
Addressing AI Risks: Best Practices for Proactive Crisis Management


An essential element of effective crisis management is preparing for both visible and hidden risks. A recent report by Riskonnect, a risk management software provider, warns that companies often overlook the potential threats associated with AI. Although AI offers tremendous benefits, it also carries significant risks, especially in cybersecurity, which many organizations are not yet prepared to address. The survey conducted by Riskonnect shows that nearly 80% of companies lack specific plans to mitigate AI risks, despite a high awareness of threats like fraud and data misuse. 

Out of 218 surveyed compliance professionals, 24% identified AI-driven cybersecurity threats, such as ransomware, phishing, and deepfakes, as significant risks. An alarming 72% of respondents noted that cybersecurity threats now severely impact their companies, up from 47% the previous year. Despite this, 65% of organizations have no guidelines on AI use for third-party partners, often an entry point for hackers, which increases vulnerability to data breaches. Riskonnect’s report highlights growing concerns about AI ethics, privacy, and security. Hackers are exploiting AI’s rapid evolution, posing ever-greater challenges to companies that are unprepared.

Although awareness has improved, many companies still lag in adapting their risk management strategies, leaving critical gaps that could lead to unmitigated crises. Internal risks can also impact companies, especially when they use generative AI for content creation. Anthony Miyazaki, a marketing professor, emphasizes that while AI-generated content can be useful, it needs oversight to prevent unintended consequences. For example, companies relying on AI alone for SEO-based content could risk penalties if search engines detect attempts to manipulate rankings. 

Recognizing these risks, some companies are implementing strict internal standards. Dell Technologies, for instance, has established AI governance principles prioritizing transparency and accountability. Dell’s governance model includes appointing a chief AI officer and creating an AI review board that evaluates projects for compliance with its principles. This approach is intended to minimize risk while maximizing the benefits of AI. Empathy First Media, a digital marketing agency, has also taken precautions. It prohibits the use of sensitive client data in generative AI tools and requires all AI-generated content to be reviewed by human editors. Such measures help ensure accuracy and alignment with client expectations, building trust and credibility. 

As AI’s influence grows, companies can no longer afford to overlook the risks associated with its adoption. Riskonnect’s report underscores an urgent need for corporate policies that address AI security, privacy, and ethical considerations. In today’s rapidly changing technological landscape, robust preparations are necessary for protecting companies and stakeholders. Developing proactive, comprehensive AI safeguards is not just a best practice but a critical step in avoiding crises that could damage reputations and financial stability.

Balancing Privacy and Authenticity in the Digital Age

The ubiquitous nature of online platforms has led to an increased risk of privacy breaches and data exploitation. While providing false information can serve as a protective measure against unwanted intrusions, it is essential to discern when such a strategy is appropriate. 

There are specific scenarios where employing fake information can mitigate privacy risks:

  • Advertising Platforms: Many advertising platforms collect user data for targeted advertising. Using fabricated information can reduce exposure to unsolicited advertisements and potentially prevent data breaches.
  • Public Wi-Fi Networks: Public Wi-Fi hotspots are often susceptible to cyberattacks. Providing personal information on these networks can compromise sensitive data.
  • Online Surveys and Quizzes: These platforms frequently harvest user data for marketing purposes. To safeguard personal information, it is advisable to use fictitious details.
  • Online Forums and Communities: While online forums offer a platform for interaction, they also pose risks to privacy. Employing pseudonyms and fake information can protect identity and prevent unwanted contact.
  • Low-Trust E-commerce Platforms: For one-time purchases from less reputable online retailers, particularly those not requiring physical product delivery, providing fake information can minimize data exposure.
  • Free Trial Sign-ups: Many free trial offers require personal information. To avoid subsequent spam and potential data misuse, using fabricated details is recommended.

Essential Platforms Requiring Authentic Information

Despite the benefits of using fake information in certain contexts, it is crucial to provide accurate details on platforms that demand authenticity:

  • Government Websites: Government platforms often require verified personal information for various services and processes.
  • Financial Institutions: Financial platforms, including banks and investment platforms, necessitate accurate information for account management and security purposes.
  • Professional Networking Sites: Professional networking platforms like LinkedIn and job application portals require authentic details for professional networking and employment opportunities.
  • Healthcare and Medical Websites: Medical and healthcare platforms necessitate accurate information for diagnosis, treatment, and medical records.

By carefully considering the nature of online platforms and the potential risks involved, individuals can effectively balance privacy protection with the need for authentic information.

Moreover, while using fake information can offer certain advantages, it is essential to comply with relevant laws and regulations. Misrepresenting oneself can have legal consequences.

ERP Firm Data Breach Exposes Over 750 Million Records


A leading Enterprise Resource Planning (ERP) company based in Mexico inadvertently left an unsecured database online, exposing sensitive information on hundreds of thousands of users. This was discovered by cybersecurity researcher Jeremiah Fowler, who reported his findings to Website Planet. According to Fowler, the database contained 769 million records and was accessible to anyone who knew where to look.

The exposed data included highly sensitive and personally identifiable information such as API keys, secret keys, bank account numbers, tax identification numbers, and email addresses. The database, which is 395GB in size, belongs to ClickBalance, a software provider that offers a range of cloud-based business services including administration automation, accounting, inventory, and payroll.

Website Planet describes ClickBalance as one of Mexico’s largest ERP technology providers. Upon discovering the database, Fowler immediately contacted ClickBalance, which secured the database within hours. However, it remains unclear whether any malicious actors accessed the data before it was secured or whether the data has been used in any malicious activities. Fowler emphasizes that only a comprehensive forensic investigation can determine the full extent of the exposure.

The exposure of tax identification numbers and bank account details poses significant risks, enabling cybercriminals to conduct fraudulent activities. The theft of active email addresses is particularly concerning, as it allows criminals to launch phishing attacks that can deliver malware and ransomware.

Despite the severe potential consequences, unsecured databases continue to be a common cause of data breaches. Many large enterprises and government organizations have been found with online databases lacking adequate protection. For instance, a previous incident resulted in the personal information of the entire Brazilian population being leaked.

How to Protect Your Online Accounts from Hackers


Hackers are increasingly targeting individuals to steal cryptocurrency, access bank accounts, or engage in stalking. Although these attacks are relatively rare, it's crucial to know how to protect yourself if you suspect someone has accessed your email or social media accounts.

A few years ago, I wrote a guide to help people secure their accounts. Many companies provide tools to enhance account security, which you can use even before contacting their support teams.

Here, we break down steps you can take across various online services.

First, it's important to note that these methods don't guarantee complete security. If you still feel compromised, consider consulting a professional, especially if you are a journalist, dissident, activist, or someone at higher risk.

Enable multi-factor authentication (MFA) on all your accounts, or at least the most critical ones like email, banking, and social media. This directory provides instructions for enabling MFA on over 1,000 websites. You don't have to use the recommended MFA app; many alternatives are available.

Some services also offer physical security keys or passkeys stored in password managers, providing high-level protection against password-stealing malware and phishing attacks.

Securing Your Gmail Account

If you suspect your Gmail account has been compromised, scroll to the bottom of your inbox and click on "Last account activity" in the bottom right corner. Then click on "Details" to see all the locations where your Google account is active. If you notice any unfamiliar activity, such as logins from different countries, click on "Security Checkup." Here, you can see which devices your account is active on and review recent security activity.

If you spot suspicious activity, click on "See unfamiliar activity?" and change your password. Changing your password will sign you out of all devices except those used for verification and third-party apps you've granted access to. To sign out from those devices, visit Google Support and click on the link to view apps and services with third-party access.

Consider enabling Google’s Advanced Protection for enhanced security. This feature makes phishing and hacking more difficult but requires purchasing security keys. It's highly recommended for individuals at higher risk.

Remember, your email account is likely linked to other important accounts, so securing it is crucial.

Checking Microsoft Outlook Security

To check if your Microsoft Outlook account has been accessed by hackers, go to your Microsoft Account, click on "Security" in the left-hand menu, and then under "Sign-in activity," click on "View my activity." You'll see recent logins, the platform and device used, browser type, and IP address. If anything looks suspicious, click on "Learn how to make your account more secure," where you can change your password and find instructions for recovering a hacked or compromised account.

Given that your email is often linked to other critical accounts, securing it is vital.

Securing Your Yahoo Account

Yahoo also provides tools to check your account and sign-in activity for unusual signs of compromise. Go to your Yahoo My Account Overview or click on the icon with your initial next to the email icon on the top right corner, then click on "Manage your account." Next, click on "Review recent activity." You can see recent activity on your account, including password changes, phone numbers added, and connected devices with their IP addresses.

Since your email is likely linked to sensitive sites like your bank, social media, and healthcare portals, it's essential to secure it diligently.

By following these steps and using the tools provided by these services, you can enhance the security of your online accounts and protect yourself from potential threats.
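The review described above (look at recent sign-in activity and flag logins from unfamiliar countries or devices) is done by hand on each provider's activity page. The following added example, which is not part of the original post, applies the same check programmatically to a constructed activity export; the record layout, the sample sign-ins and the owner's baseline of known devices and countries are all assumptions, and it goes one step beyond the post by also flagging a login that lands in a different country within two hours of the previous one.

```python
"""Review account sign-in activity for unfamiliar logins.

Added illustration, not from the original post. The record layout and the
sample data below are assumptions; real providers show this information
on their account-activity pages rather than through an API used here.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SignIn:
    when: datetime
    country: str
    device: str
    ip: str


# Constructed sample export: what a "recent activity" page might list.
SAMPLE_ACTIVITY = [
    SignIn(datetime(2024, 5, 1, 8, 5), "US", "Chrome on Windows", "203.0.113.10"),
    SignIn(datetime(2024, 5, 1, 12, 40), "US", "Gmail app on Android", "203.0.113.10"),
    SignIn(datetime(2024, 5, 1, 13, 15), "RO", "Firefox on Linux", "198.51.100.77"),
    SignIn(datetime(2024, 5, 2, 9, 0), "US", "Chrome on Windows", "203.0.113.10"),
]

# The owner's own baseline (assumed): devices and countries they really use.
KNOWN_DEVICES = {"Chrome on Windows", "Gmail app on Android"}
KNOWN_COUNTRIES = {"US"}


def find_unfamiliar_logins(activity, known_devices, known_countries):
    """Return (record, reasons) pairs for logins that deserve a closer look.

    A login is flagged when its device or country is outside the owner's
    baseline, or when it occurs in a different country less than
    `travel_window` after the previous login: two countries an hour apart
    is not something one person does with one account.
    """
    travel_window = timedelta(hours=2)
    ordered = sorted(activity, key=lambda r: r.when)
    flagged = []
    for i, rec in enumerate(ordered):
        reasons = []
        if rec.device not in known_devices:
            reasons.append("unfamiliar device")
        if rec.country not in known_countries:
            reasons.append("unfamiliar country")
        # Compare with the immediately preceding login for a country hop.
        if i > 0:
            prev = ordered[i - 1]
            if prev.country != rec.country and rec.when - prev.when < travel_window:
                reasons.append("country changed within %s of previous login" % travel_window)
        if reasons:
            flagged.append((rec, reasons))
    return flagged


def summarize(flagged):
    """One human-readable line per flagged login."""
    return [
        "%s %s %s (%s): %s" % (r.when.isoformat(), r.country, r.device, r.ip, "; ".join(why))
        for r, why in flagged
    ]


if __name__ == "__main__":
    for line in summarize(find_unfamiliar_logins(SAMPLE_ACTIVITY, KNOWN_DEVICES, KNOWN_COUNTRIES)):
        print(line)
```

On the sample data only the Romanian login is reported, with all three reasons; the next morning's login from the usual device is not, because it is back in a known country on a known device and well outside the travel window. The baseline sets are the part to adapt: the point of the check is to compare new activity against what you know is yours, which is exactly what the providers' activity pages ask you to do by eye.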

Microsoft Revamps Security Leadership, Empowering Deputy CISOs

Following a series of major security breaches, Microsoft is changing its security practices, organizational structure, and executive compensation, as government leaders and major customers increasingly pressure the company to address the issue.

A portion of the company's senior executive compensation will be tied to progress towards security goals, according to the company. Each product group will be headed by a deputy chief information security officer (CISO), and teams from the company's major platforms and product teams will be brought together in "engineering waves" to revamp security procedures. 

A new team of deputy chief information security officers has been set up by Microsoft in response to blistering criticism from federal officials in April about the lack of security governance. They will be embedded within engineering as part of a sweeping new security governance framework that has been implemented by Microsoft. 

Redmond will tie "part of the compensation of its Senior Leadership Team to our progress toward meeting the security milestones and plans that we set forth for the company," Microsoft security chief Charlie Bell announced on May 2. A spokesperson for Bell, Microsoft's Executive Vice President of Security, said on LinkedIn that the restructuring of the company's security leadership is part of Microsoft's Secure Future Initiative.

The initiative was introduced by Microsoft in November to raise the security level of its wide range of software products. In a blog post published on December 5, the company said that Igor Tsyganskiy, who has long served as its Chief Security Adviser, would be transitioning to a new role.

According to Bell, Tsyganskiy was expected to assume the role of chief information security officer in the New Year. Microsoft spokespersons said that Ann Johnson, a long-time corporate vice president at the company, will add the title of deputy CISO for customer outreach and regulated industries as a result of the changes.

Bloomberg first reported the changes regarding Microsoft's security chiefs. Johnson will be responsible for scaling customer engagement and communication about Microsoft's security. A new role for Microsoft CISO Igor Tsyganskiy will be devoted to nation-state actors and threat hunting.

The renewed scrutiny of Microsoft followed the findings reported by the Cyber Safety Review Board in early April, in which the company was heavily criticized for its response to the hack of Microsoft Exchange Online in the summer of 2023. The board found that the attack, in which 60,000 emails from the State Department were stolen and Gina Raimondo's account was hacked, was entirely preventable, and it criticized the company for focusing on product development and features over security for its customers.

The Cybersecurity and Infrastructure Security Agency has issued mitigation guidance to key federal agencies following a separate attack by the Russia-linked threat group Midnight Blizzard, in which the attackers stole credentials and source code.

Jess Burn, principal analyst at Forrester, said the Microsoft announcements were necessary steps, comparing them to recent announcements from other organizations that have appointed business information security officers. Before joining Microsoft, Tsyganskiy served as Chief Technology Officer at Bridgewater Associates LP, an investment firm that serves institutional clients such as pension funds, endowments, foundations, foreign governments, and central banks.

Tsyganskiy has also served as Senior Vice President of Product Management at Salesforce Inc. and as head of SAP SE's Advanced Technology Group. With the advent of technologies such as artificial intelligence (AI), which must be developed with a strong focus on cybersecurity, Microsoft is becoming more optimistic about the development of these technologies.

There is a commitment to reducing vulnerabilities within Microsoft's product ecosystem that sits at the core of the Secure Future Initiative. To minimize the risk of specific bugs that may be exploited by cyber attackers, the company plans to increase the use of memory-safe programming languages, such as Java, C#, and Python. 

Microsoft has also announced that it will use CodeQL, an open-source tool developed by GitHub for automated code vulnerability scanning, and will streamline its threat modeling procedures. The company plans to double the speed at which it fixes security flaws in its cloud services by accelerating the deployment of security patches through a remediation methodology called dSDL, which is based on continuous integration and continuous delivery.

The CSRB report called for the CEO and board to oversee all security initiatives directly and closely, and noted that all senior leaders should be held accountable for ensuring that the necessary changes are implemented as soon as possible. After the report was released, Senator Ron Wyden of Oregon cited Microsoft's "shambolic cybersecurity practices" as a reason to reduce the U.S. government's reliance on Microsoft software.

Bell wrote that Microsoft has decided to incorporate the recommendations made by the CSRB, as well as lessons learned from high-profile cyberattacks, into the changes announced Friday. Microsoft announced on Friday that it would change the compensation for the company's senior leaders, the top executives who report directly to Satya Nadella.

However, the company did not indicate how much of their compensation would be based on their security credentials. On the company's quarterly earnings call last week, Nadella hinted at these changes by saying the company would "put security before all else, before all other features and investments." He continued by adding that security will be a top priority. Friday morning, Nadella released an internal memo that elaborated on the themes presented in Bell's public blog post, delivering a directive to employees.

Cybercriminals Threaten Release of Stolen World-Check Database, Exposing Millions to Financial Risk


A financially motivated criminal hacking group, self-identified as GhostR, has claimed responsibility for the theft of a confidential database containing millions of records from the renowned World-Check screening database. The stolen data, totaling 5.3 million records, includes sensitive information used by companies for screening potential customers and assessing their links to sanctions and financial crime.
World-Check, a vital tool for conducting "know your customer" (KYC) checks, enables companies to identify high-risk individuals with potential ties to money laundering, government sanctions, or other illicit activities. The hackers disclosed that they obtained the data from a Singapore-based firm with access to the World-Check database, though the specific company remains unnamed. 

A portion of the stolen data encompasses individuals sanctioned as recently as this year. The compromised records include details of current and former government officials, diplomats, politically exposed persons (PEPs), individuals associated with organized crime, suspected terrorists, intelligence operatives, and even a European spyware vendor. These individuals are deemed high-risk for involvement in corruption, bribery, or other illicit activities. 

The stolen data comprises a wealth of sensitive information, including names, passport numbers, Social Security numbers, online cryptocurrency account identifiers, bank account numbers, and more. Such a breach poses significant risks, as it could potentially expose innocent individuals to unwarranted scrutiny and financial harm. 

Simon Henrick, a spokesperson for the London Stock Exchange Group (LSEG), which oversees World-Check, clarified that the breach did not originate from LSEG's systems but involved a third party's data set. While LSEG did not disclose the identity of the third-party company, they emphasized their commitment to collaborating with the affected party to safeguard data integrity and notify relevant authorities. 

Privately operated databases like World-Check are not immune to errors, raising concerns about the accuracy and fairness of their content. Past incidents, such as the 2016 leak of an older World-Check database, underscore the potential repercussions of erroneous data, including wrongful accusations and financial repercussions for innocent individuals. 

The breach highlights the critical need for enhanced cybersecurity measures and regulatory oversight to protect sensitive personal information and mitigate the risks associated with data breaches. As investigations into the incident continue, stakeholders must prioritize transparency, accountability, and proactive measures to prevent future breaches and safeguard consumer data privacy.

Cracking Down on Crime: Europol Shares Data on Europe's Top Threats

There has been a considerable increase in serious organized crime over the past few years, and it continues to pose a significant threat to the EU's internal security. The most threatening criminal networks operating in and affecting the EU need to be clearly understood by law enforcement and policymakers if they are to effectively prioritise resources and guide policy action. 

Certain traits make successful companies agile and resilient, able to anticipate trends and pivot to new environments rapidly while maintaining their operations at the same time. Europol released a report on Friday that indicated that the most threatening criminal networks across the EU are also equipped with these skills. 

Europol presented a report today (April 5) detailing the state of crime in Europe and flagging 821 criminal networks operating within EU territory as the most dangerous. Europol summed up the aim as making the invisible visible so that it can be known, fought, and defeated. To produce the report, Europol consulted law enforcement agencies from the 27 member countries, as well as 17 other states, which provided information and participation.

As Europol pointed out, some key characteristics distinguish the 821 most threatening criminal networks: they are agile, able to adapt their business processes in a short time and achieve economies of scale, which helps them overcome the obstacles that law enforcement puts in their way.

Although their activities often remain concentrated in a single country, criminal networks are borderless: they can operate in EU and non-EU countries without significant difficulty. They are also controlling, maintaining close surveillance over everything within the organization, and they generally specialize in a specific criminal activity. The 821 networks also make heavy use of corruption, which does significant damage to internal security.

According to Europol's report, 50 per cent of the most dangerous criminal networks are involved in drug trafficking, and for 36 per cent of those networks drug trafficking is their sole business. A total of 15 per cent of the organizations deal exclusively in fraud, while the remaining 6 per cent deal in human trafficking.

Regarding drugs, aside from heroin, cannabis, and cocaine, there is also the concern that there is the arrival of new substances on the European market such as Fentanyl, which has already caused thousands of deaths in the United States and has already reached a critical point. Recent months have seen massive shipments of drugs hidden in bananas that have been shipped throughout Europe. 

A shipment of bananas in the British Isles contained a shipment of more than 12,500 pounds of cocaine, which was found in February, breaking the record of the most drugs seized in a single seizure in British history. In August of last year, customs agents in the Netherlands discovered that 17,600 pounds of cocaine had been hidden inside banana crates inside Rotterdam's port. 

In the Italian port of Gioia Tauro, a police dog sniffed out 3 tons of cocaine hidden in a case of bananas three months earlier. Of the top ten criminal groups identified, nine specialize in cybercrime. These organizations, mainly run by Russians and Ukrainians, are active in France, Germany, Switzerland and the U.S.

They have up to 100 members, but have a core of criminals who are responsible for distributing ransomware to affiliates so that they can conduct cyber attacks. A core group of individuals are responsible for managing the negotiation and payment of ransoms, often in cryptocurrency, and usually pay affiliates 80% of their fee for carrying out an attack. 

As a result of their involvement in fraud schemes and providing cyber services and technology solutions, service providers provide crucial support to criminal networks. The methods used in these campaigns include mass mailings and phishing campaigns, creating fake websites, creating fake advertisements and creating social media accounts. 

According to Europol, such providers have also been supporting online fraud schemes and advising on the movement of cryptocurrencies online. Criminal networks also use countermeasures, such as encrypted telephones, to avoid detection by law enforcement. Others avoid electronic devices in all forms of communication and meet in person instead, so as to leave no digital footprint of their activities.

A report released by the European Commission stated that drug trafficking continues to stand out as the most significant activity in the EU countries and is witnessing record seizures of cocaine in Europe, as well as an increase in violent crimes linked to drugs, such as in Belgium and France.  

Half of the most dangerous networks in the criminal world are involved in drug trafficking in some form or another, whether on their own or as part of their overall portfolio. According to the report, more than 70% of networks engage in corruption “to facilitate criminal activity or obstruct law enforcement or judicial processes,” and “68% of networks use violence as an inherent element of their approach to conduct business,” which is consistent with their criminal activities.

It has been reported that gang violence has been rife in Antwerp for decades as the city serves as the main entry point for Latin American cocaine cartels into the European continent. Federal authorities say that drug trafficking is rapidly affecting society as a result of an increase in drug use throughout the whole country. 

Ylva Johansson, EU Commissioner for Home Affairs, said organised crime is one of the biggest threats facing society today, threatening it with corruption and extreme violence. During a press conference, Europol explained that the data it collected would be shared with law enforcement agencies in EU countries, which should help them better target criminals.

eBay Settles Blogger Harassment Case with $3 Million Fine


eBay has agreed to pay a substantial fine of $3 million (£2.36 million) in order to settle charges related to the harassment of bloggers who were openly critical of the company. The disturbing details emerged in court documents, revealing that high-ranking eBay executives, including Jim Baugh, the former senior director of safety and security, orchestrated a targeted campaign against Ina and David Steiner, the couple behind the newsletter EcommerceBytes, which the company's leadership disapproved of.

The court papers outline a series of alarming incidents, including the dispatch of live spiders and cockroaches to the Steiners' residence in Natick, Massachusetts. This relentless campaign of intimidation left the couple, according to prosecutors, in a state of being "emotionally, psychologically, and physically" terrorized. Jim Baugh, alongside six associates, allegedly spearheaded this effort to silence the Steiners, going to extreme lengths.

The harassment tactics escalated to sending live insects, a foetal pig, and even a funeral wreath to the Steiners' home. Moreover, Baugh and his associates reportedly installed a GPS tracking device on the couple's car, infringing on their privacy. Additionally, the perpetrators created misleading posts on the popular website Craigslist, inviting strangers to engage in sexual encounters at the Steiners' residence.

The aftermath of these reprehensible actions saw the termination of the involved employees by eBay. In the legal proceedings, Philip Cooke, an eBay employee, received an 18-month prison sentence in 2021, while Jim Baugh was handed a nearly five-year sentence in the subsequent year.

Baugh's defense claimed that he faced pressure from eBay's former CEO, Devin Wenig, to rein in the Steiners and control their coverage of the company. However, Wenig, who resigned from his position in 2019, has not been charged in connection with the harassment campaign and vehemently denies any knowledge of it.

Acting Massachusetts US Attorney Josh Levy strongly condemned eBay's conduct, labeling it as "absolutely horrific, criminal conduct." Levy emphasized that the employees and contractors involved in this campaign created a petrifying environment for the victims, with the clear intention of stifling their reporting and safeguarding the eBay brand.