
BA, BBC and Boots hit by cyber security breach with contact and … – Sky News

The BBC, British Airways, Boots and Aer Lingus have been caught up in a cyber incident that has exposed employee personal data, including bank and contact details, to hackers.

A ransomware group named Clop has claimed responsibility for the breaches centered around the MOVEit file transfer software.

In an email to Reuters on Monday, the hackers said "it was our attack" and that victims who refused to pay a ransom would be named and shamed on the group's website.

Work by Microsoft had earlier suggested that the Russian-speaking ransomware gang was behind the attack.

It emerged last week that a so-called zero-day vulnerability - a flaw - in the file transfer system MOVEit, produced by Progress Software, had been exploited by cyber criminals.

It had allowed the hackers to access information on a range of global companies using MOVEit Transfer.

Thousands of firms are understood to be affected.

UK-based payroll provider Zellis confirmed on Monday that eight of its clients were among them.

It did not name the organisations.

BA, however, confirmed it had been caught up in the affair.

The airline employs 34,000 people in the UK.

The BBC and Boots, which has 50,000 staff, said they had been affected too.

The broadcaster did not believe its employees' bank details had been exposed though company ID and national insurance numbers were compromised.

Current and former staff at Aer Lingus have also been affected, the airline said, but no financial or bank details nor phone numbers were compromised in the incident.

Analysis: Origins 'appear to have Russian links'

Experts said corporate victims could expect the group responsible to make contact with a list of demands within weeks.

In this instance, the compromised information included contact details, national insurance numbers and bank details.

BA told Sky News: "We have been informed that we are one of the companies impacted by Zellis's cybersecurity incident which occurred via one of their third-party suppliers called MOVEit.

"Zellis provides payroll support services to hundreds of companies in the UK, of which we are one.

"This incident happened because of a new and previously unknown vulnerability in a widely used MOVEit file transfer tool. We have notified those colleagues whose personal information has been compromised to provide support and advice."


A Boots spokesperson said: "A global data vulnerability, which affected a third-party software used by one of our payroll providers, included some of our team members' personal details.

"Our provider assured us that immediate steps were taken to disable the server, and as a priority we have made our team members aware."


Zellis said in its own statement: "A large number of companies around the world have been affected by a zero-day vulnerability in Progress Software's MOVEit Transfer product.

"We can confirm that a small number of our customers have been impacted by this global issue and we are actively working to support them.

"All Zellis-owned software is unaffected and there are no associated incidents or compromises to any other part of our IT estate.

"Once we became aware of this incident we took immediate action, disconnecting the server that utilises MOVEit software and engaging an expert external security incident response team to assist with forensic analysis and ongoing monitoring."

Charles Carmakal, chief technology officer at Google cyber security specialist Mandiant Consulting, said: "At this stage it is critical for victim organisations to prepare for potential extortion, publication of stolen data, and victim shaming.

"It is likely that the threat actor will soon begin to make contact with extortion demands and begin to work through their list of victims.

"Mandiant's investigations into prior campaigns from the suspected threat actor show that extortion demands are usually in the 7- or 8-figure range, including a few demands for more than $35m.

"Any organisation that had the MOVEit web interface exposed to the internet should perform a forensic analysis of the system, irrespective of when the software was patched," he warned.


"Watch out for scammers too. Some of our clients impacted by the MOVEit exploitation received extortion emails over the weekend.

"The extortion emails were unrelated to the MOVEit exploitation and were just scams, but organisations could easily confuse them as being authentic."

A MOVEit spokesperson said: "Our customers have been, and will always be, our top priority. When we discovered the vulnerability, we promptly launched an investigation, alerted MOVEit customers about the issue and provided immediate mitigation steps."

"We disabled web access to MOVEit Cloud to protect our cloud customers, developed a security patch to address the vulnerability, made it available to our MOVEit Transfer customers, and patched and re-enabled MOVEit cloud, all within 48 hours. We have also implemented a series of third-party validations to ensure the patch has corrected the exploit."

"We are continuing to work with industry-leading cybersecurity experts to investigate the issue and ensure we take all appropriate response measures. We have engaged with federal law enforcement and other agencies with respect to the vulnerability."

"We are also committed to playing a leading and collaborative role in the industry-wide effort to combat increasingly sophisticated and persistent cybercriminals intent on maliciously exploiting vulnerabilities in widely used software products."


MOVEit hack: BBC, BA and Boots among cyber attack victims – BBC

5 June 2023


The BBC, British Airways, Boots and Aer Lingus are among a growing number of organisations affected by a mass hack.

Staff have been warned personal data including national insurance numbers and in some cases bank details may have been stolen.

The cyber criminals broke into a prominent piece of software to gain access to multiple companies in one go.

There are no reports of ransom demands being sought or money stolen.

In the UK, the payroll services provider Zellis is one of the companies affected and it said data from eight of its client firms had been stolen.

It would not reveal names, but organisations are independently issuing warnings to staff.

In an email to employees, the BBC said data stolen included staff ID numbers, dates of birth, home addresses and national insurance numbers.

Staff at British Airways have been warned that some may have had bank details stolen.

The UK's National Cyber Security Centre said it was monitoring the situation and urged organisations using the compromised software to carry out security updates.

The hack was first disclosed last week when US company Progress Software said hackers had found a way to break into its MOVEit Transfer tool. MOVEit is software designed to move sensitive files securely and is popular around the world with most of its customers in the US.

Progress Software said it alerted its customers as soon as the hack was discovered and quickly released a downloadable security update.

A spokesperson said the firm is working with police to "combat increasingly sophisticated and persistent cybercriminals intent on maliciously exploiting vulnerabilities in widely used software products".

The US Cybersecurity and Infrastructure Security Agency issued a warning on Thursday to firms that use MOVEit, instructing them to download a security patch to stop further breaches.

But security researcher Kevin Beaumont said internet scans revealed thousands of company databases could still be vulnerable as many affected firms are yet to install the fix.

"Early indications are there are a large number of prominent organisations impacted," he said.

Experts said it is likely the cyber criminals will attempt to extort money from organisations rather than individuals.

No ransom demands have been made public yet but it is expected cyber criminals will begin emailing affected organisations to demand payment.

They will likely threaten to publish the stolen data online for other hackers to pick through.

Victim organisations are reminding staff to be vigilant of any suspicious emails that could lead to further cyber attacks.

Although no official attribution has been made, Microsoft said it believed the criminals responsible are linked to the notorious Cl0p ransomware group, thought to be based in Russia.

In a blog post the US tech giant said it was attributing attacks to Lace Tempest, known for ransomware operations and running the Cl0p extortion website where victim data is published. The company said the hackers responsible have used similar techniques in the past to steal data and extort victims.

"This latest round of attacks is another reminder of the importance of supply chain security," said John Shier, from cyber security company Sophos.

"While Cl0p has been linked to this active exploitation it is probable that other threat groups are prepared to use this vulnerability as well," he added.

The National Crime Agency told the BBC that it was aware that a number of UK-based organisations had been "impacted by a cyber incident", as a result of a previously unknown security flaw relating to MOVEit Transfer.

The NCA added it was "working with partners to support those organisations and understand the full impact on the UK".


Energy cybersecurity spend lags growing threat as firms think ‘it won … – Recharge

Cybersecurity is racing up the energy sector's agenda in response to growing fears of attacks but companies are still not spending enough to safeguard critical systems, says a new survey by global consultancy DNV.

In a sign of the rising prominence of cybersecurity in energy sector budgeting, 59% of 600 energy professionals surveyed said their organisation is investing more in this segment compared with last year, and 78% reckoned geopolitical uncertainty had made it more aware of the potential vulnerabilities in operational technology (OT).

Almost two thirds said they believe that their organisations' infrastructure is now more vulnerable to cyber threats than ever and that their focus on cybersecurity has intensified as a result of geopolitical tensions.

Yet only 42% said their organisation is investing enough in cybersecurity to safeguard critical systems, with just 36% describing investments as sufficient to secure their OT.

Jalal Bouhdada, DNV's global segment director for cybersecurity, stated: "While energy companies accept that cybersecurity risk is on the increase, some in the industry don't think an attack is something that will happen specifically to them, and they don't dedicate enough budget and resources."

Wind farms and associated power infrastructure have been identified as one of the sectors that is most vulnerable to cyber attacks due, in part, to reliance on remote operations and the need for multiple interfaces through technology such as inverters and transmission equipment.


DNV cited the example of a Russian cyber attack on satellite internet operator ViaSat in the second quarter of 2022, which had the effect of deactivating thousands of wind turbines in Germany when their satellite-dependent monitoring systems were taken offline.

Bouhdada told Recharge that this kind of vulnerability was not inherent to the wind sector, but could be exposed in the interfaces on older projects.

"The legacy systems for all new energies, including offshore wind, solar and hydrogen, can be more insecure. Interfaces can be particularly vulnerable if interconnections are not secured by design. This is being improved by a more holistic design approach to the whole life cycle," he said.

DNV noted that energy businesses are also responding by upgrading and connecting their legacy technology and infrastructure to improve safety, increase efficiency and decarbonise through increased electrification, based on a growing share of renewable generation.

The sector has to comply with a raft of new, stricter cybersecurity requirements in the coming years, as authorities encourage energy businesses to increase their resilience to emerging threats.

In the EU, much of the energy sector faces tougher regulation in the form of the revised Directive on Security of Network and Information Systems (NIS2) while the US Department of Energy is working on a National Cyber-Informed Engineering Strategy.

In the survey, 49% of the energy professionals point to regulation as the factor that will most likely unlock increased budgets for cyber security in their organisations, with 38% citing cyber incidents as the most likely catalyst for increased spending.

Six in ten industry professionals say that cybersecurity is now a regular fixture on the boardroom agenda.

"This is where regulation is important, as the need to comply with requirements makes it more likely that funding will be approved," Bouhdada told Recharge.

"An appetite for longer term investment is needed. The ad hoc approach is not working."

Cybersecurity skills shortages and barriers to collaboration, such as communication also emerged as key challenges to greater cyber resilience.

"If you're cyber secure, you're very likely to comply with regulation, but the reverse isn't always true: compliance doesn't guarantee security," Bouhdada stated. "It takes the right mindset, company culture, and access to skills to ensure regulation-driven investment translates into greater cyber resilience."

Ditlev Engel, chief executive for energy systems at DNV, stressed that cybersecurity is critical for the energy industry, for the industry's digital transformation and for the acceleration of the energy transition.

"Just as governments and energy companies know they need to transition faster to meet the targets of the Paris Agreement, they also know they need to urgently step up action on cyber security. And the two are connected: safety and security are enablers of the clean energy technologies that need to be deployed and operated at scale in the coming decades," he stated.

Almost 90% in the DNV survey said they see cybersecurity as a pre-requisite for digital transformation, pointing to a crucial role in attaining the gains in efficiency, safety and lower emissions that this revolution offers.


6th Cyber Security Innovation Series and Awards kicks off in Dubai

DUBAI, 6th June, 2023 (WAM) -- The 6th Edition of the Cyber Security Innovation Series and Awards kicked off today at The Meydan Hotel in Dubai. The event is organised by Market Solutions Events Management (MS Events), in partnership with the UAE Cybersecurity Council and with the support of Dubai Electronic Security Centre.

Held on 6th and 7th June, 2023, this prominent event aims to explore the cutting-edge realm of next-generation cybersecurity in the digital era.

Mohammed Hamad Al-Kuwaiti, Head of Cyber Security for the Government of the UAE, stated that the future of cybersecurity lies in the ability to understand and confront evolving threats and technological advancements to create an advanced and secure cyber environment.

He added that in 2022, the cost of global cybercrime exceeded 6 trillion dollars, doubling over five years, and it is expected that damages resulting from internet crimes will surpass 10.5 trillion dollars globally by 2023. Furthermore, ransomware attacks increased by 311 percent in the past year, highlighting the growing sophistication of attackers. He emphasised that approximately 95 percent of information security breaches are the result of human errors, underscoring the importance of employee awareness and training.

"We are thrilled to host the Cyber Security Innovation Series and Awards in Dubai," said Emirati architect and entrepreneur Madiha Salem, CEO and Founder of MS Events. "This event will bring together leading experts, government officials, and industry professionals to discuss the latest trends and strategies in cybersecurity. We believe that by fostering collaboration and knowledge sharing, we can collectively shape the future of cyber defence in the digital era."

The event is featuring an engaging agenda filled with thought-provoking keynotes, insightful panel discussions, and networking opportunities. Attendees are enjoying the chance to connect with industry experts and thought leaders, gaining valuable knowledge and insights into the latest trends, challenges, and strategies in the cybersecurity landscape.

The first day of the conference, June 6, kicked off with welcome remarks from MS Events, and the day was packed with engaging sessions, including VIP keynotes, thought leadership speeches, panel discussions, and informative keynotes by industry experts. Ayesha Almarzooqi, Permits Section Head, Dubai Electronic Security Center, delivered the opening keynote titled "From policies to certifications to harmonisation".

During the first day, Biju Hameed, Head of Technology Infrastructure Operations at Dubai Airports, delivered a VIP keynote on best practices for developing a comprehensive security strategy plan, emphasising the importance of consistent strategic planning, innovative practices, and effective communication to stakeholders.

Song Haibin, Chief Security Officer, Huawei Cloud Europe, presented a thought leadership keynote on redefining cloud security governance in the digital era, addressing the challenges on cloud security governance, and introducing 3CS (Cloud Service Cybersecurity & Compliance Standard) as a Unified Compliance tool for overall cloud security governance.

Ahmed Sherif, Senior IT Support Engineer & Cloud Solutions Expert, Government Entity moderated a panel discussion on key strategies for protecting critical resources and ensuring cyber defence in the cloud. The panellists were Adel Alhosani, CISO & Information Security Senior Manager at Dubai Customs, Dr. Ebrahim Al Alkeem Al Zaabi, Digital Transformation expert, Director at the Government of Abu Dhabi; Mohamed Al Maleki, Senior Information Security Specialist at the Federal Tax Authority, and Ashraf Esmat Khalil, Senior Solution Architect at Huawei Middle East and Central Asia.

The second day of the conference, June 7, will begin with a VIP Majlis hosted by Huawei, followed by opening remarks from MS Events. Keynotes and panel discussions will continue to explore critical cybersecurity topics, including ransomware response, governance, risk management, compliance, and the future of cybersecurity.

Day 2 will see Dr. Al Kuwaiti deliver a VIP keynote address on cybersecurity predictions and best practices for 2023-2024, providing valuable insights into the future of cybersecurity in the digital age, followed by the Cybersecurity innovation awards ceremony, recognising exceptional achievements in the field of cybersecurity.

Dubai Electronic Security Centre will launch a Huawei cloud security whitepaper, and Dr. Alyosius Cheang, Huawei Middle East & Central Asia Chief Security Officer, will deliver a thought leadership keynote on the cybersecurity playbook in the digital era, sharing strategic insights and best practices to safeguard the journey to the Cyberverse.


Cisco security head: AI could be bigger than the internet – TechRadar

The rise of AI could cause a bigger overall shift than such groundbreaking initiatives as the actual internet itself, Cisco's top security head has predicted.

Jeetu Patel, Cisco EVP and General Manager, Security & Collaboration, noted that AI was helping in what he called the fourth era of user experience, after command line, graphical user interfaces (GUI), and touch-based interfaces.

"We're experiencing a massive shift when it comes to AI... I think it will be bigger than the internet," he told a press and analyst session at the company's Cisco Live 2023 event in Las Vegas.

Patel was particularly enthused about generative AI, especially when it came to machines understanding language, which he says "changes the entire idea and thesis of how software design has worked in the past few decades".

Having announced it at last year's event, Patel was able to share more information in the company's main keynote on its Cisco Security Cloud offering.

He likened security services to the various parts of an orchestra - which may sound great individually, but can clash without the proper control or management the company says Cisco Security Cloud can provide.

"The security industry grew up as one that was in patchwork," Patel said. "The world needs security defenses that are completely synchronized (and) this is what we set out to do - provide a platform for security."

AI is set to play a major part in this, with a new generative AI-powered Policy Assistant allowing IT teams to describe granular security policies and evaluate how to best implement them across different aspects of their security infrastructure, reducing complexity.

Also announced was SOC Assistant, which will support the Security Operations Center (SOC) to detect and respond to threats faster, providing a quick summary, contextualizing events across email, the web, endpoints, and the network to tell the SOC analyst exactly what happened and the impact.

At the media session, Patel was keen to highlight the high amount of coordination between Cisco Security Cloud and Cisco Network Cloud - with the similar naming convention only being the start of the partnership.

"You can't be in the connectivity business if you're not in the protection business," Patel noted. "Where we will shine is not just where we build great security or networking products... it's where security meets the network."


php[tek] 2023 A Community Of Communities Powering The Internet – Security Boulevard

Chicago is famous for many reasons, including the Bears, specific style of hot dogs, and of course, for giving the world skyscrapers. PHP is also known for legendary architecture, being the underlying language for 77.5% of the web via frameworks like Laravel, Drupal, and WordPress. Community members from all over the world, representing all those frameworks and more, got together for php[tek] 2023.

This was the 15th annual convention of PHP, where users shared knowledge and best practices for leveraging the language that came to define the internet over the last 28 years. There was a real sense of community at the event, summarized very succinctly in the day one keynote, "Let Go of Ownership," from Tim Lytle. He encouraged us to think about our code and the community not as things we own but as things we are entrusted to take care of over time. He said we should think in terms of stewardship, which is a word that sums the subject up nicely.

Over the three days of the event, speakers told their stories about working with PHP and the opportunities it has afforded them. They also dove into some highly technical topics, even showing how PHP itself is compiled. Multiple speakers also covered security and customer data compliance. Here are just a few highlights from the event.

In his talk, "The Many Layers of OAuth," Keith Danger Casey walked us through OAuth, the open protocol to allow secure authorization. He described OAuth through the analogy of a fancy hotel.

In a hotel, you present your credit card and another form of ID to the front desk to prove you are who you say you are. They check you are authentic and expected. They then issue you a hotel key card to get into your room, the gym, and any other restricted areas. The benefit of the key card is that you do not need to constantly re-prove who you are with your complete ID and credit card. The key cards also automatically expire and are easily replaceable.

In OAuth language, the front desk is the OAuth Authorization Server. The key card is your Access Token. Your room and all the other areas where you are allowed access with your key card are the system Resources.

This model achieves the main goals of OAuth:

Delegation: sharing access without sharing credentials.
Scoping and expiration: granting limited access for a short amount of time.
Separation: keeping policy decisions apart from enforcement mechanisms.

One crucial point that Keith noted is that OAuth itself does not specify how you do the authentication, just authorization. Authentication, often abbreviated as AuthN, verifies you are who you say you are. This is commonly achieved through opening a web browser and having you log in through another trusted service like GitHub or Google, relying on OpenID Connect. Authorization, abbreviated as AuthZ, is concerned with whether you are allowed to perform an action or access a resource.

You end up with a three-step security process where you prove who you are, AuthN, then get approval to reach certain resources, AuthZ, before finally accessing those resources by using the token the process provides.

Attackers commonly target each of these steps and the connections required throughout the process. It is vital to think through security at each of these vectors. This starts by always using HTTPS to prevent man-in-the-middle attacks. It is also important to scope any tokens appropriately, only allowing authorization for the resources required to complete the work. Tokens also need to be short-lived; the shorter the time to live, the better.
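The three checks this paragraph asks for at the resource (HTTPS only, short-lived tokens, narrowly scoped tokens) can be made concrete in a resource-server guard. The block below is an added example, not code from Keith Casey's talk or from any OAuth library; the `$introspection` array borrows the field names of an RFC 7662 token introspection response (`active`, `scope`, `exp`), while the helper name, the hotel-themed scopes and the sample tokens are constructed for this demo.

```php
<?php
declare(strict_types=1);

// Added example (assumed helper name). Decides whether a bearer token may reach
// a resource, applying the checks from the text: transport, expiry, scope.
// Returns null when the request is allowed, otherwise the reason for refusal.
function authorizeResourceAccess(array $introspection, string $requiredScope, bool $overTls, int $now): ?string
{
    // 1. Transport: a token carried over plain HTTP can be read or swapped in transit.
    if (!$overTls) {
        return 'refuse: request not made over HTTPS';
    }
    // 2. The authorization server must still consider the token live (not revoked).
    if (($introspection['active'] ?? false) !== true) {
        return 'refuse: token inactive or revoked';
    }
    // 3. Expiration: a short time-to-live limits what a leaked token is worth.
    if (!isset($introspection['exp']) || $introspection['exp'] <= $now) {
        return 'refuse: token expired';
    }
    // 4. Scoping: the token must carry the one scope this resource needs, nothing implied.
    $granted = explode(' ', $introspection['scope'] ?? '');
    if (!in_array($requiredScope, $granted, true)) {
        return "refuse: scope '{$requiredScope}' not granted";
    }
    return null;
}

// Constructed sample introspection responses (the "key cards" of the hotel analogy).
$now     = 1_700_000_000;
$good    = ['active' => true, 'scope' => 'rooms:read gym:enter', 'exp' => $now + 600, 'sub' => 'guest-42'];
$expired = $good; $expired['exp'] = $now - 1;
$narrow  = $good; $narrow['scope'] = 'rooms:read';

$cases = [
    'good over https'  => authorizeResourceAccess($good, 'gym:enter', true, $now),
    'good over http'   => authorizeResourceAccess($good, 'gym:enter', false, $now),
    'expired'          => authorizeResourceAccess($expired, 'gym:enter', true, $now),
    'scope too narrow' => authorizeResourceAccess($narrow, 'gym:enter', true, $now),
];
foreach ($cases as $label => $result) {
    printf("%-18s %s\n", $label, $result ?? 'allow');
}
```

Only the first case prints `allow`; each other case is refused with the reason from the matching check. The order matters: the transport check runs before anything derived from the token is trusted, and the scope check uses strict string matching so that `gym:enter` is never satisfied by a merely similar scope name.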

Keith also echoed a lot of these same lessons about security in his other talk at the event, "Webhooks: Lessons (Un)learned." Keith was responsible for the initial research that became the website webhooks.fyi. While investigating webhooks, he realized that every company does them slightly differently, but there are some underlying security concerns that we all need to be aware of.

It is vital to secure the payload itself. There are a number of ways to accomplish this, from having shared secrets or using OAuth, to much more secure methods like keyed-hash message authentication codes (HMAC) or mutual TLS (mTLS). It is also important to protect against 'replay attacks' by using timestamps. We are proud to say that GitGuardian Custom Webhooks make use of HMAC and timestamps to keep our customers safe.
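As an added illustration of the HMAC-plus-timestamp pattern described above (this is example code, not GitGuardian's webhook implementation or anything from webhooks.fyi), the block below signs a delivery on the sending side and verifies it on the receiving side. The header name is left out; the `t=<unix>,v1=<hex>` signature layout, the five-minute tolerance window and the sample secret and body are all assumptions made for the demo.

```php
<?php
declare(strict_types=1);

// Added example. Tolerance window for the timestamp is an assumed value.
const WEBHOOK_TOLERANCE_SECONDS = 300;

// Sender: the MAC covers the timestamp and the body together, so an attacker
// cannot keep a valid MAC while changing either one.
function signWebhook(string $secret, string $body, int $timestamp): string
{
    $mac = hash_hmac('sha256', $timestamp . '.' . $body, $secret);
    return "t={$timestamp},v1={$mac}";
}

// Receiver: returns null when the delivery is authentic and fresh, otherwise
// a short reason string that can be logged.
function verifyWebhook(string $secret, string $body, string $header, int $now): ?string
{
    if (!preg_match('/^t=(\d+),v1=([0-9a-f]{64})$/', $header, $m)) {
        return 'malformed signature header';
    }
    $timestamp = (int) $m[1];
    // Replay protection: a captured delivery stops verifying once the window passes.
    if (abs($now - $timestamp) > WEBHOOK_TOLERANCE_SECONDS) {
        return 'timestamp outside tolerance window';
    }
    $expected = hash_hmac('sha256', $timestamp . '.' . $body, $secret);
    // hash_equals compares in constant time, so the comparison itself leaks no timing information.
    if (!hash_equals($expected, $m[2])) {
        return 'signature mismatch';
    }
    return null;
}

// Constructed demo values.
$secret = 'whsec_example_do_not_use';
$body   = '{"event":"secret.detected","id":"evt_1"}';
$sent   = 1_700_000_000;
$header = signWebhook($secret, $body, $sent);

$cases = [
    'fresh, untouched body' => verifyWebhook($secret, $body, $header, $sent + 10),
    'body altered in transit' => verifyWebhook($secret, $body . ' ', $header, $sent + 10),
    'replayed an hour later' => verifyWebhook($secret, $body, $header, $sent + 3600),
    'garbage header' => verifyWebhook($secret, $body, 'v1=abc', $sent),
];
foreach ($cases as $label => $result) {
    printf("%-24s %s\n", $label, $result ?? 'accepted');
}
```

The timestamp is checked before the MAC so that an old capture is rejected cheaply, and the MAC is computed over the raw request body exactly as received, not over a re-serialised copy, since any change in whitespace or key order would produce a different digest.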

Back on the topic of APIs, Tim Bond talked about external threats in his session "Attackers want your data, and they're getting it from your API." He said APIs are everywhere, including, in the broadest sense, the front of your website.

The first step to securing your API is limiting the responses to only the data absolutely needed to make the app work. HTTPS should always be enforced, echoing what Keith said earlier in the event. He also encouraged using "certificate pinning," where you only accept specific, pre-approved certificates. If possible, he suggests enforcing dynamic integrity checking, as you can do through the Google Play store.

One way you can discourage attackers is by rate limiting. Hackers will often try to enumerate endpoints, especially around user IDs. Someone looking up `user/123`, `user/124`, then `user/125` in rapid calls is likely someone up to no good. Shutting them down should not interfere with legitimate business. Further, he suggested using Unique User IDs, UUIDs, so instead of sequential user numbers, each is assigned a long random number that is unrelated to other user IDs. For example, instead of `user/123`, making them `user/SINFKLDFDF51F` will make it harder for an attacker to guess what other user IDs could be.
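The two defences in this paragraph, spotting a client walking through `user/123`, `user/124`, `user/125` and handing out non-sequential identifiers instead, are shown together below. This is an added example, not code from Tim Bond's session; the access-log format, the thresholds (four consecutive ids within ten seconds) and the function names are assumptions, and the log lines are constructed for the demo.

```php
<?php
declare(strict_types=1);

// Constructed access-log sample: client IP, unix time, method, path.
$sampleLog = <<<'LOG'
203.0.113.5 1700000000 GET /user/123
203.0.113.5 1700000001 GET /user/124
203.0.113.5 1700000001 GET /user/125
203.0.113.5 1700000002 GET /user/126
198.51.100.9 1700000000 GET /user/42
198.51.100.9 1700000090 GET /user/43
LOG;

// Assumed log layout: four space-separated fields per line.
function parseLog(string $log): array
{
    $entries = [];
    foreach (explode("\n", trim($log)) as $line) {
        [$ip, $t, , $path] = explode(' ', trim($line));
        $entries[] = ['ip' => $ip, 't' => (int) $t, 'path' => $path];
    }
    return $entries;
}

// Flag clients that request $minRun or more consecutive numeric user ids
// within $windowSeconds; returns the list of offending IPs.
function findEnumerators(array $entries, int $minRun = 4, int $windowSeconds = 10): array
{
    $byClient = [];
    foreach ($entries as $e) {
        if (preg_match('#^/user/(\d+)$#', $e['path'], $m)) {
            $byClient[$e['ip']][] = ['t' => $e['t'], 'id' => (int) $m[1]];
        }
    }
    $flagged = [];
    foreach ($byClient as $ip => $reqs) {
        usort($reqs, fn($a, $b) => $a['t'] <=> $b['t']);
        $run = 1; // length of the current consecutive-id run, ending at index $i
        for ($i = 1, $n = count($reqs); $i < $n; $i++) {
            $sequential = $reqs[$i]['id'] === $reqs[$i - 1]['id'] + 1;
            $inWindow   = $reqs[$i]['t'] - $reqs[$i - $run]['t'] <= $windowSeconds;
            $run = ($sequential && $inWindow) ? $run + 1 : 1;
            if ($run >= $minRun) {
                $flagged[] = $ip;
                break;
            }
        }
    }
    return $flagged;
}

// Non-sequential public identifier: 128 random bits, hex encoded, so one id
// reveals nothing about the next. Use this in URLs instead of the row number.
function newPublicUserId(): string
{
    return bin2hex(random_bytes(16));
}

print_r(findEnumerators(parseLog($sampleLog))); // only 203.0.113.5 is flagged
echo newPublicUserId(), "\n";
```

The second client in the sample also fetches two adjacent ids, but ninety seconds apart, so it stays below the window and is not flagged; tuning `$minRun` and `$windowSeconds` against real traffic is what keeps the rate limit from interfering with legitimate use. The random identifier should be stored alongside, not instead of, the internal primary key, so database joins keep working while the exposed value is unguessable.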

Toward the end of his session, Tim suggested familiarising yourself with the OWASP API Security Top 10. For those who wanted to dig deeper, he suggested the free training course from PortSwigger.

Data privacy laws are always evolving, and it can be tricky to keep up to date with the latest news. That is why we were all glad for the session "Data Privacy in Software Development" by Jana Sloane, an attorney at Microsoft. She was quick to state that this session was not giving legal advice but was intended to point us in the right direction to know how to talk to internal legal teams. Having those conversations early in the development lifecycle can help keep everyone compliant and safe.

Jana gave us a brief overview of today's data privacy landscape. In the US, every state has implemented its own framework. In the EU, it is a little clearer, thanks to legislation like GDPR, but she said there is a lot of case law being worked out right now, so talking to legal teams earlier in the process can help you stay ahead of what is on the horizon. In addition to government regulation, software developers need to be aware of any contractual obligations their company must comply with. For example, ensuring your new feature or product will still fall within SOC II compliance is important so there are no surprises when you try to launch.

When thinking about access management, who can get our data, we need to ensure data is:
1. Necessary and proper: we are only collecting what is truly needed for the application to work.
2. Accessed by proper personnel: there is a clear log and authorization policy in place for anyone or any service that can obtain the data.
3. Used correctly: if you say exactly what you will use the data for in the terms of service, you must limit the use to only those purposes.
4. Retained accurately: properly storing data means encrypting the data properly and thinking through geolocation issues, only storing it in places allowed by data sovereignty law.

Lastly, you should have a clear policy for how long you are allowed to keep user data. It should not be forever. Your policy should also allow the user to request for it to be deleted at any time. Any time you want to use the data for a new or different reason, you need to inform the customer and have them opt in to the new use, letting them opt out of the system if they choose.

Scott Keck-Warren began his session "Reducing Bugs With Static Code Analysis" by telling the story of breaking live production websites when he tried to fix bugs on the live server. He quickly learned that there needed to be a way to test his fix before it got to the production machine.

His team moved to manual code analysis, which was a step up from breaking production, but was slow and error-prone. Human beings were still too involved in the process. His team next moved to dynamic testing. While dynamic testing is much more reliable overall, it takes a while to run. What they finally found that was both fast and reliable was a form of source code analysis, or SCA, called static code analysis. This allows the code to be analyzed without needing to go through a build step and can save a lot of time and resources.

He found PHP-specific tools like PHPStan and PHP_CodeSniffer were a good fit for their needs, given the codebase was mostly PHP. He is also a fan and user of Rector, a tool that "instantly upgrades and refactors the PHP code of your application."

What made these tools truly successful for his org was consistent use, through automation. His favorite way of automating testing is through git hooks. We love git hooks at GitGuardian, as that is how you can leverage ggshield to prevent yourself from committing secrets.

We are also big believers in source code analysis, especially for security. This is why we have officially partnered with Snyk to help our users, and the world, strengthen developer security through SCA. While the tools Scott cited are excellent for debugging PHP code for functionality, Snyk can help any developer deliver more secure code no matter what language your company relies on.

When you think of approaches to building software, you might think of Agile, Waterfall, or even DevOps. However, there is a concept underneath all those approaches which deals with how to think about the code itself. Cori Lint covered this in her talk, "Building a SOLID Foundation."

The SOLID framework was introduced to the world in a 2000 paper from Robert C. Martin defining best practices for object-oriented programming (OOP). OOP is the predominant approach of modern software languages and frameworks.

SOLID stands for Single responsibility, Open-closed, Liskov substitution, Interface segregation, and Dependency inversion.

Cori gave multiple examples of these principles, including a `PlayInstrument` class. One can imagine a class for playing instruments that implements the methods:

Let's imagine we try to use `PlayInstrument` to play a violin. Violins can't toot() or pressKey(). Thus, this class violates the Interface Segregation Principle, and we should find a better approach. You could do this by creating new classes to replace the generic `PlayInstrument` class, one for wind instruments and one for string instruments, and perhaps new ones for percussion. These new classes would be simpler and reusable, making the program ultimately more resilient and easier to implement in code.
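An added example (not from Cori's talk or the original post) that puts the violin case into PHP: the fat `PlayInstrument` interface beside the segregated version, showing why the narrow interfaces fail safely at the type level rather than at runtime. Only `toot()` and `pressKey()` come from the page; `strum()`, `Trumpet` and `playFanfare()` are assumed names.

```php
<?php
declare(strict_types=1);

// The "fat" interface from the talk. Only toot() and pressKey() are named on
// the page; strum() is an assumed third method.
interface PlayInstrument
{
    public function strum(): string;
    public function toot(): string;
    public function pressKey(): string;
}

// A violin is forced to carry methods it cannot honour, so the only choices
// are a silent no-op or a runtime exception: this is the ISP violation.
final class FatViolin implements PlayInstrument
{
    public function strum(): string
    {
        return 'violin: bowed string';
    }

    public function toot(): string
    {
        throw new LogicException('a violin cannot toot');
    }

    public function pressKey(): string
    {
        throw new LogicException('a violin has no keys');
    }
}

// Segregated interfaces: each client depends only on what it actually uses.
interface StringInstrument
{
    public function strum(): string;
}

interface WindInstrument
{
    public function toot(): string;
}

final class Violin implements StringInstrument
{
    public function strum(): string
    {
        return 'violin: bowed string';
    }
}

final class Trumpet implements WindInstrument
{
    public function toot(): string
    {
        return 'trumpet: toot';
    }
}

// A client that only needs a wind instrument cannot be handed a violin any
// more: the mismatch is a TypeError at call time and, more usefully, a
// finding PHPStan reports before the code ever runs.
function playFanfare(WindInstrument $horn): string
{
    return $horn->toot();
}

echo playFanfare(new Trumpet()), PHP_EOL;
echo (new Violin())->strum(), PHP_EOL;

try {
    (new FatViolin())->toot();
} catch (LogicException $e) {
    echo 'fat interface failed only at runtime: ', $e->getMessage(), PHP_EOL;
}

try {
    playFanfare(new Violin()); // rejected by the type system, not by a guess inside toot()
} catch (TypeError $e) {
    echo 'segregated design rejected the call: ', $e->getMessage(), PHP_EOL;
}
```

Run it with `php` 8 and then with PHPStan: the `LogicException` path only surfaces when somebody calls `toot()` on a violin in production, while the `TypeError` path is flagged statically before commit.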

PHP is at the heart of the internet, taking the form of many frameworks and serving as the language behind many services. Just as the code is widespread and used in diverse ways, the community itself varies from security experts focused on APIs, to traditional website builders, to microservice architects. It is truly a global community, as we had folks from all over the world attend php[tek].

No matter where you are on the planet or what particular focus you have in your day-to-day work, security surely lies at the heart of it. We are proud to support developers, DevOps, and security teams as they work to make their code more secure by keeping their secrets secret. If you are not sure where your secrets are right now in your PHP, or any other code, sign up to get started for free for secrets detection and start automating the prevention process with ggshield.

*** This is a Security Bloggers Network syndicated blog from GitGuardian Blog - Automated Secrets Detection authored by Dwayne McDaniel. Read the original post at: https://blog.gitguardian.com/php-tek-2023/

Excerpt from:
php[tek] 2023 A Community Of Communities Powering The Internet - Security Boulevard


VPN Proxy Master is Rolling out Latest Wi-Fi Protection to Keep … – PR Newswire

SINGAPORE, June 5, 2023 /PRNewswire/ -- Lemon Clove Pte. Limited (Singapore) is proud to announce the release of Wi-Fi Protection for VPN Proxy Master. This latest enhancement reinforces VPN Proxy Master's commitment to providing cutting-edge technology and ensuring the safety and security of its users' internet data.

It is estimated that more than 40% of users have had their information compromised while using public Wi-Fi, typically in restaurants and cafes, libraries and hotels. Few public Wi-Fi networks are secure; they might harbor malware and present an easy opportunity for hackers to illegally access users' personal information, including their financial data. In this case, users may need Wi-Fi protection.

Wi-Fi Protection, available on VPN Proxy Master for iOS, Android, Windows, and Mac, offers a comprehensive solution to safeguard users' online activities on public Wi-Fi networks such as hotels, airports, and cafes. By encrypting users' internet usage, including their IP address, browsing history, and online activities, Wi-Fi Protection prevents hackers from intercepting or tampering with users' private data. It also offers ultra-fast connection speeds, allowing users to access worldwide websites and content seamlessly, whether they are in a public space or at home.

Internet security is of paramount importance in today's digital landscape, especially when using public Wi-Fi networks. With the upgraded Wi-Fi Protection, users can browse the internet with peace of mind, knowing their personal information is shielded from potential threats.

As Father's Day approaches, VPN Proxy Master encourages users to protect their loved ones' internet privacy and security by gifting them the ultimate VPN experience. To celebrate this occasion, VPN Proxy Master is offering an additional 3 months for free, available at https://vpnproxymaster.com/.

To benefit from Wi-Fi Protection, users can download and install VPN Proxy Master from the official website: https://vpnproxymaster.com/download/.

About VPN Proxy Master

VPN Proxy Master, headquartered in Singapore, has been providing secure and fast VPN services since its launch in 2018. With over 150,000,000 trusted users worldwide, VPN Proxy Master offers 6000+ secure servers across 50+ locations. The industry-leading AES-256 encryption method ensures a high level of data protection, shielding users' internet activity from hackers and malware. VPN Proxy Master aims to empower customers with remote access to network resources worldwide while ensuring online data security.

For more information about VPN Proxy Master, please visit https://vpnproxymaster.com/

SOURCE Lemon Clove Pte. Limited

Go here to see the original:
VPN Proxy Master is Rolling out Latest Wi-Fi Protection to Keep ... - PR Newswire


4 Areas of Cyber Risk That Boards Need to Address – HBR.org Daily

In our technology-dependent society, the effectiveness of a company's cyber risk governance affects its stock price, as well as short-term and long-term shareholder value. New SEC cybersecurity rules provide a solid basis for transparency. Unfortunately, the long-term effectiveness of a cyber risk management strategy is not easy to monitor. This article provides four critical areas investors should be informed about in order to evaluate that long-term effectiveness.

As technological innovations such as cloud computing, the Internet of Things, robotic process automation, and predictive analytics are integrated into organizations, they become increasingly susceptible to cyber threats. Fortune 1000 companies, for example, have a 25% probability of being breached, and 10% of them will face multi-million-dollar losses. Among smaller companies, 60% will be out of business within six months of a severe cyberattack. This means that governing and assessing cyber risks becomes a prerequisite for successful business performance and that investors need to know how vulnerable companies really are.

This need for transparency has been recognized by the regulators and facilitated by the new cybersecurity rules. Currently, the U.S. Securities and Exchange Commission (SEC) has increased its enforcement to ensure companies maintain adequate cybersecurity controls and appropriately disclose cyber-related risks and incidents.

Unfortunately, our research shows that cyber risk is not easy to understand. Organizations often seem to underestimate the financial loss related to cyber threats. These can include:

There isn't a simple way forward, though. Overinvesting in cyber risk management, or risk-management strategies that don't align with business needs, can have equivalently negative impacts. This article explains the importance of the SEC's new cybersecurity rules and addresses the four essential topics investors should discuss with the board for evaluating the long-term effectiveness of their companies' cyber risk management strategy.

Being transparent about cybersecurity isn't just best practice, it's now a requirement for U.S. companies. The SEC's new cybersecurity rules require publicly listed companies to disclose their cybersecurity governance capabilities, including the board's oversight of cyber risk, a description of management's role in assessing and managing cyber risks, the relevant expertise of such management, and management's role in implementing the company's cybersecurity policies, procedures, and strategies.

This kind of disclosure allows investors to evaluate the attention of executives and business leaders to cyber risks. Management boards need to understand how these threats can cause material harm. For instance, the ransomware attack on Hanesbrands disrupted order fulfillment for three weeks, causing a $100 million loss in revenue. Another example is the IT outage caused by a cyber attack at Tenet Healthcare, which also resulted in $100 million of lost revenues. And the Kaseya VSA breach was the result of insecure operational software that ultimately led to the postponement of an initial public offering that sought to raise $875 million.

Under the new SEC guidelines, companies are also required to report within four days of incidents that are deemed material. The materiality determination is influenced by the incident's impact on the company's business, operations, and financial condition. This mandatory incident reporting allows investors to evaluate the effectiveness of the firm's cyber risk policies and may provide lessons for future improvements in cyber risk management. And there is a significant opportunity for improvement, since the cost of cyber crime, including the cost of recovery and remediation, is expected to grow to $10.5 trillion per year by 2025.

These new cybersecurity rules should be considered a starting point for the dialogue about cyber-risk governance. To shore up their cybersecurity and stay ahead of the curve, companies need to consciously anticipate changes in their internal and external environments and prioritize their cyber risk efforts accordingly.

Cyber risk can be hard to understand. Board members already deal with a lot of different strategic challenges, and when faced with issues around cyber risk (such as prioritizing product market growth versus its security, critical supplier dependency for secure service delivery, dealing with the heinous aspects of ransomware attacks, or falling victim to geopolitical cyber tensions) they can be overwhelmed by the complexity and dynamic nature of the problems. Ultimately, this may cause cybersecurity-related blind spots, impacting the effectiveness of intended decisions and even yielding unintended consequences, which can lead to what is known as the capability trap: an ongoing deterioration of essential organizational processes. An essential characteristic of this trap is that its effects remain hidden from management for a very long time, until it is too late. The capability trap happens more often than many decision-makers imagine.

To avoid this trap, companies need to focus on long-term effectiveness of their strategic decisions in four areas:

Boards have many corporate challenges to face and limited amounts of funding available to meet them, so being able to make the business case for this investment is essential. Clear insights into business, operational, and financial exposures: 1) generate language to discuss cyber risks, 2) connect to board members who do not have a technical background, and 3) put cyber risk on the agenda, as well as allow for comparing this risk with other corporate challenges. It also helps the board explain the cyber risk exposure of the firm to investors. The National Association of Corporate Directors (NACD) recognizes this need and deployed a commercially available solution to its members.

The people, processes, and technology that make up firms are changing, and there are more and more areas that need protection. This imposes an ever-increasing and dynamically shifting burden on the security capabilities of the organization, making lapses more likely. Solving these problems may require significant security capability improvements, which may take several months or even years.

Continuous monitoring is essential to establish whether the cyber-risk management strategy performs as intended. Often, management reporting dashboards, combined with insights from cyber event exercises, are used for this purpose. Currently, in their most advanced form, these activities can capture the near real-time situation. Yet, to bridge the timing gap before improvements take effect, decision-makers need to see what the future outcome of their strategic decisions will be. This creates the need for simulation-aided approaches to strengthen managerial foresight capabilities.

Digital transformation also allows for faster, stronger, and more sophisticated attacks. This adversarial behavior strengthens the ongoing, changing, and emerging struggle between the offensive and the defensive. Both parties try to observe, learn, and anticipate each other. Consequently, adversaries introduce new, innovative techniques to remain successful.

Proactive cyber risk management enables defending organizations to learn from information sharing and exercises prior to cyberattacks. It contributes to security capability improvement before attacks occur and therefore reduces the number of significant security incidents. Reactive learning is significantly costlier, because organizational improvement then takes place based on the lessons learned from cybersecurity incidents the organization has already suffered. Currently, 56% of knowledgeable decision-makers make costly, suboptimal decisions when it comes to cyber risk management. Overspending on cyber risk management affects the profitability of the firm.

Cyber-risk-management strategy implementation can be a challenge. As previously mentioned, the ongoing increase in surfaces that require protection and increasing adversarial behavior require more effort from cybersecurity teams to improve the defensive posture. However, these teams are struggling with a lack of qualified security resources. Currently, the United States alone has more than 750,000 cybersecurity job openings. This already makes focusing on today's workload difficult, let alone preparing for the defense posture of the future by running a cyber risk management program.

Effective ongoing workload reduction becomes essential. Therefore, secure-by-design practices, collaboration with other parties, automation, and the realization of economies of scale are critical to achieving a future state of security. Organizations that cannot properly make these adjustments become increasingly exposed to unintended control lapses and reactive learning mechanisms.

The SEC's new cybersecurity rules provide a solid basis for transparency about companies' cyber-risk governance. These rules are a great basis for starting a dialogue about the long-term effectiveness of cyber-risk governance with the board. This article provides four critical areas relevant to this dialogue.

Acknowledgements: This work is co-funded by Fondo Europeo di Sviluppo Regionale Puglia, POR Puglia 2014-2020, Asse I, Obiettivo specifico 1a, Azione 1.1 (RS), Titolo Progetto: "Suite prodotti Cybersecurity e SOC", and BV TECH S.p.A. This work is also co-funded by Cybersecurity at MIT Sloan (CAMS).

See the original post here:
4 Areas of Cyber Risk That Boards Need to Address - HBR.org Daily


Cyber spotlight falls on boardroom privilege as incidents soar – ComputerWeekly.com

Three-quarters of all data breaches observed in the past year included a significant element of human failure, with social engineering attacks involving pretexting (i.e. the invention of a scenario by a threat actor that tricks someone into giving up data or otherwise causing a breach) on the rise, and now accounting for half of all social engineering attacks, including business email compromise (BEC).

This is one among many headline findings in Verizon's mammoth annual Data breach investigations report (DBIR), released 6 June, which Chris Novak, managing director of cyber security consulting at Verizon Business, described as "one of the most staggering changes we've seen year on year".

Novak said that senior business leaders were particularly at risk of falling victim to this sort of attack, and as such represent a growing security threat for many organisations. "Not only do they possess an organisation's most sensitive information, they are often among the least protected, as many organisations make security protocol exceptions for them," he said.

"With the growth and increasing sophistication of social engineering, organisations must enhance the protection of their senior leadership now to avoid expensive system intrusions," added Novak.

"When you look at the grand scheme of social engineering, the reason we see this increasing is because it's a relatively easy thing for a threat actor to throw out there and try to hit a lot of organisations with," Novak told reporters during a pre-briefing session attended by Computer Weekly.

"This ties back to being financially motivated: most of these events are about fraudulent movement of money and, typically, that results in them getting paid very quickly."

Indeed, based on data contributed by the FBI's Internet Crime Complaint Center (IC3), Verizon said that the median amount stolen in a BEC attack has doubled over the past year and now sits at $50,000 (£40,400). This likely contributed to the growth in pretexting incidents.

"Globally, cyber threat actors continue their relentless efforts to acquire sensitive consumer and business data. The revenue generated from that information is staggering, and it's not lost on business leaders, as it is front and centre at the board level," said IDC research vice-president Craig Robinson.

The research team added that the fact that many organisations continue to rely on distributed workforces added to the challenges faced by defenders in creating and, crucially, enforcing human-centric security best practice.

Verizon's team of experts analysed over 16,300 security incidents and almost 5,200 confirmed breaches to compile this 16th edition of the DBIR. The data relates to activity that occurred between 1 November 2021 and 31 October 2022.

Other significant findings in this year's report include new insight into the cost of ransomware incidents, which has more than doubled since 2021. According to data provided by the IC3, the median loss in a ransomware incident stands at $26,000, and in 95% of incidents where losses occurred, these losses were between $1.00 and $2.25m, Verizon revealed.

It is important to point out that not all ransomware incidents (under 10%, in fact) incurred losses, and it is worth noting that when adjusting for inflation, the median cost has actually dropped quite significantly.

Additionally, said Novak, Verizon has observed the number of ransomware attacks as a percentage of all incidents and breaches levelling off over the past 12 months, although he added that this was not necessarily a reason to get excited.

"What I believe is leading to this levelling off is not that we've got better, but that the threat actors have reached a point of saturation. They typically need people and tools to conduct their actions and they reach a point where they don't have enough people to hit [their] targets, or their tools are getting stale," he explained.

"If we see they are able to recruit more, or innovate and evolve their tools, there's a risk this will start picking up again. It's important for organisations to understand we can't look at this stat and say we can focus on something else because ransomware is going away. We will see an upward trajectory again in the future, unfortunately," added Novak.

The full report, which is available now to download, contains additional insight into the nature of security incidents and breaches, including new data on how malicious actors get into their victims' networks to begin with and what motivates them to do so. As usual, it also breaks out breach and incident data by region and by industry.

The 2023 DBIR additionally looks back over some of the most significant incidents seen during its focus period, including Log4j, which first came to light at the end of 2021 and has since become one of the most widely exploited vulnerabilities ever seen. In 90% of breaches that began with a vulnerability exploitation in the past 12 months, that vulnerability was Log4j, said Verizon.

The rest is here:
Cyber spotlight falls on boardroom privilege as incidents soar - ComputerWeekly.com


Operation Angel Leads to Fifth Federal Indictment for Sexual … – Department of Justice

Louisville, KY - Earlier this year, several law enforcement agencies worked together in an undercover operation designed to identify individuals seeking to sexually exploit minors. That effort, called Operation Angel, resulted in the arrest of four individuals, Justin Aubrey, 26, Steven Earnest, 35, Kevin O'Donnell, 26, and Alexander Young, 26, all of Louisville, Kentucky. A federal grand jury previously returned indictments against all four. Aubrey and Earnest were charged with attempted sex trafficking of children on March 15, 2023. Earnest was also charged with attempted online enticement. O'Donnell and Young were charged on February 22, 2023, with attempted online enticement. Today, a federal grand jury returned a new and additional indictment against Young for online enticement, transfer of obscene material to a minor, and production of child pornography.

U.S. Attorney Michael A. Bennett of the Western District of Kentucky, Kentucky Attorney General Daniel Cameron, Special Agent in Charge Robert Holman of the United States Secret Service Kentucky Field Division, Special Agent in Charge Rana Saoud of Homeland Security Investigations Nashville, Special Agent in Charge Jodi Cohen of the FBI Louisville Field Office, Chief Jacquelyn Gwinn-Villaroel of the Louisville Metro Police Department, Chief Richard Sanders of the Jeffersontown Police Department, and Chief Art Elum of the Owensboro Police Department made the announcement.

According to the latest indictment, in December 2022, Young met a girl, under the age of 16, online. He communicated with her and persuaded, induced, and enticed her to engage in sexual activity for which a person may be charged with a criminal offense, including the production of sexually explicit images which she sent to him. Young also sent the girl sexually explicit images of himself. The latest charges resulted from additional investigation following Operation Angel.

The earlier indictments charged Aubrey and Earnest after they showed up, with money, after negotiating to pay for sex with children under age 14. O'Donnell and Young were charged after showing up to engage in sexual activity with minors under the age of 16. For all these charges, law enforcement officials were acting in online, undercover roles.

All defendants remain in federal custody pending resolution of their charges.

Assistant United States Attorney Jo E. Lawless is prosecuting the cases.

Multiple federal, state, and local officials participated in Operation Angel, led by the USSS. Other law enforcement agencies included the FBI, HSI, the Kentucky Attorney General's Office Department of Criminal Investigations, the Louisville Metro Police Department, the Jeffersontown Police Department, and the Owensboro Police Department.

This case was brought as part of Project Safe Childhood, a nationwide initiative launched in May 2006 by the Department of Justice to combat the growing epidemic of child sexual exploitation and abuse. Led by the United States Attorneys' Offices and the Criminal Division's Child Exploitation and Obscenity Section, Project Safe Childhood marshals federal, state, and local resources to locate, apprehend, and prosecute individuals who sexually exploit children, and to identify and rescue victims. For more information about Project Safe Childhood, please visit http://www.usdoj.gov/psc. For more information about internet safety education, please visit http://www.usdoj.gov/psc and click on the "resources" tab.

An indictment is merely an allegation. All defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.

###

See the original post here:
Operation Angel Leads to Fifth Federal Indictment for Sexual ... - Department of Justice
