If you use the Internet, you use OpenSSL. It’s as simple as that. OpenSSL is the most frequently used software package when it comes to online data security. There’s just one problem. It may not be as secure as everyone thinks.
At least that is what researchers have discovered while looking for vulnerabilities in the extremely common security protocol. They referred to the vulnerability as a side channel attack.
What is this type of attack, and what is being done to protect your browser use?
What is a Side Channel Attack?
This type of attack allows a hacker to glean information regarding software through examining the use of a computer system. Some examples include how much of the system’s power is being used during activity or the timing in which the software is used.
Why is this ability to listen in on a computer so dangerous? Researchers were able to use this method to acquire the unique key that identifies who is using the computer. Does this have implications for your internet use?
What OpenSSL Vulnerability Means for Your Security
The fact is that hackers are unlikely to use this method to hack a computer at your home. Unfortunately, the reason for that is simply because there are many easier ways to hack a personal computer.
For businesses, we’ll just have to wait and see what kind of fix the researchers come up with, and hope that this exploit is deemed too time-consuming for most hackers who seem to be opportunists. After all, this type of hack doesn’t seem to be common, and OpenSSL has had this vulnerability for as long as it has been in existence.
Most manufacturers are sticking to their guns about this hack not being possible, but because the researchers repeated it under controlled circumstances, this was enough for the OpenSSL developers to start looking for a fix. In the meantime, it’s important to keep an eye out for potential attacks through this type of hack, no matter how unlikely it may be for someone to use it.
When it comes to defending yourself and your company from potential threats, knowledge is power. That’s why we will report on an extremely common type of cyberattack in the most basic terms possible. Knowing what an exploit kit is can help you to be able to defend yourself and your company’s assets.
Defining the Exploit Kit
Basically, this is a collection of different things that can be used to infiltrate a stream of revenue. It would include redirecting browser URLs as well as other exploits. An exploit kit is not generally used to target one particular system or company. It’s simply placed out on the internet, and it constantly searches for places it can go and do what it has been designed to do.
Many types of exploit kits are online today, including common ones like Nuclear, Angler, and RIG. Some of these kits exploit thousands of systems on a daily basis. Often, they are used to deliver ransomware or other exploits designed to cheat businesses and consumers alike out of money.
How the Exploit Kit Infects a System
It’s quite a simple process. These kits are already out there just waiting to find an in. It all starts when a user goes to an infected website. Frequently, it is an advertisement on the site and not the site itself that contains the exploit. This means the user doesn’t have to do anything wrong to start the process other than going to the shady site. The ad redirects the user to a landing page that actually uploads the exploit. However, this often happens in a short time frame, so the user never knows that something is happening until it is too late.
Defending Yourself from Exploit Kits
For a business, defense from exploit kits means restricting the sites that employees can go to on the company network. It also means educating employees. After all, your firewall doesn’t help if an employee takes a business laptop home, and then gets on a malicious site.
Knowing that these kits exist, and training users to avoid shady sites on any device being used for work, are the best ways to keep your company safe from an attack.
Cybersecurity is on the forefront of everyone’s minds. Just ask the Democratic National Committee (DNC) if they wish their email servers had been more secure. In the world of digital data, the hacker can do more damage in a day than almost any weapon. Businesses can be greatly compromised overnight due to hacks. How can you protect your business? Have you ever considered hiring white hat hackers to help?
That’s just what the Department of Defense (DoD) did a few months ago—setting loose 1,400 white hat (no criminal intent) hackers on the Pentagon’s cyber defenses. They were promised rewards for finding security flaws in the system so that the government could close the gaps to future black hat (criminal) hackers.
The white hat hackers filed a total of 1,189 reports on things they discovered. Of these, the government determined that 138 reports qualified as valid security concerns. In total, more than $70,000 was paid out to the hackers as rewards for the legitimate reports. In the end, the program was viewed as a success. The total cost of the program was estimated at about one-seventh (14%) of what a professional contractor would have cost.
