Network World: Taylor Armerding (Saturday, May 30, 2020, 23:07:15 -0700)

Vocal theft on the horizon (Tuesday, May 16, 2017, 04:40:00 -0700), Taylor Armerding

Your voice is yours alone – as unique to you as your fingerprints, eyeballs and DNA.

Unfortunately, that doesn’t mean it can’t be spoofed. And that reality could undermine one of the promised security benefits of multi-factor authentication, which requires “something you are,” along with something you have or you know. In theory, even if attackers can steal passwords, they can’t turn into you.

But given the march of technology, that is no longer a sure thing. Fingerprints are no longer an entirely hack-proof method of authentication – they can be spoofed.

//m.amiribrahem.com/article/3196834/vocal-theft-on-the-horizon.html
Human weakness enabling financial cybercrime (Tuesday, May 2, 2017, 04:34:00 -0700), Taylor Armerding

It may be time for a revision of, “the customer is always right,” at least in the financial sector.

That, Boston Police Detective Steven Blair told an audience of bankers at the Boston Fed’s 2017 Cybersecurity Conference on Monday, is because too many banking “customers” are fraudsters, who take advantage of the generally laudable desire of front-line employees to provide good customer service.

Attendees had heard Kenneth Montgomery, first vice president and COO of the Boston Fed, say earlier that cybersecurity is now, “the number-one operational and enterprise issue” for the financial sector. He said the worldwide costs of cybercrime are estimated at $3 trillion annually now, and expected to double by 2021.

//m.amiribrahem.com/article/3193832/human-weakness-enabling-financial-cybercrime.html
Failure to communicate helps ransomware prosper (Thursday, April 27, 2017, 10:38:00 -0700), Taylor Armerding

At least one of the major reasons for the ongoing exponential increase in ransomware as a criminal business model could be summed up with the iconic line from the prison boss in 1967’s “Cool Hand Luke”: “What we got here is a failure to communicate.”

That was a recurring theme from those on a “Ransomware Panel” Thursday at SOURCE Boston 2017, moderated by Paul Roberts, founder and editor in chief of The Security Ledger.

The communication breakdown occurs at all levels, the panelists said, starting with victims.

Frank McLaughlin, a Boston Police detective, said when a business gets hit with ransomware, “the police are the last people they want to call, for obvious reasons. It becomes a public record.”

//m.amiribrahem.com/article/3192858/failure-to-communicate-helps-ransomware-prosper.html
Can AI and ML slay the healthcare ransomware dragon? (Wednesday, April 12, 2017, 06:19:00 -0700), Taylor Armerding

It’s common knowledge that healthcare organizations are prime – and relatively easy – targets for ransomware attacks. So it is no surprise that those attacks have become rampant in the past several years. The term “low-hanging fruit” is frequently invoked.

But according to at least one report, and some experts, it doesn’t have to be that way. ICIT – the Institute for Critical Infrastructure Technology – contends in a recent whitepaper that the power of artificial intelligence and machine learning (AI/ML) can “crush the health sector’s ransomware pandemic.”

//m.amiribrahem.com/article/3188932/can-ai-and-ml-slay-the-healthcare-ransomware-dragon.html
Robots: Lots of features, not much security (04:49:00 -0700), Taylor Armerding

Robots are supposed to do good things for us, not bad things to us.

But there is plenty of evidence that, like the billions of other connected devices that make up the Internet of Things (IoT), the growth of robot technology is coming with loads of features, but not much of a security blanket.

More evidence came in a report on home, business and industrial robots released last month by security research firm IOActive, which found that “most” of them lacked what experts generally call “basic security hygiene.”

Those included the predictable list: Insecure communication channels, critical information sent in cleartext or with weak encryption, no requirement for user names or passwords for some services, weak authentication in others, and a lack of sufficient authorization to protect critical functions such as software installation or updates.

//m.amiribrahem.com/article/3188349/robots-lots-of-features-not-much-security.html
IP theft: Declining, or just more stealthy? (Thursday, March 30, 2017, 05:36:00 -0700), Taylor Armerding

Eighteen months ago, President Obama and Chinese President Xi Jinping announced, with considerable fanfare, an agreement aimed at curbing economic espionage.

According to the Sept. 25, 2015 White House press release, “neither country’s government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.”

So, with Xi due to meet with President Trump in early April, an obvious question is: Has the agreement been effective?

The reviews on that are mixed, but there is general agreement that while it hasn’t stopped, the theft of intellectual property (IP) by the Chinese against the US is not as rampant as it was several years ago when The Commission on the Theft of American Intellectual Property estimated total losses, including jobs, competitiveness, stock value, market share, in the hundreds of billions, and former National Security Agency director Gen. Keith Alexander famously called it, “the greatest transfer of wealth in human history.”

//m.amiribrahem.com/article/3186591/ip-theft-declining-or-just-more-stealthy.html
Critical infrastructure: Off the web, out of danger? (Wednesday, March 22, 2017, 04:51:00 -0700), Taylor Armerding

The debate over the chances of a catastrophic cyber attack taking down a major part of the nation’s critical infrastructure (CI) has been ongoing for a generation.

But it hasn’t been settled – in some ways it is more intense now than ever.

On one side are those, including high government officials, who warn of a “cyber Pearl Harbor” that could leave swaths of the country in darkness and cold – without electric power – for months.

Retired Adm. James Stavridis, dean at Tufts Fletcher School and a former NATO supreme allied commander, used that term just three months ago, saying such an attack would be aimed either at the electrical grid or the financial sector.

//m.amiribrahem.com/article/3183927/critical-infrastructure-off-the-web-out-of-danger.html
Want good cyber insurance? Read the fine print (Thursday, March 16, 2017, 05:52:00 -0700), Taylor Armerding

One of the main reasons to buy insurance is to prevent the cost of an accident or other disaster from breaking the bank. But what if simply buying insurance threatens to break the bank?

