Tag Archive for: paying

Automakers risk cyberattacks by paying white hat hackers less

/in


The auto industry lags others in cybersecurity, said Mohammed Ismail, chair of the Electrical and Computer Engineering Department at Wayne State University in Detroit.

“With any new technology, this is a very typical situation,” he said. “When Wi-Fi and Bluetooth started 25 years ago, it took years for those technologies to be seamless and mature.”

Ismail estimates the auto industry needs about five more years of R&D to produce millions of predominantly software-based vehicles that are very secure.

Friendly hackers will help the industry get there.

“Using a bug bounty platform has proven to be an effective way to bring on board the knowledge and expertise of the security community,” Katja Liesenfeld, Mercedes-Benz Cars & Vans’ manager for IT communications, said in an email. “We cannot give more details on any technical details as the programs are private.”

Automakers are reluctant to talk about their reward programs and cybersecurity issues. Ford, Jaguar Land Rover, Nissan, Stellantis and Subaru declined to discuss their cybersecurity programs with Automotive News. BMW, Porsche and Volkswagen did not respond to queries. Honda said it doesn’t have a bug bounty program.

Nonetheless, most of the auto industry is proactive about cybersecurity issues, said Kevin Tierney, General Motors’ chief cybersecurity officer and vice chair of the Automotive Information Sharing and Analysis Center, known as Auto-ISAC. The group of automakers shares information about potential cyberthreats, vulnerabilities and incidents.

“Everyone’s making big moves and big investments,” Tierney said. “It’s not always obvious to the end consumer with everything that’s happening.”

GM started its bug bounty program in 2016. It is administered by HackerOne, of San Francisco, which also runs programs for BMW, Ford, Rivian and Toyota.

HackerOne’s automotive business jumped 400 percent from 2021 to 2022 as clients added services to their contracts. In addition to bug bounty management, HackerOne provides vulnerability disclosure programs, penetration testing of online systems and other services.

Source…

Are companies paying enough attention to cybersecurity culture among employees?

/in


The advent of new technologies such as cloud computing, big data, artificial intelligence, and the Internet of Things have made today’s IT world a lot different than what it was a decade ago. As the technology has been evolving substantially, so have the cyber criminals, with attacks getting increasingly sophisticated. 

The pandemic’s role in pushing companies of all sizes and sectors toward adopting an always-online mode and cloud and other cyber technologies is accompanied by a whirlwind of scams and fraudulent activity hitting companies in 2020 and 2021 with cybercriminals targeting employees’ access to the organization’s systems. 

In this time of digital disruption and increased cyber threats, many companies are focusing their cybersecurity efforts on the technology component—to the detriment of the human factor. When data is compromised, often it’s tied to negligence or failure in the cybersecurity system within the company or from a third-party working with the company.

First line of defense: Employees 

It is imperative that companies focus on building and sustaining a culture of cybersecurity and cultivate it in the workplace for effective cyber risk management. This would entail moving beyond the typical strategy used in which most businesses simply allocate a certain portion of their IT budgets or revenue to security without considering their actual needs. The approach must include helping employees realize that the risk is real and that their actions can have an impact on increasing or reducing that risk. Companies’ cybersecurity blanket must also include third-parties and others on their IT architecture.

Effective cybersecurity necessitates a persistent effort that covers employee behavior, third-party risks, and numerous other potential vulnerabilities in addition to application security, penetration testing, and incident management.

Enterprises spend millions of dollars on hardware and software but may neglect the simple act of properly training their employees on security practices. Teaching employees to recognize threats, curb poor cyber behavior, and follow basic security habits can provide the best return on…

Source…

Wawa paying state prosecutors $8M to settle malware data breach | Business

/in


Source…

It’s Time to Stop Paying for a VPN

/in


A caveat: VPNs are still great for some applications, such as in authoritarian countries where citizens use the technology to make it look as if they are using the internet in other locations. That helps give them access to web content they cannot normally see. But as a mainstream privacy tool, it’s no longer an ideal solution.

This sent me down a rabbit hole of seeking alternatives to paying for a VPN. I ended up using some web tools to create my own private network for free, which wasn’t easy. But I also learned that many casual users may not even need a VPN anymore.

Here’s what you need to know.

Not long ago, many websites lacked security mechanisms to prevent bad actors from eavesdropping on what people were doing when browsing their sites, which opened doors to their data being hijacked. This helped VPN services become a must-have security product. VPN providers offered to help cloak people’s browsing information by creating an encrypted tunnel on their servers, through which all your web traffic passes.

But in the last five years, the internet has undergone immense change. Many privacy advocates and tech companies pushed for website creators to rewrite their sites to support HTTPS, a security protocol that encrypts traffic and solves most of the aforementioned problems.

You’ve probably noticed the padlock symbol on your web browser. A locked padlock indicates a site is using HTTPS; an unlocked one means it’s not and is therefore more susceptible to attack. These days, it’s rare to stumble upon a site with an unlocked padlock — 95 percent of the top 1,000 websites are now encrypted with HTTPS, according to W3Techs, a site that compiles data on web technologies.

This means that VPNs are no longer an essential tool when most people browse the web on a public Wi-Fi network, said Dan Guido, the chief executive of Trail of Bits, a cybersecurity firm.

“It’s very difficult to find cases where people were harmed by signing on to the airport, coffee shop or hotel Wi-Fi,” he said. These days, he added, the people who benefit from a VPN are those working in high-risk fields and who might be targets, like…

Source…