Archive for Data Security

Blockchain To Stop Counterfeit Disk-Drive Products

Data storage company Seagate Technology (Seagate) and IBM are reported to be working together, using blockchain and advanced cryptographic product-identification technology, to reduce counterfeiting of disk-drive products.

What’s The Problem?

The problem facing Seagate and other manufacturers, integrators, and business partners is that counterfeit hard disk drives (HDDs) are being offered for sale online. These are usually sub-standard counterfeit drives, or old drives that have been re-labelled with false claims of higher speed and greater capacity.

The scale of the counterfeiting problem faced by electronics companies is illustrated by International Anti-Counterfeiting Coalition figures which show that global trade in counterfeit and pirated electronic products is now worth more than US $1.7 Trillion!

What Is Blockchain and How Can It Help?

Blockchain, the open-source, free technology behind crypto-currencies like Bitcoin, is a distributed ledger maintained by a peer-to-peer network and designed to be incorruptible, allowing multiple parties to transfer value in a secure and transparent way. Nic Cary, co-founder of the company Blockchain, describes it as being like “a big spreadsheet in the cloud that anyone can use, but no one can erase or modify”.

IBM has considerable blockchain expertise: its Blockchain Platform, which runs on the IBM Cloud and is powered by the Linux Foundation’s Hyperledger Fabric distributed ledger framework, enables network participants to append and view blockchain data.

Under the collaboration, whenever Seagate manufactures a hard drive it will update the IBM blockchain platform with product-authentication data that includes the drive’s Seagate Secure Electronic ID (eID). The eID is a kind of electronic fingerprint that can verify the identity of a hard drive at any point in its product life cycle. Seagate will also use its cryptographic erasure technology (Certified Erase) to electronically sign the drive using the Seagate Secure public key infrastructure (PKI), and this data too will be added to IBM’s blockchain platform.

With all this unique product-identifying data stored in a secure and incorruptible blockchain on IBM’s cloud, technology vendors, service providers and end users will (depending on their permissions) be able to check a disk-drive product’s provenance on the blockchain.
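The mechanism described above, appending signed product records to an append-only ledger and letting anyone with the manufacturer’s public key check a drive’s history, can be shown in miniature. The following Go program is an added example, not Seagate’s or IBM’s code and not Hyperledger Fabric: it uses an Ed25519 key pair to stand in for the Seagate Secure PKI signing key, a SHA-256 hash chain to stand in for the ledger, and an assumed record format (eID plus lifecycle event) with constructed eID values. Only the key holder can append records that verify; a tampered record breaks the chain, and an eID that was never recorded has no provenance at all.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Record is one product-authentication entry the manufacturer appends.
// The fields are an assumption for this example; the page only says the
// ledger holds the eID plus signed Certified Erase data.
type Record struct {
	EID   string // electronic ID of the drive (constructed values in main)
	Event string // lifecycle event, e.g. "manufactured" or "certified-erase"
}

// Block ties a record to every block before it through PrevHash and carries
// the manufacturer's signature, so a record can be neither altered nor forged
// by anyone without the signing key.
type Block struct {
	Rec      Record
	PrevHash [32]byte
	Hash     [32]byte
	Sig      []byte
}

// signingInput is the byte string that is hashed and signed for a block.
func signingInput(rec Record, prev [32]byte) []byte {
	return []byte(rec.EID + "|" + rec.Event + "|" + hex.EncodeToString(prev[:]))
}

// Ledger is the append-only chain plus the manufacturer's public key, which
// is all a distributor or end user needs in order to verify provenance.
type Ledger struct {
	Blocks []Block
	Pub    ed25519.PublicKey
}

// Append adds a record signed with the manufacturer's private key.
func (l *Ledger) Append(priv ed25519.PrivateKey, rec Record) {
	var prev [32]byte
	if n := len(l.Blocks); n > 0 {
		prev = l.Blocks[n-1].Hash
	}
	in := signingInput(rec, prev)
	l.Blocks = append(l.Blocks, Block{
		Rec: rec, PrevHash: prev, Hash: sha256.Sum256(in), Sig: ed25519.Sign(priv, in),
	})
}

// Verify walks the chain and checks every link and every signature.
func (l *Ledger) Verify() error {
	var prev [32]byte
	for i, b := range l.Blocks {
		in := signingInput(b.Rec, prev)
		switch {
		case b.PrevHash != prev:
			return fmt.Errorf("block %d: chain link broken", i)
		case sha256.Sum256(in) != b.Hash:
			return fmt.Errorf("block %d: contents do not match recorded hash", i)
		case !ed25519.Verify(l.Pub, in, b.Sig):
			return fmt.Errorf("block %d: signature not from the manufacturer", i)
		}
		prev = b.Hash
	}
	return nil
}

// Provenance returns the recorded lifecycle events for a drive's eID. A drive
// whose eID never appears on a valid ledger cannot be shown to be genuine.
func (l *Ledger) Provenance(eid string) ([]string, error) {
	if err := l.Verify(); err != nil {
		return nil, err
	}
	var events []string
	for _, b := range l.Blocks {
		if b.Rec.EID == eid {
			events = append(events, b.Rec.Event)
		}
	}
	if len(events) == 0 {
		return nil, errors.New("eID not on ledger: provenance cannot be established")
	}
	return events, nil
}

// NewManufacturerKeys generates the Ed25519 key pair that stands in for the
// manufacturer's PKI signing key in this example.
func NewManufacturerKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func main() {
	pub, priv := NewManufacturerKeys()
	ledger := &Ledger{Pub: pub}
	ledger.Append(priv, Record{EID: "EID-0001", Event: "manufactured"}) // constructed eID
	ledger.Append(priv, Record{EID: "EID-0001", Event: "certified-erase"})
	fmt.Println(ledger.Provenance("EID-0001")) // [manufactured certified-erase] <nil>
	fmt.Println(ledger.Provenance("EID-9999")) // never recorded: unverifiable drive

	// A re-labelled drive: someone edits their copy of the ledger to claim a
	// different model. Verification now fails and the history is rejected.
	ledger.Blocks[0].Rec.Event = "manufactured-as-larger-model"
	fmt.Println(ledger.Provenance("EID-0001"))
}
```

In a permissioned network such as the one the article describes, the chain would be replicated across several organisations’ nodes, so a tampered local copy would also disagree with every other copy; the signature check is what stops a party other than the manufacturer from adding records at all.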

The Results

The hope, of course, is that an indisputable record of events from manufacturing through to end-of-life for Seagate’s products will reduce data loss, cut warranty costs, go some way towards tackling the counterfeiting problem, and improve customer confidence.

What Does This Mean For Your Business?

This is another example of how businesses are only just beginning to realise the potential of blockchain and what it can offer.  Blockchain has so far proven itself to be particularly useful in applications where authentication, provenance, and proof of different aspects of a supply chain are needed.  For example, an IBM-based blockchain ledger has been used to record data about wine certification, ownership and storage history, and blockchain has been used to record the temperature of sensitive medicines being transported from manufacturers to hospitals in hot climates.  It makes sense, therefore, that blockchain could be an ideal solution in the fight against counterfeiting of electrical and other products and items.

VMware recently joined Microsoft and other companies in offering a blockchain-as-a-service product to companies.

Facial Recognition For Border Control

It has been reported that the UK Home Office will soon be using biometric facial recognition technology in a smartphone app to match a user’s selfie against the image read from a user’s passport chip as a means of self-service identity verification for UK border control.

Dutch & UK Technology

The self-service identity verification ‘enrolment service’ uses biometric facial recognition technology developed in partnership with WorldReach Software, an immigration and border management company, with support from the Dutch contactless document firm ReadID.

Flashmark By iProov

Flashmark technology, which will be used to provide the biometric matching of a user’s selfie against the image read from the passport chip, was developed by a London-based firm called iProov. The idea behind it is to prove that the person presenting themselves at the border for verification is genuinely the owner of an ID credential, and not a photo, screen image, recording or doctored video.

Flashmark works by illuminating a person’s face with a sequence of colours; the reflected light is then analysed to determine whether a real face is present that matches the image being presented.

iProov is a big name in the biometric border-control technology world, having won the 2017 National Cyber Security Centre’s Cyber Den competition at CyberUK, and having won a contract from the US Department of Homeland Security (DHS) Science and Technology Directorate’s Silicon Valley Innovation Program. In fact, iProov was the first British and non-US company to be awarded a contract by the DHS to enable travellers to use self-service document checks at border crossing points.

Smartphone App

The new smartphone-based digital identity verification app from iProov has been developed to help support applications for The EU Settlement Scheme.  This is the mechanism for resident EU citizens, their family members, and the family members of certain British citizens, to apply on a voluntary basis for the UK immigration status which they will need to remain in the UK beyond the end of the planned post-exit implementation period on 31 December 2020.

It is believed that the smartphone app will help the UK Home Office to deliver secure, easy-to-use interactions with individuals.

What Does This Mean For Your Business?

Accurate and secure automated biometric / facial recognition and identity verification systems have many business applications and are becoming more popular. For example, iProov’s technology is already used by banks (ING in the Netherlands) and governments around the world, and banks such as Barclays already use voice authentication for telephone banking customers.

Biometrics are already used by the UK government. For example, in the biometric residence permit (BRP) system, those planning to stay longer than 6 months, or applying to settle in the UK, need a biometric permit. This permit includes details such as name, date and place of birth, a scan of the applicant’s fingerprints and a digital photo of the applicant’s face (this is the biometric information), immigration status and conditions, and information about access to public funds (benefits and health services).

Many people are already used to using some biometric element as security on their mobile device, e.g. facial recognition, fingerprint, or even Samsung’s iris scanner on its Note ‘phablet’. Using a smartphone-based identity verification app for border purposes is therefore not such a huge step, and many of us are used to having our faces scanned and matched with our passports anyway as part of UK border control’s move towards automation.

Smartphone apps have obvious cost and time savings as well as convenience benefits, plus biometrics provide a reliable and more secure verification system for services than passwords or paper documents. There are, of course, matters of privacy and security to consider, and as well as an obvious ‘big brother’ element, it is right that people should be concerned about where, and how securely their biometric details are stored.

Jail For Car Accident Data Thief

An employee at a vehicle accident repair centre who stole the data of customers and passed it to a company that made nuisance phone calls has been jailed for 6 months following an investigation by the Information Commissioner’s Office (ICO).

Used Former Co-Worker’s Login To Company Computer

The employee of Nationwide Accident Repair Services, Mustafa Kasim, used a former co-worker’s login details to access software on the company computer system (Audatex) that was used to estimate repair costs. The software also stored the personal data (names and phone numbers) of the owners of the vehicles, and it was the personal data of thousands of customers that Mr Kasim took without the company’s permission and then passed on to a claims management company, which made unsolicited phone calls to those people.

ICO Contacted

Mr Kasim was unmasked as the data thief after the Accident Repair Company noticed that several clients had made complaints that they were being targeted by nuisance calls, and this led to the decision to get the ICO involved.

During the investigation, it was discovered that Mr Kasim continued to take and pass on customer data even after he started a new job at a different car repair organisation which used the same Audatex software system.
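Two things in this story are detectable from ordinary application audit logs: an account whose owner has left the company still being used, and one account pulling far more customer records in a day than its job requires. The following Go program is an added example, not code from the ICO, Audatex or the original post; it assumes a simple constructed log format (“date user=… action=… records=…”), a constructed leaver list, and an assumed daily export threshold, and raises an alert for each condition.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Event is one parsed line of an application audit log in the constructed
// format "<YYYY-MM-DD> user=<id> action=<login|export> [records=<n>]".
// The format is an assumption for this example.
type Event struct {
	When    time.Time
	User    string
	Action  string
	Records int
}

// MustDate parses a YYYY-MM-DD date or panics (used to build fixtures).
func MustDate(s string) time.Time {
	t, err := time.Parse("2006-01-02", s)
	if err != nil {
		panic(err)
	}
	return t
}

func parseEvent(line string) (Event, error) {
	fields := strings.Fields(line)
	if len(fields) < 3 {
		return Event{}, fmt.Errorf("malformed audit line: %q", line)
	}
	when, err := time.Parse("2006-01-02", fields[0])
	if err != nil {
		return Event{}, err
	}
	ev := Event{When: when}
	for _, kv := range fields[1:] {
		key, val, _ := strings.Cut(kv, "=")
		switch key {
		case "user":
			ev.User = val
		case "action":
			ev.Action = val
		case "records":
			if ev.Records, err = strconv.Atoi(val); err != nil {
				return Event{}, err
			}
		}
	}
	return ev, nil
}

// Analyse raises two kinds of alert over the log:
//   - any activity on an account whose owner has left (the account should
//     have been disabled on their leaving date), reported once per account;
//   - a single account exporting more than exportThreshold records in one
//     day, which is how "thousands of customers" leaving would show up.
func Analyse(log string, leavers map[string]time.Time, exportThreshold int) ([]string, error) {
	var alerts []string
	flaggedLeaver := map[string]bool{}
	dailyExports := map[string]int{} // key: user|date
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		ev, err := parseEvent(line)
		if err != nil {
			return nil, err
		}
		day := ev.When.Format("2006-01-02")
		if left, ok := leavers[ev.User]; ok && ev.When.After(left) && !flaggedLeaver[ev.User] {
			flaggedLeaver[ev.User] = true
			alerts = append(alerts, fmt.Sprintf("%s: account %s active after its owner left on %s",
				day, ev.User, left.Format("2006-01-02")))
		}
		if ev.Action == "export" {
			key := ev.User + "|" + day
			before := dailyExports[key]
			dailyExports[key] += ev.Records
			if before <= exportThreshold && dailyExports[key] > exportThreshold {
				alerts = append(alerts, fmt.Sprintf("%s: account %s exported %d records in one day (threshold %d)",
					day, ev.User, dailyExports[key], exportThreshold))
			}
		}
	}
	return alerts, sc.Err()
}

// SampleLog is a constructed audit excerpt, not real data.
const SampleLog = `
2018-04-02 user=a.jones action=login
2018-04-02 user=a.jones action=export records=800
2018-04-02 user=a.jones action=export records=900
2018-04-03 user=b.khan action=export records=40
`

func main() {
	leavers := map[string]time.Time{"a.jones": MustDate("2018-03-31")} // constructed leaver list
	alerts, err := Analyse(SampleLog, leavers, 1000)
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Println(a)
	}
}
```

The leaver check is the cheap one and the one this case turns on: reconciling active accounts against HR’s leaver list would have caught the shared credential on its first use after the co-worker left, regardless of how many records were later exported.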

First With A Prison Sentence

What makes this case so unusual is that it is the first prosecution to be brought by the Information Commissioner’s Office (ICO) under legislation which carries a potential prison sentence.

Computer Misuse Act

Even though the ICO would normally prosecute this kind of case under the Data Protection Act 1998 or 2018, which carry fines rather than prison sentences, in Mr Kasim’s case it was judged that the nature and extent of the criminal behaviour warranted making a wider range of penalties available to the court. It was decided, therefore, that s.1 of the Computer Misuse Act 1990 would be used in the prosecution, and it was the offences under that Act that resulted in the 6-month prison sentence Mr Kasim received.

What Does This Mean For Your Business?

Since preparing for GDPR, many companies have become much more conscious of the value of personal data, the importance of protecting customer data, and the possible penalties and consequences of failing to do so. In this case, the ICO acknowledged that the reputational damage to companies whose data is stolen in this way (here, Nationwide Accident Repair Services and Audatex) can be immeasurable. The ICO also noted the anxiety and distress caused to the accident repair company’s customers who received nuisance calls.

This case was also a way for the ICO to send a powerful message that obtaining and disclosing personal data without permission is something that will be taken very seriously, and that the ICO will push boundaries and be seen to use any tool at its disposal to protect the data protection rights of individuals. The case also serves as a reminder to businesses that looking at ways to provide the maximum protection of customer data and plug any loopholes is a worthwhile ongoing process, and that threats can come from within as well as from cyber criminals on the outside.

Fatal Security Flaws Discovered in Solid State Drives (SSDs)

Researchers from Radboud University in the Netherlands have released a paper highlighting several security flaws that they’ve discovered in SSDs, which mean that data on a flash disk can be recovered in more than one way, even if the drive is supposedly self-encrypting.

What Is An SSD?

An SSD is a solid-state storage device that uses integrated circuit assemblies (memory chips on a circuit board with an I/O interface to feed power and transfer data) as memory to store data persistently. Even though it doesn’t actually contain a physical disk, it is sometimes called a solid-state disk.

Hardware Encryption Not Better Than Software Encryption

The popular belief is that AES encryption implemented in the drive itself (via the ATA Security and TCG Opal mechanisms) should stop anyone accessing data on a drive that has been removed from its home system, and that hardware encryption is similar to or better than software encryption; the findings of the research appear to disprove this.

Not Just Cheap Drives Vulnerable

The research looked at top-of-the-range drives including models by Crucial and Samsung, and found that only the T3 and T5 (external) drives remained secure, whereas the others were found to have fatal vulnerabilities, some exploitable without attacking the cryptography at all. Even BitLocker, the Microsoft encryption software shipped with Windows, was found to be affected. According to the research, the vulnerabilities are such, across the range of vendors, that determined attackers could access data on many so-called encrypted drives without any keys or passwords.

Vulnerable To A Range Of Attack Methods

Through the reverse-engineering of the firmware of a sample of SSDs, the researchers were able to discover a number of vulnerabilities in self-encrypting SSDs that can leave them open to a range of attacks and exploits. These could include attackers seizing full control of the CPU, corrupting memory, and cracking default passwords, thereby bypassing a custom password set by a user.

Example

The researchers provided a case study of how an attacker could try to breach a locked Crucial MX300 drive with encryption via TCG Opal. The case study outlines how an attacker could install modified firmware that includes read/write capabilities, and then, if encryption is performed via TCG Opal, write executable code to bypass several layers of security, and thereby access the precious data.

What Does This Mean For Your Business?

The discovery by the researchers shows that hardware-based encryption is far less secure than businesses may have thought and that hardware-based full-disk encryption may not, in fact, be a more secure alternative to software-based methods. Also, it seems that the security flaws are in leading products across multiple vendors.

Businesses may, therefore, be best advised not to rely solely on hardware encryption as offered by SSDs for confidentiality. In fact, it may be better to also employ an open source, audited, software full-disk encryption solution.

As well as alerting businesses to the risks of relying solely on the apparently flawed hardware encryption offered by SSDs, this story should surely make vendors take another close look at their SSD products and how the security of them can be improved.

IBM Security Expert Says Prepare For Quantum

As businesses come to realise that they may be required to store some data for decades, encrypted data needs to remain secure well beyond its useful life. With this in mind, Christiane Peters, security architect for Benelux at IBM, is suggesting that businesses should start preparing now to implement post-quantum data protection.

Post What?

The suggestion is that, in a relatively short time, quantum computers will be commercially available. One threat from this could be that quantum computers in criminal hands could be used to try and crack encrypted business data. For example, in the US, the National Security Agency (NSA) warned back in 2015 that progress in quantum computing was at such a point that organisations should deploy encryption algorithms that can withstand such attacks from quantum computers.

The encryption algorithms that can stand up to attacks from quantum computers are known by several names including post-quantum cryptography / quantum-proof cryptography, and quantum-safe / quantum-resistant cryptographic (usually public-key) algorithms.

What’s The Problem?

Ultimately, with technology advancing so rapidly and with organisations needing to keep some data for long periods, there is a risk that, even though sensitive data is stored in secure encrypted form now, that encryption could be cracked in the not-too-distant future by cyber-criminals with access to commercial supercomputers. If the encryption can be cracked, data is no longer safe even if it was encrypted when stolen: encrypted data lost or stolen in a breach this year could be read in the future. Indeed, it is known that some data is being stolen today with this in mind.

How To Prepare Now For Quantum Computer Risk

Christiane Peters is reported as suggesting that ways in which companies could prepare to counter the encryption code-cracking risk posed by the ability of cyber-criminals to use commercially available quantum computers include:

  • Developing / updating crypto policies.
  • Creating an inventory of all systems and applications using cryptography.
  • Classifying data and mapping data flows.
  • Creating an enterprise-specific outlook and timeline for quantum safe crypto.
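The second step, an inventory of where cryptography is used and which algorithms, is the one that can be started mechanically. The following Go program is an added example, not IBM’s or Christiane Peters’ tooling: it builds a constructed PEM certificate bundle (one RSA-2048 and one ECDSA P-256 certificate, generated in-process so the example runs offline), classifies each public key, and classifies two symmetric keys. The classification follows the standard reasoning: RSA and elliptic-curve public-key algorithms are broken by Shor’s algorithm on a sufficiently large quantum computer, while Grover’s algorithm only roughly halves symmetric key strength, so 256-bit AES keys are kept and 128-bit keys are flagged for long-lived data. The “where” labels are assumed names for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Finding is one line of the crypto inventory.
type Finding struct {
	Where       string // which system or file the key was found in (assumed labels)
	Algorithm   string
	KeyBits     int
	QuantumSafe bool
	Advice      string
}

// classifyPublicKey: RSA and elliptic-curve schemes fall to Shor's algorithm,
// so every one of them is a migration item regardless of key size.
func classifyPublicKey(where string, pub any) Finding {
	const advice = "replace with a post-quantum signature/KEM scheme"
	switch k := pub.(type) {
	case *rsa.PublicKey:
		return Finding{Where: where, Algorithm: "RSA", KeyBits: k.N.BitLen(), Advice: advice}
	case *ecdsa.PublicKey:
		p := k.Curve.Params()
		return Finding{Where: where, Algorithm: "ECDSA " + p.Name, KeyBits: p.BitSize, Advice: advice}
	}
	return Finding{Where: where, Algorithm: fmt.Sprintf("%T", pub), Advice: "unknown algorithm: review manually"}
}

// ClassifySymmetric: Grover's algorithm roughly halves symmetric strength, so
// 256-bit keys keep ~128-bit security and 128-bit keys are flagged.
func ClassifySymmetric(where, alg string, bits int) Finding {
	if bits >= 256 {
		return Finding{Where: where, Algorithm: alg, KeyBits: bits, QuantumSafe: true, Advice: "keep"}
	}
	return Finding{Where: where, Algorithm: alg, KeyBits: bits, Advice: "move to 256-bit keys for long-lived data"}
}

// InventoryCertificates classifies the public key of every CERTIFICATE block.
func InventoryCertificates(where string, pemData []byte) ([]Finding, error) {
	var out []Finding
	for {
		var block *pem.Block
		block, pemData = pem.Decode(pemData)
		if block == nil {
			return out, nil
		}
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		out = append(out, classifyPublicKey(where+":"+cert.Subject.CommonName, cert.PublicKey))
	}
}

// selfSignedPEM makes a throwaway certificate so the example runs offline.
func selfSignedPEM(cn string, pub, priv any) []byte {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// SampleBundle is a constructed certificate store: one RSA-2048 and one
// ECDSA P-256 certificate.
func SampleBundle() []byte {
	rsaKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	ecKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return append(selfSignedPEM("rsa.example.test", &rsaKey.PublicKey, rsaKey),
		selfSignedPEM("ec.example.test", &ecKey.PublicKey, ecKey)...)
}

func main() {
	findings, err := InventoryCertificates("web-frontend", SampleBundle())
	if err != nil {
		panic(err)
	}
	findings = append(findings,
		ClassifySymmetric("backup-archive", "AES", 128),
		ClassifySymmetric("database-tde", "AES", 256))
	for _, f := range findings {
		fmt.Printf("%-30s %-12s %4d bits  quantum-safe=%-5v  %s\n",
			f.Where, f.Algorithm, f.KeyBits, f.QuantumSafe, f.Advice)
	}
}
```

Run against a real estate, the certificate walk is the easy part; the same classification has to be applied to TLS cipher-suite settings, SSH host keys, code-signing keys and any data at rest whose retention period outlasts the expected arrival of a cryptographically relevant quantum computer, which is what the “timeline” step in the list above is for.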

Developing a Post-Quantum Implementation Strategy

Encryption is just one way to protect data, and combining other capabilities with it will improve overall cyber resilience over time. For example, companies could also focus on certificate management, mobile device management, application scanning, data loss prevention, security incident response, access control, data classification and digital forensics.

Personal Data Protection Could Pay Off In The Long Term

Christiane Peters, commenting on the findings of a Ponemon Institute study, has also pointed out that, as well as preparing for the security of cryptography in the post-quantum era, businesses that are able to focus on data protection could, by investing in security and encryption now, reap the benefits in the longer term. For example, the report shows that the average cost saving with extensive use of encryption is $13 per data record.

What Does This Mean For Your Business?

What the experts appear to be saying is that even though the use of robust, high-assurance encryption technologies may make the decrypting of protected data impossible in the short-term, this may not always be the case. The power of super-computers may mean that, quite soon, criminals may be able to crack encryption codes. In order to ensure that sensitive company data, particularly personal data is safe in the longer term, companies may want to start looking into ways that they can prepare for quantum data protection standards.

Ubicoustics Overhears Everything You Do … And Understands

Researchers in the US have presented a paper based on their research that identified a real-time, activity recognition system capable of interpreting collected sounds that could well be used by home smart speakers.

Identify Other Sounds, and Issue Responses

Researchers at Carnegie Mellon University in the US claim to have found a way in which the ubiquity of microphones in modern computing devices, together with software using a device’s always-on built-in microphone, could be used to identify all the sounds in a room, thereby enabling context-related responses from smart devices. For example, if a smart device such as an Amazon Echo were equipped with the technology and could identify the sound of a tap running in the background, it could issue a reminder to turn the tap off.

Ubicoustics

The research project, dubbed ‘Ubicoustics’, showed how an AI / machine-learning sound-labelling model, trained on sound-effects libraries, could be linked to the microphone (as the listening element) of a smart device, e.g. smart-watches, computers, mobile devices, and smart speakers.

As Good As A Human

The sound-identifying, machine-learning model used in the research system was able to achieve human-level performance in recognition accuracy and false positive rejection. The reported accuracy level of 80.4%, and the misclassification level of around one sound in five sounds, means that it is comparable to a person trying to identify a sound.

As well as being comparable to other high-performance sound recognition systems, the Ubicoustics system has the added benefit of being able to recognise a much wider range of activities without site-specific training.

Applications

The researchers noted several possible applications of the system used in conjunction with smart devices, e.g. sending a notification when a laundry load has finished, promoting public health by detecting frequent coughs or sneezes, and enabling smart-watches to prompt healthy behaviours after tracking the onset of symptoms.

Privacy Concerns

The obvious worry with a system of this kind is that it could represent an invasion of privacy and could be used to take eavesdropping to a new level i.e. meaning that we could all be living in what is essentially a bugged house.

The researchers suggest a potential privacy protection measure could be to convert all live audio data into low resolution Mel spectrograms (64 bins), thereby making speech recovery sufficiently difficult, or simply running the acoustic model locally on devices so no audio data is transmitted.

What Does This Mean For Your Business?

The ability of a smart device to recognise all the sounds in a room (as well as a person can) and to deliver relevant responses could be valued if used in a responsible, helpful and unobtrusive way. That does not alter the fact that having a device with these capabilities in the home or office could represent a privacy and security risk, and has more than a whiff of ‘big brother’ about it. Indeed, the researchers recognised that people may not want sensitive, fine-grained data going to third parties, and that operating a device with this system without transmitting the data could provide a competitive edge in the marketplace.

Nevertheless, it could also represent new opportunities for customer service, diagnostics for home and business products / services, crime detection and prevention, targeted promotions, and a whole range of other possibilities.

Browser Support For Early Versions of TLS To End

The makers of all popular browsers – IE, Edge, Safari, Firefox, and Chrome included – have announced plans to disable Transport Layer Security (TLS) protocol versions 1.0 and 1.1 by default.

TLS

Transport Layer Security (TLS) 1.0 and 1.1 are early versions of the protocol used to encrypt connections to HTTPS websites. Their job is to provide confidentiality and integrity for data in transit between clients and servers.

This week, and not unexpectedly, all the big browser manufacturers released co-ordinated announcements that TLS 1.0, which will be 20 years old next January, and TLS 1.1 will no longer be supported by their browsers. Newer, updated versions of the security protocol will be favoured instead.

Why?

The reasons given for dropping these versions of the protocol are that:

  • They are now rarely used. For example, Microsoft announced that fewer than “one per cent of daily connections in Microsoft Edge are using TLS 1.0 or 1.1”, and Apple, more precisely, puts the figure at less than 0.36% of all connections.
  • 20 years is a long time for a security technology to stand unmodified, and the newer successor versions of TLS, e.g. TLS 1.3, are more advanced, provide better performance and are more secure.
  • The finalisation of TLS 1.3 by the Internet Engineering Task Force (IETF) in August 2018 means that the proportion of legacy TLS connections will drop even further, and TLS 1.2 is also required for HTTP/2, which should bring performance improvements for the web. Also, vulnerabilities in versions 1.0 and 1.1 will no longer be addressed by the IETF.
  • The old versions of TLS rely on MD5 and SHA-1, both now broken, and are thought to contain other flaws.

When?

Each browser maker has given slightly different dates for formally dropping TLS 1.0 and 1.1. For Microsoft browsers it will be later this year. For Apple, support for TLS 1.0 and 1.1 will end in March 2020. For Mozilla, March 2020 will also be the removal date, and for Google browser users on early release channels the date will be January 2020.

What Does This Mean For Your Business?

It is understandable that, with these versions being very old and unmodified, and not used by many connections, and with newer, more secure and better performance versions available, now is a good time to end default support for TLS 1.0 and 1.1. We are told that the newer successor versions offer greater security and performance and less vulnerability to certain types of attack e.g. BEAST, LogJam and FREAK (Factoring RSA Export Keys). These benefits are, of course, likely to be attractive to most businesses.

News of the co-ordinated killing-off of these two versions of the protocol may not, of course, be such great news to those whose websites still use only TLS 1.0 or 1.1, because browsers will soon flag those websites as insecure or state that they are unable to connect.
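The server side of this change is a one-line policy setting, and the effect on visitors can be tried without leaving the machine. The following Go program is an added example, not code from any of the browser makers or from the original post: it uses Go’s crypto/tls and net/http/httptest (which supplies a throwaway localhost certificate) to start two in-process HTTPS servers on the loopback interface, one with the weak setting that still accepts TLS 1.0 and 1.1 and one with the minimum raised to TLS 1.2, and then probes each with a client limited to TLS 1.0/1.1 (standing in for an old browser) and with a current client. The hardened server refuses the old client with a handshake error, which is the “unable to connect” case described above.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// LegacyServerConfig is the weak setting: TLS 1.0 and 1.1 still accepted.
func LegacyServerConfig() *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS10}
}

// HardenedServerConfig matches the browsers' new policy: nothing below TLS 1.2.
func HardenedServerConfig() *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12}
}

// VersionName renders a crypto/tls version constant for display.
func VersionName(v uint16) string {
	switch v {
	case tls.VersionTLS10:
		return "TLS 1.0"
	case tls.VersionTLS11:
		return "TLS 1.1"
	case tls.VersionTLS12:
		return "TLS 1.2"
	case tls.VersionTLS13:
		return "TLS 1.3"
	}
	return fmt.Sprintf("unknown (0x%04x)", v)
}

// StartServer runs an in-process HTTPS server on loopback; httptest supplies
// a throwaway localhost certificate and cfg supplies the version policy.
func StartServer(cfg *tls.Config) *httptest.Server {
	ts := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "negotiated %s\n", VersionName(r.TLS.Version))
	}))
	ts.TLS = cfg
	ts.StartTLS()
	return ts
}

// Probe connects with a client that only offers versions in [minV, maxV]
// (0 means the crypto/tls default) and reports the negotiated version, or
// the handshake error a visitor with an old browser would see.
func Probe(ts *httptest.Server, minV, maxV uint16) (uint16, error) {
	tr := ts.Client().Transport.(*http.Transport).Clone() // trusts the test certificate
	defer tr.CloseIdleConnections()                        // no connection reuse between probes
	tr.TLSClientConfig.MinVersion = minV
	tr.TLSClientConfig.MaxVersion = maxV
	resp, err := (&http.Client{Transport: tr}).Get(ts.URL)
	if err != nil {
		return 0, err
	}
	resp.Body.Close()
	return resp.TLS.Version, nil
}

func main() {
	servers := []struct {
		name string
		cfg  *tls.Config
	}{{"legacy", LegacyServerConfig()}, {"hardened", HardenedServerConfig()}}
	for _, s := range servers {
		ts := StartServer(s.cfg)
		v, err := Probe(ts, tls.VersionTLS10, tls.VersionTLS11) // an old, TLS 1.0/1.1-only client
		fmt.Printf("%-8s server, old client:    %s err=%v\n", s.name, VersionName(v), err)
		v, err = Probe(ts, 0, 0) // a current, browser-like client
		fmt.Printf("%-8s server, modern client: %s err=%v\n", s.name, VersionName(v), err)
		ts.Close()
	}
}
```

The same MinVersion field is what a production Go server sets on its tls.Config; for other web servers the equivalent is the protocol list in their TLS configuration. Before raising the minimum, the access logs are the place to measure how many real visitors would be cut off, which is the figure Microsoft and Apple quoted above.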

Businesses Turning To Zero-Trust Security Model

As a widening attack surface and evolving threats mean that organisations continue to be breached despite large security spending, many businesses are now turning to the ‘zero-trust’ security model.

What Is The Zero-Trust Security Model?

The Zero Trust security model, introduced by analyst firm Forrester Research, is an alternative architecture for IT security that doesn’t work on the traditional assumption that the perimeter is the main focus and that the inside of an organization’s network can be trusted. Zero-trust assumes that untrusted actors exist both inside and outside a company network, and that every user access request has to be authorised, using the principle of “never trust, always verify”. In this way, Zero-trust can address lateral threat movement within the network i.e. stopping insider and other threats from spreading once inside.

Breaches

Almost 70% of organisations are getting breached an average of five times a year, with 81% of breaches being simply linked to weak, default or stolen passwords. Once inside networks, attackers can camouflage their attack behind a legitimate identity like a database administrator, can go on to access and decrypt encrypted information, and be harder to spot and stop because of their apparent legitimacy.

According to some security commentators, this shows that identity, and identity-centric security measures are areas that organisations need to focus on, and this is where architecture such as zero-trust can help.

10 Cyber-Attacks Per Week

More businesses are recognising the need for a better approach to all-round security, particularly in an environment where hacking’s on the up. For example, the UK’s National Cyber Security Centre has just announced that it has stopped 1,600 attacks over the past two years, many by hostile nation states, and that there are now 10 such attacks per week. Also, the NCSC’s Active Cyber Defence (ACD) initiative reports removing 138,398 phishing sites hosted in the UK between September 2017 and August 2018.

Four Pillars of Zero-Trust Security

The zero-trust security model is, therefore, believed to be another step forward in the battle against cyber-criminals. The success of the zero-trust security model is based upon four key ‘pillars’, which are:

  1. Verifying users. This involves identity consolidation which can tackle weak / shared password issues (using single sign-on and one-time passwords), de-facto authentication everywhere, and monitoring user behaviour e.g. time and location factors.
  2. Validating devices.
  3. Limiting access of privileged users where possible.
  4. Applying machine learning to all these factors, and using this to step up the authentication processes wherever necessary. Machine learning also removes the need for manual intervention.
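The four pillars above amount to a decision that is taken on every request rather than once at the perimeter. The following Go program is an added example, not Forrester’s or any vendor’s product: it assumes a set of request signals (identity, role, device state, hour, country, device novelty, recent failures), an illustrative role-to-resource map for least privilege, and illustrative risk weights, and shows how a policy point verifies the user, validates the device, limits privilege and then uses the risk score to step authentication up or refuse. The “attacker camouflaged behind a database administrator’s identity” from the breach paragraph earlier is the second constructed request in main.

```go
package main

import "fmt"

// Decision is the outcome of a single access request.
type Decision string

const (
	Allow  Decision = "allow"
	StepUp Decision = "step-up" // re-authenticate with a stronger factor first
	Deny   Decision = "deny"
)

// Signals are what the policy point sees on every request. The field set and
// the thresholds below are assumptions for this example.
type Signals struct {
	User               string
	Role               string
	Resource           string
	MFAPassed          bool
	DeviceManaged      bool // enrolled in device management
	DeviceHealthy      bool // encrypted, patched, not jailbroken
	Hour               int  // local hour of the request, 0-23
	Country            string
	UsualCountry       string
	NewDevice          bool
	RecentFailedLogins int
}

// RoleGrants is the least-privilege map: a role reaches only what it lists.
var RoleGrants = map[string][]string{
	"helpdesk": {"crm:tickets"},
	"dba":      {"db:customers", "db:backups"},
}

// PrivilegedResources need a fresh strong factor even for an entitled role.
var PrivilegedResources = map[string]bool{"db:customers": true, "db:backups": true}

func roleAllows(role, resource string) bool {
	for _, r := range RoleGrants[role] {
		if r == resource {
			return true
		}
	}
	return false
}

// RiskScore turns behavioural signals (time, location, device, failures)
// into a 0-100 score; the weights are illustrative.
func RiskScore(s Signals) int {
	score := 0
	if s.Hour < 7 || s.Hour > 19 {
		score += 25
	}
	if s.UsualCountry != "" && s.Country != s.UsualCountry {
		score += 40
	}
	if s.NewDevice {
		score += 20
	}
	if s.RecentFailedLogins >= 3 {
		score += 30
	}
	if score > 100 {
		score = 100
	}
	return score
}

// Evaluate applies the four pillars in order: verify the user, validate the
// device, limit privilege, then let the risk score step authentication up.
func Evaluate(s Signals) (Decision, string) {
	if s.User == "" {
		return Deny, "no verified identity"
	}
	if !s.DeviceManaged || !s.DeviceHealthy {
		return Deny, "device not validated"
	}
	if !roleAllows(s.Role, s.Resource) {
		return Deny, "role " + s.Role + " is not entitled to " + s.Resource
	}
	risk := RiskScore(s)
	switch {
	case risk >= 80:
		return Deny, fmt.Sprintf("risk score %d too high", risk)
	case PrivilegedResources[s.Resource] && !s.MFAPassed:
		return StepUp, "privileged resource requires a fresh strong factor"
	case risk >= 40 && !s.MFAPassed:
		return StepUp, fmt.Sprintf("risk score %d requires a strong factor", risk)
	}
	return Allow, fmt.Sprintf("all checks passed (risk %d)", risk)
}

func main() {
	// Constructed requests: a DBA at their desk, then the same identity used
	// without MFA from an unusual country on a new device in the small hours.
	normal := Signals{User: "dba01", Role: "dba", Resource: "db:customers", MFAPassed: true,
		DeviceManaged: true, DeviceHealthy: true, Hour: 10, Country: "GB", UsualCountry: "GB"}
	suspicious := normal
	suspicious.MFAPassed, suspicious.Hour, suspicious.Country, suspicious.NewDevice = false, 3, "XX", true
	for _, s := range []Signals{normal, suspicious} {
		d, why := Evaluate(s)
		fmt.Printf("%s -> %s (%s)\n", s.User, d, why) // allow, then deny
	}
}
```

The order of the checks matters: device and entitlement failures are refused outright and cheaply, while the risk score only ever escalates to a stronger factor or a refusal, never downgrades a check that has already failed. That is the “never trust, always verify” rule expressed as code.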

Benefits

Those who have implemented zero-trust security have reported many benefits. These include cost savings due to gains in incident response efficiencies and technology consolidation, and greater confidence in supporting users on mobile devices and rolling out new partner and customer experiences.

Challenge

One main challenge to the growth of the adoption of zero-trust security measures is the mistaken belief that it has to be time-consuming and takes a lot of effort to implement. Security commentators are keen to point out that, in reality, implementing a zero-trust security model is a step-by-step process.

What Does This Mean For Your Business?

It seems that the benefits of the zero-trust model are now becoming widely known by UK businesses and organisations. For example, an IDG study revealed that 71% of security-focused IT decision makers are actively pursuing a zero-trust security model, 10% are currently running pilots, and around 8% have implemented it fully.

It’s important to realise that the implementation needn’t be a huge hassle and expense and can be tackled step-by-step, using commercial off-the-shelf technology. This approach to security offers businesses the chance to customise their security for their specific data and assets, and strengthen their infrastructure from the ground up by enabling the identification of vulnerabilities and gaps in their current security models at the root level.

This approach can bring some much-needed benefits, not least of which is a greater feeling of trust and a confidence boost. In terms of more measurable benefits to businesses, a Forrester and Centrify study, for example, has shown that by applying best practices of zero-trust principles, organisations recorded 50% fewer breaches within just two months. These kinds of figures are making this approach to security very attractive to many businesses, particularly those who have fallen victim to costly cyber attacks.

New Tech Laws For AI Bots & Better Passwords

It may be no surprise to hear that California, home of Silicon Valley, has become the first state to pass laws to make AI bots ‘introduce themselves’ (i.e. identify themselves as bots), and to ban weak default passwords. Other states and countries (including the UK) may follow.

Bot Law

With more organisations turning to bots to help them create scalable, 24-hour customer services, together with the interests of transparency at a time when AI is moving forward at a frightening pace, California has just passed a law to make bots identify themselves as such on first contact. Also, in the light of the recent US election interferences, and taking account of the fact that AI bots can be made to do whatever they are instructed to do, it is thought that the law has also been passed to prevent bots from being able to influence election votes or to incentivise sales.

Duplex

The ability of Google’s Duplex technology to make the Google Assistant AI bot sound like a human, and potentially fool those it communicates with, is believed to have been one of the drivers for the new law being passed. Google Duplex is an automated system that can make phone calls on your behalf and has a natural-sounding human voice instead of a robotic one. Duplex can understand complex sentences, fast speech and long remarks, and is so authentic that Google has already said that, in the interests of transparency, it will build in the requirement to inform those receiving a call that it is from Google Assistant / Google Duplex.

Amazon, IBM, Microsoft and Cisco are also all thought to be in the market to get highly convincing and effective automated agents.

Only Bad Bots

The new bot law, which won’t officially take effect until July 2019, is only designed to outlaw bots that are made and deployed with the intent to mislead the other person about their artificial identity for the purpose of knowingly deceiving them.

Get Rid of Default Passwords

The other recent tech law passed in California and making the news is a law banning easy to crack but surprisingly popular default passwords, such as ‘admin’, ‘123456’ and ‘password’ in all new consumer electronics from 2020. In 2017, for example, the most commonly used passwords were reported to be 123456, password, 12345678 and qwerty (Splashdata). ‘Admin’ also made number 11 on the top 25 most popular password lists, and it is estimated that 10% of people have used at least one of the 25 worst passwords on the list, with nearly 3% of people having used the worst password, 123456.

The fear is, of course, that weak passwords are a security risk in any case, and that leaving easy default passwords in consumer electronics products and in routers supplied by service providers has given hackers easy access to the IoT. Devices that have been taken over because of poor passwords can be used to conduct cyber attacks, e.g. as part of a botnet in a DDoS attack, without the user’s knowledge.

Password Law

The new law requires each device to come with a pre-programmed password that is unique to each device, and mandates any new device to contain a security feature that asks the user to generate a new means of authentication before access is granted to the device for the first time. This means that users will be forced to change the unique password to something new as soon as the device is switched on for the first time.
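The first-boot requirement described above, as an added example that is not part of the original article or any vendor's firmware: a hypothetical DeviceAuth model that provisions a random per-unit password and refuses normal access until the user replaces it with a password that is not on the weak list. The deny list and device serials are constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed deny list built from the worst passwords the article quotes;
# a real device would carry a much longer list.
WEAK_PASSWORDS = {"123456", "password", "12345678", "qwerty", "admin"}


@dataclass
class DeviceAuth:
    """Credential state of one unit (hypothetical model, not vendor code):
    a unique factory password plus a forced change before first use."""
    serial: str
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    pw_hash: bytes = b""
    must_change: bool = True

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def provision(self) -> str:
        """Factory step: a random password per unit (printed on its label),
        never derived from the serial, so no two units share a default."""
        factory_pw = secrets.token_urlsafe(12)
        self.pw_hash = self._hash(factory_pw)
        self.must_change = True
        return factory_pw

    def login(self, password: str) -> str:
        """'denied', 'change_required' (factory password still in place, only
        the set_password flow is reachable) or 'ok'."""
        if not hmac.compare_digest(self._hash(password), self.pw_hash):
            return "denied"
        return "change_required" if self.must_change else "ok"

    def set_password(self, current: str, new: str) -> bool:
        """Accept a new credential only if the caller knows the current one
        and the replacement is neither weak nor a reuse of the factory one."""
        if self.login(current) == "denied":
            return False
        if new in WEAK_PASSWORDS or len(new) < 12 or new == current:
            return False
        self.pw_hash = self._hash(new)
        self.must_change = False
        return True
```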

What Does This Mean For Your Business?

For businesses using bots to engage with customers, if the organisation has good intentions, there should not be a problem with making sure that the bot informs people that it is a bot and not a human. As AI bots become more complex and convincing, this law may become more valuable. Some critics, however, see the passing of this law as another of the many reactions and messages being sent about interference by foreign powers, e.g. Russia, in US or UK affairs.

Stopping the use of default passwords in electrical devices and forcing users to change the password on first use of the item sounds like a very useful and practical law that could go some way to preventing some hackers from gaining easy access to and taking over IoT devices e.g. for use as part of a botnet in bigger attacks. It has long been known that having the same default password in IoT devices and some popular routers has been a vulnerability that, unknown to the buyers of those devices, has given cyber-criminals the upper hand. A law of this kind, therefore, must at least go some way in protecting consumers and the companies making smart electrical devices.

How Business Emails Are Vulnerable

Research by digital risk management and threat intelligence firm Digital Shadows has revealed that company credentials and emails that can be easily accessed on the web are making it easier for cyber-criminals to target businesses with attacks.

What Are The Problems?

According to the research, businesses may be suffering targeted attacks because of several key problems caused by the results of previous hacks and breaches, and by current poor security practices. These problems are that:

  • Around 12.5 million company email archive files are publicly accessible due to misconfigured archive storage drives e.g. FTP and Amazon S3 buckets. Business emails contain sensitive personal and financial information e.g. the research uncovered 27,000 invoices, 7,000 purchase orders and 21,000 payment records. These things are valuable to cyber-criminals as they help them to target attack methods such as phishing.
  • Improper backing-up of email archives has contributed to their exposure online.
  • Criminal forums, e.g. on the dark web, now contain some 33,568 finance department email addresses that have been exposed in third-party breaches, 27,992 of which have passwords associated with them. These forums also contain large numbers of business email access credentials, some of which are reported by the research to be worth $5,000 to cyber-criminals for a single username and password pair.
  • Email hacking services can be purchased for as little as $150, with results available in a week or less. The researchers were even offered a 20% share of the proceeds that could be harvested from exploiting email vulnerabilities.

What Does This Mean For Your Business?

Business email credentials have a high potential return on investment to cyber-criminals, and therefore have a high value, which is why many cyber-criminals feel that it is worth looking for them and paying substantial amounts for them on criminal forums. The high value may mean that criminals may even collaborate to target larger organisations. Hacks and breaches over time, together with the subsequent buying and selling of the stolen email credentials may mean that many businesses are exposed to multiple types of email attack such as phishing, and man-in-the-middle attacks without even knowing it.

One thing the research does show is that by tightening up email security practices, businesses could reduce the risks that they face. Measures that companies could take to help reduce such risks include:

  • Including business email compromise (BEC) in business continuity planning and disaster recovery planning.
  • Strengthening wire transfer / BACS controls, e.g. by building in manual controls as well as multiple-person authorisations to approve significant amounts.
  • Improving staff training to enable them to follow practices that minimise company email and other security risks.
  • Continuously monitoring for any exposed credentials (particularly those of finance department emails), and conducting assessments of executives’ digital footprints e.g. using Google Alerts to track new web content related to them.
  • Preventing email archives from being publicly exposed e.g. by making sure that archive storage drives are configured correctly.
  • Being very careful where contractors back up emails on network-attached storage (NAS) devices is concerned. Making users have passwords, disabling guest / anonymous access, and insisting on NAS devices that are secured by default could help.
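The exposed-archive problem from the research findings above and the "configured correctly" measure in this list, as an added example that is not from the article or from Digital Shadows: a check over an S3 bucket policy and bucket ACL that flags anonymous read access, the misconfiguration that makes an email archive publicly downloadable. The bucket name, account ID and role are constructed; treating any Condition as restricting the caller is a deliberate simplification.

```python
import json

# Amazon's predefined group URIs; an ACL grant to either is world-readable.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
READ_ACTIONS = {"s3:GetObject", "s3:ListBucket", "s3:*", "*"}

def _principals(p):
    # Principal may be "*", {"AWS": "*"} or {"AWS": [arn, ...]}.
    if p == "*":
        return ["*"]
    vals = p.get("AWS", []) if isinstance(p, dict) else []
    return vals if isinstance(vals, list) else [vals]

def policy_public_reads(policy_json: str) -> list:
    """Sids of statements that let anyone read: Allow + anonymous principal
    + a read action + no Condition (simplification: any Condition is
    treated as restricting the caller)."""
    findings = []
    for st in json.loads(policy_json).get("Statement", []):
        actions = st.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        if (st.get("Effect") == "Allow"
                and "*" in _principals(st.get("Principal"))
                and READ_ACTIONS & set(actions)
                and not st.get("Condition")):
            findings.append(st.get("Sid", "<no Sid>"))
    return findings

def acl_public_grants(acl: dict) -> list:
    """Permissions the bucket ACL grants to the public groups."""
    return [g["Permission"] for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("URI") in PUBLIC_GRANTEES]

# Constructed sample: an archive bucket with one public-read statement
# beside a correctly scoped one, and an ACL that also grants public READ.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::mail-archive/*"},
    {"Sid": "OpsOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/archive-ops"},
     "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::mail-archive/*"},
]})
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}
```

In practice the same two functions run over the output of boto3's get_bucket_policy and get_bucket_acl for every bucket, and enabling S3 Block Public Access at the account level stops such grants from being applied at all.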