This isn’t the only DoD project in place that provides bounties to hackers. Others in the future will allow hackers to search for potential exploits in applications and websites used by the government.
White Hat Hackers: What Does This Mean for Your Business?
The U.S. government may be happy with the results, but this probably isn’t the route you want to go with your business. Why not? What if, while fooling around in your system, a hacker leaves himself a backdoor to get in later? You simply don’t want to take that chance with your livelihood.
The fact is that, for an SMB (small to medium-sized business), a security audit is affordable. So there’s no need to provide a bounty to hackers and let them run wild on your system. A security audit can allow a consulting agency to determine the weak points in your data security, so these can then be secured.
If you want to protect your business, you have to protect your data, which means getting professional assistance.
Threats to your data security come from many different angles. The secret to being able to defend your organization is knowledge. That’s why threat intelligence is becoming an important part of data security. But what types of threat intelligence are there? We’re going to identify three.
1) Preemptive Threat Intelligence:
This type of intelligence involves gathering data on things that could potentially happen in the future. Your IT department or agency should look at trends in cybercrime to determine threats that will exist in the next 1–2 years. This will give your organization time to plan ahead to rebuff such attacks by updating hardware and software as needed. It also gives you the chance to train your staff to avoid risky behavior that could invite an attack.
2) Active Threat Intelligence:
Looking at the data collected by your network logs and other security features will help you determine current behavior that needs to be adjusted. It also allows you to see indicators of attacks that have already occurred so as to adjust your future defenses. Basically, you are auditing your current security to find the gaps that future hackers will use as an in to your system so you can proactively plug those holes accordingly. It can be something as simple as updating software or training a particular team member who needs to be more careful online.
3) Tactical Threat Intelligence:
Know your enemy in order to defend yourself from future threats. This means thinking like a hacker. What does your organization have that is worth stealing? How would you try to get into the system? Is your weak link the lack of a firewall? Perhaps the biggest threat is an unhappy employee who is willing to sell his login credentials to the highest bidder. Once you know which tactics hackers are most likely to employ to steal from you, this provides a starting point for developing a plan of preventative action.
If your organization is employing these three types of threat intelligence, you are not only making it tougher for hackers to attack your company, but you are also setting yourselves up to be able to say “We did everything we could,” if a data breach should occur, and that is important for PR.
What would you say if someone walked up to you and asked for your email password? You would probably immediately say no, even if you knew the person. You may allow only your most intimate associate, such as a mate, to have that information. So how do hackers manipulate people into giving out login credentials on a daily basis? Welcome to the world of social engineering.
Social Engineering: Infiltration Doesn’t Come Cheap
It can be expensive and time consuming for a hacker to develop a way into a secure system. It is far easier to manipulate someone into giving away his credentials. Not easy, just easier.
That’s why psychologists studied 1,208 individuals to learn some of the methods that prove to be effective in getting a person to reveal login information.
One of the methods used in the study was to give the user a reward. After first receiving a piece of chocolate, half of the users were asked for passwords during an interview. Others were asked about the password first, and then given the chocolate when the interview was over (fair is fair).
Over 43% who received the chocolate first were willing to give away login credentials. In fact, almost half of people who were given the chocolate immediately—before being asked the question—gave away their password, while just under 40% caved when the reward was provided early in the interview, and long before the question was asked.
People Cave to the Idea of Reciprocity
When an incentive is provided, many people reciprocate without considering whether the trade is equal. Even the timing of the reward or gift is crucial to how likely a person is to respond. Don’t get us wrong: nearly 1 in 3 people in the control group gave out their credentials without any “gift,” but a reward increases the likelihood of a positive response. Clearly, the reward does not have to be much.
Knowing this calls for employee training that encourages your staff members not to trust freebies online, especially if there is something required in return. Employees need to be taught never to share passwords.
