
State of Cybercrime
209 episodes — Page 5 of 5

S1 Ep 10: The Vulnerability of Things
We were thrilled when pen testing veteran Ken Munro joined our show to discuss the vulnerabilities of things. In this episode, Ken reveals the potential security risks in a multitude of IoT devices – cars, thermostats, kettles and more. We also covered GDPR, Privacy by Design and asked whether Ken thinks “The Year of Vulnerabilities” will be hitting headlines any time soon. Munro runs Pen Testing Partners, a firm that focuses on penetration testing of the Internet of Things. He’s a regular on the BBC, and most recently he was interviewed by one of our bloggers, Andy Green.
The post The Vulnerability of Things – IOSS 21 appeared first on Varonis Blog.
Subscribe Now: Join us Thursdays at 1:30 ET for the live show on YouTube, or use one of the links below to add us to your favorite podcasting app. iTunes | Android | RSS
Want to join us live? Save a seat here: https://www.varonis.com/state-of-cybercrime
More from Varonis: Visit our website: https://www.varonis.com | LinkedIn: https://www.linkedin.com/company/varonis | X/Twitter: https://twitter.com/varonis | Instagram: https://www.instagram.com/varonislife/

S1 Ep 8: Go Open Source!
Whether you’re a proponent of open-source or proprietary software, there’s no doubt that the promise of open source is exciting for many. For one thing, it’s mostly free. It’s built and maintained by passionate developers who can easily “look under the hood”. The best part is that you’re not married to the vendor. Yes, there are many helpful open-source security tools as well as awesome projects based on Go. But lately, there has been a controversial case of open-source ransomware. Originally created to educate others about ransomware, it’s turned into mashup ransomware without a way to backdoor the decryption key. In this episode, we discuss the benefits and shortcomings of open source, a throwback to our passwords episode and more!
The post Go Open Source! – IOSS 20 appeared first on Varonis Blog.

S1 Ep 7: Moods and Motives of a Smooth Criminal
After reading about an IT admin at a large bank who went rogue, we put on our empathy hats to understand why. In this episode, we came up with three reasons:
1. Instead of being recognized as a revenue generator, IT is seen as a cost center.
2. Despite all the tests and certificates, IT people aren’t as valued as, say, doctors or lawyers.
3. And lastly, IT people are often overworked and underappreciated.
Could changing the way you dress and improving your communication style be the answer? What do you think? Let us know!
The post Moods and Motives of a Smooth Criminal – IOSS 19 appeared first on Varonis Blog.

S1 Ep 6: Excellent Adventures at Black Hat
Hackers, executives, military folks, IT people who work in insurance, even cab drivers all had something to teach us about security and privacy at the latest Black Hat event in Vegas.
The post Excellent Adventures at Black Hat – IOSS 18 appeared first on Varonis Blog.

S1 Ep 5: More Articles on Privacy by Design than Implementation
Going from policy to implementation is no easy feat, and some have said that Privacy by Design is an elusive concept. In this episode, we meditated on possible solutions such as incentivizing it and making privacy the default setting. We even talked about the extra expense of having a Privacy by Design mindset. What do you think about going from policy to implementation? Share your thoughts with us!
The post More Articles on Privacy by Design than Implementation – IOSS 17 appeared first on Varonis Blog.

S1 Ep 4: Threatbusters
If there’s something strange on your network, who should we call? The security team! Well, I like to think of them as Threatbusters. Why? They’re insatiable learners and they work extremely hard to keep security threats at bay. In this episode, we talk about awesome new technologies (like computer chips that self-destruct and ghost towns that act like honeypots), how to get others within your organization to take security threats seriously, and awesome threatbusters who are doing applause-worthy work.
The post Threatbusters – IOSS 16 appeared first on Varonis Blog.

