Category Archives: BUSINESS

Spying the new hacking method: Here’s how to retaliate

shadowy-virtual-reality-figure image

How can businesses defend themselves from hackers using traditional espionage techniques?

Education goes a long way to protect yourself from the wide variety of cyberthreats out there.

Once upon a time it was much easier to stay safe online; as long as you used an up-to-date antivirus package and were careful how you acted on the internet, you could expect to stay safe.

But now things have changed: new forms of malware and viruses appear every single day. Meanwhile the rise of social media means everything from your pet’s name to what you did at the weekend is online and could be exploited by cybercriminals to hack your devices and services.

Increasingly cybercriminals are using spying techniques better associated with intelligence agencies to identify relevant information about you and your life and turn that around to attack you.

“There are no hackers, they’re all gone — there are only spies,” says Eric O’Neill, national security strategist for Carbon Black and a former FBI counter-intelligence operative.

“The new hackers are using traditional espionage techniques and they’re blending it with advanced cyber penetrations in order to steal information,” he says, adding “just ask the DNC”.

Antivirus software was previously able to react to malicious activity but according to O’Neill, the rise of phishing and other social engineering techniques means companies are becoming more vulnerable to hackers than ever.

Ultimately, he argues, if a person can’t tell if any email is bogus — and in many cases they can’t — then antivirus has no chance.

“Antivirus can’t stop spear phishing if I’m going to leverage spy tradecraft, if I’m going to learn about you and learn everything I can from your social media accounts. And when I send a spear phishing email to you, it’s going to look like it’s from one of your pals. Once [cybercriminals] get in [to your devices], they get a foothold and antivirus isn’t going to touch that,” he says.

So how can you stay safe from these threats? For a start, don’t uninstall that antivirus yet because it still has a role to play.

“Many attacks can be ruled out by antivirus clients,” says Dr. Siraj Ahmed Shaikh, reader in cybersecurity at Coventry University.

At the most fundamental level, some sort of protection software is still required for any computer connected to the internet, especially when you consider the sheer amount of systems shipped and the amount of patching which is required to ensure they’re up-to-date.

“The role of a traditional antivirus is still useful because when you buy a computer, it’s already out of date because there have been so many patches since the software was released. Antivirus at least does a good job of raising the threshold, raising the minimum bar of our security systems,” says Dr. Shaikh.

But if protective software can’t be relied on to detect sophisticated attempts at coercion, how do we begin to take on the threat posed by cybercriminals attempting to trick people with espionage? The answer lies in education — training people to recognise what might be suspicious and reporting it.

“It’s about raising awareness that these emails are coming in and how sophisticated they can be. It’s about using examples, showing these emails, and breaking them down to show where the red flags are,” says cybersecurity consultant Dr Jessica Barker.

It’s also important to teach people that in the vast majority of cases, only those with malicious intent will ask for credentials and passwords to be sent over email. Even within an organisation, it’s unlikely that another department is going to ask for your login credentials over email.

“It’s about encouraging people that no company will ask you for your login details — but if they do, you should find another way of contacting them,” she says, detailing a simple way people can avoid falling victim to a phishing attempt. Within an organisation, that’s as simple as talking to the department where the email is said to be from.

It’s also important to make sure employees are aware they can come forward if they think they’ve fallen victim to phishing, because no matter what training is provided, it just takes one person clicking on a malicious link or accidentally providing corporate credentials to a criminal to breach a whole corporation’s network.

“What you need to do is build a culture when someone can immediately report that they’ve clicked a link they’re worried they shouldn’t have, and people feel safe to question and not be punished,” says Dr Barker. An organisation taking this approach can then move to minimise damage sooner rather than later.

“If you have an incident like that, where you get a phishing email and someone clicks the link, you can respond quickly and minimise the damage, whereas if someone doesn’t speak up, it’s harder to mitigate any damage.”

For O’Neill however, there’s only one way that the enterprise and cybersecurity providers will ensure that they remain secure — and that’s by using a similar level of intelligence to defend organisations.

Serious security: Three changes that could turn the tide on hackers

hacker-at-work image

We’re all guilty of making security an afterthought. We need to change that attitude, and fast.

“We need to think about spies, leverage human intelligence, not just machines. We need to start with human intelligence and use software to augment that,” he says.

