For the past year, I’ve been criticizing entities that
describe their data leaks as “hacks” (cf, this article of mine on The Daily Dot or this post as examples). More recently, Zack Whittaker has also
forcefully raised that issue on ZDNet. Whether
other journalists will adapt their language and correctly report incidents as
“leaks” instead of “hacks” – regardless of what the entity may claim – remains
to be seen over time. But there’s a
second language issue that this blogger would also like to see addressed:
overuse or misuse of the word “ransomware.”
[Much more
follows. Bob]
(Related)
Satan RaaS Promises Large Gains With Zero Coding Needed
A newly discovered family of
ransomware is being offered via the
Ransomware-as-a-Service (RaaS) business model, allowing cybercriminals
to easily customize their own versions of the malware, researchers explain.
Dubbed Satan, the new ransomware family was discovered by
security researcher Xylitol and is available for any wannabe criminal, as the
service only requires the creation of an account to get started. The profits are split with the malware
authors, who claim to retain only a 30% cut, thus making the RaaS sound highly
interesting to many.
This is not a good thing!
It means anyone can attack your systems!
Cyber Threat Intelligence Shows Majority of Cybercrime is NOT
Sophisticated
It’s a new year and while some things change, some things
stay the same (or similar). There’s lots
of FUD about the sophisticated cyber attacks that are multi-threaded and
obfuscated. Certainly there are attacks
that fall into this category, but if you look at all of the cybercrime activity
from the past year, it’s clear that the majority of threats do not have the
level of sophistication that is often talked about.
Rather, what cyber threat intelligence is showing us is
that most threats simply exploit a
series of well-documented vulnerabilities and other weak points to
move along the path of least resistance – and the most profit. Let’s look at some of the top threats
out there today through the prism of the threat
triangle, which is the actor’s capability, intent and
opportunity:
What Computer Security managers should be thinking about.
Sami Paracha of Taylor Wessing has an article on
cyber-extortion and ransom demands from a UK perspective. It makes for interesting reading. The article begins:
Cyber Security is an omnipresent
risk for most businesses. And it is a
growing risk given the more frequent and serious cyber attacks, higher costs
for proactively managing these risks (or curing a cyber security breach), and
potentially higher fines following a breach with implementation of the GDPR [General Data Protection Regulation
Bob] on the horizon. The approximately 500 million recently
compromised Yahoo accounts are a pertinent reminder of these risks. CFC
Underwriting has also recently commented that it is being notified of claims
under its policies at a rate of more than one a day, particularly
from SMEs with revenue under £50m and “ransomware” is behind a significant
number of claims[1].
Cyber extortion, including
threats and/or ransom demands connected with cyber attacks, is a risk which can
cause great uncertainty for businesses – particularly in relation to how the
extortion threat should be handled, for example, whether a ransom demand should
be paid, whether such payment is legal
and whether insurers may cover the ransom payments.
Read more on Lexology,
and ask yourself whether you know if your insurance policy would cover a ransom
or extortion demand, and under what conditions. Of course, that’s a somewhat separate question
of whether entities should pay a ransom demand, and the questions
Paracha raises are the same ones we’ve seen elsewhere, i.e., they do not appear
to be country-specific.
My students were discussing this last week. I don’t think they are ready to give up banks
altogether, but I did get them thinking.
Much has been made of the fact that a new breed of
financial technology (or fintech) companies is unbundling banks in
the developed world. Startups are
attacking all of the components of the traditional bank value proposition
(e.g., accounts, portfolio management, mortgages, car loans, person-to-person
payments). Over the past five to six
years there has been a rush of capital and talent into startups; investment in
them has grown nearly eightfold
since 2011. While their innovative
products have been a boon to consumers in mature economies, the resulting
efficiency and security benefits have largely bypassed the 2 billion consumers
in the developing world who lack formal banking services altogether.
However, there are signs that this is changing. Encouraged by the dramatic increase in the
number of people with mobile phones in the developing world, new fintech players
are attempting to disrupt the existing financial order in these markets: the
money lenders and informal remittance services that often have been the only
option for much of the population.
Our initiative, the Digital Financial Services Lab,
is trying to be a catalyst for this transformation. To that end, it is working with
entrepreneurs to introduce innovative solutions to the developing world. A number of the companies mentioned in this
article are in DFS Lab’s portfolio.
Because, yes you really do need one.
You’ve heard it a thousand times: you need antivirus
protection. Macs need it. Windows PCs need it. Linux machines need it. Modern antivirus apps have gotten so easy to
download and run that you barely need to do anything at all. Plus you can get some of the best ones for
free. You really have no excuse. So grab one of these ten and start protecting
your computer!