S1 Ep 3: TechFails
When technology doesn’t work when it should, is it a tech fail? Or, because humans are creating the technology, should fails more accurately be called human fails? In this episode, we discuss various types of “fails”, including the latest popular Pokémon Go, why we can’t vote online and the biggest fail of all, a data breach.
Pokémon Go full access: tech fail or win?
Is it possible to delete an entire company with one line of code?
Why can’t we vote online?
Should one person be blamed for a tech fail?
Technologies that can predict your next security fail
Parting Gifts

Pokémon Go full access: tech fail or win?
Cindy: This week, I’m calling our show #techfails. But in preparing for this show and thinking deeply about our fails, I just want to echo what Kilian has been voicing these past couple of episodes: that when our technology fails, like, for instance, if my Skype for Business isn’t working, then my first thought is, “Oh, it’s a tech fail. I can’t believe it’s not working.” But we’re the ones creating the technology. So, for me, it feels, at the end of the day, like a human fail. Let’s discuss this and debate it for a bit. To set the context, there was an article in the Harvard Business Review that eventually turned into a LinkedIn post too. It’s titled “A New Way for Entrepreneurs to Think About IT.” It said that IT’s primarily known as a necessary evil, IT support or IT as a product. With many different types of technologies at our fingertips, we can really do a blend of both. For instance, APIs have really changed how firms interact and share information with each other. And we really take this for granted these days, because back then you’d have to get permission from legal to sign contracts before experimenting with partnerships. Now you can easily partner up with another service with an API or use OAuth. It’s really increased our productivity, but it can also have some potential problems if we’re not careful. For instance, if you downloaded Pokémon Go earlier this week, you might have given it Google full access. That meant that the Pokémon people could read all your emails and send out emails for you. But since then they fixed it. I think, Kilian, they fixed it pretty quick.
Kilian: Yeah, in about, I think, 24 hours, more or less, they had a patch out that addressed it already. I think, as opposed to a technology fail, that might be a technology win, for a company really taking these concerns seriously and addressing it as soon as it’s kind of brought up.
Mike: Before we get into that, I just want to know, what’s your guys’ level? How have you been doing on Pokémon Go? Have you been getting out there, doing your Pokémon?
Cindy: I’ve been… I actually downloaded it at the office. And I could have thrown something at somebody, but I didn’t. I’m like, “Well, I’m just doing this for work, so better not start running after people and throwing stuff at them.”
Mike: You couldn’t convince the rest of the office that playing Pokémon Go was part of your job?
Cindy: Actually, we had a mobile photography class earlier this week, and Michelle, our HR person, was walking around telling people that Pokémon’s gonna be there. She was doing that for me.
Mike: Nice. How about you, Kilian, have you tried it?
Kilian: No, I haven’t downloaded it. That would require going outside and interacting with things, maybe.
Mike: The first couple ones show up right around you. And I think this is kind of where I was going with this, which is that a lot of this… in terms of tech fails, this is really about managing complexity. In terms of IT, trying to manage these external services, it’s about managing complexity on an organizational level instead of a personal one. Because when you think about what is involved for this stupid game of Pokémon Go, you’re talking about interacting with geosynchronous orbital satellites for GPS, the internet to get all these apps, these multiple different services. And to pull all that together requires this huge thing. The security issue came about because Google was asking for OAuth access, and that’s just when you use Google to log into it. You log in with your account and it has these things. And it’s so complex because even though it doesn’t look like it, it actually uses Google Maps data underneath. A trick you can do is, if you have Google Maps installed on your iPhone, you can enable offline map access. And in order to achieve the app-to-app communication on your sandboxed apps on the iPhone, it needs all these extra permissions, and it’s just insane trying to make that work. It’s so easy when you’re building something to just be like, just give me all the permissions, and we’ll slowly back it down until where it’s supposed to be.
Cindy: Do you think this is kind of like, “Okay, we’re gonna use an external service, and then just not really look at the settings because we’re so focused on making Pokémon Go just a wonderful experience?”
Mike: Well, that’s the consumer side. The level we work at, peo

S1 Ep 2: Layered Security
Layered security refers to the practice of combining various security defenses to protect the entire system against threats. The idea is that if one layer fails, there are other functioning security components still in place to thwart threats. In this episode of the Inside Out Security Show, we discuss the various security layers:
Human
Physical
Endpoint
Network
Application
Data

Cindy: Hi and welcome to another edition of The Inside Out Security Show. I’m Cindy Ng, a writer for Varonis’ Inside Out Security Blog, and as always, I’m joined by security experts Mike Buckbee and Kilian Englert. Hi, Kilian.
Kilian: Hi, Cindy.
Cindy: Hey, Mike.
Mike: Hey, Cindy. You call us security experts. I’m actually, where I don’t know if you can see it, “I have a fake internet job”… because I still haven’t been able to explain my job to my mom and dad. “He does something.”

