Tag: security

By Aaron Holmes for Business Insider US

The most effective way to protect yourself against hackers is to build good password habits, experts say.

Cybersecurity experts shared straightforward tips with Business Insider that can make it exponentially harder for hackers to break into your account.

There’s no reason that your password should be a single word – a “passphrase” consisting of multiple words is much safer.

If your password is one word, you’re doing it wrong – it’s time to upgrade to a multi-word “passphrase.”

Password strength is one of the most important pieces of online security. The vast majority of hacks result from phishing – the act of guessing users’ login credentials based on information gleaned from messages and online profiles – which stems from human error and is easily preventable.

Hackers are also developing increasingly sophisticated methods to track and exchange people’s passwords, making preventative action all the more crucial.

Business Insider spoke to cybersecurity experts, who outlined simple steps users can take to make sure their online accounts are secure. Here’s what they recommend.

“‘Password’ is a bit of a misnomer. What you should actually be using is a passphrase,” says Kiersten Todt, managing director of the Cyber Readiness Institute and a former cybersecurity adviser to the Obama administration.

“Make that passphrase as long and difficult as possible,” Todt added. Four words long is safe, and five is even safer.
Contrary to popular belief, it’s perfectly fine to use spaces in your password. Many major sites, like Google and Facebook, accept “space” as a valid password character.

A “passphrase” is stronger than a single password because it increases entropy, or the amount of randomness in a password, making it harder to guess.
The creators of ProtonMail, a security-minded email service, say multi-word passphrases are a solution to the problem that “we humans are bad at creating randomness, and we’re bad at remembering things.”

Unlike complex one-word passwords with lots of special characters, passphrases are easy to remember. “If your ‘secure system’ isn’t easy to use, people won’t use it, negating the security benefit,” the ProtonMail team argues.

Even when using passphrases, it’s crucial to change your password: “The people who are getting hit by hacks are the low hanging fruit who reuse the same passwords,” according to Alex Heid, chief technology officer at SecurityScorecard.

Discovery Bank discovered a system flaw on Monday which allowed the incorrect credit card card verification value (CVV) numbers to be used for online payments.

The CVV is the last three digits on the back of a bank card, and is considered critical as a last-ditch security measure against certain card fraud.

Business Insider South Africa was tipped off about the flaw, and on Monday morning was able to make payments with a random CVV code, such as 000.

  • Discovery Bank said it was alerted about the issue last week
  • The bank suffered no fraud losses due to the issue
  • The flaw has now been fixed
  • Previously, the Bank didn’t require further authorisation such as an OTP (one-time pin)
  • When Business Insider later tried to use an incorrect CVV number, a call centre agent phoned after the transaction to alert it that an incorrect CVV number had been used.

 

First National Bank (FNB) has announced that users will no longer be able to save their online banking passwords in their browsers.

Going forward, whenever a user wants to log into their account they will have to do so manually.

This forces users to keep their banking passwords secure.

“All stored passwords on your device can be viewed during a malware attack. Passwords can be easily accessed on your unattended/unlocked/stolen device,” FNB stated in a MyBroadband article.

FNB advises that users do the following to keep their passwords safe:

  • Do not share login details with anyone
  • Always use a different password for different websites. Avoid using the same one over and over
  • Report any fraudulent activity immediately to the FNB Fraud Centre: 087 575 9444
  • This change may interfere with various third-party password lockers such as LastPass

The Shoprite Group is fighting crime by investing heavily in sophisticated security and other measures to make its shopping space secure, reduce the number of criminal incidents and increase the number of arrests.

This is in the wake of the retail industry experiencing significant crime incidents in which the Shoprite Group had to contend with 489 armed robberies and burglaries in its 2018 financial year.

Its investments in crime prevention, including a centralised Command Centre and anti-crime team, give the Group the ability to monitor stores and vehicles, remotely trigger security devices, follow up on crime incidents and ensure suspects are arrested.

Through an extensive intelligence network, the Command Centre receives live information on strikes, protests and other incidents. This information can be used to react and take necessary measures to safeguard the Group’s fleet on the road as well as staff and customers in its stores.

Shoprite’s efforts to keep its customers and staff safe are reflected in a reduction of contact (violent) crime incidents and increased prosecutions. “It is a work in progress,” says Group Loss Prevention Manager, Oswald Meiring. “Incidents of violent crime and robberies are coming down, and we will continue to do everything we can to make us a harder target.”

Arrests have increased by 200% as a result of the Group increasing its capability to identify, trace and arrest suspects. Recently the Group was also able to assist with the arrest of two suspects after the manager of its Worcester branch was shot and killed in a robbery. A third suspect has been identified and arrest is imminent.

