source:  securityweek.com

As long as computers have been in existence, there have been people trying to hack them. As technology has evolved and improved, so has the advancements for keeping cyberattacks at bay. But of course, as technology gets smarter, so do the hackers. For years, there has been a ceaseless cycle of organizations finding new ways to secure their data, while hackers continue to find ways to break in and access it.

Cybercriminals, or the “bad” hackers, hack because it’s profitable. A recent report showed that 72 percent of hackers are financially motivated. That means that if the economic incentives were minimized, many may find that it is no longer worthwhile to attempt a cyberattack. Of course, there are many nation state attackers and “hacktivists” who choose to hack for other, non-financial reasons. But for the large majority of cybercriminals attempting to make a buck, it’s important to find ways to deter these criminals from putting forth the effort to attack in the first place. 

Rather than focusing our efforts on stopping cyberattacks, what if we were to instead turn our focus to stopping the attackers themselves from having the incentive to attack in the first place? Here are a few ways to lessen these incentives in an effort to stop cybercrime at the source.

Make examples out of hackers. Hacking is unlike many other forms of crime in that it can entirely be done from the safety of your own home, behind the confines of a computer screen. The lack of public exposure leads many cybercriminals to believe they are above the law or otherwise safe from prosecution. Adding to this issue is the fact that many of these attackers live in countries that don’t have extradition treaties with the United States and their local governments may tolerate a certain amount of attacks. 

However, when law enforcement makes a high-profile arrest or indictment, such as the recent accusation of the parties responsible for the 2014 Yahoo hack, it can serve as a harsh reminder to others that they too could be subject to criminal prosecution. It is also promising to see an increase in coordination between international law enforcement entities to stop attacks, such as the 2016 arrest of the ringleader of a global scamming network that was led by Interpol and Nigeria’s anti-fraud agency. These examples further indicate that the old concept of being anonymous and unable to be caught is no longer applicable when cybercriminals are on the cover of news articles or behind bars. This reminder may be enough to dissuade hackers from attempting similar crimes.

Make hacking more costly. Hacking can be expensive, time-consuming work. Many attackers are put off by the possibility that they may spend countless hours of their lives developing a singular botnet or malicious website, only to have it stopped immediately. At the ecosystem level, the continued prevalence of taking down botnets and disrupting hacking organizations is a strong deterrence for those trying to exploit these vulnerabilities. Rebuilding servers requires time, effort and money for cybercriminals, many of whom may no longer wish to put in the level of work that it would take to get their activities back up and running. Hence there is usually a lot of leveraging of botnets that have already had a least one successful attack through repeat attacks at different sites or small modifications to it.

While it’s certainly plausible that more attacks may come in their place, the disruption could be significant enough to slow the hackers down and make their chosen line of work more costly. By stopping these activities in their tracks, especially those working on a large scale, it could discourage other hackers from developing similar tools, or repeating their previous attacks. As an example, there are efforts underway to do network-level botnet command and control infiltration.

Harden infrastructure. A common practice among cybercriminals is a reconnaissance phase, in which hackers do broad scans for systems that appear to be vulnerable. Implementing strong safeguards to make your organization appear secure is a key way to deter the economically-minded hackers who are looking for a quick payday. If you have strong security practices in place, you will look like a much less attractive target to the cybercriminals, who will likely choose to focus their efforts elsewhere in the hopes of targeting a more easily accessible option. Hardening includes efforts such as being diligent in upgrading software and hardware patches for known Common Vulnerabilities and Exposures (CVEs).

De-value data. Many hackers these days choose to focus their efforts on accumulating data that may be useful down the road – whether to exploit, sell or otherwise leverage the information they obtained through illegal means. However, if the data they are looking to acquire becomes much less valuable, they won’t be as motivated to acquire it.

For example, the payments industry has started cutting down on card-present credit card fraud with the introduction of EMV chips. Each time an EMV card is used for payment, the chip in the card creates a unique transaction code that cannot be used again. This means that if a hacker were to steal the chip information from a specific point of sale terminal, that transaction number would not be able to be used again, making it useless to attackers. This has made credit card information much less valuable to acquire, as it is almost impossible to reuse the information.

Similarly, two-factor authentication has made passwords less of a target for hackers – without the second authentication method, such as an individual’s cell phone, having a user’s password is virtually useless. Identifying methods such as these to lessen the allure of certain types of data is a great way to deter hackers from targeting your valuable information.

While there is no singular solution for stopping hackers in their tracks, by implementing a few of these measures, we can work to put an end to the real incentives that exist for hackers today. By removing the allure of hacking, we can hopefully incentivize cybercriminals to instead use their skills in a positive way, to benefit not only themselves but also the greater good.

 

 

source: cnet.com

After Microsoft learned about a flaw that let hackers disguise attacks in Word documents, it only took the company half a year to release a patch.