Human
Cindy: We’ll see who’s most fake at the end, okay? So recently, Rob wrote a layered security guide and I thought it would be interesting for us to go through each of the layers and share stories that we’ve read or heard as they relate to each of the layers. The idea with layered security is that you want to make sure that you have many different layers of defense that will protect you. If there are any holes, just in case something gets in, you might have a security layer that serves as a backup that will catch it. So the first layer to start is the human layer. That layer is all about educating people to spot scams and be cautious about the passwords that they give out, the social security numbers that they give out, their credit card information. This layer, Kilian, you talk about this a lot. I feel like, increasingly, criminals are using and exploiting services that we rely on and turning them into an attack vector. There was an article recently about people texting you pretending to be Google and saying, “Hey, there was this suspicious attempt to get in.” And we talked about passwords and alternatives and using two-factor, and it’s kind of like, “Oh man, I have to check my text messages and make sure I’m not scammed again,” like another thing to worry about.
Kilian: Oh, yeah. People, by nature, want to be trusting of other people. We kind of have been trained since day one to feel kind of bad about being suspicious… The bad guys out there know this and they exploit it. It’s so much easier to go after a person and just kind of play off of emotions because they’re far more malleable than a system, and people often are not trained or educated around security practices. And even if they are, they’re kind of trained into a certain mindset. So if they see something that looks semi-legitimate, like, “Hey, a text from Google. Oh, they’re protecting me. They have my login name or my IP address or something, NIC address,” because most people are not going to investigate that closely, it’s going to look fairly legitimate, like, “Oh, hey, Google’s looking out for me. This is great.” It’s very easy, just with a little bit of legitimacy, to get people to kind of go along with it, and the con of that sort is as old as time basically, and it’s only getting easier anymore, too.
Mike: I’ll go with something that you said, Kilian, which is that it’s really about our mindset. And I think from a security practitioner’s standpoint, we’re typically very focused on exploited time and this and do these things, and so we forget a lot about the human layer, which is education, like how to educate your users and help make them part of your line of defense. I think a fun activity for that is actually to do phishing, and there are a couple of companies that do this, that do like fake phishing attacks, and then basically, so I go, “You clicked on this so we are reporting you to IT.” And it’s kind of almost like in hospitals where they shame the doctors into making sure they wash their hands all the time. You’re kind of trying to enforce these IT hygiene aspects on all of your users, and either hire a company or, if you have some free time, you can just try to phish your users individually to mess with them.
Kilian: Sure.

Physical
Cindy: Our next layer is the physical layer, and you know, I would be like the worst security person to hire because I wanted to skip talking about this layer. There are so many layers and Mike’s like, “Why aren’t we talking about it? It’s the most important one.” And Kilian is like, “It’s often overlooked.” And I said, “It’s just the physical layer, like everybody gets that.” Tell us a little bit more about the physical layer.
Kilian: I guess I’ll jump in. It is so often overlooked. We worry about firewalling the data off to protect from external attacks and stuff that comes in over the wire. But how many times in businesses do people check badges? You can walk into a corporation. If the guy sitting at the desk is distracted for a minute, then you’re inside and nobody looks twice at you. If the doors aren’t