“We continue to focus on creating a safer environment for customers and staff. That is our first priority and we will go to any length to prosecute whoever is committing these crimes.”

The Group works closely with the South African Police Service (SAPS) and the National Prosecuting Authority (NPA) to effect the necessary arrests. It shares intelligence with them to ensure that bail is successfully opposed and that prosecution of criminals is successful.

In addition to tracking devices, the Group installed cameras and electronic locks on trucks which are managed from the Command Centre. Trucks can be remotely opened and closed, with alarms triggered if trucks are stationary for a certain length of time, or if unusual driving behaviour is detected. Since these devices were installed, there have been no incidents in transit on these vehicles.

It has also employed an in-house investigation team made up of experienced investigators. It has a team of Data and Crime Analysts who utilise predictive and historical analysis of all the crime data, to identify which stores or areas should be focused on. The Group has also employed an expert criminal lawyer to assist with the successful prosecution of criminals.

By James Pero for DailyMail.com

Malware that replaces victims’ legitimate apps with a malicious doppelgänger has infected 25-million devices across India, the UK and the US, say security researchers.

The virus, named ‘Agent Smith’ after a fictional character from ‘The Matrix’ who is able to make others into copies of himself, was highlighted by the security firm Check Point on Wednesday and affects users on Android devices.

Instead of stealing data, the malware covertly replaces apps inside a user’s phone with hacked versions which display ads selected by the hackers, allowing them to profit off their views.

To avoid detection, the malware — under its disguise as popular apps like WhatsApp or Flipkart — is also capable of replacing code in the original program with its own malicious version that prevents an app from being updated.

At least 15-million of the devices infected are located in India and 300,000 have been detected in the U.S. Other infections are spread across Asia as well as the U.K. and Australia.

‘The malware attacks user-installed applications silently, making it challenging for common Android users to combat such threats on their own,’ said Jonathan Shimonovich, head of Mobile Threat Detection Research at Check Point.

‘Combining advanced threat prevention and threat intelligence while adopting a ‘hygiene first’ approach to safeguard digital assets is the best protection against invasive mobile malware attacks like ‘Agent Smith’.’

A malware called ‘Agent Smith’ was found to have infected 25 million devices, mostly in India.

Malicious code was able to disguise itself as legitimate apps and take over the ads served inside those programs.

Hackers didn’t steal users’ data but were able to make money off serving up phoney ads.

Many users were unaware that they had been infected.

Code spread via third party app-store 9Apps and unsuccessfully tried to infect users in the Google Play store.

The malware is named after a fictional villain in the 1999 movie ‘The Matrix’ who was able to turn victims into copies of himself.

Researchers say Agent Smith was able to spread to devices through a third-party app store called 9Apps.

Malicious code was embedded into photo apps and sex-related apps which were then downloaded by users.

Once inside a victim’s device, the malware would disguise itself as a legitimate app and then begin replacing code.

As reported by The Verge, creators of the malware also attempted to infect users in the Google Play store through 11 apps containing bits of malicious code.

The foray was reportedly unsuccessful and Google has removed all the apps from its store.

A vulnerability in Android that allowed hackers to include their code was patched several years ago, but developers failed to patch their apps, leaving many open to attack.

To avoid being compromised by malware like Agent Smith, Check Point has some simple words of advice.

‘Users should only be downloading apps from trusted app stores to mitigate the risk of infection as third party app stores often lack the security measures required to block adware loaded apps,’ wrote researchers.

How loadshedding affects your security

By Ntwaagae Seleka for News24

Home owners and businesses have been urged to test their security systems as a matter of urgency and to pay particular attention to the battery back-up systems during load shedding periods.

“Many people are under the incorrect assumption that their home alarm system is deactivated when the power supply is interrupted. However, if you have a stable and correctly programmed system coupled with a battery that is in good condition, it will continue to protect the premises during a power outage – regardless if the outage is because of load shedding or not,” said Charnel Hattingh, national marketing and communications manager at Fidelity ADT.

The only time it may not function correctly is if there is a technical issue, or the battery power is low.

“Most modern alarm systems have a back-up battery pack that activates automatically when there is a power failure. There are a number of practical steps that can be taken to ensure security is not compromised during any power cuts.

“Some of these include ensuring that the alarm system has an adequate battery supply, that all automated gates and doors are secured and lastly to remain vigilant and report any suspicious activity to your security provider or the South African Police Service,” said Hattingh.

With the added inconvenience of the lights going out at night due to power cuts, candles and touch-lights are handy alternatives.