While employees often do things such as open email attachments that they shouldn’t, fail to update software and apps, or visit websites that have been compromised, these aren’t the only ways someone can get to your data through your staff. Let’s look at a few more serious data security mistakes your employees should be trained to avoid.
Common Data Security Mistakes
- Password problems – Start with the concept of using passwords that are not secure. Not only should things like 12345 be avoided—and your IT team should make sure passwords like that can’t be used—but “personal-type” passwords should also be avoided. For example, it’s not a huge reach for a hacker to learn personal info about an employee, and then try the person’s birthdate or anniversary as a password. Besides these things, employees should be instructed to effectively protect passwords by never sharing them, even with another employee. Keeping a list of passwords on a mobile device, or even on a piece of paper under the keyboard, is also a terrible idea.
- Cloud computing – First of all, there’s nothing wrong or not secure about using cloud computing for The problem begins when employees feel they can share private company information through cloud file-sharing services that are not designed for business, and are thus less secure.
- Losing data/devices – Any time that data is removed from the office on a device like a laptop or a phone or even on something like a thumb drive, loss becomes an issue. Something as simple as leaving a smartphone at a restaurant can lead to theft. And once a thief finds private corporate information on the device, what is to stop him from trying to increase his payday by selling the information before selling the device?
It all comes back to proper training. Your employees need to know how to create strong passwords and manage them properly. They need to understand the difference between a secure way to send a file and a way that is inviting trouble. And they need to understand the importance of protecting devices with sensitive information on them, especially if such devices are taken out of the building.
Sometimes your worst security threat is an untrained or careless staff. A well-maintained online security setup can easily be overcome by a hacker if an employee makes a simple mistake. Let’s go over some of those common data security mistakes that lead to many of the data breaches that companies suffer today.
Common Data Security Mistakes
- Opening an email attachment – No matter how many times management may have told employees to be careful about emails from people they don’t know, this is still one of the most common issues. The fact is that sometimes the sender isn’t a stranger. If a friend’s email gets hacked, cyber criminals can send everyone in that person’s address book a malicious link. A message from a friend arrives with the title, “You’ve got to see this!” or something else that is innocuous. The employee clicks the link, and the damage is done. Employees need to be trained to question links, even from someone they know, if they were not expecting the message.
- Putting off updates – The computer says it needs to restart for new updates to take effect. However, the staff member is in the middle of a project and delays the restart. Days pass. The problem is that the update was for a security issue, and now that employee’s computer is a hacker’s way into your network because the exploit is still useable. You must train employees to apply updates as soon as they are available.
- Pornography, pirating, and other shady websites – If a visited website is compromised, it doesn’t take long for a computer to become compromised. Obviously, these are the kinds of websites employees should not be using on company time or company devices. Unfortunately, employees may also work from personal devices and save login credentials. It’s not a long stretch to have those credentials stolen if shady websites are being accessed on the same device. Train your employees to save logins only on their work devices, and to use such devices only for work.
These are just three of the most common data security mistakes made by employees. We will consider more in future articles.
The digital world is shifting toward artificial intelligence (AI). We want voice searches and digital assistants to be more human-like—and that means artificial intelligence. While the idea that someday there will be a robot apocalypse is the work of science fiction, there are legitimate concerns that make AI a difficult thing to accomplish. Here are a few of those worries.
Artificial Intelligences Have a Single-Minded Focus
One of the primary things that always comes up in fictional AI storylines is the concept that robots take over the world to save it from humans, or to save humans from themselves. It demonstrates an interesting point. Even a machine that is programmed with a degree of AI will still struggle to weigh decisions like a human does. For example, a cleaning robot will not have the same sentimental attitude toward your trophy collection, and may knock it to the ground to get to all of the dust on the mantel. How do you program a robot to care about your things in the same way as you do?
