Big Brother watching you is bad enough. But Big Brother allowing hackers to watch you as well is worse.And that is increasingly the case, thanks to the indiscriminate, and insecure, collection of vehicle license plate data, according to recent reports from the Electronic Frontier Foundation (EFF) and the alt-weekly DigBoston.The technology at issue is Automated License Plate Readers (ALPR) – cameras mounted on patrol cars or stationary roadside structures like utility poles that record not just the plate number, but metadata including the date, time and location of the vehicle.EFF reported late last year that it had found, “more than a hundred ALPR cameras were exposed online, often with totally open Web pages accessible by anyone with a browser.” Those cameras were in several Louisiana communities; in Hialeah, Florida; and at the University of Southern California.To read this article in full or to leave a comment, please click here
On the face of it, Wyndham Hotels and Resorts dodged a major bullet from the Federal Trade Commission (FTC).After three major data breaches in 2008 and 2009 that compromised the credit card information of more than 619,000 customers and led to more than $10.6 million in fraudulent charges, the company earlier this month settled a lawsuit brought by the FTC that doesn’t require it to pay a penny in fines or even admit that it did anything wrong.To read this article in full or to leave a comment, please click here
Some members of Congress apparently think that by passing a law, they can beat ticket bots.The response of IT experts: Good luck with that.The intentions are the best, of course. Companion bills now pending in the House and Senate are aimed at stopping online ticket scalpers by banning the use of bots – software that can buy hundreds or even thousands of tickets or reservations before the average individual buyer even gets started.But a law isn’t going to stop the scalpers, according to experts including Rami Essiad, cofounder and CEO of Distil Networks. “You’re trying to combat an enemy you can’t see,” he said. “Making it illegal doesn’t allow you to see them. There’s a lot of legislation saying it’s illegal to hack, but there’s plenty of hacking still going on.”To read this article in full or to leave a comment, please click here
A deal announced two months ago between China and the U.S. was pitched as bringing an end to economic espionage.But if any business leader thinks that means their organizations are no longer a target, they haven’t been paying attention.That is the unanimous conclusion of a number of experts who have been tracking cyber attacks from China in the two months since Chinese President Xi Jinping and U.S. President Barack Obama announced that, “neither country’s government will conduct or knowingly support cyber-enabled theft of intellectual property (IP), including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.”To read this article in full or to leave a comment, please click here
Ted Koppel, anchor of ABC TV’s “Nightline” for 25 years, from 1980-2005, is the author of “Lights Out,” which argues that not only is the nation’s critical infrastructure at grave risk of a catastrophic cyber attack that could leave as much as a third of the nation without electricity for months or even a year, but that there is no government plan to respond to such an attack.[ ALSO ON CSO: Read our review of the book and if the industry agrees with Koppel ]Koppel spoke briefly with CSO earlier last week about those issues:What kind of feedback on your book are you getting from information security professionals? Do they think you’ve overstated the risk or not?To read this article in full or to leave a comment, please click here
Security experts regularly exhort organizations to improve their security not just internally but externally as well, in their business relationships with third parties.In many cases, it is more than an exhortation – it’s a mandate. Last year’s updated standards for the payment card industry (PCI) made a point of addressing third-party risks.But some evidence suggests an area of third-party relationships where security still lags is mergers and acquisitions (M&A).In a survey of, “214 global deal-makers from corporates, financial institutions, investors and legal services providers,” the London-based law firm Freshfields Bruckhaus Deringer found that while there is plenty of awareness (74 percent of acquirers and 60 percent of sellers) about the effect that cyber security risks can have on a pending deal, a large majority of respondents – 78 percent – “believe cyber security is not analyzed in great depth or specifically quantified as part of the M&A due diligence process.”To read this article in full or to leave a comment, please click here