That scenario is starting to worry some organizations, for several reasons.

First is the simple but powerful market force of supply and demand. More and more organizations, spooked by regular stories of catastrophic breaches – such as the compromise of more than 1.5 billion Yahoo! accounts, which took down its acquisition value by a reported $350 million – are seeking insurance. And when demand rises, the price tends to do so as well.

//m.amiribrahem.com/article/3181708/want-good-cyber-insurance-read-the-fine-print.html
Bots: Biggest player on the cybercrime block (Thursday, March 9, 2017, 05:24:00 -0800), Taylor Armerding

In the world of cybercrime, ransomware and DDoS attacks had the highest profile by far during the past year. There was an entire day devoted to a ransomware “summit” at the recent RSA conference in San Francisco.

But when it comes to money being lost (and made), bot fraud is king – by a lot.

Most estimates of losses in the US from ransomware during 2016 were in the $1 billion range. By contrast, a study published in January 2016 by White Ops and the Association of National Advertisers (ANA) titled “Bot Baseline: Fraud in Digital Advertising,” estimated global losses in 2016 would be $7.2 billion.

//m.amiribrahem.com/article/3178710/bots-biggest-player-on-the-cybercrime-block.html
Comey: Strong encryption “shatters” privacy-security bargain (Wednesday, March 8, 2017, 09:49:00 -0800), Taylor Armerding

FBI Director James Comey told a Boston audience this morning that “ubiquitous strong encryption” – the kind now available on most smartphones and other digital devices – is threatening to undermine the “bargain” that he said has balanced privacy and security in the US since its founding.

Actually, he went further, declaring that such default encryption “shatters” the bargain.

“This is a big deal, and I urge you to continue to engage in a hard conversation about it. I love privacy, but I also love the bargain,” he said, noting that the FBI’s inability to crack encrypted devices means the investigative “room” where the agency works is increasingly growing dark, and therefore undermining security.

//m.amiribrahem.com/article/3178101/comey-strong-encryption-shatters-privacy-security-bargain.html
Will a cyber crisis add to the chaos of Trump’s first 100 days? (Tuesday, February 28, 2017, 05:00:00 -0800), Taylor Armerding

While plenty of controversy has surrounded President Donald Trump’s fledgling administration, it hasn’t yet faced a major crisis.

But according to Forrester Research, aside from any political or military events, the new president will face a cyber crisis sometime within his first 100 days.

The company made the prediction last fall, prior to the election, as part of its “Predictions 2017” brief, so it didn’t specifically focus on either Trump or Democratic candidate Hillary Clinton.

//m.amiribrahem.com/article/3175138/will-a-cyber-crisis-add-to-chaos-of-trump-s-first-100-days.html
FDA “guides” the way to medical device security (04:35:00 -0800), Taylor Armerding

The U.S. Food and Drug Administration (FDA) has, for the second time in two years, issued recommendations to improve the security of connected medical devices. Not mandates – recommendations.

Which immediately raises the question: Will anything that is non-binding put enough pressure on manufacturers to spend the time and money it will take to improve device security?

That, as is frequently said, remains to be seen.

The FDA issued what it called “guidance” on the “postmarket management of cybersecurity for medical devices,” at the end of last year.

//m.amiribrahem.com/article/3172797/fda-guides-the-way-to-medical-device-security.html
Too many victims say “yes” to ransomware (Wednesday, February 15, 2017, 05:07:00 -0800), Taylor Armerding

If you are a victim of ransomware, don’t pay!

That has been the mantra of the FBI for several years now – one that was forcefully echoed by one of the nation’s highest-profile security bloggers – Brian Krebs – in a recent post.

But based on the statistics, either a lot of people aren’t listening, or it’s a bit more complicated than that. The reality is that the success of ransomware isn’t just increasing. It’s exploding.

//m.amiribrahem.com/article/3170467/to-pay-or-not-to-pay-too-many-victims-say-yes-to-ransomware.html
Can the FTC save the IoT? (04:47:00 -0800), Taylor Armerding

Nobody in the IT industry would argue that the Internet of Things (IoT) is becoming more secure. Pretty much the opposite.

But not for lack of effort. There have been multiple, ongoing initiatives over the past decade, both public and private. There have been dire warnings, publication of various standards and best practices, technology improvements, legislation to encourage threat information sharing and exhortations from government agencies, congressional committees, security firms and conference speakers.

Unfortunately, none of them has worked very well so far.

In spite of some of the best minds and technology improvements in the world focused on it, most of the IoT’s billions and billions of connected devices remain catastrophically insecure, lacking what experts call the most basic “security hygiene.” The flaws include hard-coded credentials, simple and default user names and passwords and the lack of any way to patch or update exploitable vulnerabilities.

//m.amiribrahem.com/article/3168046/can-the-ftc-save-the-iot.html
Obama’s cybersecurity legacy: Good intentions, good efforts, limited results (Tuesday, January 31, 2017, 05:44:00 -0800), Taylor Armerding

President Obama is only a couple of weeks out of office, but his legacy on cybersecurity is already getting reviews – mixed reviews.

According to a number of experts, Obama said a lot of good things, did a lot of good things and devoted considerable energy to making cybersecurity a priority, but ultimately didn't accomplish the goal of making either government or the private sector more secure.

The most recent, stark illustration was the series of leaks, enabled by hacks that US intelligence agencies attribute to Russia, that undermined both the credibility of Democratic presidential candidate Hillary Clinton and the election itself.

//m.amiribrahem.com/article/3163424/obamas-cybersecurity-legacy-good-intentions-good-efforts-limited-results.html