S1 Ep 1: GDPR
We’ve been writing about the GDPR for the past few months now, and with the GDPR recently passed into law, we thought it was worth bringing together a panel to discuss its implications. In this episode of the Inside Out Security Show, we discuss how the GDPR will impact businesses, Brexit, the first steps you should take in order to protect EU consumer data and much more. Go from beginning to end, or feel free to bounce around.
What is the EU General Data Protection Regulation?
Who will be tasked to implement GDPR?
What’s the first step you need to take when implementing GDPR?
Data Breach Notification
Brexit and GDPR
Territorial Scope
Tension between Innovation and Security
Tips on Protecting Customer Data
Final Thoughts
Upcoming Webinars: July 21st English, July 28th German and French

Cindy: Hi and welcome to another edition of the Inside Out Security show. I’m Cindy Ng, a writer for Varonis’s Inside Out Security blog. And as always, I’m joined by security experts Mike Buckbee, Rob Sobers, and Kilian Englert. Hey, Kilian.
Kilian: Hi, Cindy.
Cindy: Hey, Rob.
Rob: Hey, Cindy, how is it going?
Cindy: Good. And hey, Mike.
Mike: Hey, Cindy, you made me go last this week. That’s all right.
Cindy: This week, we also have two special guests, also security experts: Andy Green, who is based in New York, and Dietrich Benjies, who is based in the UK. And they’re here to join us to share their insights on the latest General Data Protection Regulation, which was just passed with an aim to protect consumer data and will impact not only businesses in the EU, but Britain, the US and the rest of the world. So hi, Andy.
Andy: Hey, Cindy.
Cindy: Hey, Dietrich.
Dietrich: Hi, Cindy.

What is the EU General Data Protection Regulation?
Cindy: So, let’s start with the facts. First, what is GDPR and what are its goals?
Andy: In one sentence? Can I get two?
Cindy: You get two and a half.
Andy: Okay, two and a half. So it stands for General Data Protection Regulation. It’s a successor to the EU’s current data security directive, which is called the Data Protection Directive, DPD. And it really… I mean, if you are under the rules now, the GDPR will not be a major change, but it does add a few key major additions. And one of those is… well, there are stronger rules on, let’s say, the right to access your data. You really have… almost like a bill of rights. One of them is that you can see your data, which is maybe not something in the US we are experienced with. Also, another new thing is you have a right of portability, which is something that Facebook probably hates. In other words, you can download the [personal] data. If I were, I assume this would happen in the UK or the EU, that if you are a Facebook customer you will be able to download everything that Facebook has and have it in some sort of portable format. And I guess that [if you have another] social media service, you can then upload that data to that social media service and say goodbye to Facebook, which is kind of not something they’re very happy about. … You have almost like consumer data rights under the new rule. I don’t know if anyone has any comments on some of these things, but I think that’s… that, I think, is like a big deal.
Dietrich: I’m sorry, Mike. Were you going to go next? I chimed in so I suppose I’ll carry on-
Cindy: Go ahead, Dietrich.
Dietrich: So I think in terms of your attendance, it’s the European Union recognizing that data is… the European citizens recognize their data as important, and historically, recently and historically, there have been many cases where it hasn’t been demonstrated to be appropriately controlled. And as it’s a commodity, the information on them is a commodity traded on the open market to a degree that there has just been an increasing demand to have greater safeguards on their data. And those greater safeguards on European citizen data give them greater confidence in the market, in the electronic market that the world economic market has become. So the two pillars, which we’ll get to, or the two tenets are Privacy by Design and accountability by design… we’ll get to a lot of things, but that’s a synopsis on it.
Mike: I was curious about to what extent this was targeting enterprises or is it targeting, say, like you brought up Facebook, which I consider an application, like a web application service. Was there an intent behind this, that it’s targeting more one or the other?
Andy: Yeah. It’s definitely, I would say, consumers. I mean, it’s really very consumer-oriented.
Dietrich: Mike, do you mean in terms of it’s targeting the consumers? Yes, it’s consumer data. It’s related to, but do you mean in terms of the types of businesses where it’s most applicable? Is that what you mean, Mike?
Mike: Well, you know, there is a decision-making framework that, so now with GDPR as the Data Protection Directive, to need to make decisions, that I’m building an application, I’m going to need to have new privacy features. We talked about Privacy by Design which has