
Banks offered the Central Bank of Russia to create a centralized mechanism to combat fraudsters

According to the Vice-President of the Association of Banks of Russia Alexey Voilukov, information processing can take several hours or even days, while a fraudster can withdraw money from the card within an hour.

President of the Association of Banks of Russia Georgy Luntovsky sent a letter to Vadim Uvarov, Director of the Information Security Department of the Bank of Russia, with a proposal to organize direct interaction between market participants in order to exchange data on suspicious transactions.

At present, financial organizations use an automated system to report to the regulator every operation that shows signs of having been performed without the customer's knowledge. The regulator then aggregates all the collected attack data and returns it to the banks in consolidated form. According to Alexey Voilukov, that processing can take several hours or even days, while a fraudster can cash out the card the money was transferred to within an hour.

Mr. Voilukov noted that a centralized mechanism would speed up the exchange of information roughly fivefold, and that in some cases the time to deliver it would fall to 20-30 minutes.

"For example, several people complained to the bank about unauthorized transfers within an hour. It detects the fraudulent account and promptly sends information about it to the organizations from which the money was transferred. With a quick response, there is a chance to prevent the theft," Mr. Voilukov explained. According to him, this way of working will make it possible to fight fraudsters who use social engineering methods.

The Central Bank said it would study the proposals. VTB, MKB, Rosbank and Tinkoff support the Association of Banks of Russia initiative. VTB added that the system for exchanging incident information needs to be improved, as this would speed up and automate banks' rapid response to fraudulent attacks.

Ozon launched a bug bounty on HackerOne


The reward for each bug found will depend on the degree of its impact on the service, the potential damage that the vulnerability can cause, the quality of the report and other factors

Ozon, one of the largest online stores in Russia, has launched its own vulnerability search program on the well-known HackerOne platform. Since Ozon is the first Russian e-commerce company to do so, it is hoped that it will set the right course for other projects.

To launch the bug bounty program, Ozon initially plans to invest $41,800 in working with researchers who search for vulnerabilities in its systems.

At the same time, not only Russian cybersecurity experts but also experts from abroad can participate in the online store program.

According to the company, the program will provide round-the-clock security monitoring; it will not replace the work of the Ozon IT laboratory team in securing Ozon's services but will complement it. Currently, more than 1,000 engineers work in the Ozon IT lab, and 3.5 million users visit the Ozon website and app every day.

"Now the company has the necessary resources not only to develop its own security services but also to work with the hacker community," said Ozon.

Today, not many Russian companies run an organized search for vulnerabilities. Among those that do are giants like Yandex, Mail.ru and Qiwi. Ozon became the next major project, as the company had the resources not only to develop its own security services but also to engage with the community of ethical hackers.

Like other companies' programs, Ozon's bug bounty pays a cash reward whose amount depends on the severity of the bug found. For example, the company may pay about $240 for an XSS vulnerability.

Something more dangerous, such as a remote code execution (RCE) vulnerability, can bring the researcher up to $1,600.

In May, HackerOne representatives said that the platform had paid researchers a total of $100 million over the entire lifetime of the project. And in early July, the list of the most generous HackerOne participating companies became known.

Russians will be able to buy alcohol using a mobile application instead of a paper passport


The digital experiment on the introduction of electronic passports in Russia will help to ensure the safety of citizens and identify the level of fraud attempts, said Russian Deputy Prime Minister Maxim Akimov.

According to him, the experiment will begin in the first half of 2020 in Moscow.

Earlier, E Hacking News published information that the Russian government has determined the basic parameters of the future electronic passport. Prime Minister Dmitry Medvedev said that the main version is a plastic card with a chip, which will be complemented by the secure mobile application "My passport".

Akimov specified that the experiment will cover only services that do not involve legally significant transactions. The "My passport" mobile application, replacing the paper passport, will work the way contactless payment for goods and services does, over short-range wireless data transmission.

For example, an electronic passport can be presented when buying alcohol or cigarettes, Akimov explained.

"The application will use Russian cryptography. In general, it will work approximately the way payment for goods and services using NFC (Near field communication) is working now," the Deputy Prime Minister said.

Moreover, during the experiment, people will be able to choose the design of the application and the color scheme, as well as to evaluate the usability and functionality.

Special readers, such as touchscreens for reading fingerprints or devices with face recognition technology, will be installed to control and block the sale of alcohol to people who are heavily intoxicated or who are driving a car.

The Deputy Prime Minister admitted that driver tracking systems using facial recognition technology may become mandatory in Russia within a few years to prevent people from driving while intoxicated. According to him, this is quite serious technology.

It is planned to put the person's surname, name, date and place of birth, as well as the validity period of the passport, on the plastic card with the chip (the card will be valid for ten years). In addition, the electronic passport will contain migration registration data, the Individual insurance account number (SNILS) and Individual Taxpayer Number (ITN), as well as the driver's license.


Moscow metro launched a new secure Wi-Fi network


MaximaTelecom has launched an encrypted ("closed") network in the Moscow metro, free for users who agree to watch ads. Most likely the company, which has operated in the metro for seven years, decided to do so after the scandal over the leak of user data.

It should be noted that MaximaTelecom is a Russian telecommunications company that has developed and commercialised public wireless networks since 2004 and operates Europe's largest public Wi-Fi network.

MaximaTelecom is beginning open testing of the closed Wi-Fi network in the metro, built on Hotspot 2.0 (Passpoint) technology. Since January 2019, testing of this network had been available only to the company's employees.

According to Boris Volpe, MaximaTelecom's CEO, Wi-Fi in the Moscow metro will become the largest secure public network in Europe after the introduction of Hotspot 2.0. Open testing will take three months.

According to a company representative, the network protects users from automatically connecting to phishing (evil-twin) access points, and Hotspot 2.0 encrypts the radio link, so traffic between the access point and the client device is protected from interception. The encryption comes from the WPA2-Enterprise (802.1X/EAP) authentication that Hotspot 2.0 requires; the protection against rogue access points, however, holds only if the client actually validates the certificate of the operator's RADIUS server. A client that skips that check will join a rogue access point running its own RADIUS server just as readily.
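What "protection against phishing points" depends on in Hotspot 2.0 terms, as an added example that is not MaximaTelecom's code or configuration: the client authenticates with 802.1X/EAP against the operator's RADIUS server, and it is the client's validation of that server's certificate that keeps an evil-twin access point from being joined. The script below embeds two constructed wpa_supplicant.conf fragments (the realm "metro.example", the CA file path and the server name are hypothetical) and audits their Passpoint `cred` blocks for the two settings that make that validation happen.

```python
"""Audit wpa_supplicant Hotspot 2.0 / Passpoint credentials for evil-twin resistance.

Added example, not MaximaTelecom's configuration. The realm "metro.example",
the CA file path and the RADIUS server name are hypothetical placeholders.
"""
import re

# Constructed fragment: authenticates with EAP-TTLS, but trusts any RADIUS
# server certificate, so a rogue AP with its own RADIUS server is joined too.
WEAK_CONF = """
interworking=1
hs20=1
auto_interworking=1
cred={
    priority=1
    realm="metro.example"
    username="rider"
    password="s3cret"
    eap=TTLS
    phase2="auth=MSCHAPV2"
}
"""

# Constructed hardened fragment: pins the operator's CA and the server's name.
HARDENED_CONF = """
interworking=1
hs20=1
auto_interworking=1
cred={
    priority=1
    realm="metro.example"
    username="rider"
    password="s3cret"
    eap=TTLS
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/metro-operator-ca.pem"
    domain_suffix_match="radius.metro.example"
}
"""

_CRED_BLOCK = re.compile(r"cred=\{(.*?)\}", re.S)
_KEY_VALUE = re.compile(r'^\s*(\w+)=("?)(.*?)\2\s*$')


def parse_creds(conf_text):
    """Return one dict per cred={...} block, with surrounding quotes stripped."""
    creds = []
    for body in _CRED_BLOCK.findall(conf_text):
        fields = {}
        for line in body.splitlines():
            match = _KEY_VALUE.match(line)
            if match:
                fields[match.group(1)] = match.group(3)
        creds.append(fields)
    return creds


def audit_cred(cred):
    """Return findings for one credential; an empty list means the server is pinned."""
    findings = []
    if "ca_cert" not in cred:
        # wpa_supplicant does not verify the server certificate at all without ca_cert.
        findings.append("no ca_cert: the RADIUS server certificate is not verified, so an "
                        "evil-twin AP can run its own server and capture the inner "
                        "MSCHAPv2 exchange for offline cracking")
    if "domain_suffix_match" not in cred:
        findings.append("no domain_suffix_match: any certificate chaining to the CA is "
                        "accepted, including one issued to a different host")
    return findings


def audit_conf(conf_text):
    """Audit every credential in a wpa_supplicant.conf text."""
    return [audit_cred(cred) for cred in parse_creds(conf_text)]


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        for index, findings in enumerate(audit_conf(conf)):
            print(f"{name} cred[{index}]: {findings or 'OK'}")
```

Passpoint selects the network by credential match (realm, roaming consortium) rather than by SSID, which is why a correctly provisioned client does not "automatically connect" to a look-alike hotspot; the `ca_cert` and `domain_suffix_match` lines are what turn that into an actual cryptographic check rather than a naming convention.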

It is interesting to note that the launch of the new network could be a delayed reaction to the scandal over the leak of user data. Recall that in April the programmer Vladimir Serov reported a major vulnerability in MaximaTelecom's Wi-Fi. According to him, it allowed attackers to obtain the phone numbers of all connected passengers, as well as unencrypted user data such as phone number, gender and age.

MaximaTelecom acknowledged the vulnerability and reported that it had been promptly closed by turning off the option to store data on users' movement between stations. Roskomnadzor sent a request for details, but no violations of users' rights were recorded.

"With the development of LTE services by mobile operators, the need for Wi-Fi services in the subway, encrypted or not, is reduced," commented MForum expert Alexei Boyko.

Earlier, E Hacking News reported that Tele2 had been found to be monitoring subscribers using a dangerous script. The company gains access to the data through the mass injection of scripts via a CDN.

Russian cyber security specialists massively quit from Russian banks



The Central Bank's information security requirements, which have increased dramatically over the past year, have led specialists in this field to leave banks for other industries. This situation creates risks for banks and their customers. Experts noted that hackers, who in 2019 shifted their attacks from banks to government bodies and industrial companies, may come back.

The banking market is in a dangerous situation, because leading information security experts are leaving banks and finding work in other industries.

According to Alexander Vinogradov, former head of the information security service at Zlatkombank, among his acquaintances alone 11 senior bank security officers have resigned from credit institutions and found work in other areas, such as telecom and retail.

"The guys are just tired: the load on information security specialists has increased many times over the past year, the requirements have increased many times, and many cannot stand the load," he said.

"Maximum responsibility and requirements with a very dubious return," said Denis Malygia, the former head of the service at the bank "Garant-invest", commenting on his decision to leave the post.

According to information security experts, there is another problem: banks' unwillingness to allocate budgets, which increases the risk of successful hacker attacks. Group-IB specialists said that 74% of banks are not ready for hacker attacks.

Experts believe that the departure of information security specialists from banks is a dangerous trend. Maria Voronova, the Director of Consulting at InfoWatch Group of Companies, said that personnel risks, in particular, shortage of personnel, are one of the main operational risks in the field of information security.

According to experts, it is rather difficult to find a replacement for those who quit the bank. It may take about six months to find a new head of information security service.

It is worth noting that in the first quarter of 2019, cyber attacks on the financial sector made up 6% of all attacks on legal entities. State institutions (16%), medical (10%) and industrial companies (10%) were the most popular targets. If banks' security systems become more vulnerable, hackers may switch back to this sector.

The Central Bank of Russia has found problems with cybersecurity in all verified Banks


This year the Bank of Russia checked 75 banks for compliance with cybersecurity requirements and found violations in every one of them. The head of the CBR, Elvira Nabiullina, announced this at the II International Cybersecurity Congress (ICC).

Nabiullina said, "Since last year, the Central Bank as a regulator has the authority to supervise financial institutions in terms of how they fulfill cyber security requirements. Last year we checked 58 Banks, this year - 75. Problems and violations were found in all of them."

The Chairman of the Central Bank added that the problems found in banks should not be considered critical, but they can become so over time if measures are not taken to prevent possible cybercrime.

Nabiullina noted that protection from cyber risks and the level of cybersecurity will in the near future become a competitive advantage for all companies. At the same time, the main shortcoming is that banks' business processes do not include cyber risk management.

The Chairman of the Central Bank drew attention to the fact that Russian bankers have no particular fear of hackers. Apparently for this reason, shortcomings or problems were identified in every financial organization.

According to Nabiullina, there is a neglect of cybersecurity in society, and the heads of companies do not understand the problem.

Nabiullina stressed, “Our task is to use new technologies and try to go a step further, keeping up with hackers.”

Russian Prime Minister Dmitry Medvedev also spoke at the ICC. He said that it was necessary "to develop global security standards". Medvedev also noted that crimes committed with the help of the Internet "have no boundaries."

It should be noted that earlier German Gref, CEO, Chairman of the Executive Board of Sberbank, expressed the opinion that the heads of large companies should be paranoid in the fight against cyber threats: "We are responsible not only for ourselves, but we have hundreds of millions of our customers."

Security flaws found in taxi booking apps

Experts of the Russian Quality System (Roskachestvo, http://roskachestvo.gov.ru/) concluded that the most popular taxi-ordering applications can leak personal data, such as bank card information.

The experts tested "Yandex.Taxi", Uber Russia, Maxim, Gett, City-Mobil, Rutaxi and Fasten. It turned out that almost half of the applications are vulnerable to DDoS attacks that can knock the service offline.

The test showed a number of potential vulnerabilities in the applications, for example weak hashing and encryption algorithms and insecure SSL implementations.

In response, the taxi services stated that their programs use a secure data transfer protocol and that all information is stored in encrypted form.

According to the experts, people should not order a taxi while connected to an open Wi-Fi network, or should install a VPN client on the device.
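The advice to avoid open Wi-Fi or use a VPN matters only because an app with an "insecure SSL implementation" lets whoever controls the network impersonate the server. The check below is an added example, not code from Roskachestvo's test or from any of the apps named above: it builds the two client configurations a reviewer meets most often and audits a context for the settings an open-network attacker exploits.

```python
"""Audit a TLS client context for the weaknesses behind 'insecure SSL implementation' findings.

Added example; not code from any taxi app or from Roskachestvo's test.
"""
import ssl


def insecure_context():
    """The classic shortcut: verification switched off so the app 'works' with
    any server certificate, including one presented by a rogue hotspot."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context():
    """create_default_context() already requires a certificate that chains to
    a trusted CA and checks the hostname; additionally refuse TLS below 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx):
    """Return findings for a client SSLContext; an empty list means nothing found."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: any certificate, including "
                        "a self-signed one from an attacker on open Wi-Fi, is accepted")
    if not ctx.check_hostname:
        findings.append("check_hostname is off: a valid certificate issued to a "
                        "different host is accepted, so a stolen or cheaply issued "
                        "certificate for any name works")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 are negotiable")
    return findings


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_context()), ("hardened", hardened_context())):
        print(f"{name}: {audit_context(ctx) or 'OK'}")
```

A client built like `hardened_context()` is safe on an open network as far as transport goes, which is why a VPN is a workaround for the app's defect rather than a fix; the findings list is what a reviewer would want the app's own TLS setup to come back empty on.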

Taxi applications are practical and convenient, but the quality of the service leaves much to be desired. In reality, companies do not take responsibility for the qualifications of taxi drivers, or for their absence, when it comes to litigation. It would not be surprising if next time companies also declined responsibility for the consequences of a personal data leak.

The database of patients of Moscow region ambulance leaked to the Internet

The patient database of the Moscow region ambulance service is publicly available on the web, stored on a file-hosting service; it is 17.8 GB in size. It contains the name of the person who called the ambulance, the contact phone number, the address, the date and time of the call, and a description of the patient's condition on the doctors' arrival.

A representative of the Ministry of Health said that the ambulance service's management system applied all the measures required by current law to protect information, that citizens' data is securely protected, and that only authorized employees have access to it.

Group-IB explained that the leak occurred through a MongoDB database server.

Anastasia Tikhonova, head of Group-IB's threat research group, said that the database was effectively in open access: it required no authorization and had no other security settings.

Anastasia added that a group of Ukrainian hacktivists, THack3forU, leaked the database online. They are activists who use computer hacking to promote the ideology of free speech and political freedom. Such attackers use leaks for political ends.

Andrei Arsentiev, an analyst at InfoWatch, explained that the cause of the leak was that the operator left the MongoDB cloud server unprotected, having failed to set a password.

Denis Legato, an anti-virus expert at Kaspersky Lab, stressed that the main problem in this situation was administrators' inattention to security settings.

It is worth noting that a month ago it became known about the leakage of the database of patients in the Lipetsk region. As a result, the Head of the Department of material and technical support of the Health Department lost his post.