
The Blockchain Hype


With technological advances aplenty – what’s going to be the next revolutionary development?

Big data? The Internet of Things (IoT)? Nope.

It’s going to be the blockchain.

With more than 25 countries investing in the technology, and $1.3 billion invested – it looks like individuals, companies, and governments alike are putting their eggs in the blockchain basket.

The public blockchain is, simply put, a digital ledger in which transactions are recorded publicly. Most widely known for its use with cryptocurrencies like Bitcoin, blockchain technology has enabled peer-to-peer transactions to be conducted without a bank as middleman, thereby challenging the power of banks to control currency. However, the applications of blockchain go far beyond cryptocurrency transactions and include supporting all kinds of information exchange.

The idea of the blockchain is revolutionary because it allows for transparency and a new way of organizing the millions of transactions that society now handles on a daily basis. Its workings are described perfectly by its name: transactions are recorded in “blocks,” and the blocks are placed chronologically in a “chain.” Once a block is full of transactions, a new block is added and chained to it, each block carrying a reference to the one before it. Therefore, as the chain grows longer and longer, it becomes nearly impossible for hackers to alter it for scams, defacement, or theft. With security at maximum – what is there to worry about?
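To make the chaining concrete, here is a small Python ledger added as an illustration for this post. It is not Bitcoin’s code or any real blockchain’s implementation: it leaves out mining, consensus and networking and keeps only the hash link from each block to the one before it. The `Block`, `Ledger` and `tamper_demo` names and the sample transactions are this example’s own. Each block’s hash covers its transactions and the previous block’s hash, so editing an old transaction changes that block’s hash and breaks the link the next block recorded.

```python
"""Minimal hash-linked ledger (added example, not any real blockchain's code).
There is no mining, consensus or network here: only the chaining of hashes,
which is what makes an altered block detectable."""
import hashlib
import json
from dataclasses import dataclass


@dataclass
class Block:
    index: int
    transactions: list   # constructed records such as {"from": "alice", "to": "bob", "amount": 5}
    prev_hash: str       # hash of the previous block ("0" * 64 for the genesis block)

    def hash(self) -> str:
        # The hash covers the block's own contents AND the previous block's hash;
        # that inclusion is the "chain" link.
        payload = json.dumps(
            {"index": self.index, "transactions": self.transactions, "prev_hash": self.prev_hash},
            sort_keys=True,
        ).encode()
        return hashlib.sha256(payload).hexdigest()


class Ledger:
    def __init__(self) -> None:
        self.chain = [Block(0, [], "0" * 64)]  # genesis block

    def add_block(self, transactions: list) -> Block:
        # A new block is chained by recording the hash of the current last block.
        block = Block(len(self.chain), transactions, self.chain[-1].hash())
        self.chain.append(block)
        return block

    def first_invalid_block(self):
        """Index of the first block whose recorded prev_hash no longer matches
        the recomputed hash of its predecessor, or None if the chain is intact."""
        for i in range(1, len(self.chain)):
            if self.chain[i].prev_hash != self.chain[i - 1].hash():
                return i
        return None

    def is_valid(self) -> bool:
        return self.first_invalid_block() is None


def tamper_demo():
    """Build a four-block ledger, rewrite a transaction in block 1, and report
    (was_valid_before, first_block_that_fails_afterwards)."""
    ledger = Ledger()
    ledger.add_block([{"from": "alice", "to": "bob", "amount": 5}])    # constructed data
    ledger.add_block([{"from": "bob", "to": "carol", "amount": 2}])
    ledger.add_block([{"from": "carol", "to": "dave", "amount": 1}])
    valid_before = ledger.is_valid()
    ledger.chain[1].transactions[0]["amount"] = 500  # an attempt to rewrite history
    return valid_before, ledger.first_invalid_block()


if __name__ == "__main__":
    print(tamper_demo())  # (True, 2)
```

Running `tamper_demo()` reports that the ledger verified before the edit and that block 2 is the first to fail afterwards: block 1’s own hash changed, so the `prev_hash` stored in block 2 no longer matches. To hide the edit, an attacker would have to recompute every block after it, which is why a longer chain is harder to alter; the mining step described later in the post makes that recomputation expensive rather than instant.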

But let’s cut to the chase. Is blockchain technology secure? The short answer is, yes — yes it is.

The long answer is: Maybe. It depends on your perspective.

Time is (not) of the essence

First, there are many who complain about issues with transaction verification. Because the blockchain is a distributed ledger, every block of transactions must compete to be added to the chain. This is done through a consensus process that selects blocks contributed by miners, who race to solve computationally expensive mathematical puzzles in order to receive a reward. The process can be sped up by paying an added fee, which bumps the transaction up the queue, but the average wait can be upwards of 40 minutes. In rare cases, it may take days for a transaction to be verified. Just so you can see how slow that is: MasterCard’s 2012 report claimed that its network could handle upwards of 160 million transactions every hour, with an average response time of 130 milliseconds per transaction.

The duration of the wait is not only a cumbersome issue in terms of service, it’s also a security issue – a lot can happen in 40 minutes, and most people aren’t interested in being patient in exchange for reassurance in security.

Where are my keys?

When people talk about the blockchain, you’ll also hear the word “bitcoin” quite often – but don’t use these two terms interchangeably, as they’re two very different ideas. The blockchain is a decentralized ledger, a database of transactions. Bitcoin is a form of virtual currency, or, to use the preferred terminology, a “cryptocurrency” (currency secured by cryptography). Bitcoin and ether, another cryptocurrency, are used in transactions that are recorded on the blockchain. The currency is held in a virtual “wallet” that stores and manages it.

To make transactions, private keys (which many store in virtual wallets) are a necessity. Now, private keys are a completely separate entity from the blockchain, making security a bit more difficult to ensure. Despite the myriad of “must-do, top security tips” articles out there, many are still foolish in the way they store or remember their private keys. By choosing to save their keys in an unsafe digital or physical location, it no longer matters how secure the blockchain itself is – breach is still possible with a legitimate, albeit stolen, private key.

On top of possible theft, there’s the issue of losing a private key. Just as one can lose a physical car key, private keys can also be lost. The loss isn’t a failure of the blockchain technology but the result of a user’s mistake. This is a huge area of concern within the public blockchain, as some put the value of lost bitcoins at over $948 million.

Old habits don’t die hard

The reality of blockchain is that in order to truly deliver on the “revolution” in terms of economy, the traditional structures of government, financial institutions, and societal ideas of transactions will have to change.

The most hyped-up “security issue” with blockchain technology came in 2016, when the Decentralised Autonomous Organisation (the DAO), an investment fund relying on the Ethereum platform, had 3.6 million “ether” (the cryptocurrency unit of the Ethereum blockchain) stolen by a hacker who exploited a vulnerability in its system. With multiple heists, the DAO ended up losing around $150 million.

Now, did this mean that blockchain technology isn’t secure? Not necessarily – the technology itself was and is secure, and strong cryptography is used to make sure that assets are transferred safely. Units of ether are also traceable, meaning that even if the hacker were to try to resell the stolen ether, it would be flagged right away. Within the DAO, payouts also took a few weeks, which gave the DAO developers a bit more time to figure out how to remedy the hack. The damage was, however, done in terms of the credibility of the blockchain and the DAO. Ethereum enthusiasts were not fans of the incident, and it caused many to raise their eyebrows at the idea of a public ledger.

The future of the blockchain

So we can see that the “issues” have more to do with the applications than with the technology itself. But the reality is that resolving these security issues, albeit secondary to the technology of the blockchain, takes time and effort, as public blockchains need acceptance by the community using them in order to have any value within the social construct. Will blockchain technology still catch on? Not only will it catch on, it’s already taking the world by storm. With the gargantuan amounts of money (both physical and virtual) being invested, this isn’t a hype that looks short-lived. It still helps to keep in mind that no matter how secure a technology is, the applications surrounding it may still need quality security.


Types of DDoS Attacks: Explanation for the Non-Tech-Savvy


When major cyber attacks are made public, we often hear about their magnitude and strength. More often than not, the media is talking about DDoS attacks. Deloitte, for example, revealed that the year 2016 “saw the first two [DDoS] attacks of one terabit per second (Tbps) or more.” But what does this actually mean? One terabit in itself sounds huge, but in order to understand what these measurements mean, it’s important to understand the different types of DDoS attacks. It’s likely that you’ve heard of very specific DDoS attacks with unique names like ‘Ping of Death’ and ‘Smurf DDoS.’ But in spite of these fancy names, DDoS attacks can generally be divided into three broad categories: volume-based attacks, protocol attacks, and application layer attacks. With this framework in mind, you’ll be able to decode all that talk about DDoS – even if you consider yourself to be among the non-tech-savvy.

Volume-Based Attacks


Volume-based DDoS attacks are the most common of the three. To carry out this kind of cyber attack, hackers utilize many computers and internet connections (often distributed around the world) to flood a website with traffic, so that the overwhelming amount clogs up the website’s available bandwidth. As a result, legitimate traffic is unable to pass through, and hackers are able to take down the website. Volume-based attacks are measured in bits per second (bps).

An example of a volume-based attack is the UDP flood. Hackers take advantage of a sessionless networking protocol known as the User Datagram Protocol (UDP), which is an essential part of the Internet protocol (IP) suite. In a UDP flood, a hacker sends a stream of UDP packets to random ports on the targeted host; for each packet the host checks for a listening application and sends back a reply, so as more packets arrive the system is unable to keep up with the volume and becomes unresponsive.

Protocol Attacks


Unlike volume-based attacks, protocol attacks aim to exhaust server resources instead of bandwidth. They also target what is known as “intermediate communication equipment,” which in simpler terms refers to the intermediaries that sit between the client and the web server, such as firewalls and load balancers. Hackers overwhelm websites and these server resources by making phony protocol requests in order to consume the available resources. The strength of these attacks is measured in packets per second (pps).

One example of this type of attack is the Smurf DDoS. Hackers send Internet Control Message Protocol (ICMP) packets whose source address is spoofed to the victim’s IP to a network’s IP broadcast address (an address used to transmit a message to every host on the network). Because most devices on the network respond to the source IP address by default, every host on that network sends its reply to the victim, and if the number of devices on the network is large enough, the victim’s computer is flooded with traffic.

Application Layer Attacks

Generally, application layer attacks require fewer resources than volume-based attacks and protocol attacks. This type of attack targets vulnerabilities within applications (hence the name) such as Apache, Windows and OpenBSD. In true DDoS nature, application layer attacks bring down servers by making a large number of requests that appear legitimate at first because they mimic a user’s traffic behavior. And because application layer attacks only target specific application packets, they can go unnoticed. Application layer attacks look to disrupt specific functions or features of a website, such as online transactions. The strength of these attacks is measured in requests per second (rps).

One example of an application layer attack is Slowloris. Slowloris is able to let one web server take down another. By establishing connections to the target server and sending only partial requests, Slowloris “holds” many connections to the server open for as long as possible. It keeps sending more HTTP headers (HTTP headers allow the client and the server to exchange additional information) but never completes a request, which eventually exhausts the server’s maximum allowed connections and prevents further connections from being made.

While volume-based attacks, protocol attacks, and application layer attacks define broad categories of DDoS attacks, not all attacks fall neatly into one category. This is because DDoS attack methods are evolving every day. In fact, a new trend is “blended attacks.” Hackers may launch a protocol attack to create a distraction and then launch an application layer attack, since the latter takes more time to find the vulnerabilities within the application layer. Blended attacks are increasing in frequency, complexity and size. Without the proper defense system in place, they have the potential to cause unimaginable damage. To read more about how DDoS attacks affect different industries, check the blog post “DDoS Attacks: Their Top 5 Favorite Industry Targets.”
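The three units used above (bits, packets and requests per second) are also what a defender measures to tell the categories apart in traffic data. The following Python script is an added example, not Cloudbric’s or any product’s detection logic: it parses a constructed one-line-per-packet flow log, computes the three rates over the log’s time span, flags each category whose rate exceeds a multiple of a constructed baseline, and separately counts sources that hold several HTTP connections open without ever completing a request, which is the footprint the Slowloris description above leaves on a server. The log format, the `BASELINE` numbers and the sample bursts in `demo()` are all made up for this example.

```python
"""Classifying a traffic burst by the three DDoS metrics from the post:
bits/s (volume-based), packets/s (protocol) and requests/s (application layer).
Added example; the log format and numbers are constructed, not a real product's."""
import re
from collections import Counter

# Constructed flow-log format, one line per packet or request:
#   <unix_ts> proto=<udp|icmp|tcp|http> src=<ip> bytes=<n> [complete=<0|1>]
# "complete" is only present on HTTP lines and says whether the request finished.
LINE_RE = re.compile(
    r"^(?P<ts>\d+) proto=(?P<proto>\w+) src=(?P<src>[\d.]+) bytes=(?P<bytes>\d+)"
    r"(?: complete=(?P<complete>[01]))?$"
)


def parse(lines):
    """Turn log lines into records; malformed lines are skipped, not guessed."""
    recs = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        recs.append({
            "ts": int(d["ts"]), "proto": d["proto"], "src": d["src"],
            "bytes": int(d["bytes"]),
            "complete": (d["complete"] == "1") if d["complete"] is not None else None,
        })
    return recs


def rates(recs):
    """bits/s, packets/s and HTTP requests/s over the span covered by the records.
    Every line counts as one packet; HTTP lines additionally count as one request."""
    if not recs:
        return {"bps": 0.0, "pps": 0.0, "rps": 0.0}
    span = max(r["ts"] for r in recs) - min(r["ts"] for r in recs) + 1
    bits = 8 * sum(r["bytes"] for r in recs)
    http = sum(1 for r in recs if r["proto"] == "http")
    return {"bps": bits / span, "pps": len(recs) / span, "rps": http / span}


# Constructed "normal" rates for a small site; a real baseline comes from its own history.
BASELINE = {"bps": 100_000, "pps": 50, "rps": 5}


def classify(r, baseline=BASELINE, factor=10):
    """Return the attack categories whose rate is more than `factor` x baseline."""
    labels = []
    if r["bps"] > factor * baseline["bps"]:
        labels.append("volume-based")
    if r["pps"] > factor * baseline["pps"]:
        labels.append("protocol")
    if r["rps"] > factor * baseline["rps"]:
        labels.append("application-layer")
    return labels


def incomplete_request_sources(recs, min_incomplete=3):
    """Slowloris-style indicator: sources with several HTTP connections that
    never completed a request. Returns {src: count} for sources at/above the bar."""
    c = Counter(r["src"] for r in recs if r["proto"] == "http" and r["complete"] is False)
    return {src: n for src, n in c.items() if n >= min_incomplete}


def demo():
    """Run the checks over four constructed one-second bursts (all at ts=1000)."""
    udp = [f"1000 proto=udp src=198.51.100.{i % 40} bytes=1400" for i in range(400)]
    icmp = [f"1000 proto=icmp src=192.0.2.{i % 200} bytes=64" for i in range(800)]
    http = [f"1000 proto=http src=203.0.113.{i % 20} bytes=300 complete=1" for i in range(80)]
    slow = ["1000 proto=http src=203.0.113.7 bytes=120 complete=0"] * 6
    slow += ["1000 proto=http src=203.0.113.9 bytes=120 complete=0"] * 2  # below the bar
    return {
        "udp_flood": classify(rates(parse(udp))),
        "icmp_flood": classify(rates(parse(icmp))),
        "http_flood": classify(rates(parse(http))),
        "slowloris_sources": incomplete_request_sources(parse(slow)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

In `demo()` the large-packet UDP burst trips only the bits-per-second check, the small-packet ICMP burst trips only packets per second, and the HTTP burst trips only requests per second, matching the three categories above; the partial-request counter points at the single source holding six incomplete connections. A blended attack shows up as more than one label on the same window, and the baseline must come from the site’s own normal traffic rather than the constructed numbers used here.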


The 6 Types of Hackers You May Come Across Online

 

These days it’s easy to look at the mountain of cyber crime news out there, and imagine a hoodie-wearing, tech-savvy loner in a dark corner of a room trying to get into a network for information. However, times have changed. It’s not just technology that changes or security measures that evolve. Hackers are also evolving.

In order to properly detect hacking attempts, it’s also important to understand who’s behind the attacks. Hackers come in all shapes, sizes, and intentions, so never judge a hacker by their cover, as it might be a whole different facade than what you believe. We’ll give you our top six types of hackers you may come across online.


The White Hat Hacker

The least malicious of the bunch, the white hat hacker breaks into protected systems either to test the security of the system or to conduct vulnerability assessments for a client. Most of the time, they work for a security company that makes the security software or product and wants to find weaknesses in the software before releasing it for open or commercial use. Most recently, white hat hacker Tavis Ormandy discovered a vulnerability in Cloudflare. Ormandy, employed at Google, found and reported the bug, termed Cloudbleed, which was affecting millions of sites worldwide.

While they may use methods similar to those of “mal-intentioned” hackers, white hat hackers do not use the data they find for ill will. Simply put, the white hat hacker does what he or she does for ethical reasons, and there are even classes and certifications available to become a white hat hacker.

The Black Hat Hacker

A black hat hacker is most likely what the general public thinks of when they hear the word “hacker.” The black hat hacker is the opposite of the white hat hacker, in that their intentions are always for personal gain rather than for the good of society. Also known as “crackers,” they take joy in cracking into systems and bypassing security. A black hat hacker usually intends to profit from breaking into systems or does so simply to satisfy a craving for mischief – they can be differentiated from hacktivists, who have a political motive for their hacking.

The Grey Hat Hacker

You guessed it, the grey hat hacker is a mix of the white hat and black hat hackers. While the grey hat hacker might break some rules and violate laws, they usually don’t have the malicious intent that the black hat hacker has. The white hat hacker will always hack under supervision or prior consent, but the grey hat hacker will not go to the lengths to receive permission before breaking into systems.

When a grey hat hacker finds a vulnerability, instead of alerting the authorities or the company, they will most likely offer to repair it for a fee – utilizing it as an opportunity to make some financial gain. Grey hat hackers argue that they only violate the law to help others, but because of the nature of their breaking and entering – companies may choose to prosecute rather than appreciate the “help.”

The Hacktivist

A hacktivist uses the world of computing and networks for a political movement. Whether it’s related to free speech, freedom of information, or proving a conspiracy theory, hacktivists span many ideals and issues. Many hacktivists work towards a common goal without reporting to a boss or an organization.

Even people unfamiliar with the IT world have heard of hacktivist groups like Anonymous, who have been active in their political movement over the past decade. Whether it’s combatting terror groups or calling for protests of retaliation, hacktivist groups hope to effect change in the real world through their programming skills in the cyber world.

The Script Kiddie

This is a wannabe hacker who lacks expertise. Just like it takes time to earn your Ph.D., it is difficult to go up the ranks to becoming a skilled hacker. A script kiddie is usually nowhere near the level of being able to hack into an advanced system, hence tending to stick to weakly secured systems. This “kid” may also get premade scripts or codes from other sources because they lack the knowledge to develop their own code. Script kiddies’ careers are generally short-lived as they might lack the discipline and creativity it takes to become an advanced hacker.

The Green Hat Hacker

Unlike a script kiddie, the green hat hacker is a newbie to the hacking game but is working passionately to excel at it. Also referred to as a neophyte or “noob,” this is a hacker who is fresh in the hacking world and often gets flak for it, having little to no knowledge of the inner workings of the web. Although it may seem unlikely that this newbie may cause any serious issues, because they’re blind to their own actions, green hat hackers can cause significant damage to a system without knowing what they’ve done and worse – how to reverse it.


It’s easy to compartmentalize hackers into good or bad, but it’s not always so black and white (pun intended). Whatever colored hat the hacker may wear, it’s important to note the differences in their techniques, results, and intentions. Then, once you understand the motives, it may be easier to either ask for assistance or perhaps look for a better security solution to guard your data and applications.

For more information on security solutions for your data or applications, visit www.pentasecurity.com or email us at info@pentasecurity.com.


Tax Season: Cyber Security Defenses to Make (and Keep) Your Returns


It’s that time of year again: the time when winter coats are abandoned, flowers are in full bloom… and everyone starts to rack their brains over how to deal with their taxes from the last fiscal year. Tax season is a stressful time for most and, whether you hire an accountant or decide to tackle the numbers yourself, it’s no time for haphazard calculations. Every single cent counts in order to get the best return possible. But could your hard work go down the drain with a single click? According to a report from the Federal Trade Commission, of the half a million complaints registered in 2015, nearly half were tax fraud-related, and these frauds are increasingly conducted online.

Cybersecurity and tax fraud are two ideas that people don’t usually look at side-by-side. After all, the IRS will never send out an email to contact you (if they do, it’s probably a scam), but with the rise of the digital age, many accounting firms have seen the benefits of having taxpayers fill out necessary forms online, facilitating the process for both the taxpayer and the agency. However, digitizing the process has opened up a Pandora’s Box in the realm of cybersecurity.

Now, by no means does this mean that taxpayers absolutely need to revert to the pen-and-paper method of tax filing. Electronic forms take an enormous load off everyone during tax season, but here are some tips to keep in mind as you file your taxes so that, at the end, you do make returns and keep them. Here are our top five tips for making your tax season a little more secure:

Get it out of the way

Did you know that employers are by law required to provide W-2 forms to their employees by the end of January? Some may give their forms out earlier, and the IRS officially began accepting 2016 tax returns on January 23, 2017.

While it may be tempting to push it off until April, there are benefits to being an early bird. Not only do you get to be stress-free for spring, but filing early means you 1) give the IRS time to immediately process and check your return, and 2) avoid the peak period in March and April when hackers fish for victims. The latter part of tax season is when potential victims tend to be a little more scatterbrained, not using as much discernment as they should in securing their tax returns. Hackers are less likely to be looking for prey in January or February.

Watch out for phishing scams and links

As mentioned before, the IRS will never, under any circumstances, contact you via email, text, or phone to demand money. They will always send a postmarked notice to “kindly” remind you to pay your dues. However, because this is a little-known fact, many fall prey to the phishing and pharming scams that hackers love to execute.

Especially in emails or text messages, be careful not to click on any links or attachments. Although it may be tempting to see what the IRS could want, these seemingly harmless links could trigger malware, and viruses could get installed on your devices to infect entire systems. The IRS encourages users to forward any emails you suspect of being fraudulent to phishing@irs.gov and delete it permanently from your inbox.

Keep your devices and connections clean

Updates are cumbersome and might take more time than you are willing to put in. However, an update can be the difference between a known vulnerability left open and a strong defense against it. Software, browsers, and applications should have the latest updates, and any unnecessary software is best deleted to avoid cluttering your system.

Additionally, when filing your taxes, make sure to use a secure wireless connection. Public Wi-Fi is not your safest bet, and hackers may be able to take a clear look at your sensitive data if they intercept your wireless connection.

Use Encryption

When sharing information with your accountant, make sure that your information is well encrypted, so that a hacker will not be able to see the contents even if they do succeed in intercepting it. Along those lines, double-check that your online tax-filing agency is using SSL, which encrypts the traffic between your browser and the site. Look for “HTTPS” in the URL, with a lock icon signifying a secure SSL connection. While an agency may claim to offer “easy filing,” you don’t want that to mean “easy access” to your financial information.

Be careful of your… social media???

While social media may seem to be the furthest platform from your tax returns, many hackers have been utilizing a social engineering method called “social sleuthing,” where they will stalk a high-level executive to see if and when they go away on holiday or travel during these chillier months. Then, impersonating the executive, they may reach out to a lower-level employee back at the office, asking for help with paying taxes, or for sensitive information that they conveniently “forgot.”

Although hackers work year-round to try to access our data, tax season is ripe for harvest when it comes to getting sensitive information, making it much more lucrative for hackers. The sad reality is that though the IRS may do its best to put preventative measures in place in terms of your W-2 or through public service announcements warning of fraud, the consequences that you may potentially encounter are solely your responsibility. At the end of the day, taxes are owed to the IRS, regardless of the situation.

But remember, many prevention tips are simple to implement; it just takes a bit of awareness and effort. No one enjoys tax season (except hackers), especially if heavy consequences await in case of any loss or damage of data, fraud or scam.


Majority of Companies Are Not Disclosing Their Data Breaches


It is a common misconception to think that companies absolutely must disclose details of any internal breaches they may have suffered. In reality, the majority of data breaches go unreported, and details of the leak are rarely revealed to the public. Recently in the media, Yahoo came under fire and heavy scrutiny for late disclosure of two major data breaches of user account data. The Internet service company suffered two massive breaches in both 2013 and 2014 – resulting in the largest discovered data breaches in the history of the Internet – but this situation was only made public during the latter part of 2016.

This raises the question: should companies be forced to disclose data breaches? As we shall soon see, being PCI compliant is only the beginning of assessing the security practices of a company.

False sense of security protection

Just because a company is internationally known it doesn’t automatically mean that your data is safe. Many users have a false sense of protection, simply because they trust the brand. But when it comes to these companies’ cybersecurity practices, quality security measures may not be a top priority since most are typically sales-driven. For example, besides the recent Yahoo breach, there have been numerous cyberattacks that have made headlines like Dropbox’s 68 million users’ data leakage that remains engraved in the minds of the public.

Part of the reason that so many attacks go unreported is that most companies simply do not need to disclose that sort of information in the first place. There is no current law requiring corporations to reveal when customer data has been compromised, so it makes sense that data breaches go unreported. A hacking incident could tarnish the reputation of the brand and instill mistrust among customers, which is never something corporations want. Even if large corporations choose to disclose data breaches, the extent to which data has been compromised is probably downplayed and not revealed in full.

For instance in the case of credit card breaches, customers will simply receive email reminders to change their account passwords or the bank will issue new cards to mask the data breach. Cases like this provide a sense that nothing is wrong and it is simply “routine procedure.” So, what can you as the customer do?

PCI Compliance?

If you are engaging in online transactions, ensure that the company is PCI-DSS (Payment Card Industry Data Security Standard) compliant.

Below is a clear definition of this industry standard:

The Payment Card Industry Data Security Standard, or simply PCI DSS, is a set of security standards designed to ensure that ALL companies that accept, process, store or transmit credit card information maintain a secure environment.

With most brands moving their businesses online, there is a growing concern about the security implications of online transactions. When a corporation is not PCI compliant, there is a higher chance of data leakage – but even this industry standard is purely a minimal requirement. Just as it is not a law for corporations to reveal internal data breaches, PCI compliance is just a security standard for online transactions – not the law. That means businesses can continue to sell products online without the proper security standards intact. Furthermore, research by Verizon has shown that seven in ten businesses that achieve PCI compliance fail to maintain it for a minimum period of one year.

Because corporations do not differentiate between what it means to “be validated” and to “be compliant,” this finding is extremely daunting especially in the light of recent data breaches. To be validated specifies a precise point in time when a business chooses to be assessed for compliance. This assessment is therefore a snapshot in time and says virtually nothing about the business during the rest of the year. For example, a company that suffered a data breach may reveal to its customers that they were validated for PCI compliance within the past year, but it doesn’t necessarily mean they were compliant at the time of the actual data breach.

In fact, according to one of the authors of the Verizon report, “…data from the past 10 years shows, that not a single company that suffered a data breach was compliant with PCI requirements at the time of the incident.” PCI standards set a strong baseline protection for any business but at the end of the day it is just the “minimum bar” to entice competitors to reach that same level of security simply because customers expect at least that much.

But is it enough? In many cases, no.

For example, Home Depot, which was PCI compliant, suffered a massive data breach in 2014. Many questioned how this breach could have happened to such a huge retailer, especially when it was supposedly certified to the security standards associated with credit card transactions. However, according to CIO, Home Depot’s data breach stemmed from using outdated Symantec antivirus software, not monitoring the network continuously for suspicious behavior, and performing vulnerability scans irregularly at only a few of its stores. Stolen customer information also went unnoticed for several months. This is a perfect example that demonstrates that there is more to being secure than being PCI compliant.

Security beyond PCI compliance

A larger company like Home Depot can certainly afford to hire a security team but because security was not prioritized, it was too little too late when they were struck with a massive data breach. Adhering to the PCI standards sets the minimum bar but there is more to security – to start off, companies should be incorporating a Web Application Firewall (WAF) to their security platforms. Not only does a good WAF do much more to protect your website against external threats including DDoS and data leakages, the best part is that they also do not require a special security team to operate and manage the system.

With the rise of cloud services, WAF-as-a-service has also become popular since it doesn’t require additional hardware. Only minimal technical knowledge is needed, involving a simple DNS configuration to register websites under WAF protection. Cloud WAFs manage all inbound and outbound traffic and are able to automatically detect and filter malicious attacks. This is huge for businesses that may still be starting out and cannot necessarily afford specialized security teams. For example, Cloudbric, a cloud-based WAF service, offers easy-to-understand web traffic analytics and allows users with little to no IT-security knowledge to manually look at their web traffic data in search of any inconsistencies.

The reality is that hackers can gain access to confidential information with relative ease so data leaks will likely continue to prevail. It’s important to keep in mind that just because it doesn’t make news headlines doesn’t mean that data breaches are not a common occurrence. We can have a false sense of security believing that entrusting our sites to well-known and successful companies can keep our information secure. But while following standards like PCI DSS is a great start, when thinking about the best security practices it’s best to think about the long-term and how to implement a solution that has you covered any time and anywhere.


Love in All the Wrong Places: the Dangers of Online Dating


As February 14th creeps closer, hype over finding a valentine is at its peak. But finding a significant other does pose more difficulty in this day and age with the rise of career-driven individuals, slaving away with the chaotic schedules of everyday life. Furthermore, with the digital world just an arm’s length away, it’s not surprising that many have opted to look for a match in cyberspace. The use of online dating apps has increased nearly threefold since 2013, and social stigma for online dating has largely subsided, with mentions in popular media and even attractive celebrity endorsements. But unfortunately, like any other new phenomenon, many fail to realize the security implications of finding love online.

The oversight is understandable, as the desire for love and companionship often trumps protective instincts, but with the increase in online dating also comes an increase in cybercrime. In the UK, as many as 350 online dating scams were reported monthly, with victims handing over not only their hearts but more than £39m to false lovers in 2016. There may be those who would be baffled by the enormous amount of money handed over to hackers and scam artists, but with love – anything is possible.

The Consequences of Finding Love Online

We’ve all heard stories of someone getting “catfished”: an unsuspecting individual lured in by a fake online profile. The scammer may use an attractive picture and extraordinary details, then suddenly disappear when the time comes to meet. Worse, they may extort money from their innocent “catfish catch,” who, being madly in love, will gladly acquiesce to aid their partner.

But as scary as a “catfish” exchange may be, the consequences can stretch even further and deeper into cyberspace, since information can be transmitted across the world in seconds. In 2013, Cupid Media, a media group housing over 30 online dating sites, had 42 million plain-text passwords taken from its server. While many of these passwords belonged to inactive accounts, the millions of members who were active users now have their personal information in the hands of hackers.

When Ashley Madison, a site serving as a platform for individuals looking for extramarital affairs and casual hook-ups, was hacked in the summer of 2015, many were harassed with ransom and blackmail threats to distribute their names, credit card information, and email addresses. The threats demanded payment – the alternative? All personal information and data on website activity would be openly displayed on a public website. Some paid up, and some didn’t – citing that information had already been leaked anyway.

In short, online dating can have dire consequences for both your wallet and your ego. So for Valentine’s Day this year, while you don’t necessarily need to skip the web-browsing tango, take these tips with you to have a loving, safe February 14th.

1. Watch out for the telltale signs

Avoid the “catfish” traps. Blonde, loves sunsets by the beach, and has the body of a model? If someone looks too good to be true, it’s a real possibility that you’re talking to a made-up persona. Before you reveal your deepest and darkest secrets, check for inconsistencies throughout their profile. Even if it’s not a con artist on the other side of the screen, it’s estimated that around one-fifth of all online daters have asked a friend or family member to help them “tweak” their profile.

And with more than 60% of web traffic made up of bots, it is not surprising to run into “chatbots” on online dating sites and apps. These chatbots are designed to simulate real-life conversation and can convince you to click on a link or give away personal information. The telltale signs include the “bots” responding suspiciously quickly, chatting in an unnatural way or using odd syntax, or sending links without being asked.

2. No advance fees

No matter how in love you may be, don’t fork over the cash just yet. Once an online relationship has built a basis of trust, the requests for favors may start rolling in. Perhaps a loved one is having a medical emergency, or they’re a little short on rent that month.

After a certain, most likely pre-planned, amount of time has passed, the scammer may even ask you to wire some money to purchase a plane ticket… to finally meet. While some may be wooed by the idea of finally meeting in person – perhaps a safe way to respond would be to suggest that they borrow money from a family member or the bank.

3. Find a worthy website using a WAF service and encryption

Although the examples given so far may be on the scarier side, not all online dating sites are vulnerable. If a company has taken the time to deploy a Web Application Firewall (WAF) or WAF service, as well as encryption for its data, your personal information has less chance of being compromised.

Think this is a given? Many companies keep their data in plain text out of sheer convenience – and may face dire consequences for it. Don’t play with fire; bet on a company that is transparent about its security practices. Better safe than sorry, especially when your future relationship is at stake.

4. Nothing’s as good as (secure) face-to-face

“Let’s meet in real life” are the words that an online lover might be impatiently waiting to hear. However, if you don’t feel ready for a potential meetup, be firm and put your foot down. If meeting in person, meet in a predetermined, public location, never at home or in your office. Consider asking a friend to be a “safe buddy” who stays on standby to get you out of a potentially risky situation if things aren’t going well.

Some might choose to “meet” via video chat programs like Skype or FaceTime. Even then, make sure to have a secure connection, turn off any kind of geolocation settings, and be on guard to not disclose too much about yourself.

The Future of Online Dating?

The majority of people will first think of the physical dangers of online dating. However, in this day and age, cybercrime can reach just as far, and faster at that. Be smart offline and online, but, not to be a downer, keep your hopes up: 5% of Americans say that they met their significant other online, and judging by other statistics in the cyber realm, this number has nowhere to go but up.

Perhaps love is just around the website. And hopefully a secure one.


Online Safety Tips from Penta Security, 2017 Data Privacy Day Champion


Penta Security named Data Privacy Day Champion

A Data Privacy Day Champion this year, Penta Security believes that organizations, businesses and governments are collectively responsible for being conscientious stewards of personal information. For Penta Security, this year marks two decades of experience in protecting an asset valued by all: personal data.

Data Privacy Day, held annually on January 28, is a worldwide effort to create awareness about the importance of privacy, safeguarding data and reminding organizations that privacy is good for business. Penta Security has consistently been committed to the cause by informing clients and the public about basic steps in protecting personal information, through security threat reports, eBooks, infographics, and other media.

To commemorate this significant day, here are Penta Security’s top five online safety tips for improving your data privacy efforts ahead of Data Privacy Day:

Change your passwords frequently

“The Most Common Passwords In 2016 Are Truly Terrible” by the Huffington Post reveals that, despite living in an era of cyber threats and data breaches, people are still resorting to ‘123456’ or ‘password’ to guard their personal data online. While it’s been mentioned repeatedly, here is another reminder to strengthen your passwords (adding special characters is always a good idea) and to change them frequently, preferably once a year. Furthermore, it’s best to avoid using the same password for multiple accounts, as this exposes you to a greater risk of data theft should one account be compromised. Lastly, consider enabling two-factor authentication, as this adds an extra layer of protection to your personal accounts.

Recognize the signs of online phishing scams

Defenses against phishing scams have come a long way, but many still fall prey to scams like the Nigerian prince email. With the right social engineering tactics, phishing scams can be convincing enough to solicit your personal information and, in a worst-case scenario, provide a gateway to your financial information. That’s why it’s extremely important to know the warning signs.

Avoid clicking on links within emails from unknown senders. Basic red flags include shortened links concealing their destination URL and website banner ads advertising too-good-to-be-true offers. Clicking on these will likely redirect you to a malicious site. Emails that impersonate major banking or retail corporations to ask for personal or financial information are commonplace these days. A good practice is to always enter a website address directly into your browser to avoid ending up on spoofed sites.

Be smart when using public Wi-Fi

Public Wi-Fi should be used with extra caution since cyber criminals can use unprotected Wi-Fi networks to sniff out private credentials and other sensitive data online. While it’s great that many restaurants, cafes, retail shops, and other public places offer free Wi-Fi, these hotspots could also serve as inlets for unauthorized monitoring of your private web activity. Public Wi-Fi should therefore be reserved for basic web surfing like reading the latest news or scrolling through social media feeds. Logging into your social media accounts, making online purchases, or doing online banking should only be done over a secured connection.

Don’t ignore your computer updates

Reminders to update your operating system or software are critical in reducing the risk of exposing your data to cyber criminals. Developers often roll out new updates not just for improved functionality but also for urgent security fixes and vulnerability patches. If automatic updates aren’t an option, setting up a regular schedule to check whether all your software and operating systems are up to date will help you keep up good cyber hygiene.

Consider encrypting data that matters most to you

Data encryption is no longer reserved for the techies. If you have data that is highly sensitive, then consider encrypting it. Currently, there are many tools available online that can encrypt and decrypt files either for free or at a low cost. Encryption ensures that your data is only readable by the intended recipients. This is because data encryption uses special keys to algorithmically scramble and unscramble data, so only you and whoever possesses the right keys can gain meaningful access to your data. We also recommend that you do not store encryption keys in the cloud or leave them in the possession of your cloud provider.

By participating in Data Privacy Day, Penta Security is joining the growing global effort among nonprofits, academic institutions, corporations, government entities and individuals to raise privacy awareness at home, at work and in communities. Penta Security seeks to help cultivate a greater prudence in data-handling by educating others about online safety through our blog, press releases, and other media. If you have extra tips to share with us, follow us on Twitter @pentasecsystems and send us a Tweet with the hashtag #PrivacyAware!

About Data Privacy Day

Data Privacy Day began in the United States and Canada in January 2008 as an extension of the Data Protection Day celebration in Europe. Data Protection Day commemorates the signing of Convention 108 on January 28, 1981, the first legally binding international treaty dealing with privacy and data protection. The National Cyber Security Alliance, the nation’s leading nonprofit, public-private partnership promoting cybersecurity and privacy education and awareness, leads the effort in North America. The Data Privacy Day initiative is advised by a distinguished advisory committee of privacy professionals. For more information, visit https://staysafeonline.org/data-privacy-day/about.


3 Devastating Cyber Attacks on Banks That Show How Vulnerable Our Money Is

When it comes to online banking, there’s no room for tolerating sloppy data security. You might not lose any sleep if your (hopefully unique) Adobe password is leaked and you may only experience a few minutes of rage if your Dota 2 game is DDoSed. But if your bank goes offline, better hope it’s only for a few minutes and that your money is safe.

These 3 Cyber Attacks on Banks Had Devastating Consequences

Whether we’re talking about large banks or scrappy new fintechs, any financial companies that do business online are vulnerable to security risks, just like anyone else. Here are three major incidents where online banks had their security compromised.

1. American Banks Targeted With Extended DDoS Campaign

Starting in early 2012, a wave of malicious traffic swept over several American banks, targeting banking web applications one at a time. The attacks affected Bank of America, Citigroup, Wells Fargo, Capital One, and HSBC, among others. Rather than targeting customer data or stealing money, the hackers used DDoS attacks to overwhelm online banking websites and prevent actual customers from accessing bank services.

A group called Izz ad-Din al-Qassam Cyber Fighters took credit for the attacks, dubbed Operation Ababil, claiming it was retribution for an anti-Islam video. But due to the sophistication of the attacks, the US government suspects the group is just a front for the Iranian government, seeking their own retribution for American cyberwarfare attacks.

The campaign was the largest cyberattack in history at the time (a record since surpassed many times). Attacks were carried out in three phases, the final one launching in March 2013. More than just a nuisance, a successful DDoS attack costs banks an estimated $100,000 per hour. Worse, any server, web application, or device, IoT devices included, compromised by a botnet can be used in such a DDoS attack.

Terrorists acting on their own or state-sponsored warfare. Whoever they were, they weren’t after this stuff.

2. South Korea’s Banking Industry Hit By Massive Coordinated Attack

On March 20, 2013, South Korean citizens were rattled by a far-reaching cyber blackout that froze computer terminals and paralyzed ATMs and mobile payments. At two banks, Windows and Linux computer systems were affected and entire hard drives were wiped. Others such as Woori Bank reported intrusion attempts but claimed they fended off the hackers. The attackers also managed to disrupt broadcasts of three major TV stations.

The South Korean government accused North Korean operatives of orchestrating this cyberwarfare campaign from China, where the attacker IP was traced. It is possible either a North Korean cyberwarfare unit was active in China, or they hired a China-based mercenary botnet that had already compromised South Korean targets.

This attack was carried out by a relatively unsophisticated malware program known as “DarkSeoul,” and could have been prevented had adequate cyber security measures been put in place. Despite the disruption to services and deletion of data, it is clear the attack was mainly intended to disrupt business and cause chaos. The total cost of the carnage, both through denial of service and data loss, was calculated at $725 million.

This is what our banks will look like in the future if we don’t start taking cyber security seriously.

3. Russian Hackers Pull Off World’s Biggest Bank Heist

A crime spree comprising a diverse repertory of well-planned attacks against as many as 100 banks across 30 countries has been attributed to a single cybercriminal gang. The group, dubbed Carbanak by Kaspersky Lab, is believed to consist of Russians, Ukrainians, and Chinese, with its targets located primarily in Russia, followed by the US, Germany, China, and Ukraine. Its crime spree began in early 2014, peaked in June, and went unaddressed until February 2015.

The hackers used botnets to send out malware-infected e-mails to bank employees, a tactic called spearphishing, and were able to infiltrate many employee accounts. This allowed them to steal many different kinds of sensitive information, including customer data, secret keys used by ATMs to confirm PINs, bank video surveillance, and information on security systems and anti-fraud measures. They could also manipulate account balances and create fake accounts to move stolen money around. Each attack took around two to four months.

One bank was robbed of $7.3 million when the hackers reprogrammed its ATMs. Another bank’s online platform was accessed and the thieves made away with $10 million. Some of these attacks could have been prevented had employees only updated their Microsoft software. The thieves were able to make off with as much as $1 billion, and authorities have been unable to catch them.


No, Carbanak is not like your granddaddy’s bank robbers.

These three incidents show hackers with varying motivations and means, using differing techniques to achieve their own unique goals. Whether disrupting service or stealing money, or cybercrime or cyberwarfare, cyber threats cannot go unaddressed. And rather than going after only the biggest banks, hackers are increasingly targeting smaller fintech startups with fewer resources and less experience with cyber security. We must cooperate to secure the Internet from these actions, or we’ll pay the price in the end.


Your Guide to the 3 Layers of Website Protection

Of course, it’s difficult to talk about completeness when it comes to information security. Even the professionals need serious resources for comprehensive protection, from architecture to operation, and even then, perfection still isn’t guaranteed. There are no standard web security measures, so every individual builds security depending on their own unique situation. Web security solutions need to fit each company’s IT system. This begins with understanding how a company’s IT system is structured.


What’s the shortcut to website security?

The Three Layers of an IT System: Network, System, Application

Generally, an IT system consists of networks, systems, and applications. Each of these three layers needs its own level of protection. The network layer at the bottom of this stack deals with data transfer, while the system layer (what we know as operating systems such as Windows or Linux) works as a platform that enables the application layer to operate. The application layer itself offers protocols and services with many features. Most server systems share this structure, so securing a server means securing all three layers.

IT system layer structure

Don’t Overlook Web Application Security

Despite the importance of web application security, most companies spend only about 10 percent of what they spend on network security on web application security. The reason is simple: companies don’t know what to do about web application security. The application layer is technically more complicated, and the kinds of applications vary widely.

Most security professionals find it difficult to set up a security policy and apply security measures. What we think of as the ‘web’ actually consists of applications. Websites and mobile apps are all applications, and attacks on these also take advantage of the vulnerabilities of applications.

Web attacks such as SQL injection or XSS target the vulnerabilities of web applications. A ‘web shell’, malicious code uploaded to a server, is itself a type of web application. The Open Web Application Security Project (OWASP), well known in the web security industry, names 10 top web vulnerabilities, all of which are web application attacks.

More than 90% of web attacks target web applications. A web application firewall (WAF) is what protects your website from unwanted visitors. Its role is like a fence: it monitors traffic, detects web attacks, and protects your website. What’s important is that it prevents vulnerabilities from being exposed. At the perimeter, it blocks malicious traffic, and it also hinders malicious code from being uploaded to your web server.
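As an added illustration (not Cloudbric’s or Penta Security’s code), here is a minimal application-layer inspector in Python showing what a WAF looks at that a network firewall cannot: decoded query and form values for the SQL injection and XSS patterns the post names, and uploaded files for a web-shell drop. The request dictionary format, the rule strings and the sample traffic are all constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# Constructed, deliberately small signatures for the three attack classes the
# post names (SQL injection, XSS, web-shell upload). A production WAF carries
# far larger, tuned rule sets plus anomaly scoring; this only shows the idea.
RULES = {
    "sqli": re.compile(r"(?i)(\bunion\s+select\b|'\s*or\s+['\d]+\s*=\s*['\d]+)"),
    "xss": re.compile(r"(?i)(<\s*script\b|\bon(error|load|click)\s*=|javascript:)"),
}
# Server-side executable extensions and script opening tags: an upload that
# matches either is treated as an attempted web-shell drop.
EXECUTABLE_EXT = re.compile(r"(?i)\.(php\d?|phtml|jsp|jspx|asp|aspx)$")
SCRIPT_TAG = re.compile(r"(?i)<\?php|<%@?\s*page|<jsp:")


def normalize(value: str) -> str:
    """Percent-decode twice so a double-encoded value is inspected in the form
    the application will finally see. Matching on raw wire bytes would miss
    %3Cscript%3E entirely (the usual evasion a signature engine must handle)."""
    return unquote_plus(unquote_plus(value))


def inspect_request(req: dict) -> dict:
    """Inspect one parsed HTTP request (constructed dict with optional 'query',
    'form' and 'files' keys) the way a WAF does: at the application layer,
    where a network firewall sees only addresses and ports."""
    findings = []
    fields = {**req.get("query", {}), **req.get("form", {})}
    for name, value in fields.items():
        text = normalize(value)
        for rule, pattern in RULES.items():
            if pattern.search(text):
                findings.append(f"{rule}:{name}")
    for upload in req.get("files", []):
        if EXECUTABLE_EXT.search(upload["filename"]) or SCRIPT_TAG.search(upload["content"]):
            findings.append(f"webshell:{upload['filename']}")
    return {"action": "block" if findings else "allow", "findings": findings}


# Constructed sample traffic: a legitimate login, a tautology in a search box,
# a URL-encoded script tag in a comment, a renamed PHP file sent as an avatar,
# and a genuine image upload.
SAMPLE_REQUESTS = [
    {"path": "/login", "form": {"user": "alice", "password": "S3cret!"}},
    {"path": "/search", "query": {"q": "' OR '1'='1"}},
    {"path": "/comment", "form": {"text": "%3Cscript%3Ealert(1)%3C%2Fscript%3E"}},
    {"path": "/avatar", "files": [{"filename": "me.jpg.php", "content": "<?php /* constructed */ ?>"}]},
    {"path": "/avatar", "files": [{"filename": "me.png", "content": "\x89PNG\r\n"}]},
]


def run_samples() -> list:
    """Return (path, action, findings) for every sample request."""
    out = []
    for req in SAMPLE_REQUESTS:
        verdict = inspect_request(req)
        out.append((req["path"], verdict["action"], verdict["findings"]))
    return out


if __name__ == "__main__":
    for path, action, findings in run_samples():
        print(f"{action:5} {path:9} {findings}")
```

The point to take from it is that every check above needs the decoded request body, file name and file content, none of which exist at the network layer, which is why a network firewall alone leaves the application layer exposed.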


A Web Application Firewall blocks all sorts of web attacks

If you look into web application firewall solutions, there is a comprehensive yet free solution called Cloudbric. Cloudbric is the most advanced web application firewall, with algorithms that progressively learn from past experience. Go to the top of this page and click to get started with Cloudbric protection for your website!