They Are Rewarded for Shortcuts
True artificial intelligence would require a machine to have a sense of satisfaction in accomplishing its assigned tasks. The problem is: how do you stop the robot from taking on the human attitude of looking for shortcuts to get to the reward? Will a cleaning robot (bot) feel just as good if it tosses your clothes under the bed and your kid’s toys in the closet as doing the actual cleaning? What if the robot goes truly rogue and starts messing things up just to clean and complete an assignment?
Like a human, a machine programmed with AI will want to explore possibilities and expand horizons. What if your cooking robot decides to experiment with an ingredient that in theory will taste good, but in reality, is deadly? The droid may be programmed to never intentionally poison someone, but what if it was an accident in an effort to create a new and exciting dish?
These are just a few of the concerns that developers have as they work on AI for future automated helpers. For now, about the worst thing a digital assistant can do is give you bad directions or recommend a crummy restaurant.
When it comes to treatment of disease, early detection is vital. However, this is a catch-22 when related to patient files because of privacy issues. You want to be able to look at the data and know which screenings are the most appropriate, but you legally can’t disclose much of the relevant data to a team of statisticians. Mathematicians are trying to give you a way around this.
Keeping Patient Files Anonymous
The first step in maintaining privacy is altering patient data so that the patient is anonymous. This may sound like it defeats the purpose, but there are computer programs that can use the changed data just as effectively as the real data. While the data is no longer attached to an individual in any significant way, it is still relevant for the sake of observing trends and looking at summaries of statistics.
Researchers are working hard to ensure that the changed data does not result in statistics that have been altered. The computer system looks at the answers to yes and no questions like:
- Is the patient overweight?
- Does the patient smoke?
- Is there a family history of illness?
Then it turns this data into geometric patterns. Now, while disguised as shapes, the data is still there for the computer to see, while the patients remain anonymous. How does this help a practice to treat patients?
The data can be collated, and statistics can be determined. At the same time, no one ever sees the name of a particular patient while doing data entry or figuring up the statistics. In this way, patients are protected, but health care providers still get much-needed data to determine the importance of various types of screening and other preventative measures.
Computers and the Health Care Industry
Patient privacy is a vital aspect of the health care industry despite the fact that we live in a digital age of information sharing. You need an agency to help you navigate the line between storing data and protecting data. After all, you want to be able to provide patients with the best possible care while submitting to the law.
As we can clearly see, Microsoft has discovered the importance of moving forward while not leaving behind the things that made Windows the most popular operating system in the first place. With Windows 10, Microsoft incorporated many of the beneficial aspects of 8 that worked well on Windows phones and tablets, but now has returned many of the things we love from the previous desktop versions. We also finally get to enjoy Cortana without having to be on a mobile device. But Microsoft isn’t done yet.
Why the Start Menu Is So Important
The one thing that made Windows 8 unusable to many longtime fans of the operating system was the drastic Start menu change. It basically wasn’t there at all. In Windows 10, we get to enjoy the old menu with some new additions.
Right next to your Start menu on a Windows 10 desktop is Cortana. You don’t even have to open a browser to search. You can type in the taskbar box or just speak to Cortana if you enable the speech option. You can even set reminder notices for meetings and projects that you have to work on, and Cortana will alert you so you don’t need little reminder notes all over the office.
Apps Are Good
Whether you are using Windows 10 on a mobile or desktop device, you have access to the growing number of apps for Windows devices. This addition helps to streamline the operating system and make it workable across devices rather than requiring a completely unique operating system for mobile and desktop.
Plus, Microsoft has stepped up its web browser usability, replacing the virtually unusable Explorer with Edge. Edge is particularly useful on touchscreen devices, although using the drawing tool with your mouse to edit directly on the screen can be fun too.
Is This Operating System the Final Iteration of Windows?
There are rumors that Windows 10 may be the final version of the operating system and that future updates and enhancements will just be additions to Windows 10. Whether or not that is the way Microsoft intends to go, and how long it will last, remain to be seen.