We’re told data breaches cost millions on average – but this security study disagrees


New research suggests that the average cost of data breaches is lower than many estimates and too low to drive greater investment in cybersecurity.

Read more on cybersecurity


Henry Sapiecha


Intel snaps up Movidius to create future computer vision, virtual reality tech

The deal may propel Intel further into next-generation technologies including VR, drones and artificial intelligence.

intel & mividius ceos together image


Intel has announced the acquisition of Movidius, a chip manufacturer focusing on developing next-generation computer sensing and vision technology.

San Mateo, California-based Movidius, which already counts Google and Lenovo as customers, develops sight capabilities for machines and PCs.

The company’s vision processing unit (VPU), the main shunt of the company, is a platform for on-device vision processing which works in tandem with Intel RealSense technology to give computer systems the capability to view 3D images, understand surroundings and objects, and then react accordingly.

This technology can be found within drones, security cameras, artificial intelligence and virtual reality, and as these industries develop, the potential use for such inventions will also increase.

The financial terms of the deal were not disclosed.

Remi El-Ouazzane, CEO of Movidius said in a blog post that Movidius will continue to focus on the “mission to give the power of sight to machines,” but the deal will give the firm’s development teams more resources to boost research and execute at scale.

The executive also revealed that Movidius has recently begun to focus on granting “sight” to low-power hardware, a complex task considering the use of sophisticated algorithms at the device level. At Intel, this challenge will continue, but cloud computing and networking will also be included in the project.

“When computers can see, they can become autonomous and that’s just the beginning,” El-Ouazzane commented. “We’re on the cusp of big breakthroughs in artificial intelligence. In the years ahead, we’ll see new types of autonomous machines with more advanced capabilities as we make progress on one of the most difficult challenges of AI: getting our devices not just to see, but also to think.”

In August, Intel revealed Project Alloy, a virtual reality headset which combines RealSense technology with battery power, allowing users to experience what Intel CEO Brian Krzanich called a “merged reality.”

Considering Movidius’ specialisation in power-limited devices and VR, the combination of both companies’ technology appears to be a solid fit — and that may only scrape the surface of what Intel plans for the new acquisition.

“We see massive potential for Movidius to accelerate our initiatives in new and emerging technologies,” said Josh Walden, Senior Vice President and General Manager of Intel’s New Technology Group. “The ability to track, navigate, map and recognize both scenes and objects using Movidius’ low power and high-performance SoCs opens up opportunities in areas where heat, battery life and form factors are key.”


Henry Sapiecha


Nearly all companies still can’t spot incoming cyber attacks

Almost all organisations are vulnerable to hackers due to lack of cyber security staff or tools, report states.

cybersecurity-with-lock symbol image

Businesses know of cyberthreats – but lack the resources to adequately monitor them

Four out of five businesses lack the required infrastructure or security professionals with relevant skills to spot and defend against incoming cyberattacks.

According to a new report by US cybersecurity and privacy think tank Ponemon Institute on behalf of cybersecurity firm BrandProtect, 79 percent of cybersecurity professionals say that their organisations are struggling to monitor the internet for the external threats posed by hackers and cybercriminals.

Just 17 percent of respondents say that they have any sort of formal process in place for intelligence gathering which is applied across the whole company.

The report found that 38 percent of organisations don’t have any policy on threat intelligence gathering at all, while 23 percent have an approach that is ‘ad hoc’ at best. A further 18 percent say they do have a formal process in place, but it isn’t applied across the entire enterprise.

The Ponemon Institute claimed that businesses are on average experiencing more than one external cyberattack a month, with these repeated security breaches resulting in an annual average cost of around $3.5m.

But while many companies are failing to properly monitor external threats, the majority do recognise that they should be carrying out activities such as monitoring mobile apps, looking out for social engineering and phishing attempts, and keeping an eye on cyber threats – around 60 percent of respondents listed these activities as essential or very important to their business.

So why aren’t more organisations actively pursuing these leads in the interests of protecting themselves against hacks and data breaches? The study reported that there’s an insufficient awareness of risk across whole organisation.

Half of respondents suggested that this was one of the main barriers to achieving effective cybersecurity, while almost as many described a lack of knowledgeable staff and a lack of tools as barriers to this goal – echoing previous reports of a severe lack of cybersecurity professionals and understanding of the risks caused by poor defences.


