China Could Be Exploiting Internet Security Process to Steal Data, Cyber Experts Warn

To access data from unsuspecting users, the Chinese Communist Party (CCP) could be exploiting a universal authentication process that’s thought to be secure, but in reality may not be, cybersecurity experts have warned.

While encryption remains the preferred method to secure digital data and protect computers, in some cases, the very digital certificates used for authentication on the internet are allowing the Chinese regime to infiltrate various computer networks and wreak havoc, they said.

Bodies around the world, known as “certificate authorities” (CA), issue digital certificates that verify a digital entity’s identity on the internet.

A digital certificate can be compared to a passport or a driver’s license, according to Andrew Jenkinson, CEO of cybersecurity firm Cybersec Innovation Partners (CIP) and author of the book “Stuxnet to Sunburst: 20 Years of Digital Exploitation and Cyberwarfare.”

“Without it, the person or device they are using cannot be according to industry standards, and vital data encryption could be bypassed, leaving what was assumed to be encrypted in plain text form,” Jenkinson told The Epoch Times.

Through cryptography, digital certificates are used to encrypt internal and external communications, preventing a hacker, for example, from intercepting and stealing data. But invalid or “rogue certificates” can manipulate the entire encryption process, and as a result, “millions of users have been given a false sense of security,” Jenkinson said.

Layers of False Trust

Michael Duren, executive vice president of cybersecurity firm Global Cyber Risk LLC, said that digital certificates are typically issued by trusted CAs, and equal levels of trust are then passed on to intermediate providers. However, there are opportunities for a communist entity, a bad actor, or another untrustworthy entity to issue certificates to other “nefarious folks” that would appear to be trustworthy but aren’t, he said.

“When a certificate is issued from a trusted entity, it’s going to be trusted,” Duren said. “But what the issuer could actually be doing is passing that trust down to someone that shouldn’t be trusted.”

Duren said he…


Are Cloud Computing Services Combating Challenges of Data Security, Compliance and Flexibility?

Cloud computing has become ubiquitous over the last ten years. Often, we barely even notice that we are using it to instantly move data and applications back and forth through the web. Like many workplaces, laboratories are increasingly looking to take advantage of cloud computing as a way to save time and resources, and as a cost-effective option to implement enterprise laboratory solutions.

By integrating cloud computing into all aspects of the scientific workflow, laboratories can harness the increased data security and improved performance delivered by the cloud. Cloud services enable laboratories to remotely access data, permitting scientists to view and process data sets outside the laboratory. A major benefit of cloud computing is that resources can be scaled up or down, easily and quickly, meaning it can be applied to anything from small single-site laboratories with minimal or no IT support to multi-site, multi-lab global corporations.

But how do laboratories integrate cloud systems into their pre-existing systems? Here, we discuss the challenges and benefits of operating in the cloud, focusing on how this model ensures data security and compliance, creating a flexible and scalable resource for all laboratories.

A nebular network of the Internet of Things (IoT)

Cloud computing is the delivery of on-demand computing resources over the Internet. Applications and data are hosted on centralized virtual servers in a cloud data center and accessed via an Internet connection. Usually, both the hardware and software required are paid for in small monthly payments, with users only paying for what is used. Different pricing models allow you to make savings over on-demand services, and it is possible to commit to an amount of compute over one or three years and pay a portion of the costs or all the costs upfront, maximizing savings.

Cloud computing has moved far beyond uploading photos and documents into storage systems and is more about connecting everyday objects into the IoT. Smart fridges, analytical machines, thermostats and HVAC (heating, ventilation and air conditioning) systems are all examples of instruments that are connected to the Internet for remote control and monitoring from personal…


Zimperium partners with PCI SSC to help secure payment data on mobile apps and devices

Zimperium announced it has joined the PCI Security Standards Council (PCI SSC) as a new Participating Organization. Zimperium will work with the PCI SSC to help secure payment data worldwide on mobile apps and devices. It will also leverage its threat research and technology to help evolve requirements and drive the adoption of PCI Security Standards.

The PCI SSC leads a global, cross-industry effort to increase payment security by providing flexible, industry-driven, and effective data security standards and programs. The keystone is the PCI Data Security Standard (PCI DSS), which provides an actionable framework for developing a robust payment card data security process and preventing, detecting, and mitigating criminal attacks and breaches.

As a Participating Organization, Zimperium adds its voice to the standards development process and will collaborate with a growing community of more than 800 Participating Organizations to improve payment security worldwide.

Zimperium will also have the opportunity to recommend new initiatives for consideration to the PCI Security Standards Council and share cross-sector experiences and best practices at the annual PCI Community Meetings.

“At Zimperium, our mission is to secure all our digital lives on mobile. Our unified platform leverages machine learning-based protection to secure mobile devices and applications — both of which are key to not just digital payments but e-commerce globally,” said Shridhar Mittal, CEO of Zimperium. “Joining the PCI Security Standards Council as a Participating Organization aligns with our overall vision. We are committed to raising awareness about risks impacting mobile and helping the adoption of necessary data security standards for safe payments worldwide.”


Hackers are selling millions of Acer customers’ data as a result of a data breach

Acer, a Taiwanese tech company, has announced that its servers in India were hacked, with hackers gaining access to 60GB of users’ data. This is the company’s second data security breach this year.

According to Hindustan Times, Desorden, the gang that claimed responsibility for the hack, accessed data containing individual customer information, corporate customer data, sensitive account information, and financial data.

The hacker group released a video including files and databases holding the information of 10,000 Indian clients. The organization also claimed to have access to over 3,000 sets of Acer retailer and distributor login passwords across India.

Privacy Affairs confirmed that much of the stolen material was accurate after contacting numerous affected parties. As a result, Acer and its customers are in an extremely vulnerable position.

According to the article, Acer said that it had discovered an isolated attack on its local after-sales service system in India and had enacted security processes, which were followed by a complete scan of its systems. The corporation also stated that it is alerting all clients in the country who may be affected.

According to Acer, the incident was reported to local law enforcement and the Indian Computer Emergency Response Team (CERT-In).

“We have recently detected an isolated attack on our local after-sales service system in India,” Acer told BleepingComputer. “Upon detection, we immediately initiated our security protocols and conducted a full scan of our systems. We are notifying all potentially affected customers in India.”

We believe Acer declined to pay up the last time a breach like this happened, which is likely why the attackers decided to sell the data rather than try to get Acer to pay up.

In any case, while it appears that Acer is moving in the right direction following the incident, it’s unclear whether the business will be able to recover the stolen data.

This is Acer’s second cyberattack in the last seven months. In March, REvil launched a ransomware attack on the company’s infrastructure. The attackers demanded that Acer pay a $50 million ransom for a decryptor in order to recover…