Author: rescue@crimefire.in

  • IOTW: Twitter accused of covering up data breach that affects millions – Cyber Security Hub

    A Los Angeles-based cyber security expert has warned of a data breach at social media site Twitter that has allegedly affected “millions” across the US and EU.
    Chad Loder, who is the founder of cyber security awareness company Habitu8, took to the social media site on November 23 to warn users of the alleged data breach that Loder claims occurred “no earlier than 2021” and “has not been reported before”.
    In a series of tweets, Loder claimed they had seen the data stolen in the alleged breach and spoken to potential victims of the breach, who had confirmed that the breached data was “accurate”.
    A tweet from Loder's now suspended Twitter account describing the alleged breach
    Loder said that any Twitter account with the “let others find you by phone number” setting enabled in its “discoverability” settings is affected, with “all accounts for the entire country code of France” listed, with their full mobile numbers.
    The breach also allegedly includes the “full phone number spaces for multiple country codes in the EU” and “some area code[s] in the US”, with the data set including personal information for “verified accounts, celebrities, prominent politicians and government agencies”.
    Twitter previously confirmed a data breach that affected millions of user accounts in July of this year. Loder stated, however, that this “cannot” be the same breach unless the company “lied” about the July breach. According to Loder, the data from this breach is “not the same data” as that seen in the July breach, as it is in a “completely different format” and has “different affected accounts”.
    Loder believes that the breach occurred due to malicious actors exploiting the same vulnerability as the hack reported in July.

    Loder’s Twitter account was suspended at some point in the last 24 hours as, according to Twitter, it “violate[d] the Twitter rules”.
    On July 27 of this year, a hacker who went by the alias ‘devil’ claimed in a post in hacking forum Breach Forum that they were selling data stolen from more than 5.4 million Twitter accounts.
    According to devil, the data stolen included email addresses and phone numbers from “celebrities, companies, randoms, OGs, etc”. ‘OGs’ refers to Twitter handles that are either short, consisting of one or two letters, or a desirable word, like a first name. Devil said they would not accept offers lower than US$30,000 for the data set.
    The owner of Breach Forums first verified that the leak was authentic, stating that the breach took place because devil was able to exploit a vulnerability on the social media site first flagged in January 2022.
    A report on the vulnerability was published to bug bounty and vulnerability coordination platform HackerOne on January 1, 2022, by a member called zhirinovsky. In the report, they described the effects of the vulnerability, saying:
    “The vulnerability allows any party without any authentication to obtain a Twitter ID (which is almost equal to getting the username of an account) of any user by submitting a phone number/email even though the user has prohibited this action in the privacy settings. The bug exists due to the process of authorization used in the Android Client of Twitter, specifically in the process of checking the duplication of a Twitter account.”
    This means the vulnerability could, and later did, allow “any attacker with a basic knowledge of scripting/coding [to] enumerate a big chunk of the Twitter user base” and collect user data into a database that linked Twitter usernames to their respective email addresses or phone numbers. This could then be sold to malicious parties who could use the data for advertising purposes, or to maliciously target specific Twitter accounts, for example celebrities.
    Twitter itself verified the vulnerability on January 6 and subsequently paid zhirinovsky a US$5,040 bounty, patching the issue on January 13, with zhirinovsky confirming that day that the issue had been resolved.
    On August 5, Twitter posted a statement about the breach, confirming that it had happened and that it was due to the vulnerability flagged in January. The company said it would “directly notify the account users [it] could confirm were affected by this issue”.
    Twitter said the data breach was “unfortunate” and encouraged users to enable two-factor authentication to protect their accounts from unauthorized logins. 


  • Using the blockchain to prevent data breaches – VentureBeat

    Data breaches have, unfortunately, become an all-too-common reality. The Varonis 2021 Data Risk Report indicates that most corporations have poor cybersecurity practices and unprotected data, making them vulnerable to cyberattacks and data loss.
    With a single data breach costing a company an average of $3.86 million and eroding a brand’s reputation and its consumers’ trust, mitigating the risks is no longer a luxury. However, as cyberattacks get more pervasive and sophisticated, merely patching up traditional cybersecurity measures may not be enough to fend off future data breaches.
    Instead, it’s imperative to start seeking more advanced security solutions. As far as innovative solutions go, preventing data breaches by utilizing the blockchain may be our best hope.
    Blockchain technology, also referred to as distributed ledger technology (DLT), is the culmination of decades of research and advancement in cryptography and cybersecurity. The term “blockchain” was first popularized thanks to cryptocurrency, as it’s the technology behind record-keeping in the Bitcoin network.
    This technology makes it extremely difficult to change or hack a system, as it allows for the data to be recorded and distributed but not copied. Since it provides a brand-new approach to storing data securely, it can be a promising solution for data breaches in any environment with high-security requirements.
    Built on the idea of P2P networks, a blockchain is a public, digital ledger of stored data shared across a whole network of computer systems. Each block holds several transactions, and whenever a new transaction happens, a record of that transaction gets added to every network participant’s ledger.
    Its robust encryption and decentralized and immutable nature could be the answer to preventing data breaches.
    World Wide Web inventor Tim Berners-Lee has said recently that “we’ve lost control of our personal data.” Companies store enormous amounts of personally identifiable information (PII), including usernames, passwords, payment details, and even social security numbers, as the Domino’s data leak in India (amongst others) has made clear.
    While this data is almost always encrypted, it’s never as secure as it would be in a blockchain. By making use of the best aspects of cryptography, blockchain can finally put an end to data breaches.
    How can a shared ledger be more secure than standard encryption methods?
    To secure stored data, blockchain employs two different types of cryptographic algorithms: hash functions and asymmetric-key algorithms. This way, the data can only be shared with the member’s consent, and they can also specify how the recipient of their data can use the data and the window of time in which the recipient is allowed to do so.
    When the first transaction of a chain occurs, the blockchain’s code gives it a unique hash value. As more transactions occur, their hash values are then hashed and encoded into a Merkle tree, thereby creating a block. Every block gets a unique hash with the hash of the previous block’s header and timestamp encoded.
    This creates a link between the two blocks, which, in turn, becomes the first link in the chain. Since this link is created using unique information from each block, the two are immutably bound.
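    The hash-linking just described, as an added example that is not part of the VentureBeat article: each block commits to a Merkle root of its transactions and to the previous block's hash, so editing a stored transaction, or even re-hashing one block after editing it, is caught by a full-chain validation. The transactions, timestamps and the simplified header (no nonce or difficulty) are constructed for illustration.

    ```python
    import hashlib
    import json


    def sha256_hex(data: bytes) -> str:
        return hashlib.sha256(data).hexdigest()


    def merkle_root(tx_hashes):
        """Pairwise-hash transaction hashes up to a single root.
        An odd leaf is paired with itself, as in Bitcoin's scheme."""
        if not tx_hashes:
            return sha256_hex(b"")
        level = list(tx_hashes)
        while len(level) > 1:
            if len(level) % 2 == 1:
                level.append(level[-1])
            level = [sha256_hex((level[i] + level[i + 1]).encode())
                     for i in range(0, len(level), 2)]
        return level[0]


    def block_header_hash(prev_hash, merkle, timestamp):
        # The block hash covers the previous block's hash, the Merkle root and the timestamp.
        header = json.dumps({"prev": prev_hash, "merkle": merkle, "ts": timestamp}, sort_keys=True)
        return sha256_hex(header.encode())


    def make_block(prev_hash, transactions, timestamp):
        tx_hashes = [sha256_hex(json.dumps(tx, sort_keys=True).encode()) for tx in transactions]
        merkle = merkle_root(tx_hashes)
        return {"prev": prev_hash, "ts": timestamp, "txs": list(transactions),
                "merkle": merkle, "hash": block_header_hash(prev_hash, merkle, timestamp)}


    def build_chain(batches, start_ts=1_700_000_000):
        """Chain one block per batch; the genesis block links to an all-zero hash."""
        chain, prev = [], "0" * 64
        for i, txs in enumerate(batches):
            blk = make_block(prev, txs, start_ts + i)
            chain.append(blk)
            prev = blk["hash"]
        return chain


    def validate_chain(chain):
        """Re-derive every commitment. Returns (ok, index of first bad block or -1, reason)."""
        prev = "0" * 64
        for i, blk in enumerate(chain):
            tx_hashes = [sha256_hex(json.dumps(tx, sort_keys=True).encode()) for tx in blk["txs"]]
            if merkle_root(tx_hashes) != blk["merkle"]:
                return (False, i, "merkle root does not match transactions")
            if blk["prev"] != prev:
                return (False, i, "prev hash does not link to previous block")
            if block_header_hash(blk["prev"], blk["merkle"], blk["ts"]) != blk["hash"]:
                return (False, i, "block hash does not match header")
            prev = blk["hash"]
        return (True, -1, "")


    # Constructed sample ledger: three blocks, the middle one with three transactions.
    SAMPLE_BATCHES = [
        [{"from": "alice", "to": "bob", "amount": 5}],
        [{"from": "bob", "to": "carol", "amount": 2},
         {"from": "carol", "to": "dave", "amount": 1},
         {"from": "dave", "to": "alice", "amount": 1}],
        [{"from": "alice", "to": "erin", "amount": 3}],
    ]


    def tamper_transaction_only():
        """Alter stored data in block 1 but leave its hashes alone: the Merkle check fails."""
        chain = build_chain(SAMPLE_BATCHES)
        chain[1]["txs"][0]["amount"] = 200
        return validate_chain(chain)


    def tamper_and_rehash_one_block():
        """Alter block 1 and recompute its own hashes: block 2's prev link now fails."""
        chain = build_chain(SAMPLE_BATCHES)
        chain[1]["txs"][0]["amount"] = 200
        chain[1] = make_block(chain[1]["prev"], chain[1]["txs"], chain[1]["ts"])
        return validate_chain(chain)


    if __name__ == "__main__":
        print(validate_chain(build_chain(SAMPLE_BATCHES)))
        print(tamper_transaction_only())
        print(tamper_and_rehash_one_block())
    ```

    In a real network the altered copy is the one rejected by peers holding the majority chain; a single node hiding the edit would have to re-hash every later block as well.
    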
    Asymmetric encryption, also known as public-key cryptography, encrypts plain text using two keys: a private key that’s typically produced via a random number algorithm, and a public one. The public key is available freely and can be transferred over unsecured channels.
    On the other hand, the private key is kept a secret so that only the user can know it. Without it, it’s almost impossible to access the data. It functions as a digital signature, like real-world signatures.
    This way, blockchain gives individual consumers the ability to manage their own data and specify with whom to share it over cryptographically encoded networks.
    A primary reason for the increase in data breaches is over-reliance on centralized servers. Once consumers and app users enter their personal data, it’s directly written into the company’s database, and the user doesn’t get much say in what happens to it afterward.
    Even if users attempt to limit the data the company can share with third parties, there will be loopholes to exploit. As the Facebook–Cambridge Analytica data-mining scandal showed, the results of such centralization can be catastrophic. Additionally, even assuming goodwill, the company’s servers could still get hacked by cybercriminals.
    In contrast, blockchains are decentralized, immutable records of data. This decentralization eliminates the need for one trusted, centralized authority to verify data integrity. Instead, it allows users to share data in a trustless environment. Each member has access to their own data, a system known as zero-knowledge storage.
    This also makes the network less likely to fall victim to hackers. Unless they bring down the whole network simultaneously, the undamaged nodes will quickly detect the intrusion.
    Since decentralization reduces points of weakness, blockchains also have a much lower chance of succumbing to an IP-based DDoS attack than centralized systems using client/server architectures.
    In addition to being decentralized, blockchains are also designed to be immutable, which increases data integrity. The blockchains’ immutability makes all the data stored therein almost impossible to alter.
    Because every individual in the network has access to a copy of the distributed ledger, any corruption that occurs in a member’s ledger will automatically cause it to be rejected by the rest of the network members. Therefore, any alteration or change in the block data will lead to inconsistency and break the blockchain, rendering it invalid.
    Even though blockchain technology has been around since 2009, it has much untapped potential in the field of cybersecurity, especially when it comes to preventing data breaches.
    The top-notch cryptography employed by blockchain protocols guarantees the safety of all data stored in the ledger, making it a promising solution.
    Since nodes running the blockchain must always verify any transaction’s validity before it’s executed, cybercriminals are almost guaranteed to be stopped in their tracks before they gain access to any private data.
    Jenelle Fulton-Brown is a security architect and internet privacy advocate based in Toronto, Canada helping Fortune 500 companies build future-proof internal systems.

  • T-Mobile data breach exposes about 37 mln accounts – Reuters.com

    A T-Mobile store is pictured in the Manhattan borough of New York, New York, U.S., May 20, 2019. REUTERS/Carlo Allegri
    Jan 20 (Reuters) – U.S. wireless carrier T-Mobile (TMUS.O) said on Thursday it was investigating a data breach that may have exposed 37 million postpaid and prepaid accounts, and hinted at incurring significant costs related to the incident.
    It's the second major cyberattack in less than two years and comes months after the carrier agreed to upgrade its data security to settle litigation related to a 2021 incident that compromised information of an estimated 76.6 million people.
    The company identified malicious activity on Jan. 5 and contained it within a day, it said, adding no sensitive data such as financial information was exposed.
    T-Mobile, however, added that basic customer data – such as name, billing address, email and phone number – was breached and that it had begun notifying impacted customers. The company has more than 110 million subscribers.
    A spokesperson for the U.S. Federal Communications Commission (FCC) said the regulator had opened an investigation into the incident.
    "Carriers have a unique responsibility to protect customer information. When they fail to do so, we will hold them accountable. This incident is the latest in a string of data breaches at the company, and the FCC is investigating," the spokesperson said.
    T-Mobile declined to comment on the investigation. The company's shares fell 1% in Friday morning trade.
    The news of the incident also drew sharp reaction from analysts.
    "While these cybersecurity breaches may not be systemic in nature, their frequency of occurrence at T-Mobile is an alarming outlier relative to telecom peers," said Neil Mack, senior analyst for Moody's Investors Service.
    "It could negatively impact customer behavior, cause churn to spike and potentially attract the scrutiny of the FCC and other regulators."

  • US Departments of Labor, Commerce announce 120-Day … – US Department of Labor

    News Release
    WASHINGTON – At today’s National Cyber Workforce and Education Summit at the White House, Secretary of Labor Marty Walsh and Secretary of Commerce Gina Raimondo announced the 120-Day Cybersecurity Apprenticeship Sprint, an effort to support numerous industries’ use of Registered Apprenticeships to develop and train a skilled and diverse cybersecurity workforce.
    The 120-Day Cybersecurity Apprenticeship Sprint supports the Biden-Harris administration’s commitment to expand Registered Apprenticeships to meet industry’s need for talent and to connect underserved communities to good jobs. Improving the nation’s cybersecurity apparatus is critical to the nation’s economic and national security, and today’s announcement will ensure enough qualified applicants are prepared for these careers.
    “The 120-Day Cybersecurity Apprenticeship Sprint will increase awareness of current successful cybersecurity-related Registered Apprenticeship programs while recruiting employers and industry associations to expand and promote Registered Apprenticeships as a means to provide workers with high-quality, earn-as-you-learn training for good-paying cybersecurity jobs,” said Secretary of Labor Marty Walsh. “These newly trained workers will help protect our critical infrastructure, advance our digital way of life, strengthen our economy and improve access to cybersecurity career paths for underrepresented communities, especially women, people of color, veterans and people with disabilities.”
    “Right now, we have hundreds of thousands of critical cybersecurity jobs open, and Registered Apprenticeships are key to training new workers and connecting them to these opportunities,” said Secretary of Commerce Gina Raimondo. “The Cybersecurity Apprenticeship Sprint will help build employer-led partnerships that will meet the industry’s need for talent and allow Americans to access quality, high-paying jobs. By using the National Initiative for Cybersecurity Education Workforce Framework for Cybersecurity, employers will ensure that all apprentices benefit from a standardized approach to cybersecurity education and training.”
    The partnership between the departments of Labor, Commerce, other federal agencies and the White House Office of the National Cyber Director seeks to recruit employers, industry associations, labor unions, educational providers, community-based organizations and others to establish Registered Apprenticeship programs or to join existing programs to ensure the nation’s economic sectors have greater numbers of qualified cybersecurity workers. The sprint will continue until National Apprenticeship Week, Nov. 14-20, 2022.
    There are currently 714 registered apprenticeship programs and 42,260 apprentices in cybersecurity-related occupations. Since Jan. 20, 2021, 199 new programs have been created – a 28 percent increase during the Biden-Harris administration. The 120-Day Cybersecurity Apprenticeship Sprint will build upon this progress and focus on creating new pathways for workers in cybersecurity or a related field through partnerships with K-12, higher education, workforce partners and training programs. Introducing more employers to the potential of cybersecurity Registered Apprenticeships is essential to fill the nearly 700,000 open cybersecurity jobs, which span all industries.
    Registered Apprenticeship is an industry-driven, high-quality career pathway where employers can develop and prepare their future workforce, and individuals can obtain paid work experience with a mentor, classroom instruction and a portable, nationally recognized credential. Registered Apprenticeships are an effective recruitment, retention and training strategy to build a skilled and diverse workforce.
    Learn more about the Cybersecurity Apprenticeship Sprint and Registered Apprenticeships.

  • Weee! grocery startup says customer data stolen in data breach – TechCrunch

    Weee!, a U.S. online grocery delivery startup that specializes in Asian and Hispanic foods, says it was hacked and that a year’s worth of customer data was stolen.
    In a brief statement published this week, the company said that cybercriminals stole the name, address, email address, phone number, order number and order comments — such as where to drop off or leave orders — of customers who placed orders between July 12, 2021 and July 12, 2022.
    The statement said that the company does not retain customer payment information and as such was unaffected.
    It’s not clear who was behind the breach, but a person on a known cybercrime forum claims to be offering information on 11.3 million orders and 1.1 million customer accounts stolen from Weee! earlier in February. Troy Hunt, who runs breach notification site Have I Been Pwned, obtained a copy of the 1.1 million customer email addresses, allowing affected individuals to check if their information was compromised.
    The seller also says that the type of device used by customers to place orders, such as iPhone or Android, was taken in the breach.
    As of February 2022, Weee! was valued at $4.1 billion following a monster $425 million Series E raise, and has more than 1,500 employees.
    A Weee! spokesperson did not immediately respond to a request for comment and questions about the breach.

  • Former Uber Security Chief Found Guilty of Data Breach Coverup – The Hacker News

    A U.S. federal court jury has found former Uber Chief Security Officer Joseph Sullivan guilty of not disclosing a 2016 breach of customer and driver records to regulators and attempting to cover up the incident.
    Sullivan has been convicted on two counts: One for obstructing justice by not reporting the incident and another for misprision. He faces a maximum of five years in prison for the obstruction charge, and a maximum of three years for the latter.
    “Technology companies in the Northern District of California collect and store vast amounts of data from users,” U.S. Attorney Stephanie M. Hinds said in a press statement.
    “We expect those companies to protect that data and to alert customers and appropriate authorities when such data is stolen by hackers. Sullivan affirmatively worked to hide the data breach from the Federal Trade Commission and took steps to prevent the hackers from being caught.”
    The 2016 breach of Uber occurred as a result of two hackers gaining unauthorized access to the company’s database backups, prompting the ride-hailing firm to secretly pay a $100,000 ransom in December 2016 in exchange for deleting the stolen information.
    Uber also had the extortionists sign a non-disclosure agreement in an attempt to pass off the break-in as a bug bounty reward. The backups contained data belonging to 50 million Uber riders and seven million drivers.
    Complicating things further, the incident occurred when the U.S. Justice Department and the Federal Trade Commission (FTC) were already probing the company for another data breach that took place on May 13, 2014.
    In February 2015, Uber revealed that one of its databases had been improperly accessed following a potential compromise of one of the encryption keys, resulting in the exposure of names and license numbers of about 50,000 drivers. The incident was discovered on September 14, 2016.
    “After misleading consumers about its privacy and security practices, Uber compounded its misconduct by failing to inform the Commission that it suffered another data breach in 2016 while the Commission was investigating the company’s strikingly similar 2014 breach,” the FTC noted in 2018.
    The DoJ said that Sullivan played a crucial role in shaping Uber’s response to FTC regarding the 2014 breach, with the defendant testifying under oath on November 4, 2016, about the number of steps that he claimed the company had taken to secure user data.
    But upon learning that Uber had been compromised again, just ten days after his FTC testimony, the agency said “Sullivan executed a scheme to prevent any knowledge of the breach from reaching the FTC” instead of opting to divulge the matter to the authorities and its users.
    Federal prosecutors also accused Sullivan of lying to Uber’s chief executive Dara Khosrowshahi as well as the company’s outside lawyers investigating the 2016 incident, stating the “truth about the breach” finally came to light in November 2017.
    What’s more, Travis Kalanick, Uber’s co-founder and then CEO, who resigned from the company in June 2017, is said to have approved Sullivan’s strategy for handling the unauthorized intrusion. Kalanick has not been charged.
    In a statement shared with The New York Times, Sullivan’s legal team said his only focus during the course of the incident and his professional career has been to ensure the “safety of people’s personal data on the internet.”
    The development, which marks the first time a senior company executive has faced criminal charges over a data breach, comes as the two hackers involved in the 2016 incident await sentencing for their fraud conspiracy charges after pleading guilty to the crime in October 2019.
    “The separate guilty pleas entered by the hackers demonstrate that after Sullivan assisted in covering up the hack of Uber, the hackers were able to commit an additional intrusion at another corporate entity — Lynda.com — and attempt to ransom that data as well,” the DoJ pointed out.
    The fact that the 2014 and 2016 security lapses mirrored each other notwithstanding, Uber came under the spotlight last month for the wrong reasons when its systems were breached a third time, in a hack that it has since linked to the LAPSUS$ cybercrime group.
    This past July, Uber also settled with the DoJ to pay $148 million and agreed to “implement a corporate integrity program, specific data security safeguards, and incident response and data breach notification plans, along with biennial assessments.”
    “The message in today’s guilty verdict is clear: companies storing their customers’ data have a responsibility to protect that data and do the right thing when breaches occur,” FBI San Francisco Special Agent in Charge Robert K. Tripp said.

  • Telstra Telecom Suffers Data Breach Potentially Exposing Employee Information – The Hacker News

    Australia’s largest telecommunications company, Telstra, disclosed that it was the victim of a data breach through a third party, nearly two weeks after Optus reported a breach of its own.
    “There has been no breach of Telstra’s systems,” Narelle Devine, the company’s chief information security officer for the Asia Pacific region, said. “And no customer account data was involved.”
    Telstra said the breach targeted a third-party platform called Work Life NAB that’s no longer actively used by the company, and that the leaked data posted on the internet concerned a “now-obsolete Telstra employee rewards program.”
    Telstra also noted it became aware of the breach last week, adding the information included first and last names and the email addresses used to sign up for the program. It further clarified that the data posted was from 2017.
    The data was “basic in nature,” Devine said.
    The company did not reveal how many employees were affected, but a Reuters report pegged the number at 30,000, citing an internal staff email sent by Telstra.
    The revelation comes a day after its rival Optus confirmed that nearly 2.1 million of its current and former customers suffered a leak of their personal information in the aftermath of a massive hack.

  • Cyber Security Today, Week in Review for Friday, February 17, 2023 – IT World Canada

    Welcome to Cyber Security Today. This is the Week in Review edition for the week ending Friday, February 17th, 2023. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.

    In a few minutes David Shipley of New Brunswick’s Beauceron Security will be here to discuss some recent cybersecurity news. One is that Canadian government and hospital leaders got a shellacking on a webinar for not putting enough funds into healthcare cybersecurity. David will have thoughts on that.
    We’ll also talk about the compromise of the GoAnywhere MFT managed file transfer service, whether cyber threat intelligence is used well and why corporate managers and IT security staff don’t communicate better. But first a look back at some of the headlines from the past seven days:
    A variant of the Mirai botnet is being used to infect a number of internet-connected devices with old and unpatched vulnerabilities. These include Atlassian’s Confluence collaboration suite, the FreePBX telephony management suite, the Mitel AWC audio conferencing platform, the DrayTek Vigor router, surveillance cameras and more. According to researchers at Palo Alto Networks, infected devices create a new botnet for spreading malware or for launching denial of service attacks. These devices are being compromised by brute force credential attacks. IT administrators of any device that connects to the internet must make sure they have secure passwords.
    Attackers are still exploiting unpatched versions of Windows Exchange. According to researchers at Morphisec the latest campaign installs cryptomining software on computers. By stealing computing power attackers get to mine for cryptocurrency faster — and slow computers from doing company business. IT departments that for some reason haven’t installed two-year-old patches to close the Exchange vulnerabilities need to scan systems for compromise, then install the patches.
    Atlassian is the latest company to be a victim of a successful cyber attack on an outside service provider. According to Cyberscoop, Atlassian initially acknowledged the theft of company data held by a service called Envoy. Envoy is used to co-ordinate in-office resources. A hacking group called SiegedSec posted what appears to be the names and email addresses of Atlassian employees. Atlassian makes the Confluence, Jira and Trello project management and collaboration suites. The company says no customer data was stolen.
    UPDATE: Atlassian now says the data theft wasn’t from Envoy but from one of its own employees. TechCrunch says an Atlassian official told it that after closer investigation the attacker had actually compromised Atlassian data from the Envoy app “using an Atlassian employee’s credentials that had been mistakenly posted in a public repository by the employee … The compromised employee’s account was promptly disabled eliminating any further threat to Atlassian’s Envoy data.”
    Washington is bringing its talent together to better protect American technology. The new Disruptive Technology Strike Force will include experts from the FBI, Homeland Security and federal prosecutors to strengthen supply chains and protect critical technology from being stolen or illegally exported. This includes knowledge about supercomputers, quantum computers, artificial intelligence, advanced manufacturing and biosciences.
    And a Russian man was convicted this week by a Boston jury for his part in a scam that used inside knowledge of the finances of publicly-traded companies to get rich. The man and other co-conspirators hacked into and stole about-to-be published earnings information of companies from two corporate filing firms. How did they do it? By stealing employees’ passwords. It is alleged the group netted US$90 million. The man, who was arrested in Switzerland and extradited to the U.S., will be sentenced in May. His alleged accomplices are at large.
    (The following transcript is part of the discussion. To hear the full conversation play the podcast.)
    Howard: Let’s start with the state of cybersecurity in the healthcare sector. Participants on a Globe and Mail webinar this week had a lot to say about the poor state of cybersecurity at Canadian hospitals. They blame small budgets for hospitals having outdated IT equipment. And the lack of support from hospital executives in Canada. Provincial governments supply most of the budgets of hospitals. COVID didn’t help, the panelists said, because hospitals had to scramble to buy solutions in the short term so that administrative staff could work from home, and that opened up cybersecurity risk. David, who’s to blame?
    David Shipley: I’m going to be controversial and say we are. And by that I mean those of us in Canada that consistently picture health care as being doctors, nurses and sometimes allied health care workers. But if our conversation consistently is about lack of doctors, nurses or staff and not about the tools that they need to enable them we miss the story. The one silver lining to IT disasters and ransomware at hospitals is that they have categorically demonstrated the value of IT: When you don’t have IT working properly in a modern Canadian or an American hospital your capacity is reduced by 75 to 90 per cent. That’s massive. Yet we consistently underinvest — not just in security tools, because this isn’t just a story about not having antivirus or SOCs [security operations centres] or all these things, but even in the basics. Patient record systems are massively outdated. They don’t even necessarily have encryption enabled. We are in a health IT Code Red and it still can’t get the attention of policymakers. Why? Because we’re not taking it seriously as Canadians.
    Howard: Well, the federal government has just offered billions of dollars to the provinces and territories for health care. Some of it can go to modernizing IT systems but to my knowledge none of it is dedicated to cyber. That doesn’t mean that upgrading systems and policies won’t be cyber-related, but there’s that huge chunk of money that we’ve been talking about in Canada in the past week and no conversation about that relating to cyber.
    The other thing is I can’t help but notice that Newfoundland, Nova Scotia and New Brunswick — to name three of the smaller provinces in Canada — all have budget surpluses. I just have to wonder with the money sloshing around, the provinces have money to spend on hospital cybersecurity if they want to.
    David: I don’t know if they have the money that’s needed for not just cybersecurity but the overhaul of IT. The fact is that is going to be a decade-long adventure. New Brunswick, where I live, is also a province where their debt has doubled in the last decade. We’re not fiscally healthy. We’ve shown a few signs of life, and particularly with the influx of Ontarians to our province as a result of the pandemic. That’s been a net benefit from an income tax point of view. But it’s not a long-term good health indicator. That being said, the provinces do own the delivery of health care, they do own the underinvestment in it. But at the end of the day politicians put the money where people ask them to. And until we evolve the conversation to be about more than staffing, to be about the actual IT equipment that’s required which is so fundamental to changing the equation [nothing will change]. This also speaks to the executives who are terrible at understanding risk. We will go with the stuff that we have the greatest handle on. Until the eruption of ransomware gangs into health care — which is even worse now that North Korea is getting more serious about it — we didn’t take it seriously as a risk. And, unfortunately, you can’t have downtime in a hospital. There’s never a good time to plan a rip-and-replace of IT equipment. But that’s exactly the kind of effort we have to pour into this. We missed a freight train-size opportunity to tie IT modernization and cybersecurity outcomes into the health care story, and that’s on everybody: The federal government, the provinces and us as Canadians, for not demanding it …
    I briefly participated on the board of one of Canada’s healthcare corporations, so I got a small insight into this. And their struggles are so enormous in terms of staffing challenges, the physical infrastructure that they’re trying to run, trying to keep things modernized. Keep in mind that many hospitals in this country still have to fundraise to get necessary medical capital equipment. We still have to hit the streets with a tin can to get new CT scanners in some hospitals in Canada. It’s really hard to make a compelling case for spending multimillions of dollars upgrading our patient information system which you [taxpayers and patients] will never see. You will never understand how that [positively] impacts the patient flow. And I think the challenge is we haven’t necessarily spoken the language of capacity and impact on patients of IT. The translation issue is that their [politicians and hospital executives] focus has always been patient outcomes. We probably haven’t been as clear about how vital IT is to patient outcomes.
    © IT World Canada. All Rights Reserved.

    source

  • 10 biggest financial data breaches of 2022 – American Banker

    Criminals have many means of stealing money and information from consumers, from scamming consumers directly to stealing their information from companies that hold it for them. For many cybercriminals, the quickest way to get a massive amount of valuable data is by targeting financial institutions.
    Cybersecurity firm Flashpoint said in recently released data that the financial sector experienced the second highest number of data breaches in 2022, globally, behind government. U.S. banks were hit hardest, followed by institutions in Argentina, Brazil, and China.
    This year, the number of consumer records leaked in breaches globally exceeded 254 million, according to Flashpoint. In the U.S. alone, data from the Maine attorney general indicates that around 9.4 million consumers across the country were affected by data breaches against financial companies.
    At least 79 U.S. financial services companies reported data breaches affecting 1,000 or more consumers in 2022, and the largest breaches affect millions of consumers each. Here are some of the biggest data breaches affecting financial services companies this year.

    source

  • Check Point Offers New Cybersecurity Training Programs for Partners and Customers – Check Point Blog

    Check Point is proud to offer new cybersecurity training courses from Offensive Security to partners and customers, as a part of MIND – Check Point’s Learning and Training organization. As a leading provider of continuous workforce development, training and education, Offensive Security’s hands-on training and certification programs, virtual labs, and open source projects provide practitioners with highly-desired offensive skills to advance their careers and better protect their organizations.
    The courses that will be offered through Check Point are:
    Learn Fundamentals Subscription – OffSec’s entry-level, or beginner, training plan. Learn Fundamentals is designed to help students learn basic technical and adjacent concepts, cultivate the mindset necessary for a successful cybersecurity career, and provide the prerequisites for advanced courses. Learn Fundamentals includes access to: PEN-100, SOC-100, WEB-100, CLD-100 and EXP-100. Assessments and badges are available upon successful completion.
    Learn One Subscription – includes one year of lab access plus two exam attempts for one of the following advanced cybersecurity courses: PEN-200, PEN-300, SOC-200, WEB-200, WEB-300, EXP-301, EXP-312 + access to all Learn Fundamentals courses.
    Learn Unlimited Subscription – With a Learn Unlimited subscription, the learner can unlock all topics and courses in OffSec’s Training Library for 100-, 200- and 300-level training, plus access to Proving Grounds Practice and unlimited exam attempts for one year.
    Learners in the platforms testify:
    “As a Learn One student, I gained extremely robust knowledge after finishing the 100-levels; this level’s benefits are countless. It’s recommended to everyone. Thanks to Offensive Security for this gamified, fun course.”
    Practitioners can now access three Offensive Security courses to stay up to date on the newest and most relevant cybersecurity topics, while testing their skills in a hands-on environment. All subscriptions are open to use for a period of one year.
    Bonus: OffSec’s CEO, Ning Wang, was a guest on Check Point’s CISO’s Secrets podcast in 2021. Tune in to learn more about her vision and the company.
    Check Point’s MIND program provides training and certification for students, early and mid-career professionals in cybersecurity topics. Since its inception, MIND has provided training to 50,000 learners around the world.
    Learn more here: https://training-certifications.checkpoint.com/#/

    source