Tag Archives: News

Panda Security

Ashley Madison. Should your company invest in cyber insurance?

ashley madison

What started out as a dating site – albeit a controversial one at that – has turned into a nightmare. Ashley Madison, a dating site for married people who are looking to have an affair on the side, suffered a devastating cyberattack this week as hackers published private details relating to nearly 40 million users.

The information released contained names, phone numbers, email addresses and even sexual preferences. The fallout of the attack, which took the form of a 10GB database on the “dark web” that could be accessed through a specialized web browser called Tor, was felt around the world. One radio show in Australia had listeners calling in to see if their partners had had accounts on the website, resulting in some unsavory moments.

This has resulted in the company’s reputation – like that of its users – lying in tatters and calls into the question the credibility of similar websites. How can a person be expected to sign up to a confidential website if their private information is so easily at risk of being exposed?

This is an example, recent and extreme, of what a cyberattack can mean for your company. The average cost of data theft is around $3.8 million (€3.4 million), according to the latest report by the Ponemon Institute. This is an increase of 23% compared to what a company would have lost to a hacker in the previous year.

Cyber insurances for companies

The damage done to a company’s credibility may not be repairable but there is at least a way of preventing the economic fallout from being too harsh. Large corporations are away of the risk that is posed and are looking for solutions. This has resulted in an increase in cyber insurance, which has seen an increase from 10% to 26% in the last year in the United State alone. It is estimated that up to 60 different insurance firms are offering this service.

Information theft is also a worry for European businesses and they are heading for a more rigorous legal framework for data protection, with a new law on the way. Protection against possible regulatory fines and penalties is something that every potential cyber-insurer must cover in Europe.

In general terms, you could say that there are two distinct risks that these policies cover: direct risks, which affect the company itself, and indirect risks which affect third parties (clients and users). In a typical information leak, the direct cover would help to defray the costs of notifying about an attack and the following analysis, the repair and restoration of the data, and the victims’ verification service. The indirect cover would take care of the costs of fines, legal fees, judges, and complaints on behalf of users.

hacking computer

So, is it worthwhile for your company to contract a cyber-insurer or is this just another way for insurance companies to increase their revenue by exploiting unchartered territory? It depends and the first thing to consider is rather obvious; prevention is always better than the cure. A good antivirus for businesses y and following recommended security steps is the best defense against a cyberattack.

That said, the main advantage of these insurance policies is that the company can continue operating if it suffers an attack. It doesn’t prevent or decrease the chances of being targeted, but it allows you to relax knowing that the future won’t be so grim.

However, no matter what insurance the company has, it will never recover its reputation after an attack and this can be devastating. According to a report by Ponemon, a cyberattack can cause a company to lose up to 4% of its clients and customers in some sectors.

So, if your company finally decides to contract a cyber-insurer there are a few things to consider. The insurer should offer retroactive cover (which pays for breaches that take place before the policy is activated), cover for unencrypted documents (text documents, spreadsheets, etc.), third party information, information stored on the cloud and mobile devices, and that it is clear what the company considers to be negligence – so they don’t leave you high and dry at the worst moment.

The post Ashley Madison. Should your company invest in cyber insurance? appeared first on MediaCenter Panda Security.

AVG

Ashley Madison Hack – what has been leaked?

As with all privacy breaches there are multiple victims here. The customers whose personal data has been leaked, as well as the company trusted to keep it secure; a trust that may never be regained.

However, what makes this case highly significant is the collateral damage that will likely spread beyond just the direct privacy breach.  Family ‘secrets’ are revealed and victims are ‘ousted’ – seemingly at the hands of anonymous hackers with a point to prove.

Another oddity in this case is that AshleyMadison.com charges only men for their subscriptions and message credits, while female users are able to use the site free of charge.  This has resulted in the victims consisting mostly of men, connected by way of their credit card transaction histories, causing an asymmetry rarely seen in data breaches made public.

While the hackers have released the data in what could best be described as a harsh and judgmental way, they do offer some clues about how trustworthy the data may or may not be, “Find someone you know in here? Keep in mind the site is a scam with thousands of fake female profiles.”

On that note, remember that the information obtained and released by hackers in data breaches by their very definition is never verified by the companies who are breached, and so this brings into question the integrity of all the data, regardless of how authentic it might seem.  For example, there may be deliberately false information inserted by the hackers designed to damage reputations or serve another agenda.

