Apple iCloud account attack results in man losing $650,000 from his cryptocurrency wallet

Cryptocurrency wallet maker MetaMask has warned its 21 million monthly users to be wary of Apple iCloud backing up their app’s data by default, after attackers successfully stole $650,000 of funds and NFTs.

Read more in my article on the Hot for Security blog.

Ransomware plagues finance sector as cyberattacks get more complex

Ransomware plagues financial institutions as they face increasingly complex threats over previous years owing to the changing behavior of cybercriminal cartels, according to VMware’s latest Modern Bank Heists report.

This has happened as the cybercrime cartels have evolved beyond wire transfer frauds to target market strategies, take over brokerage accounts, and island-hop into banks, according to the report. 

For the report, VMware surveyed 130 financial sector CISOs and security leaders from across different regions including North America, Europe, Asia Pacific, Central and South America, and Africa.

$625 Million Stolen in Latest Crypto Attack: 5 Tips on How to Use Digital Currency Safely

Cryptocurrency is all the rage these days and it doesn’t seem to be slowing down any time soon. As more people dive into the nitty-gritty of what blockchain is, how NFTs are traded, and the difference between Bitcoin and Ethereum, digital currency developers are finding new ways for people to engage with crypto. But as crypto continues to grow and become more profitable, hackers are simultaneously trying to find ways to get their hands on the coins. 

According to Markets Insider, one of the biggest crypto heists in history took place recently, resulting in roughly $625 million stolen. Here’s what you need to know about this crypto theft, and how you can stay protected when investing in digital assets.

Under the Hood of the Ronin Crypto Heist 

Ronin, the blockchain underlying the play-to-earn crypto game Axie Infinity, revealed that a hacker stole 173,600 Ethereum (currently worth around $600 million) and 25.2 million USDC (a cryptocurrency pegged to the U.S. dollar), resulting in a loss of about $625 million in cryptocurrency. 

On March 29th, Ronin and Axie Infinity operator Sky Mavis revealed the breach and froze transactions on the Ronin bridge, which allows depositing and withdrawing funds from the company’s blockchain. This “side chain” contained nine validator nodes, or proof-of-stake tools, that confirmed and approved each transaction. At least five validator nodes are needed to approve each transaction. Sky Mavis oversaw five, and Axie Decentralized Autonomous Organization (or DAO) controlled four. However, Sky Mavis discontinued its agreement with the DAO in December but failed to revoke the DAO’s permissions. Due to this oversight, the hacker was able to take over the necessary amount of validator nodes to enable access to the cryptocurrency and make a break with it. 

According to experts, the use of these side chains rather than native blockchains leads to a rise in cryptocurrency vulnerabilities. Had Sky Mavis abandoned the side chains and stuck to the blockchains, it is likely that an attack of this magnitude could have been avoided. Rather than a cryptocurrency issue, this is more of a cybersecurity issue. 
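The quorum failure described above, as an added example that is not part of the McAfee article: a simplified k-of-n withdrawal check in which validator authorisations can be revoked, so a signer whose agreement has ended no longer counts toward the threshold. HMAC stands in for the real on-chain signature scheme; the validator names, secrets, withdrawal fields and the attacker's five signers are constructed, while the threshold (five of nine) and the ETH amount are the article's.

```python
import hashlib
import hmac
import json

THRESHOLD = 5  # the article: at least five of the nine validators must approve


class Validator:
    """One validator node. Its 'key' is a constructed secret, not a real key pair."""

    def __init__(self, name, operator):
        self.name = name
        self.operator = operator
        self.secret = hashlib.sha256(f"constructed-secret-{name}".encode()).digest()

    def sign(self, withdrawal):
        # HMAC over the canonical withdrawal stands in for a real signature.
        msg = json.dumps(withdrawal, sort_keys=True).encode()
        return self.name, hmac.new(self.secret, msg, hashlib.sha256).hexdigest()


class Bridge:
    """Approves a withdrawal only with THRESHOLD distinct, currently authorised signers."""

    def __init__(self, validators, threshold=THRESHOLD):
        self.secrets = {v.name: v.secret for v in validators}
        self.active = {v.name for v in validators}
        self.threshold = threshold

    def revoke(self, names):
        """Drop signers whose agreement has ended: the step the article says was skipped."""
        self.active -= set(names)

    def approve(self, withdrawal, signatures):
        msg = json.dumps(withdrawal, sort_keys=True).encode()
        approvals, rejected = set(), []
        for name, sig in signatures:
            if name not in self.secrets:
                rejected.append((name, "unknown signer"))
                continue
            expected = hmac.new(self.secrets[name], msg, hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, sig):
                rejected.append((name, "bad signature"))
            elif name not in self.active:
                # Valid key, but the operator is no longer authorised: must not count.
                rejected.append((name, "signer no longer authorised"))
            else:
                approvals.add(name)  # a set, so one node signing twice counts once
        return len(approvals) >= self.threshold, rejected


def build_validators():
    # Nine validators as the article describes them: five run by Sky Mavis, four by the DAO.
    sky = [Validator(f"skymavis-{i}", "skymavis") for i in range(1, 6)]
    dao = [Validator(f"dao-{i}", "dao") for i in range(1, 5)]
    return sky, dao


def withdrawal_approved(revoke_dao):
    """Constructed scenario: an attacker presents signatures from four Sky Mavis
    validators and one DAO validator. Whether the DAO's revocation was applied
    decides whether those five signatures reach the threshold."""
    sky, dao = build_validators()
    bridge = Bridge(sky + dao)
    if revoke_dao:
        bridge.revoke(v.name for v in dao)
    withdrawal = {"to": "0xCONSTRUCTED", "amount_eth": 173600, "nonce": 1}
    signatures = [v.sign(withdrawal) for v in sky[:4] + dao[:1]]
    return bridge.approve(withdrawal, signatures)


if __name__ == "__main__":
    for revoked in (False, True):
        ok, rejected = withdrawal_approved(revoked)
        print(f"DAO revoked={revoked}: approved={ok} rejected={rejected}")
```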

Stay Protected From Crypto-Related Hacks 

If you are interested in getting into crypto, don’t let cyberattacks like this deter you! As a fairly new phenomenon, there are still many ways in which the crypto world needs to grow, adjust, and adapt to ensure that users can interact with it safely. In the meantime, if you are wanting to dive into the crypto economy but still have reservations, here are some tips to help you stay protected: 

1. Do your research

Whenever you decide to dive into something new, it’s always important to make sure you are knowledgeable about that thing, especially if it involves investing your money. Before jumping right into the crypto world, research each cryptocurrency, each blockchain, and any software you may use. Keep up with the news to stay informed on security breaches and pick up tips for which system you may want to engage in. Knowing the ins and outs of the crypto economy and its security protocols will solidify your decision of whether you want to join the crypto community and whether the benefits outweigh the risks. 

2. Secure your accounts

As with all online accounts, it’s important to use secure, unique passwords and two-factor authentication when creating and maintaining cryptocurrency logins. Hackers can access lists of passwords and logins via the dark web, so never reuse your passwords. Two-factor authentication requires a randomly generated passcode for entry that is only accessible to you, so cybercriminals will not be able to access your accounts. If your accounts are a pain for a hacker to try to get through, they will likely move on, keeping your account, your information, and your assets safe. 

3. Use a crypto wallet

For some added protection, store your assets in a crypto wallet. A crypto wallet is a software product or physical device that stores the keys to your cryptocurrency accounts. Crypto wallets allow you to transfer funds between crypto types and make transactions while keeping your investments protected. There are various types of cryptocurrency wallets, so do your research to find which one is best for you and your accounts. 

4. Check your accounts regularly

Develop a routine of checking in on your crypto accounts to keep an eye on any suspicious transactions. Keep up with news outlets so that if there does happen to be a breach, you can make a timely report of any losses you may have had. For some added security and protection, consider changing your login credentials. 

5. Be on the lookout for suspicious emails

Hackers often use social engineering to enact cyberattacks like these. This includes targeting users’ emails or using phishing to gain access to these accounts. When receiving emails, be wary of addresses that seem slightly off, odd spelling and grammar mistakes, and any links or attachments added to the message. Being cautious and alert when you are online is an important step to ensuring your account safety. 

As the world of crypto continues to evolve and more people get involved, cybercriminals are itching to take advantage. However, that is no reason to avoid getting into the crypto economy. If you decide to try your hand at digital currencies, make sure you are doing your research, staying up to date on what is happening in the crypto news, and remaining vigilant when it comes to your online safety. 

The post $625 Million Stolen in Latest Crypto Attack: 5 Tips on How to Use Digital Currency Safely appeared first on McAfee Blog.

You’ve Migrated Business-Critical Functions to the Cloud…Now What?

An expanding attack surface demands a robust cybersecurity strategy. Here’s what you need to know.

The shift to remote work over the past two years would not have been possible without cloud computing, which enables employees to access data and services from anywhere at any time. Yet, many organizations still face challenges in deploying and managing their cloud infrastructures in a security-conscious way.

A study commissioned by Tenable and conducted by Forrester Consulting found that, prior to the pandemic, 31% of business and security leaders had moved business-critical functions to the cloud and 48% had moved non-critical functions. The pandemic accelerated this move and over the next two years, 20% of respondents say they will make the switch to cloud for business-critical assets.

Source: A commissioned study conducted by Forrester Consulting on behalf of Tenable, April 2021.

Several core challenges further emphasize the need for a security-first strategy in the cloud:

The dissolving perimeters introduced by cloud solutions. Heavily dynamic by design, cloud solutions break down typical security perimeters, which are sustainable only when IT systems are run entirely on-premises.
The critical nature of cloud assets. The cloud is becoming an integral component of supply chain technologies, internet of things (IoT), artificial intelligence (AI), and infrastructure as code (IaC) as the world rapidly shifts towards “everything-as-a-service”.
The rapidly evolving threat landscape. The ease of interconnecting devices, flows and data that cloud technologies offer comes with the burden of increasing the attack surface. As a consequence, the security posture of any company cannot be reactive any longer. The lack of visibility introduced by cloud technologies, combined with the need for privacy compliance, requires companies migrating to the cloud to shift their mindset from a perimeter-based security approach to a data-driven one, while ensuring a proactive, holistic, end-to-end yet dynamic security program.
The potential for cloud vendor lock-in. Choose your cloud vendors wisely. It can be difficult to switch cloud providers once you’ve established one; doing so can introduce performance, compatibility and security complications.

Source: A commissioned study conducted by Forrester Consulting on behalf of Tenable, April 2021.

The image below shows the complexities of cloud migration. Broadly speaking, a successful cloud migration involves a breadth and depth of dimensions, including consideration of policies, compliance requirements and overarching risks to processes and operations. Each of these elements needs to be considered in order to effectively manage data, operations and resources while enabling the business to operate in a cost-aware manner.

Source: Tenable, April 2022

Below, we highlight three key areas of focus that can be taken into account to mitigate the cybersecurity blind spots that arise from migration to the cloud.

1. Perform a risk assessment

When shifting to the cloud, businesses enter into a shared responsibility model, in which cloud provider and cloud user are both accountable for security obligations to the degree dictated by the distribution model (i.e., IaaS, PaaS or SaaS).

Cloud risk assessment helps in evaluating and avoiding unidentified or new risks introduced by migrating systems and data. Nothing is ever completely risk-free. The goal with a risk assessment is to identify all potential risk areas and weigh them against business need to arrive at an acceptable level of risk tolerance for each area.

Risk analysis needs to span multiple areas, including: 

assessing cloud providers’ risk and potential vendor lock-in;
risks introduced by loss of governance; and
compliance needs.

These areas are critical in the cloud environment and each carries its own sub-list of related risks that need to be accounted for, such as technical, costs, resource allocation, operational processes and procedures, security and legal constraints.

2. Factor in cloud security governance

Cloud security governance entails building models for effective security operations in the cloud, assisting leaders in better understanding security risks and how to progressively reduce them in pursuit of strategic alignment and value delivery — all while fostering a security-aware culture.

Cloud security governance aims at: 

Strategic alignment between business goals and mandated security investments.
Progressive risk reduction due to implemented and monitored security initiatives, with an eye towards sustainable performance.
Proper role management and resource allocation to security initiatives.

The route to proper cloud security governance depends on a company’s relative maturity. It should, at minimum:

Consider security investments as part of the overarching business goals and strategic alignment.
Set forth measurable security initiatives in pursuit of risk reduction, value delivery and performance.
Ensure appropriate staffing and know-how to perform security initiatives and operations.

3. Conduct a data protection impact assessment

Performing a Data Protection Impact Assessment (DPIA) can help mitigate risk by identifying and addressing high-risk scenarios before any data processing takes place. While required by law under certain conditions, a DPIA is worth performing regardless of legal requirements; the effort helps maximize adherence to security and privacy best practices and thereby minimizes potential liabilities.

When handling data, best practices include:

Removal of personally identifiable factors from your information as much as is feasible.
Having a strategy in place to identify and manage critical vulnerabilities to reduce the risk of data breaches.
Working with cloud vendors to clarify the incident response support they’ll provide so that the organization is well-prepared to handle cybersecurity events that might occur.

In addition to the above, logging and monitoring are critical components of effective cloud security. The practice becomes even more crucial in the event of an incident. Cloud vendors should be assessed on the terms they offer for access and management of log trails. In addition, security operation teams need a continuous monitoring strategy to proactively assess the environment and provide a rapid response in cases of anomalous behavior.

Conclusion

The areas of focus discussed above barely scratch the surface of the myriad security implications of cloud migration and adoption. While organizations have found a lift-and-shift strategy to be an effective way to migrate applications, services and data to the cloud, it’s not an approach that works for cloud security. Instead, organizations need to have an overarching and proactive strategy for securing cloud applications and services that starts well before any migrations get underway.

Effective cloud security requires a holistic approach that includes performing due diligence on all third parties, de-identifying data and creating sensible SLAs. All leaders — not just security professionals but also IT and business leaders — must proactively embrace cybersecurity as a fundamental condition to ensure longevity of their businesses. Last, but not least, remediate, remediate, remediate: your business depends on it. Regular vulnerability assessment and automated remediation are key to a successful security strategy for the cloud.

Learn more

Read the study, Beyond Boundaries: The Future of Cybersecurity in the New World of Work
Read the blogs

Protecting the Atomized Attack Surface in the New World of Work
Data Security Is a Global Economic Imperative
3 Things Infosec Leaders Need to Know About the Shared Responsibility Model

Visit the Tenable.cs product page to learn more about our capabilities: https://www.tenable.com/products/tenable-cs

Verica launches Prowler Pro solution to enhance AWS security

Verification vendor Verica and Toni de la Fuente, creator of the Prowler AWS security tool, have announced the launch of Prowler Pro to enhance cloud security and provide new open-source tools to make AWS security simpler for customers. The two stated in a press release that Prowler Pro marks the evolution of Prowler Open Source, one of the most recognizable open-source tools for AWS cloud security, and puts security assessments, audits, incident response, continuous monitoring, hardening, and forensics readiness in easy reach of businesses running multiple AWS services.

Continuous monitoring, personalized support, customizable dashboards across AWS deployments

Prowler Pro contains over 220 controls covering CIS, PCI-DSS, ISO27001, GDPR, HIPAA, FFIEC, SOC2, AWS FTR, ENS and custom security frameworks, the parties said. It is publicly available via AWS Marketplace, and they claim it is easy to deploy in multiple AWS cloud accounts, offering continuous monitoring, faster execution, personalized support, and customizable dashboards.

What is tokenization, what are the types of tokenization, and what are its benefits for eCommerce businesses?

Image source: Freepik

This blog was written by an independent guest blogger.

As eCommerce grows, payments and security raise more issues. Customers still don’t get a smooth user experience or fraud-free transactions, and many transactions are still declined.

Online shopping still lacks a seamless experience due to the risks of storing and handling sensitive account data.

The payment system relies on basic details such as the primary account number, the expiration date and the CVV2, the 3-digit security code. If these details are compromised, a lot of things can go wrong. The industry is adopting a technology called “tokenization” to deal with these issues.

Today, we will discuss this technology and help you understand how it can help.

What is tokenization?

Tokenization might sound like something complex, but the basic principle behind it is simple. It’s a process of replacing sensitive pieces of data with tokens. These tokens are random data strings that don’t hold any meaning or value to third parties.

These tokens are unique identifiers that may still carry a portion of the sensitive data, but they keep that data protected. The original data is linked to the new tokens without giving away any information that lets anyone reveal, trace, or decipher it.

The data piece is stored outside the internal system used by the business. Tokens are irreversible, so if they’re exposed, they cannot be returned to their original form.

Since the data is moved elsewhere, it’s almost impossible for someone to compromise this data.

How tokenization works

Tokenization has a wide range of applications. In eCommerce, payment processing is one of the most popular areas of tokenization and companies use tokens to replace account or card numbers, most commonly the primary account number (PAN) associated with a credit card.

The PAN is replaced with a random placeholder token, and the original sensitive data is stored externally. When the original data is needed to complete a transaction, the token is exchanged for it, and the data is then transmitted to payment gateways, processors, and other endpoints over various network systems.

Example of tokenization

TokenEx is a typical tokenization platform used for eCommerce payments. The platform first intercepts the sensitive data from whichever channel it is being collected through (mobile, desktop, PIN pad, etc.). This data is tokenized and stored securely, and the token is then returned to the client for internal use. Finally, the sensitive data is detokenized and sent to payment-processing providers to execute and verify transactions.

In the image below you can see how data travels on the TokenEx platform.

First, you have the channels through which the data is coming (“Secure Data Collection”).
In the bottom-middle section, you have the TokenEx platform, where data is tokenized and stored (“Secure Data Storage”) before being returned to a client environment in the top-middle section (“Compliance Safe Harbor”) for safe, compliant internal use.
And then finally, on the right, you have the data being sent to a third party for processing (“Secure Data Transmission”), likely a payment service provider to authorize a digital transaction.

This combination of security and flexibility enables customers to positively impact revenue by improving payment acceptance rates, reducing latency, and minimizing their PCI footprint.

Image source: TokenEx

Types of tokenization

Tokenization is becoming popular in many different industries and not just eCommerce. Payments are just one of the uses of tokenization, and there are many more applications out there. Not all tokenization processes are the same, as they have different setups depending on the application.

Tokenization outside of the blockchain

Tokenization outside of the blockchain means that digital assets are traded outside of the blockchain and have nothing to do with NFTs or smart contracts. There are a variety of tokens and tokenization types outside the blockchain.

Vaultless tokenization

Vaultless tokenization is typically used in payment processing. It uses secure cryptographic devices running algorithms built on conversion standards that transform sensitive data into non-sensitive tokens without storing a mapping between the two. Vaultless tokens therefore don’t require a tokenization vault database for storage.

Vault tokenization

Vault tokenization is used in traditional payment processing and depends on maintaining a secure database. This secure database is called the tokenization vault, and its role is to store both the non-sensitive tokens and the sensitive data they map to. Users within the network recover tokenized information by looking it up across both data tables.
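The PAN flow described under "How tokenization works" and the vault versus vaultless split above, as an added example that is neither the article's nor TokenEx's code: a toy vault tokenizer that issues random tokens and gates detokenization behind an allow-list, beside a keyed vaultless tokenizer with no lookup table. The test card number, the key and the caller names are constructed, and HMAC stands in for the cryptographic device the article mentions.

```python
import hashlib
import hmac
import secrets
import string

# Constructed: only the payment-processing path may swap a token back for the PAN.
ALLOWED_DETOKENIZERS = {"payment-processor"}


def luhn_ok(pan):
    """Luhn check, so obviously malformed card numbers are rejected before tokenizing."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Vault tokenization: the token is random and the PAN lives only in the vault,
    which sits outside the merchant's own systems."""

    def __init__(self):
        self._vault = {}   # token -> PAN
        self._by_pan = {}  # PAN -> token, so a returning card maps to the same token

    def tokenize(self, pan):
        pan = pan.replace(" ", "")
        if not (pan.isdigit() and 12 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a plausible PAN")
        if pan in self._by_pan:
            return self._by_pan[pan]
        while True:
            # Random digits with the real last four kept (the "portion of the
            # sensitive data" a token may carry); nothing else about the PAN survives.
            body = "".join(secrets.choice(string.digits) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token != pan and token not in self._vault:
                break
        self._vault[token] = pan
        self._by_pan[pan] = token
        return token

    def detokenize(self, token, caller):
        """Exchange a token for the PAN, only for an authorised caller."""
        if caller not in ALLOWED_DETOKENIZERS:
            raise PermissionError(f"{caller} may not detokenize")
        return self._vault[token]


def vaultless_token(pan, key):
    """Vaultless tokenization: deterministic and keyed, with no lookup table to protect.
    A real deployment would use a format-preserving scheme inside a hardware device;
    HMAC mapped onto digits is a stand-in that keeps the PAN's length and last four."""
    pan = pan.replace(" ", "")
    mac = hmac.new(key, pan.encode(), hashlib.sha256).digest()
    body = "".join(str(b % 10) for b in mac)[: len(pan) - 4]
    return body + pan[-4:]


if __name__ == "__main__":
    vault = TokenVault()
    card = "4111 1111 1111 1111"  # constructed test number, Luhn-valid
    tok = vault.tokenize(card)
    print("vault token:", tok, "->", vault.detokenize(tok, "payment-processor"))
    print("vaultless token:", vaultless_token(card, b"constructed-key"))
```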

NLP tokenization types

The natural language processing domain includes tokenization as one of the most basic functions. In this context, tokenization involves dividing a text into smaller pieces called tokens, allowing machines to understand natural text better. The three categories of NLP tokenization are:

Subword tokenization
Character tokenization
Word tokenization

Blockchain tokenization types

Blockchain tokenization divides asset ownership into multiple tokens. Tokenization on the blockchain is similar to NFTs as they behave as “shares.” However, tokenization also uses fungible tokens, and they have a value directly tied to an asset.

Blockchain tokenization allows decentralized app development. This concept is also known as platform tokenization, where the blockchain network is used as the foundation that provides transactional support and security.

NFT tokenization

One of the most popular forms of tokenization today is the blockchain NFT. Non-fungible tokens are digital data representing unique assets.

These assets don’t have a predetermined value (that is where the name non-fungible comes from) and can be used as proof of ownership, letting people trade various items or authenticate transactions. NFTs are used for digital art, games, real estate, etc.

Governance tokenization

This kind of tokenization is directed toward voting systems on the blockchain. Governance tokenization allows a better decision-making process with decentralized protocols as all stakeholders can vote, debate, and collaborate fairly on-chain.

Utility tokenization 

Utility tokens are created using a certain protocol allowing access to various services within that protocol. There is no direct investment token creation with utility tokens, and they provide good platform activity for improving the system’s economy.

Where tokenization and eCommerce meet

Ecommerce payments have been growing for a long time, even before the global pandemic. We’re seeing a massive shift to online shopping with an exponential growth in sales. Even though the shift towards the digital world is definitive, this trend has introduced new challenges concerning security.

There’s a growing number of hackers and fraudsters looking to steal personal data. According to Risk Based Security research, in 2019 alone there were over 15 million data breaches in eCommerce. Tokenization is quickly being introduced as a way to combat fraud and convert account numbers into digital assets to prevent their theft and abuse.

Payment service providers that specialize in fraud detection can help verify transactions and devices, making it far more difficult for hackers to abuse someone’s information. Credit card and account information tokenization boosts security and protects data from external influences and internal issues.

Benefits of tokenization in eCommerce

Ecommerce companies can use tokenization to improve privacy and security by safeguarding payment information. Data breaches, cyber-attacks, and fraud can seriously affect the success of a business. Here’s how tokenization helps with all these threats. 

No need for extensive data control because tokens aren’t sensitive

Ecommerce businesses need to implement extensive data control protocols for handling sensitive data and ensuring there are no liabilities. It can be a really tiresome and expensive process. Tokenization removes this issue because none of the confidential data is stored internally.

No exposure if someone gets access to tokens

Data breaches are often fatal to businesses. They can lead to destroyed reputations, damaged business operations, loss of customers, and even legal issues. There’s no exposure of sensitive data when hackers access a database with tokenized payment records.

All payment data and personal information are safe since they aren’t stored within your systems. It’s true that this doesn’t prevent hacks, but it prevents the consequences of such events.

Frictionless transactions and convenience

Modern customers love simplicity. Having saved payment information and the option to press one button to make a purchase is crucial for business success. However, providing this kind of experience carries risk as companies must save payment information so that customers can reuse it.

Having multiple cards linked to an account with saved information creates liability. Tokenization can enable seamless payment options for end customers without requiring routing numbers or credit cards to be stored internally.

Companies can more easily comply with the PCI DSS

Companies that accept payment information and store it need to be compliant with various regulations, specifically the Payment Card Industry Data Security Standard. However, meeting these security requirements takes a lot of time and money. Payment tokenization service providers usually already have the required compliance certifications, so you’re outsourcing the majority of this responsibility to someone else.

Conclusion

We hope this post has helped you understand the basics of tokenization and how you can use it in eCommerce. The global tokenization market is estimated to grow at 21.5% CAGR, indicating that tokenization is here to stay. 

Keep in mind that we’re only scratching the surface here.

Drones as an attack vector: Vendors need to step up

Critical infrastructure operators, law enforcement, and every level of government are all busy incorporating drones into their day-to-day operations. Drones are being used to support an array of applications for traditional infrastructure as well as agriculture, utilities, manufacturing, oil and gas, mining, and heavy industries.

Drone makers and industry end-users are just now starting to recognize that all elements of their connected enterprises have what Jono Anderson, principal, strategy and innovation at KPMG, calls “robust capabilities that encompass individual drones, connected fleets of drones, cloud/enterprise capabilities, and all communications between them.”

Spring4Shell: Assessing the risk

When a significant vulnerability like Spring4Shell is discovered, how do you determine if you are at risk? Insurance or verification services might require you to run external tests on web properties. These reports often show spurious exposures that may or may not lead to more issues on your website. You must research false-positive reports and inform management whether the item found is acceptable risk.

I’ve seen false positives on external scans due to an open port and associating that port with a known issue even if the service is not run on that port. Whenever you have a pen test or vulnerability scan, know that you can disagree with the findings and explain to the researcher how the item in question is not making you insecure. However, these processes take time away from other security duties, and sometimes we agree with the findings and find workarounds and mitigations as that may be faster than arguing with the auditor.