Henry Sapiecha

Japan its Own Enemy in Push to Improve Cybersecurity

FILE - In this Dec. 18, 2014 file photo, a man walks out from the headquarters of Sony Corp. in Tokyo. Improving cybersecurity practices has emerged as a top national priority for Japan, stung in recent years by embarrassing leaks at Sony Pictures, the national pension fund and its biggest defense contractor, Mitsubishi Heavy Industries, which possibly suffered the theft of submarine and missile designs. (AP Photo/Eugene Hoshiko)

FILE – In this Dec. 18, 2014 file photo, a man walks out from the headquarters of Sony Corp. in Tokyo. Improving cybersecurity practices has emerged as a top national priority for Japan, stung in recent years by embarrassing leaks at Sony Pictures, the national pension fund and its biggest defense contractor, Mitsubishi Heavy Industries, which possibly suffered the theft of submarine and missile designs. (AP Photo/Eugene Hoshiko)

In this Dec. 18, 2014 file photo, a man walks out from the headquarters of Sony Corp. in Tokyo. Improving cybersecurity practices has emerged as a top national priority for Japan, stung in recent years by embarrassing leaks at Sony Pictures, the national pension fund and its biggest defense contractor, Mitsubishi Heavy Industries, which possibly suffered the theft of submarine and missile designs. (AP Photo/Eugene Hoshiko)

Apart from rogue hackers, criminal organizations or even state-backed cyberwarfare units, Japan’s businesses and government agencies are facing a unique cybersecurity foe: themselves.

Even with the frequency and severity of cyberattacks increasing rapidly worldwide, efforts by the world’s third-largest economy to improve its data security are being hobbled by a widespread corporate culture that views security breaches as a loss of face, leading to poor disclosure of incidents or information sharing at critical moments, Japanese experts and government officials say.

Improving cybersecurity practices has emerged as a top national priority for Japan, stung in recent years by embarrassing leaks at Sony Pictures, the national pension fund and its biggest defense contractor, Mitsubishi Heavy Industries, which possibly suffered the theft of submarine and missile designs.

Toshio Nawa, a top Japanese security consultant who is advising the Tokyo 2020 Olympics organizers, said he encountered a telling instance this summer when he was called to investigate a breach at a major Japanese government agency.

Nawa found that five different cybersecurity contractors employed by the agency had discovered the breach, but not one reported or shared their findings.

With evidence from the contractors pooled together, Nawa matched the digital fingerprints to a Mexican group that he believes was responsible for a previous attack on Japanese diplomatic servers. The breach was patched, but Nawa walked away flustered.

“In the U.S., if they find a problem, they have to report,” he said. “The Japanese engineer feels he fails his duty if he escalates a report. They feel ashamed.”

To be sure, the cybersecurity industry around the world, not just in Japan, frequently echoes the call for greater transparency within and among organizations. The U.S. Senate last month passed the Cybersecurity Information Sharing Act to ease data sharing between private companies and the government for security purposes, although civil liberties advocates warned it posed a threat to privacy.

But the problem may be particularly acute for Japan’s private sector behemoths and government ministries. These sprawling bureaucracies are wrapped in a “negative culture that cuts against wanting to communicate quickly,” said William H. Saito, the top cybersecurity adviser to Prime Minister Shinzo Abe.

While rank-and-file workers fear reports of security lapses may get them punished, the problem reflects a broad lack of understanding of cybersecurity among the top ranks of Japanese executives, Saito said in an interview on the sidelines of the Cyber3 conference in Okinawa.

“This is Japanese culture where in some situations the upper management doesn’t know how to use email and IT integration is voodoo magic,” said U.S.-born Saito, also an executive at Palo Alto Networks, a security firm. “The reality is companies either have been hacked or will be hacked. My message is, ‘It’s not your fault.'”

In 2013, the latest year of available data, the Japanese government network faced an eightfold increase in cyberattacks from two years prior, with attacks spreading into civil infrastructure, as well as the telecommunications and energy sectors.

Against that backdrop, the Abe administration has pinpointed the 2020 Tokyo Olympics as a chance to upgrade Japan’s national security capabilities while calling for a more hands-on government role to nudge companies to take cybersecurity seriously.