Accordingly, as already reported the hackers also provided this disclaimer of sorts, “Chances are your man signed up on the world’s biggest affair site, but never had one.”  In short, make sure you have all the facts before a potentially dangerous and damaging real-life Internet hoax unfolds in your own backyard.

Here’s a summary of the exact data that was breached:

  • Full names and addresses
  • Birthdates
  • Email addresses
  • Credit card transactions
  • GPS Coordinates
  • User Names & Passwords
  • Sexual Preference
  • Height, Weight, physical characteristics
  • Smoking and drinking habits

Lastly, while it may be easy to fall into the trap of victim-blaming and judging based on your own set of moral or ethical standards in this case – as social media opinions begin to rush forth in the coming days and beyond, it’s important to keep sight of the broader picture of what is transpiring.

Today’s breach may well affect nearly 30 million victims, and maybe you don’t know any of them… this time.  Next time, in another context, it could be you.

In the meantime, let’s hope that the active investigation into the perpetrators behind this hack are brought to justice, because as the statement from Avid Life Media rightly asserts, this is an act of criminality.

Until next time, stay safe out there.

AVG

Google announces a restructure – it’s now owned by Alphabet

Why the restructure? According to Larry it’s to help them streamline management of their various companies and also stay focused on their initiatives and new opportunities. It’s “ …about businesses prospering through strong leaders and independence.” – Larry Page.

So Search, Youtube, Apps, Maps, Android and Advertising remain under Google and according to their filing with the US Securities and Exchange Commission, “Businesses such as Calico, Nest, and Fiber, as well as its investing arms, such as Google Ventures and Google Capital, and incubator projects, such as Google X, will be managed separately from the Google business.”

For anyone who enjoys innovation in tech, this should come as exciting news – it means Google’s core internet product teams will be even more focused on improving and innovating their internet products; and we might start to see more ambitious and technological milestone projects being developed by Google X and Google Ventures.

Congratulations Google, uh…I mean Alphabet, for moving tech forward. Let’s see what you do next.

AVG

From Tesla to Baby Monitors: A Collaborative Approach to Security and Hackers

There was a “car hacking” area at Defcon 23 last week, where Tesla proudly displayed their brand and a new Model S. While there were a couple of other vehicles at the show (in various states of having their electronics torn down), the buzz was all about Tesla.

The Model S was hacked, and that was big news at the conference. After the hack, Tesla fixed the vulnerabilities and delivered patches to their vehicles using an Over The Air (OTA) update. With OTA, drivers didn’t need to bring their vehicles in for service or worry about managing software upgrades; updates happened automatically.

By being an active participant at Defcon, Tesla is showing how to build a positive, trusting and productive relationship with white hat hackers. When the hackers called Tesla with the vulnerabilities, Tesla quickly responded. As a result, they now have a more secure system and better separation between core car systems (engine, brakes, etc.) and the infotainment functions. The differences between Tesla’s approach and the Jeep approach are pretty stark.

Tesla

 

Manufacturers across industries should take note of Tesla’s engagement of the Defcon community as a model to follow. Companies need to engage and build trust with white hat hackers if they are to fully utilize the knowledge and expertise the community offers.

The Model S is just one example of a Thing connected to the Internet – an IoT device. A Tesla is a big-ticket item, with serious implications if it is compromised. From that perspective, Tesla’s investment in back-end infrastructure and OTA systems makes a lot of sense. Similar infrastructure should be in place for other IoT devices, but is often not.

Take IoT baby monitors, for example. None of the products tested at Defcon met even a minimal level of security, including several products that lack encrypted video and audio feeds. The problem is that a baby monitor is an inexpensive device (compared to a Tesla), and the economics make it harder to justify large investments in security and back end systems. This is a problem (and opportunity) the industry needs to address. Some security frameworks are emerging, but we don’t yet have a comprehensive approach. Until we do, we will see more IoT hacks. While they may not get the media attention the Tesla hack got, in many ways they are just as serious and are more difficult to fix.

We need to get to a place where more IoT vendors are proud to display their brands at Defcon (and other security conferences) because they understand the importance of security and are willing to engage positively with hackers. Perhaps next year, we will see many more companies alongside Tesla at Defcon, proudly displaying their brand.

Software and Security Information