Last Friday’s Oct. 1 deadline for so-called EMV or “chip-and-PIN” credit card technology to replace the 1960s-vintage “swipe-and-signature” magnetic stripe card system should not have been a surprise to any of the major players in the payment card industry (PCI) – merchants, card issuers and banks.Visa, one of the three developers of the EMV standard (along with Europay and MasterCard) announced in August 2011 – more than four years ago – that it would be moving to EMV in the U.S. (it has been in use in Europe for more than a decade). The EMV Migration Forum was created by the Smart Card Alliance in July 2012.To read this article in full or to leave a comment, please click here
Getting a top job in information security has never been as simple as just having the required training and experience. Yes, those are mandatory, but the modern hiring process also includes personality evaluations to determine the so-called “XQ” – whether a candidate would be a good “fit” for a position – background checks and yes, the personal interview.It is generally the final stop before either a job offer, or a perfunctory “thanks-for-your-interest” dismissal.And as the roles of the CISO and CSO have evolved in recent years from a relatively narrow focus as “guardians of the data” to members of the C suite who are expected to speak the language of business, participate in strategic planning and be perceived as business enablers rather than impediments, the interview has evolved as well.To read this article in full or to leave a comment, please click here(Insider Story)
Cybercriminals are maddeningly adaptable.If a Dark Web illicit marketplace gets shut down, others spring up almost immediately to take its place. If credit cards get tougher to hack, there is always spear phishing, poorly protected electronic health records or the unending variety of devices that make up the Internet of Things (IoT), most of which have little to no security built in.To read this article in full or to leave a comment, please click here
According to '70s hippie comics Cheech & Chong, “Everybody shares stuff, man.”Maybe if it’s weed. But, apparently not if it’s cyber threat information.Supposedly, creation of a federal framework for that kind of sharing among industries and government has been a priority for years for all parties involved – President Obama Congress and private sector enterprises that are under constant, ever-more-sophisticated attacks.But after years of proposals, there are still no results. And if privacy and civil liberties advocates prevail in the current dustup, there won’t be any results this year either.The latest effort – several bills on both the House and Senate side – have had varied success. Two House bills – the Protecting Cyber Networks Act, or PCNA (H.R. 1560) and the National Cybersecurity Protection Advancement Act of 2015, or NCPAA (H.R. 1731) – easily passed and were combined into one labeled H.R. 1560.To read this article in full or to leave a comment, please click here
One of the best ways to understand your enemy – what he’s up to, what his capabilities are and how he can damage you – is to spy on him.And according to some cybercrime experts, one of the easier and more effective ways to do that is to hang out where the bad guys do – on the Dark Web.In a recent post on Dark Reading, Jason Polancich, founder and chief architect of SurfWatch Labs, asserted that, “most businesses already have all the tools on hand for starting a low-cost, high-return Dark Web intelligence operations within their own existing IT and cybersecurity teams.”To read this article in full or to leave a comment, please click here
Credit card data isn’t quite the mother lode it once was for cyber thieves. Not only is its useful life generally brief, it also isn’t worth as much as it used to be.But cyber criminals are, among other things, adaptable. As Daniel Berger, CEO of Redspin puts it, "hackers are bad guys but good economists.” So they simply turn to something that provides a bigger bang for the buck.And that, increasingly, is the data you voluntarily turn over to doctors, hospitals and health insurers, known as PHI, or Personal Health Information.MORE ON CSO: How to spot a phishing email
The Identity Theft Resource Center reported in January that of reported breaches, the healthcare sector had the most for three years in a row, with 42.5% of the total in 2014.To read this article in full or to leave a comment, please click here
Tracking devices is nothing new. In the auto industry, multiple vendors compete to convince drivers to install the devices in their cars, promising that if it gets stolen, the cops will know right where to find it. In law enforcement, criminals on probation sometimes are required to wear an ankle bracelet that does the same thing – tells authorities exactly where they are.
It is also possible to do that with data. Digital watermarking can track where it is being viewed or downloaded, and also identify the IP address and the type of device doing it. It is not in widespread use, according to experts, and could in some cases have privacy implications, but its advocates say while it doesn’t prevent a data breach, it can let an organization that has been breached know about it almost immediately, instead of months later.To read this article in full or to leave a comment, please click here