning list, which was proven again recently when 900,000 routers from DT where taken offline for service as a result of what is supposed to be an adapted version of Mirai using a remote code execution (RCE) vulnerability through the TR-069 CPE WAN management protocol.

HacksSecurity

Social Engineering

November 17, 2016 — by Daniel Smith0

social-engineering-960x643.jpg

Social Engineering is a process of psychological manipulation, more commonly known in our world as human hacking. The sad reality behind Social Engineering is it is very easy to do. In fact, it’s so easy that even a teenager can do it and destroy your company, all on a Friday night. The goal is to have the targeted victim divulge confidential information or give you unauthorized access because you have played off their natural human emotion of wanting to help. Being nice is a human trait and everyone wants to be kind and helpful. If you give someone the opportunity to save the day or to feel helpful, they will most likely divulge the information required. Most of the time the attacker’s motives are to either gather information for a future attack, to commit fraud or to gain system access for malicious activity.

Older Posts