The exploit, which Microsoft reportedly learned about in October 2016, hid malware in .doc files and put Windows and Office users at risk. When a victim opened the .doc file, it would automatically connect to a server and download an HTML application that gave hackers full control of the device. The exploit worked on every version of Office.

Microsoft released a patch for the issue on April 11. Between the time that Microsoft learned about the flaw and actually fixed it, the Chicago Cubs won the World Series, the Samsung Galaxy Note 7 was recalled (twice), President Donald Trump was sworn into office and NASA found seven exoplanets likely to host life. Yeah, a lot of things can happen in six months.

Ryan Hanson, a security consultant for Optiv, first notified Microsoft about the vulnerability in October, Reuters reported on Thursday, before any hackers had used the exploit. Microsoft told Reuters that fixing the problem was tricky because it couldn't warn users without tipping off hackers.

"There are many factors that affect the length of time between the discovery of an issue and the release of a security update, as every vulnerability is different with its own unique challenges," a Microsoft representative said in a statement. "Ultimately, developing a security update is a delicate balance between timeliness and best quality."

 

Companies take a risk by dragging their feet on informing users about exploits. Yahoo is still dealing with a potential Senate hearing after Sen. Mark Warner argued the internet giant didn't inform users quickly enough about a breach that affected 500 million accounts. In Microsoft's case, hackers caught wind of the Office exploit before a patch had been released.

In January, McAfee noticed the first attacks using the vulnerability, which put up to 1.2 billion people using Microsoft Office at risk. Microsoft didn't learn about active attacks until March, when security firm FireEye shared its discoveries with the company.

Attacks skyrocketed after McAfee disclosed details of the bug on April 7, four days before Microsoft released its patch.

"We did not observe widespread activity until after information was disclosed by McAfee," a Microsoft spokesperson said.

The saga finally ended when Microsoft released its patch earlier this month. However, users who haven't updated Office remain vulnerable.

 

source: digitaltrends.com

Never short of an innovative idea or two, researchers at the Massachusetts Institute of Technology developed a new robotic system capable of 3D printing an entire building.

The system involves a tracked vehicle that carries a giant robot arm with a smaller precision-motion arm at one end, able to extrude concrete or spray insulating material. It also has additional digital fabrication end effectors, such as a milling head.

“For this project, we designed a robotic system that’s mobile so that it can go on site, gather its own energy through photovoltaics, and gather its own material to carry out fabrication using local materials like compressed earth or even ice,” Steven Keating, a mechanical engineering graduate who worked on the project, told Digital Trends. “Most importantly, we wanted to make sure that this could integrate into a construction site tomorrow — and would have incredible benefits compared to regular construction techniques.”

These benefits are numerous. For one thing, it can produce structures faster and cheaper than traditional construction methods. It could also be used to make more customized creations, based both on the local materials available and environmental conditions. 

source: eweek.com

We hear a lot about hacking these days, but in fact, hacking is nothing new. Even long before computers existed, people have tried to hack things. The public became aware of hacking as early as 1903, when Marconi’s wireless telegraph was hacked just as the technology’s capabilities were about to be demonstrated to a large crowd gathered at London’s Royal Institution.

Today, hacking has evolved into a wide-ranging web of cybercrime that is hard to avoid, with perpetrators carrying out their misdeeds for a variety of motives – selling data for profit, hacktivism, stealing state secrets, and revenge against former employers or enemies. But make no mistake, the prime motive is profit. The cost of cybercrime will top $2 trillion by 2019, according to Juniper Research.

The expansion of the Internet of Things (IoT), and its potential to connect every device that can be connected, creates even more opportunities for hackers. We’ve already seen hacks involving WiFi-connected insulin injectors, automobiles, baby monitors and webcams. The massive Oct. 21 DDoS (distributed denial of service) against DNS provider Dyn used hundreds of thousands of connected devices, including webcams, to block access to a host of popular websites, including Twitter, Netflix and the New York Times.

A Fact of Life

Hacking is a fact of life and it’s only going to become more widespread. The sooner we accept that, the better we can defend ourselves. Pretending it doesn’t exist, that it’s somebody else’s problem or some technical genius somewhere will come up with a silver bullet against cybercrime is unrealistic and dangerous.

Everyone has a responsibility to defend against cybercrime because it affects us all. With that in mind, here are six recommendations to protect against hackers and assorted cybercriminals:

  1. Be vigilant

Vigilance starts with awareness, so we all need to do our level best to learn the risks, their potential consequences, and how to avoid them. When it comes to logging on a WiFi network or a website, or connecting a new device at home or the office, follow this simple rule: Stop. Think. Connect. It’s the basis for a national cybersecurity campaign championed by the Department of Homeland Security encouraging everyone to be cyber-aware.