Minneapolis schools report that data was posted on dark web after … – Star Tribune

Minneapolis Public Schools acknowledged Friday that some personal data was leaked to the dark web as a result of a cyberattack the district experienced in late February.

In an update on the Minneapolis Public Schools website, the district said officials are "working with cybersecurity specialists to quickly and securely download the data" to determine the "full scope of what personal information was impacted" and to whom it belongs. The dark web is an area of the internet that is not indexed and often is associated with criminal activity.

This review will take time, officials said, and the district will directly contact anyone whose data has been shared.

"You will receive both an email and a mailed letter to ensure communication is completed," the district said. "We are offering all potentially affected individuals free credit monitoring and identity protection services through Experian."

District officials declined to comment further Friday.

Cyberattacks are a growing threat to school districts, which have seen their insurance premiums rise in recent years. Experts note schools often have thousands of devices used by students and staff who could click on anything. That, combined with budget crunches that lead to slim IT departments, can make them more vulnerable.

The Minneapolis district has not said exactly how its breach occurred.

It revealed its troubles in a Feb. 21 statement noting that technical difficulties had temporarily disabled some district computer systems. But students were not in school buildings Feb. 22-24 because of a snowstorm, and the district said e-learning wouldn't be affected.

On Feb. 24, the district started referring to the technology trouble as an "encryption event," encouraging people to change their passwords on district devices as a "best practice and out of an abundance of caution." Officials said they had no evidence that personal information had been compromised.

On March 7, the district told families that a "threat actor" had claimed responsibility for the encryption event and had posted some Minneapolis Public Schools data online.

A ransomware group called Medusa claimed responsibility for the cyberattack, posted a video online and demanded a $1 million ransom.

That video, which since has been removed, showed screenshots of a variety of information, including spreadsheets that appeared to list student names and addresses, disciplinary information and forms that could contain sensitive employee information, such as W-2s. Other images appear to show lesson plans, enrollment projections and district forms and policy documents.

The district has said it reported incidents related to the cyberattack to law enforcement and families were told to be cautious about scams.

Families can take several steps to monitor and protect their information, in addition to changing passwords, such as using multifactor authentication on accounts when possible, monitoring credit reports and freezing credit files. More information about preventing identity theft is available at usa.gov/identity-theft.

Staff writer Mara Klecker contributed to this report.

The Importance of Motorola DP4801e’s Encryption Capabilities for … – CityLife

The Motorola DP4801e is a two-way radio that offers secure and private communications for businesses and organizations. The radio is equipped with a range of encryption capabilities that ensure secure and private communications.

The Motorola DP4801e utilizes the latest encryption technology to protect the data transmitted over the radio. The radio is equipped with AES-256 encryption, which is the most secure encryption available. This encryption technology scrambles the data transmitted over the radio, making it impossible for anyone to intercept and read the data.

The Motorola DP4801e also features a secure authentication system. This system ensures that only authorized users can access the radio. The radio also features a secure key exchange protocol, which ensures that only authorized users can access the data transmitted over the radio.

The Motorola DP4801e also features a secure voice encryption system. This system encrypts the voice data transmitted over the radio, making it impossible for anyone to listen in on the conversation.

The Motorola DP4801e also features a secure data transmission system. This system ensures that the data transmitted over the radio is secure and private. The radio also features a secure data storage system, which ensures that the data stored on the radio is secure and private.

The Motorola DP4801e is an ideal choice for businesses and organizations that require secure and private communications. The radio's encryption capabilities ensure that the data transmitted over the radio is secure and private. The secure authentication system ensures that only authorized users can access the radio, and the secure key exchange protocol ensures that only authorized users can access the data transmitted over the radio. The secure voice encryption system ensures that the voice data transmitted over the radio is secure and private, and the secure data transmission system ensures that the data transmitted over the radio is secure and private. The secure data storage system ensures that the data stored on the radio is secure and private.

The Motorola DP4801e is a two-way radio that offers secure and private communications for businesses and organizations. This radio is equipped with advanced encryption capabilities that provide a secure and private communication system for users.

The Motorola DP4801e's encryption capabilities offer a number of benefits for secure and private communications. First, the radio's encryption technology ensures that all communications are secure and private. The encryption technology scrambles the data being transmitted, making it impossible for anyone to intercept or decode the messages. This ensures that all communications remain confidential and secure.

Second, the encryption technology also prevents unauthorized access to the radio's communications. The encryption technology prevents anyone from accessing the radio's communications without the proper authorization. This ensures that only authorized personnel can access the radio's communications.

Third, the encryption technology also prevents eavesdropping. The encryption technology scrambles the data being transmitted, making it impossible for anyone to listen in on the radio's communications. This ensures that all communications remain private and secure.

Finally, the encryption technology also prevents data tampering. The encryption technology prevents anyone from altering the data being transmitted. This ensures that all communications remain accurate and secure.

The Motorola DP4801e's encryption capabilities provide a secure and private communication system for businesses and organizations. The encryption technology ensures that all communications remain secure and private, preventing unauthorized access, eavesdropping, and data tampering. This ensures that all communications remain confidential and secure.

Motorola's DP4801e two-way radio is a powerful communication tool that provides secure and private communications for businesses and organizations. To ensure the security of its users, the DP4801e utilizes a variety of encryption algorithms to protect the data transmitted over its network. In this article, we will explore the different encryption algorithms used by the DP4801e to ensure secure and private communications.

The DP4801e utilizes the Advanced Encryption Standard (AES) algorithm to encrypt data. AES is a symmetric-key encryption algorithm that uses a 128-bit, 192-bit, or 256-bit key to encrypt and decrypt data. AES is widely used in government and military applications due to its high level of security.

The DP4801e also utilizes the Data Encryption Standard (DES) algorithm. DES is an older encryption algorithm that uses a 56-bit key to encrypt and decrypt data. While DES is not as secure as AES, it is still widely used in many applications due to its simplicity and efficiency.

The DP4801e also utilizes the Rivest-Shamir-Adleman (RSA) algorithm. RSA is an asymmetric-key encryption algorithm that uses two different keys to encrypt and decrypt data. RSA is considered to be one of the most secure encryption algorithms available and is widely used in banking and financial applications.

Finally, the DP4801e utilizes the Triple Data Encryption Standard (3DES) algorithm. 3DES is an enhanced version of the DES algorithm that uses three 56-bit keys to encrypt and decrypt data. 3DES is considered to be more secure than DES, but not as secure as AES.

By utilizing these different encryption algorithms, the DP4801e provides secure and private communications for its users. The combination of AES, DES, RSA, and 3DES ensures that the data transmitted over the DP4801e's network is secure and private.

The Motorola DP4801e is a two-way radio that is designed to provide secure communication for businesses and organizations. It is equipped with a range of encryption capabilities that are designed to protect data privacy.

Encryption is a process of encoding data so that it can only be accessed by authorized users. The Motorola DP4801e uses a variety of encryption algorithms to ensure that data is secure and protected from unauthorized access. These algorithms include AES-256, DES, and TDES.

The AES-256 algorithm is the most secure encryption algorithm available and is used by the US government to protect sensitive data. It uses a 256-bit key to encrypt data, making it virtually impossible to crack. The DES and TDES algorithms are also used to encrypt data, but they are not as secure as AES-256.

The Motorola DP4801e also includes a range of other security features such as authentication, authorization, and access control. These features ensure that only authorized users can access the data. Additionally, the radio also includes a range of encryption protocols such as TLS and SSL, which are used to protect data in transit.

The Motorola DP4801e's encryption capabilities provide an effective way to protect data privacy. By using a combination of encryption algorithms and security features, the radio ensures that data is secure and protected from unauthorized access. This makes it an ideal choice for businesses and organizations that need to protect sensitive data.

The Motorola DP4801e is a two-way radio that offers secure and private communications through its encryption capabilities. This device is designed to provide users with a secure and reliable way to communicate without the risk of interception or eavesdropping.

The Motorola DP4801e utilizes a 128-bit Advanced Encryption Standard (AES) encryption algorithm to protect the data transmitted over the radio. This encryption algorithm is considered to be one of the most secure encryption methods available and is used by many government and military organizations.

The encryption capabilities of the Motorola DP4801e provide users with a secure and private way to communicate. This ensures that the data transmitted over the radio is kept confidential and secure. The encryption also prevents unauthorized access to the data, which helps to protect the privacy of the users.

The encryption capabilities of the Motorola DP4801e also provide users with a reliable way to communicate. The encryption ensures that the data transmitted over the radio is not corrupted or altered in any way. This ensures that the data is transmitted accurately and securely.

The encryption capabilities of the Motorola DP4801e are an important tool for secure and private communications. The encryption ensures that the data transmitted over the radio is kept confidential and secure, while also providing users with a reliable way to communicate. This makes the Motorola DP4801e an ideal device for secure and private communications.

JWTs: Connecting the Dots: Why, When and How – The New Stack

JSON web tokens (JWTs) are great: they are easy to work with and stateless, requiring less communication with a centralized authentication server. JWTs are handy when you need to securely pass information between services. As such, they're often used as ID tokens or access tokens.

This is generally considered a secure practice, as the tokens are usually signed and encrypted. However, when incorrectly configured or misused, JWTs can lead to broken object-level authorization or broken function-level authorization vulnerabilities. These vulnerabilities can expose a state where users can access other data or endpoints beyond their privileges. Therefore, it's vital to follow best practices for using JWTs.

Knowing and understanding the fundamentals of JWTs is essential when determining a behavior strategy.

JWT is a standard defined in RFC 7519, and its primary purpose is to pass a JSON message between two parties in a compact, URL-safe and tamper-proof way. The token looks like a long string divided into sections and separated by dots. Its structure depends on whether the token is signed (JWS) or encrypted (JWE).

JWS Structure

JWE Structure

The short answer is that it depends. The security of JWTs is not a given. As mentioned above, JWTs are often considered secure because they are signed or encrypted, but their security really depends on how they are used. A JWT is a message format in which structure and security measures are defined by the RFC, but it is up to you to ensure their use does not harm the safety of your whole system in any way.

Should they be used as access and ID tokens?

JWTs are commonly used as access tokens and ID tokens in OAuth and OpenID Connect flows. They can also serve different purposes, such as transmitting information, requesting objects in OpenID Connect, authenticating applications, authorizing operations and other generic use cases.

Some say that using JWTs as access tokens is an unwise decision. However, in my opinion, there is nothing wrong if developers choose this strategy based on well-done research with a clear understanding of what JWTs essentially are. The worst-case scenario, on the other hand, is to start using JWTs just because they are trendy. There is no such thing as too many details when it comes to security, so following the best practices and understanding the peculiarities of JWTs is essential.

JWTs are by-value tokens containing data intended for the API developers so that APIs can decode and validate the token. However, if JWTs are issued to be used as access tokens to your clients, there is a risk that client developers will also access this data. You should be aware that this may lead to accidental data leaks since some claims from the token should not be made public. There is also a risk of breaking third-party integrations that rely on the contents of your tokens.

Therefore, it is recommended to:

Should they be used to handle sessions?

An example of improper use of JWTs is choosing them as a session-retention mechanism and replacing session cookies and centralized sessions with JWTs. One of the reasons you should avoid this tactic is that JWTs cannot be invalidated, meaning you won't be able to revoke old or malicious sessions. Size issues pose another problem, as JWTs can take up a lot of space. Thus, storing them in cookies can quickly exceed size limits. Solving this problem might involve storing them elsewhere, like in local storage, but that will leave you vulnerable to cross-site scripting attacks.

JWTs were never intended to handle sessions, so I recommend avoiding this practice.

JWTs use claims to deliver information. Properly using those claims is essential for security and functionality. Here are some basics on how to deal with them.

It is important to remember that incoming JWTs should always be validated. It doesn't matter if you only work on an internal network (with the authorization server, the client and the resource server not connected through the internet). Environment settings can be changed, and if services become public, your system can quickly become vulnerable. Implementing token validation can also protect your system if a malicious actor is working from the inside.

When validating JWTs, always make sure they are used as intended:

The registry for JSON Web Signatures and Encryption Algorithms lists all available algorithms that can be used to sign or encrypt JWTs. It is also very useful to help you choose which algorithms should be implemented by clients and servers.

Currently, the most recommended algorithms for signing are EdDSA and ES256. They are preferred over RS256, the most popular and well-tried option, because they are much faster.

No matter the token type, JWS or JWE, they contain an alg claim in the header. This claim indicates which algorithm has been used for signing or encryption. This claim should always be checked against a safelist of algorithms accepted by your system. Allowlisting helps to mitigate attacks that attempt to tamper with tokens (these attacks may try to force the system to use different, less secure algorithms to verify the signature or decrypt the token). It is also more efficient than denylisting, as it prevents issues with case sensitivity.

One thing to remember about JWS signatures is that they are used to sign both the payload and the token header. Therefore, if you make changes to either the header or the payload, whether merely adding or removing spaces or line breaks, your signature will no longer validate.

My recommendations when signing JWTs are the following:

Symmetric keys are not recommended for use in signing JWTs. Using symmetric signing presupposes that all parties need to know the shared secret. As the number of involved parties grows, it becomes more difficult to guard the safety of the secret and replace it if it is compromised.

Another problem with symmetric signing is that you don't know who actually signed the token. When using asymmetric keys, you're sure that the JWT was signed by whoever possesses the private key. In the case of symmetric signing, any party with access to the secret can also issue signed tokens. Always choose asymmetric signing. This way, you'll know who actually signed the JWT and make security management easier.

API security has become one of the main focuses of cybersecurity efforts. Unfortunately, vulnerabilities have increased as APIs have become critical for overall functionality. One of the ways to mitigate the risks is to ensure that JWTs are used correctly. JWTs should be populated with scopes and claims that correspond well to the client, user, authentication method used and other factors.

JWTs are a great technology that can save developers time and effort and ensure the security of APIs and systems. To fully reap their benefits, however, you must ensure that choosing JWTs fits your particular needs and use case. Moreover, it is essential to make sure they are used correctly. To do this, follow the best practices from security experts.

Here are some additional guidelines:

The security blanket: How business leaders can make their work … – Elite Business Magazine

As an artist, watermarking your work is an essential practice that helps to safeguard the ownership and reputation of your brand and products. Whilst these small stamps go a long way, many creatives are failing to practise the same level of protection for the entirety of their business.

In today's market, avenues to share and sell our work online have become even more mainstream, which has enabled the value of digital content to rise as well. This has meant that our work is becoming progressively vulnerable to cyber threats.

According to Ernst & Young's 2021 Global Information Security Survey, over three in four people surveyed said they have seen an increase in the number of disruptive attacks following the Covid-19 pandemic. With significant shifts to distributed working in that time, proactivity is essential to help business leaders enable their teams and customers to combat evolving security risks.

Businesses need to implement the right culture and tech tools that will do this. So, here is my advice for how businesses and consumers can better protect themselves and their work from today's cyber threats.

Encryption is protection

Maintaining good security practices should be something that businesses and their employees practise on a daily basis. Of course, no company is completely guarded against disruptive attacks, but there are certainly things they can do to lower the chances of being affected.

Encryption is one of these features. Data encryption ensures that no unauthorised person can access, understand or use your data even if they get past security frameworks. This helps you to protect confidential information and intellectual property, all whilst collaborating remotely.

Businesses should be making end-to-end encryption the norm, so that data is encrypted right from the moment it leaves the device in the hands of the user, to when it is uploaded to the server they are using. It should then stay encrypted until the user decides to access their content again.

This essential feature is seeing heightened demand from customers, who are looking for built-in functionality and features that support it.

Protect your passwords like you would your keys

Mismanaging your passwords is one of those security risks that many businesses and individuals don't even think about. With so many devices and accounts, users' primary concern is creating a password that is easy and memorable. After all, you want to avoid wasting time resetting passwords and trying to remember answers to security questions, when all you want to do is access your bank or watch your favourite show.

However, opting for an easy password is dangerous, and most of us know it already! One security study found that the password 123456 was the most popular among breached accounts used for more than 23 million passwords. Other top choices included qwerty and 1111111.

Using these easy-to-remember, but easy-to-breach passcodes is like leaving your front door keys hanging in the lock. A good password manager is a cost-effective way to help your business store, generate and manage passwords to keep your content and your employees safe. It also saves you time, so that you can efficiently log into different accounts, with centralised control that allows you to manage permissions.

Whatever your business, security matters. Businesses already have a breadth of examples to learn from in the industry, so they need to act now so that they can give themselves the protection they need, and their work deserves.

Google adds contact photos to conversation threads in messages – Business Standard

Google has added a contact's profile photo to the top of conversations in messages for Android, following larger changes to "RCS" branding and read receipt icons in recent weeks.

Messages has always allowed users to open Google Contacts by tapping a person's name in the app bar; the company is now emphasising that shortcut by showing their profile picture as well, according to 9to5Google.

It is the same image that appears in the main list of conversations, and tapping on that space in group conversations opens the detail page.

This design is consistent with other apps, with Facebook Messenger and Telegram displaying avatars in the same left position, while iMessage displays it in the centre, the report said.

Moreover, the magnifying glass icon has been removed as part of this change, and "Search" has been added to the overflow menu.

In January, Google rolled out end-to-end encryption in group chats for messages app users enrolled in the beta programme.

With this feature, one-on-one texts sent using messages by Google will be encrypted so they are private and secure and can only be seen by the sender and recipient.

The Google Messages app already includes end-to-end encryption when messaging someone who also has the RCS (Rich Communication Services) chat features enabled; however, this has so far been limited to messages between two parties and not group chats.

--IANS

(Only the headline and picture of this report may have been reworked by the Business Standard staff; the rest of the content is auto-generated from a syndicated feed.)

Should You Download the CyberGhost VPN Free Proxy Browser … – MUO – MakeUseOf

VPNs and proxies can be a big help in anonymizing and securing your online activity. While you can download a VPN app to your device, you can also install a browser add-on and encrypt your traffic in seconds. CyberGhost, a popular VPN service, offers such an add-on. But what can this do for you, and is it worth downloading?

CyberGhost is a Romanian company founded in 2011 by Robert Knapp. It was bought in 2017 by Kape, a conglomerate that has also acquired ExpressVPN, Private Internet Access, and ZenMate.

CyberGhost's VPN service is currently used by more than 38 million people worldwide, making it one of the most popular VPN services out there today.

CyberGhost uses AES-256 encryption to secure users' internet traffic and keep it from prying eyes. AES-256 is a particularly secure encryption cipher used by many VPN services and even governments to keep data safe. This cipher is incredibly difficult to hack, which means you can rest easy using CyberGhost knowing that your traffic is being fully protected.

CyberGhost also has a no-log policy. This means that the company doesn't keep VPN logs, which are records of your activity or personal information that can be sold on to third parties. VPN logs can put your data at risk, so it's best to stick to no-log providers. In this respect, CyberGhost's VPN is a great choice.

According to the CyberGhost website, the company has over 6,000 servers in 88 countries around the globe. So, if it's a wide array of servers you're looking for, CyberGhost may very well be the right choice for you, as the provider has a considerably higher server count than many other VPN services (including ExpressVPN, NordVPN, and Surfshark).

But CyberGhost isn't just a premium app. It also offers a free browser extension. So, what does this provide users, and is it worth using?

CyberGhost's free browser add-on is available to download for Google Chrome and Mozilla Firefox.

Importantly, the CyberGhost browser extension is super simple to use.

This extension only has one page, which consists of an on/off VPN activation button, and a list of server locations you can connect to. There are no settings, no sign-in options, or anything else. You don't even need a CyberGhost account to use this add-on. Simply download the extension, activate the VPN, and you're good to go!

You can also opt to sign up for the premium version of CyberGhost's VPN app at the bottom of the extension window.

Because this browser extension is entirely free, there are limitations set on what you can do. For example, there are only four server locations available to free extension users: the US, Romania, the Netherlands, and Germany.

If you're looking to bypass geo-blocking and access content in a wide range of countries, CyberGhost's free extension likely won't suit you well. While you can access geo-blocked content in the limited number of countries listed, all other regions will be off-limits to you.

You should also note that the CyberGhost VPN browser extension does not encrypt all of your outgoing online traffic. Rather, it just encrypts what's coming from your browser, as well as your IP address. This means that other internet-connected applications on your device will not have their data encrypted by CyberGhost via the browser extension. For this, you'll need to sign up to the premium version of the app.

If you already have a VPN app that encrypts all your outgoing online traffic, there's likely no need to use CyberGhost's extension. But, if you want to encrypt your browser data and don't want to spend money on a premium app, this free extension might be the way to go.

There's no denying that the free CyberGhost extension is basic, and won't suit you if you're looking for an extended range of servers and features. But if you're simply looking to encrypt your browser traffic to keep your data safe, the free extension is by no means a bad option. After all, who wants to pay for a premium VPN service if you're not looking to make use of the premium features?

Today’s Business: Cryptocurrency and estate planning – New Haven Register

Cryptocurrency has become a new wrinkle in development of an estate plan.

The secure nature of crypto assets results partially from the fact that there is no personally identifiable information associated with an individual crypto account. As a result, these types of assets might not be easily identifiable to heirs.

The only way for an heir or designated fiduciary to gain access to crypto accounts after the original owner's death is to have the password or private key. Without that private key, there is no access. Without access, the cryptocurrency is gone. Worthless.

Safeguarding passwords, especially the so-called crypto seed phrases, is critical.

The key to a person's cryptocurrency must never be solely in the owner's brain: the owner must never be the only person who knows where the passwords are printed, stored on a hidden piece of paper, or kept in a hard-to-find file on a thumb drive or laptop. At the same time, this vital information must be secure.

The first step is to make sure your estate planning attorney knows that your cryptocurrency actually exists.

To properly safeguard seed phrases and other passwords for estate planning purposes, consider some of the following recommendations.

One of the most straightforward ways to store passwords and seed phrases is to write them down on a piece of paper and store the paper in a secure location, such as a safe or a safe deposit box with other estate planning documents. This ensures that loved ones will have access to those digital assets when it becomes necessary.

Using a password manager can be an important tool, as well. This is software that stores all of your passwords in an encrypted format. It allows you storage of secret seed phrases, passwords, and other sensitive information securely with access through a single master password.

Of course, it is important to select a reputable, highly rated password manager. There are a number of options on the market. Storing the master password in a secure location is critical, as it can become extremely difficult to gain access to your information without it. Never store seed phrases or passwords together with the cryptocurrency wallet address, as this may give hackers a way to get to your wallet and your assets.

Encrypting the information is a key step. Encryption is the process of converting plain text into a coded format that can only be deciphered using a decryption key. You can encrypt your seed phrases and passwords using encryption software, such as VeraCrypt or AxCrypt, and store the decryption key in a secure location.

It is essential to store this important information in a way that is secure from both physical and digital threats. A safe deposit box and a fireproof safe are two options. Consider giving a trusted friend or relative a way to access that stored information.

Of course, individuals also can provide a trusted friend or family member with the passwords and seed phrases themselves, as long as he or she can be trusted to be responsible and will not share the information with others, even accidentally.

As the security landscape changes, it is important to regularly update your passwords and seed phrases. This will ensure that your digital assets remain secure and that your loved ones have access to them, should you become incapacitated or you pass away.

By the way, it is important to recognize that the Internal Revenue Service treats cryptocurrency as personal property, not currency. That means the property transaction rules that apply to virtual currency are generally the same as those that apply to transfers of other types of property. There may be a tax consequence, for example, if there is a capital gain or loss. It would be wise to consult a tax advisor familiar with these issues before finalizing plans for the eventual distribution of these assets.

Properly safeguarding seed phrases and other passwords is an essential aspect of estate planning. You can ensure that your digital assets are properly managed and passed on to your loved ones after you pass away, without having to include sensitive information in a public document.

Attorney Christine Thomas focuses her practice on estate planning and represents a diverse range of clients from all walks of life. She is a principal at Naugatuck-based Burns Thomas, LLC, and can be reached at 203-723-9420. http://www.burnsthomas.com.

See original here:
Today's Business: Cryptocurrency and estate planning - New Haven Register


Up-and-Coming Payments Security and Fraud Prevention Tools – Finextra

In recent years, online shopping and electronic payments have become increasingly popular, leading to a rise in payment fraud. Cybersecurity has become a top priority in the payments industry, as fraudsters use new schemes to exploit the growing e-commerce industry.

Faster non-cash payments and the growing popularity of cryptocurrencies have also brought new challenges to the field of anti-fraud tactics. As the digital economy plays an increasing part in our lives, businesses must prioritize secure electronic payments that are convenient and accessible to all.

In the world of online payments, security is particularly important because there is a higher risk that sensitive information, such as credit card numbers and bank account details, could be accessed by unauthorized parties.

Fraud is expected to cost the card industry over $400 billion in the next decade.

Recommended Security Measures

To combat payment fraud, businesses can implement strong security measures such as encryption, two-factor authentication, and tokenization.

When you regularly monitor for suspicious activity, you are able to respond quickly to any potential threats. The use of digital IDs can also be helpful in verifying users' identities and preventing fraud.

It's also important to protect your customers by maintaining a proper level of security over cardholder data. A business that is PCI compliant assures customers that the security of their data and sensitive information is taken seriously.

Not only does it help build trust with clients, but being PCI compliant also safeguards the company against malignant online scammers and fraud attempts.

PCI compliance is divided into four levels that are assigned depending on the annual number of card transactions of a company. Each level has its own criteria that a business must follow in order to remain compliant.

Do you know which level of PCI compliance your business falls into, and what regulations you must follow based on your level? See our handy PCI compliance guide to learn more, including how to stay compliant with the new 2022 PCI compliance standard update.

Additionally, you can rely on a technology partner to help you clearly understand exactly which PCI requirements are applicable to your business. This avoids the time and money wasted on filling out the wrong assessment. Plus, the cost of not being PCI compliant is far too high to risk, in terms of reputation, loss of customers, lawsuits, and fines.

Security & Fraud Prevention Use Cases

A company with award-winning fraud prevention measures is Revolut. They use a combination of facial recognition and other biometrics, PIN codes, and SMS for login, as well as utilizing payment security, such as single-use virtual disposable cards, temporary card freezes, and an automated security system.

In addition to traditional security measures, new fraud management tools are emerging that use advanced technologies such as machine learning (ML) and artificial intelligence (AI).

By analyzing past data and developing a mathematical model to determine normal user behavior, ML helps financial institutions monitor customer spending habits and detect any unusual activity, without inconveniencing the customer with additional verification steps.

The use of ML and AI is expected to grow in the fintech industry, with more companies implementing these technologies to prevent payment fraud.

In 2023, we will see more specialized AI models that transform processes like expense and spend management. For example, one type of AI model might provide the full rationale for any transaction based on emails, calendars, sales call notes, and CRMs, so a company's finance department doesn't have to ask individual employees to justify expenses.

One company that is working on new fraud management tools is the Ireland-based encryption-as-a-service company Vaultree. They recently raised $12.8 million in funding to create the first fully functional data-in-use encryption.

Vaultree's end-to-end encryption allows users to work with fully encrypted data without needing to decrypt the information or surrender security keys. Unlike traditional data-at-rest or data-in-transit security controls, Vaultree's technology protects data all the time, whether in use, at rest, or in transit.

Keep Your Business Protected

Payment fraud is a serious threat to the payments industry, and businesses must stay ahead of payment trends and implement strong security measures to protect their customers' financial information.

Additionally, partnering with payment service providers and other partners who have experience in preventing and detecting payment fraud can be helpful in identifying and mitigating potential risks.

As technology advances, the use of advanced technologies such as ML and AI will become increasingly important in preventing payment fraud and ensuring the security of electronic payments.

Read the original post:
Up-and-Coming Payments Security and Fraud Prevention Tools - Finextra


Scammers can slip fake texts into legitimate SMS threads. Will a government crackdown stop them? – The Conversation

Are you tired of receiving SMS scams pretending to be from Australia Post, the tax office, MyGov and banks? You're not alone. Each year, thousands of Australians fall victim to SMS scams. And losses have surged in recent years.

In 2022, SMS scam losses exceeded A$28 million, nearly triple the amount from 2021. This year they've already reached A$4 million, more than the 2020 total. These figures are probably much higher if you include unreported losses, as victims often won't speak up due to shame and social stigma.

Last month, the federal government announced plans to fight SMS-based scams by implementing an SMS sender ID registry. Under this system, organisations that want to SMS customers will first have to register their sender ID with a government body.

What kinds of scams would the proposed registry help prevent? And is it too little, too late?

One of the more concerning types of SMS scams is when fraudulent messages creep into legitimate message threads, making it difficult to differentiate between a legitimate service and a scam.

SMS is an older technology that lacks many modern security features, including end-to-end encryption and origin authentication (which lets you verify whether a message is sent by the claimed sender). The absence of the latter is the reason we see highly believable scams like the one below.

There are two main types of SMS:

peer-to-peer (P2P) is what most people use to send messages to friends and family

application-to-person (A2P) is a way for companies to send messages in bulk through the use of a web portal or application.

The problem with A2P messaging is that applications can be used to enter any text or number (or combination) in the sender ID field, and the recipient's phone uses this sender ID to group messages into threads.

In the example above, the scammer would have simply needed to write ANZ in the sender ID field for their fraudulent message to show up in the real message thread with ANZ. And, of course, they could still impersonate ANZ even if no previous legitimate thread existed, in which case it would show up in a new thread.

Web portals and apps offering A2P services generally don't do their due diligence and check whether a sender is the actual owner of the sender ID they're using. There are also no requirements for telecom companies to verify this.

Moreover, telecom providers generally can't block scam SMS messages because of how difficult it is to distinguish them from genuine messages.

Last year the Australian Communications and Media Authority introduced new rules for the telecom industry to combat SMS scams by tracing and blocking them. The Reducing Scam Calls and Scam Short Messages Industry Code required providers to share threat intelligence about scams and report them to authorities.

In January, A2P texting solutions company Modica received a warning for failing to comply with the rules. ACMA found Modica didn't have proper procedures to verify the legitimacy of text-based SMS sender IDs, which allowed scammers to reach many mobile users in Australia.

Although ACMA's code is useful, it's challenging to identify all A2P providers who aren't following it. More action was needed.

In February, the government instructed ACMA to explore establishing an SMS sender ID registry. This would essentially be a whitelist of all alphanumeric sender IDs that can be legitimately used in Australia (such as ANZ, T20WorldCup or Uber).

Any company wanting to use a sender ID would have to provide identification and register it. This way, telecom providers could refer to the registry and block suspicious messages at the network level, adding an extra line of defence in case A2P providers don't do their due diligence (or become compromised).

It's not yet decided what identification details an Australian registry would collect, but these could include sender numbers associated with an organisation, and/or a list of the A2P providers they use.

So, if there are messages being sent as ANZ from a number that ANZ hasn't registered, or through an A2P provider ANZ hasn't nominated, the telecom provider could flag these as scams.
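The carrier-side check just described, written out as an added example (it is not code from the article or from ACMA): a message is matched against a registry keyed by alphanumeric sender ID, and is blocked when its originating number or A2P provider is not one the registered owner nominated. ANZ and Uber are sender IDs the article names; the numbers, provider names and sample messages are constructed placeholders, and the numeric-sender case shows the gap the article points out (a registry does not cover plain phone numbers).

```python
from dataclasses import dataclass, field

@dataclass
class RegistryEntry:
    # One record of the proposed whitelist: the organisation behind an
    # alphanumeric sender ID, the numbers it sends from and the A2P providers
    # it has nominated (the two identification details the article suggests).
    owner: str
    sender_numbers: set = field(default_factory=set)
    a2p_providers: set = field(default_factory=set)

# Constructed registry: numbers and provider names are invented placeholders.
REGISTRY = {
    "ANZ": RegistryEntry("ANZ Bank", {"+61400000001"}, {"ProviderA"}),
    "UBER": RegistryEntry("Uber", {"+61400000002"}, {"ProviderB", "ProviderC"}),
}

@dataclass
class A2PMessage:
    sender_id: str       # free-text field the sending application fills in
    origin_number: str   # number the message was actually submitted from
    provider: str        # A2P provider that handed the message to the carrier
    text: str

def classify(msg: A2PMessage, registry=REGISTRY):
    """Carrier-side registry check. Returns (verdict, reason)."""
    sid = msg.sender_id.strip()
    if sid.lstrip("+").isdigit():
        # A plain phone number as sender: the registry only covers
        # alphanumeric IDs, so "Hi Mum"-style scams pass straight through.
        return ("not_covered", "numeric sender, registry does not apply")
    entry = registry.get(sid.upper())
    if entry is None:
        return ("block", f"sender ID {sid!r} is not registered")
    if msg.origin_number not in entry.sender_numbers:
        return ("block", f"number {msg.origin_number} not registered for {entry.owner}")
    if msg.provider not in entry.a2p_providers:
        return ("block", f"provider {msg.provider} not nominated by {entry.owner}")
    return ("allow", f"sender ID {sid!r} verified for {entry.owner}")

# Constructed sample traffic, one message per case the article describes.
SAMPLES = [
    A2PMessage("ANZ", "+61400000001", "ProviderA", "Your statement is ready."),
    A2PMessage("ANZ", "+61499999999", "ProviderA", "Urgent: verify your account."),
    A2PMessage("ANZ", "+61400000001", "ProviderZ", "Suspicious login, call us."),
    A2PMessage("NOTABANK", "+61400000009", "ProviderA", "You have a refund waiting."),
    A2PMessage("+61412345678", "+61412345678", "n/a", "Hi Mum, I lost my phone."),
]

def run_samples():
    """Classify every sample message and return the list of verdicts."""
    return [classify(m)[0] for m in SAMPLES]

if __name__ == "__main__":
    for m in SAMPLES:
        verdict, reason = classify(m)
        print(f"{verdict:12} {m.sender_id!r:16} {reason}")
```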

An SMS sender ID registry would be a positive step, but arguably long overdue and sluggishly taken. The UK and Singapore have had similar systems in place since 2018 and last year, respectively. But there's no clear timeline for Australia. Decision makers must act quickly, bearing in mind that adoption by telecom providers will take time.

An SMS sender ID registry will reduce company impersonation, but it wont prevent all SMS scams. Scammers can still use regular sender numbers for scams such as the Hi Mum scam.

Also, as SMS security comes under increased scrutiny, bad actors may shift to messaging apps such as WhatsApp or Viber, in which case regulatory control will be challenging.

These apps are often end-to-end encrypted, which makes it very difficult for regulators and service providers to detect and block scams sent through them. So even once a registry is established, whenever that may be, users will need to remain alert.


Here is the original post:
Scammers can slip fake texts into legitimate SMS threads. Will a government crackdown stop them? - The Conversation


The righteous path to zero trust in software development process – ITWeb

As cyber threats and data breaches continue to pose a serious risk, DevOps/DevSecOps teams are focusing on implementing more effective security measures and strategies to protect their systems and data at every stage of the software development process.

The zero trust security model is one such strategy that has attracted a significant amount of attention.

Zero trust is a security model that assumes that, whether infrastructure is in the cloud, on-premises, or both inside and outside an organisation's network, any resource, configuration, user data, management tool or device may be compromised. To address this, security leaders and product teams should eliminate assumed trust in all third-party tools, team members and services and instead validate every step of every interaction.

Hence this model requires continuous authentication and authorisation of users, devices and applications, regardless of their location or network.

In this article, we'll discuss three ways to achieve zero trust security in your infrastructure.

Having a solid identity and access management (IAM) strategy in place is the first step in putting a zero trust security paradigm into practice.

In order to do this, user and workload identities and their access rights must be identified and verified prior to every interaction. To guarantee that only authorised people and machines have access to critical data, the IAM policy should also contain strong password policies, multi-factor authentication (MFA) and regular access reviews.

IAM automates this process while also providing administrators with auditing features and more precise control over access across the entire organisation. It is timely, given the recent spread of IoT devices and zero trust models, which have raised the bar for cyber security stringency.

For instance, in cloud infrastructure, whether it's on GCP, Azure or AWS, using the provider's built-in IAM policies and roles allows us to restrict access to resources so that one service is neither aware of nor open to other resources. Leaving the production environment exposed can lead to a scenario where one system that became vulnerable to an attack or malicious activity would likely harm other resources as well.

More specifically, consider a web app hosted on an EC2 instance in AWS. Now let's say the app has a feature that requires regular data uploads to an S3 bucket. Instead of placing AWS access keys on the instance, we can attach a role directly to that EC2 instance with access to that specific bucket limited to the GET, PUT and LIST methods, so that the access is indeed specific.
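As an added example (not from the article or from Akeyless), the instance-role policy just described written out as an IAM policy document, beside a small checker that reports any statement reaching outside the one bucket or beyond the three permitted actions; the bucket name is a placeholder. Note that s3:ListBucket targets the bucket ARN while GetObject/PutObject target the objects under it, which is why two statements are needed.

```python
import json

# Constructed placeholder bucket name, not from the page.
BUCKET = "example-upload-bucket"

# Least-privilege policy for the EC2 instance role: list, read and write
# on one bucket only. ListBucket applies to the bucket itself; the object
# actions apply to "<bucket>/*".
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": f"arn:aws:s3:::{BUCKET}",
        },
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
        },
    ],
}

# The kind of policy the article warns against: every S3 action on every bucket,
# so a compromised web app could reach data it never needed.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

ALLOWED_ACTIONS = {"s3:ListBucket", "s3:GetObject", "s3:PutObject"}

def _as_list(value):
    # IAM accepts either a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]

def policy_findings(policy, bucket):
    """Return a list of findings; an empty list means every Allow statement is
    scoped to exactly the three methods on the one bucket."""
    findings = []
    bucket_arns = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access, never widen it
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action or action not in ALLOWED_ACTIONS:
                findings.append(f"statement {i}: action {action!r} outside allowed set")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource not in bucket_arns:
                findings.append(f"statement {i}: resource {resource!r} is not bucket {bucket}")
    return findings

if __name__ == "__main__":
    print(json.dumps(LEAST_PRIVILEGE_POLICY, indent=2))
    print("least-privilege findings:", policy_findings(LEAST_PRIVILEGE_POLICY, BUCKET))
    print("over-broad findings:", policy_findings(OVERBROAD_POLICY, BUCKET))
```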

This can be controlled by RBAC and network policies in Kubernetes clusters. A tool called Akeyless can integrate with your cloud provider and Kubernetes cluster to make authentication and authorisation more secure.

For Kubernetes, the JWT token is used by the Akeyless Kubernetes Auth Method to verify the Kubernetes application. This JWT is only ever shared with the Gateway, which is managed and runs in the user's environment, and never with Akeyless or any other third party during the process. As a result, it is authenticated in a truly zero-trust-compliant manner. While there are many services that help with IAM, Akeyless's centralised SaaS structure is optimised for multicloud development environments.

The second step to implementing a zero trust security model is to segment your network. This involves creating smaller sub-networks within the larger enterprise cluster, with strict controls on the communication between them, ensuring that if one sub-network is compromised, the others remain secure.

In addition to this, there are also external tools that ensure the observability and traceability of the network, such as HashiCorp's Consul, Cilium and Istio's service mesh.

These tools help with the implementation of network policies between different services deployed on the cluster, their flow and the monitoring of it.

SaaS extensions based on stateless gateways, with transparency to internal operations, allow for service continuity and recovery. You don't need to change any network infrastructure in order for them to work with your internal resources.

The third methodology to implement zero trust is to encrypt all sensitive data, both in transit and at rest. To achieve this, it is recommended to use industry-standard encryption algorithms such as AES-256 and RSA.

Encrypting data at rest involves using encryption techniques to protect data stored in databases, servers and other storage devices. To achieve this, Akeyless uses proprietary encryption algorithms to protect secrets stored in their vault at rest, while also providing key management services. As an added layer of security, only parts of your keys are kept in the Akeyless vault's storage, while the other parts are stored by your own infrastructure.

There are several features available when you are using cloud services where you can enable encryption at rest. In S3 buckets, RDS and other AWS cloud services, you can enable encryption at rest, and in K8s clusters, you can enable encryption at rest for your etcd so that your request is end-to-end encrypted.

To achieve encryption of data in transit, you can use protocols such as Secure Sockets Layer (SSL) or Transport Layer Security (TLS) to encrypt your data as it travels between different devices, networks and systems.

Using the three above-mentioned pillars, you can implement the zero trust model in your infrastructure. Making sure it is being used in your production environment supercharges your security stance and is essential for compliance.

But most importantly, it helps developers and DevOps teams to build more secure products, ensuring that once a project has been deployed, it will be less exposed to external threats.

Continue reading here:
The righteous path to zero trust in software development process - ITWeb
