source: securityweek.com

It could be the worst-ever data breach for American consumers, exposing some of the most sensitive data for a vast number of US households.

The hack disclosed this week at Equifax, one of the three major credit bureaus which collect consumer financial data, potentially affects 143 million US customers, or more than half the adult population.

While not the largest breach -- Yahoo attacks leaked data on as many as one billion accounts -- the Equifax incident could be the most damaging because of the nature of data collected: bank and social security numbers and personal information of value to hackers and others.

"This is the data that every hacker wants to steal your identity and compromise your accounts," said Darren Hayes, a Pace University professor specializing in digital forensics and cybersecurity.

"It's not like the Yahoo breach where you could reset your password. Your information is gone. There's nothing to reset."

Some reports suggested Equifax data was being sold on "dark web" marketplaces, but analysts said it was too soon to know who was behind the attack and the motivation.

"This could be a mercenary group or it could be a nation-state compiling it with other data" for espionage purposes, said James Scott, a senior fellow at the Institute for Critical Infrastructure Technology, a Washington think tank.

"This is the kind of information I would go after if I were a nation-state, to set up psychographic targeting for information and political warfare."

- National security risks -

Peter Levin, chief executive at the data security firm Amida Technology Solutions and a former federal cybersecurity official, said he is concerned over the national security impact of the breach, which follows a leak of data on millions of US government employees disclosed in 2015.

"The implications with regard to national security are very large," he said. Because most federal employees also have credit reports, "those people have now been hacked twice," Levin said, offering potential adversaries fresh data to be used against them.

source: defenseone.com

Artificial intelligence is giving rise to unprecedented capabilities for surveillance, from facial recognition at bridge crossings to the ability to identify thousands of people at once. Now, new research suggests that AI could potentially be used to identify people who have taken steps to conceal their identities by wearing hats, sunglasses, or scarves over their faces.

The paper, accepted to appear in a computer vision conference workshop next month and detailed in Jack Clark’s ImportAI newsletter, shows that identifying people covering their faces is possible, but there’s a long way to go before it’s accurate enough to be relied upon. Researchers used a deep-learning algorithm—a flavor of artificial intelligence that detects patterns within massive amounts of data—to find specific points on a person’s face and analyze the distance between those points. When asked to compare a face concealed by a hat or scarf against photos of five people, the algorithm was able to correctly identify the person 56% of the time. If the face was also wearing glasses, that number dropped to 43%.

But those imperfect results don’t mean the paper should be ignored. The team, with members from the University of Cambridge, India’s National Institute of Technology, and the Indian Institute of Science, also released two datasets of disguised and undisguised faces for others to test and improve the technology. (Data has been shown to be a key component for driving progress in the field of AI; when deep-learning algorithms have more data to analyze, they can identify patterns in the data with greater accuracy.)

source: krebsonsecurity.com

An October 2015 piece published here about the potential dangers of tossing out or posting online your airline boarding pass remains one of the most-read stories on this site. One reason may be that the advice remains timely and relevant: A talk recently given at a Czech security conference advances that research and offers several reminders of how being careless with your boarding pass could jeopardize your privacy or even cause trip disruptions down the road.

In "What’s In a Boarding Pass Barcode? A Lot," KrebsOnSecurity told the story of a reader whose friend posted a picture of a boarding pass on Facebook. The reader was able to use the airline’s Web site combined with data printed on the boarding pass to discover additional information about his friend. That data included details of future travel, the ability to alter or cancel upcoming flights, and a key component needed to access the traveler’s frequent flyer account.

A search on Instagram for “boarding pass” returned 91,000+ results.

More recently, security researcher Michal Špaček gave a talk at a conference in the Czech Republic in which he explained how a few details gleaned from a picture of a friend’s boarding pass posted online gave him the ability to view passport information on his friend via the airline’s Web site, and to change the password for another friend’s United Airlines frequent flyer account.

Working from a British Airways boarding pass that a friend posted to Instagram, Špaček found he could log in to the airline’s passenger reservations page using the six-digit booking code (a.k.a. PNR or passenger name record) and the last name of the passenger (both are displayed on the front of the BA boarding pass).

Once inside his friend’s account, Špaček saw he could cancel future flights, and view or edit his friend’s passport number, citizenship, expiration date and date of birth. In my 2015 story, I showed how this exact technique permitted access to the same information on Lufthansa customers (this still appears to be the case).

Špaček also reminds readers about the dangers of posting boarding pass barcodes or QR codes online, noting there are several barcode scanning apps and Web sites that can extract text data stored in bar codes and QR codes. Boarding pass bar codes and QR codes usually contain all of the data shown on the front of a boarding pass, and some boarding pass barcodes actually conceal even more personal information than what’s printed on the boarding pass.
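To see for yourself what a boarding pass barcode carries before posting a photo of it, the following added example (not code from the article or from Špaček's talk) decodes the mandatory fixed-width portion of the IATA Bar Coded Boarding Pass (BCBP) layout, lists the fields that combine with a last name to unlock airline reservation pages, and redacts them in place. The sample payload is constructed here, not a real pass; the format table covers only the mandatory single-leg items, not the airline-specific variable tail.

```python
"""Decode and redact the mandatory fields of an IATA BCBP ('M' format) barcode payload."""

# Mandatory single-leg items of the IATA BCBP layout, in order: (field name, width in chars).
BCBP_MANDATORY_FIELDS = [
    ("format_code", 1), ("legs", 1), ("passenger_name", 20),
    ("eticket_indicator", 1), ("pnr", 7), ("from_airport", 3),
    ("to_airport", 3), ("carrier", 3), ("flight_number", 5),
    ("julian_date", 3), ("compartment", 1), ("seat", 4),
    ("sequence_number", 5), ("passenger_status", 1),
    ("variable_field_size_hex", 2),
]
MANDATORY_LENGTH = sum(width for _, width in BCBP_MANDATORY_FIELDS)  # 60 characters

# Name plus PNR is what the airline "manage my booking" login asks for; flight number and
# date reveal future travel. Everything else on the pass is far less useful to a stranger.
SENSITIVE_FIELDS = {"passenger_name", "pnr", "flight_number", "julian_date"}

# Constructed sample: passenger DOE/JOHN, PNR ABC123, LHR->JFK, BA0117 on Julian day 256.
SAMPLE_BCBP = ("M1" + "DOE/JOHN".ljust(20) + "E" + "ABC123".ljust(7) + "LHR" + "JFK"
               + "BA ".ljust(3) + "0117".ljust(5) + "256" + "Y" + "012A"
               + "0042".ljust(5) + "1" + "00")


def decode_bcbp(payload: str) -> dict:
    """Split a scanned BCBP string into its mandatory fields plus the variable tail."""
    if len(payload) < MANDATORY_LENGTH or payload[0] != "M":
        raise ValueError("not a BCBP 'M' format payload")
    fields, pos = {}, 0
    for name, width in BCBP_MANDATORY_FIELDS:
        fields[name] = payload[pos:pos + width].strip()
        pos += width
    # The two hex digits give the length of the airline-specific conditional items that
    # follow (e.g. frequent flyer data), which is where extra personal data may hide.
    var_len = int(fields["variable_field_size_hex"] or "0", 16)
    fields["variable_field"] = payload[pos:pos + var_len]
    return fields


def exposed_fields(payload: str) -> dict:
    """Return only the fields a careless post would hand to a stranger."""
    return {k: v for k, v in decode_bcbp(payload).items() if k in SENSITIVE_FIELDS and v}


def redact_bcbp(payload: str) -> str:
    """Overwrite sensitive fields with 'X' while keeping every field at its fixed width."""
    out, pos = [], 0
    for name, width in BCBP_MANDATORY_FIELDS:
        chunk = payload[pos:pos + width]
        out.append("X" * width if name in SENSITIVE_FIELDS else chunk)
        pos += width
    return "".join(out) + payload[pos:]
```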

source: technewsworld.com


Ask any security practitioner about ransomware nowadays, and chances are good you'll get an earful. Recent outbreaks like Petya and WannaCry have left organizations around the world reeling, and statistics show that ransomware is on the rise generally.

For example, 62 percent of participants surveyed for ISACA's recent "Global State of Cybersecurity" survey experienced a ransomware attack in 2016, and 53 percent had a formal process to deal with it. While ransomware is already a big deal, it is set to become an even bigger deal down the road.

One of the questions organizations ask is what steps they can take to keep themselves protected. Specifically, what can they do to make sure the organization is prepared, protected and resilient in the face of an outbreak?

A strategy that can work successfully is the long-tested "tabletop exercise" -- that is, conducting a carefully crafted simulation (in this case, a ransomware situation) to test organizational response processes and validate that all critical elements are accounted for during planning.

This strategy works particularly well for ransomware because it encourages direct, frank and open discussions about a key area that is often a point of contention during an incident: the ransom itself.

What Is a Tabletop Exercise?

Invariably, in the context of an actual ransomware incident, someone will suggest paying the ransom. Sometimes it's a business team that sees the ransom as a small price to pay to get critical activities back on track. In other cases, it might be executives who are eager to defer what is likely to be a long and protracted disruption to operations. Either way, paying the ransom can seem compelling when the pressure is on and adrenaline is high.

However, most law enforcement and security professionals agree that there are potential downsides to paying the ransom. First, there is the possibility that attackers won't honor their end of the deal. A victim might pay them but lose its data anyway. Even if the attacker should follow through, there is the danger of creating a perception that the organization is a soft touch, which could induce attackers to retarget it down the road.