A Cabinet-level cybersecurity agency in September published a strategy paper that proposed, among other things, extending government-run cybersecurity classes to companies, awarding financial incentives for firms that demonstrate improved security capabilities and requiring companies to fill a chief cybersecurity officer role.

The Cabinet report also highlighted the issue of disclosure, saying “it is essential to relieve (network) operators’ psychological burden of possibly losing credit or ruining reputation of their business if providing information to others.”

Jim Foster, a former U.S. diplomat and Microsoft Japan executive who heads the Keio International Center for the Internet and Society in Tokyo, said the fast-evolving threat of hacking poses a looming challenge for Japanese industry, which never developed a deep pool of cybersecurity expertise with active exchange of ideas and know-how.

“Japanese companies grew up too big too quick and didn’t have to cooperate or rely on outside expertise,” he said. “But now there’s this new threat unlike anything else and things suddenly get difficult.”

But changing habits is hard, said Nawa, the security adviser for the Olympics, who is now holding simulations and educational sessions around the country, where he emphasizes to security engineers – who do not necessarily lack technical chops – the importance of sharing findings and speaking up when they spot a problem.

He said he uses a simple mantra on the training circuit: “What I say is: ‘Please remove your pride.'”

Source: Associated Press


Henry Sapiecha

Three baseline IT security tips for small businesses

Millions of small businesses are vulnerable to cybersecurity attacks that can cost an average of $20,000 per attack. Here is some basic wisdom to help SMBs protect themselves.

databreach codes image screen

When massive organizations like Sony, Home Depot, and the Office of Personnel Management are hacked they grab equally massive headlines. Yet, while they rarely grab headlines, small and middle-market companies are particularly susceptible to hacks, said Chris Crellin, Senior Director of Product Management at Intronis, a data protection firm, because many SMBs can’t afford to employ a security team, or are uninformed of the risks posed by attackers.

“A lot of companies rely on the idea of ‘security through obscurity,'” said Crellin. “They’re focused on running their business and probably don’t spend a lot of time thinking about hackers.”

These attackers probably aren’t interested in any one particular small business, said Crellin, but they tend to rely on a shotgun strategy. “Small and middle-market businesses are targets because there are so many of them. It’s like a thief in a parking lot looking for one unlocked car.” If your organization is unlocked, he said, you’re a likely target.

Common methods of hacking—phishing, brute-force password attacks, keylogging spyware, and social engineering—can cost small and medium businesses thousands of dollars. According to the National Small Business Association 2014 year end report, both the frequency and cost of small and middle-market business hacks are on the rise. In 2013 the cost of an average cyber-attack for a small business was just over $8,000 per attack. In 2014, that number jumped to over $20,000.

When integrating your service with other web tools, Gary Chou, founder of New York-based incubator OrbitalNYC, strongly recommends using tested and widely-used services. For example, if your company needs to process payments, “don’t try to host solutions yourself,” he advised. “Keeping [services] patched and secure is a full-time job, which can be hard to do as a small business. Use a service like Stripe for payments so that you don’t need to store customers credit card numbers.”

Chou had three other basic security tips for small business owners:

1. Don’t assume anything is secure. “If you have something hackers want (e.g. passwords, bank account numbers),” Chou said, “they will find a way to get it. Be selective about the information you choose to store in a database, whether it’s sensitive financial information or confidential data around customers.”

2. Change company and personal passwords regularly. Use a password that is long and difficult to guess. Strong passwords can equate to stronger security. Password managers like 1Password and Dashlane store and manage the keys to websites you visit frequently. A few bucks for an app, said Chou, can save thousands over time.

3. Use Open Source solutions whenever possible. “If you’re building a technology product, the value—and security—of open source projects is critical. [Open source projects] are most likely to find and quickly patch any discovered security flaws,” said Chou. “You can build faster and stay secure on reliable open source code.”

For many small and middle-market businesses the true cost of good security is time. But technology experts like Chou say good security doesn’t have to be expensive, and security best practices can be implemented for free or at low-cost. “Don’t try to simultaneously be a technology company alongside your core business,” he said.

Chris Crellin agrees: “Good security can be expensive, but locking your ‘car’ is free and can save your company a lot of money in the long run.”


Henry Sapiecha