Home owners are also advised that it is important that their alarm systems have adequate battery supply and that batteries should be checked regularly. Alarms should be checked during extended power outages to keep systems running.

Power cuts can affect fire systems and fire control systems, so these also need to be checked regularly. The more frequent use of gas and candles can increase the risk of fire and home fire extinguishers should be on hand.

People are urged to remain vigilant during power cuts and be on the lookout for any suspicious activity and report this to their security company or the police immediately.

Hattingh said home and business owners should consider installing Light Emitting Diode (LED) technology, which is integrated into the alarm system’s wiring and automatically switches on for a maximum of 15 minutes when there is a power outage.

“If there is an additional battery pack, the small, non-intrusive LED lights can stay on for the duration of the power outage – or a maximum of 40 hours – without draining the primary alarm battery. Because of load shedding, there might also be a higher than usual number of alarm activation signals received by security companies and their monitoring centres.

“This could lead to a delay in monitoring centre agents making contact with customers. You can assist by manually cancelling any potential false alarms caused by load shedding, and thus help call centre agents in prioritising the calls needing urgent attention,” said Hattingh.

 

15 000 CCTV cameras coming to Jo’burg

Source: Vumacam

Vumatel unveiled its CCTV platform Vumacam this week, which it hopes will help make South Africa’s streets and neighbourhoods safer.

The Vumacam system is initially only available in Johannesburg, and currently consists of 889 cameras covering 48 suburbs.

There are 917 camera poles installed around the city, however, which when fully populated will hold over 3 000 cameras.

The video feeds from Vumacam’s CCTV system are then made available to security companies for a monthly fee, depending on how many cameras they would like access to.

Vumacam is also in discussions with the police and car tracking companies to provide their CCTV feeds, it said.

How Vumacam works
Vumacam’s business model is based on providing its video feeds to security companies and enforcement agencies for a subscription fee, which is based on how many cameras they want access to.

Vumacam assembles and installs the CCTV cameras in the areas it rolls out to, ensuring there is adequate coverage and the quality of the video feed is up to its standards. Its “video as a service” is then open to companies after they have been heavily vetted.

This means that multiple security companies can subscribe to the same camera feed, and if a new security company is hired by a resident’s organisation, for example, it can access the vendor-neutral CCTV infrastructure.

Vumacam said its CCTV system transfers its UHD feed via fibre connections to Teraco’s data centre. From there, it can be distributed to security control rooms which have subscribed to their service.

Security companies have the ability to view the feeds they have access to, lay intelligent software on top of the feed to make footage processing quicker and easier, and rewind their feeds to look back at certain places at certain times.

Vumacam emphasised that the companies cannot download the footage, however, and footage is only stored on their system for 30 days.

“Data is securely stored in a Tier 3 data centre, which is accessed by a secure connection. This ensures it is not subject to interference and not at risk of local disturbance.”

It added that 96% uptime for its systems is guaranteed, unless an issue is beyond its control – such as extended load-shedding.

In terms of regulation, Vumacam said their system is POPI Act compliant and meets the most stringent privacy requirements.

Software
Where Vumacam’s system really stands out from your standard CCTV camera installation, however, is its advanced software features.

It not only provides a live feed from cameras, but also serves licence plate recognition (LPR) services, exception alerts, and the ability to isolate elements in an area.

The LPR functionality does as its name suggests, and every vehicle passing an LPR camera is checked against multiple databases – including SAPS-listed stolen vehicles.

The “exception” notifications allow incidents to be surfaced to a security command centre, such as a vehicle illegally dumping in a park, which means operators do not need to watch hundreds of screens all the time looking for potential crimes.

Software can also be laid on top of the video feed which allows security operators to search for specific objects during a set time period – such as a red car on a particular street on a Wednesday. This makes investigating incidents reported after the fact much quicker and easier.

Expansion
Vumacam said it plans to expand across Johannesburg in the next 12 months, with a rollout from Braamfontein in the south to Woodmead in the north.

This will consist of 15,000 cameras when complete and R500-million has been allocated for this expansion.

By Benjamin Mayo for 9to5Mac

A significant bug has been discovered in FaceTime and is currently spreading virally over social media. The bug lets you call anyone with FaceTime, and immediately hear the audio coming from their phone — before the person on the other end has accepted or rejected the incoming call. Apple says the issue will be addressed in a software update “later this week”.

Naturally, this poses a pretty big privacy problem as you can essentially listen in on any iOS user, although it still rings like normal, so you can’t be 100% covert about it. Nevertheless, there is no indication on the recipient’s side that you could hear any of their audio. There’s a second part to this which can expose video too.

9to5Mac has reproduced the FaceTime bug with an iPhone X calling an iPhone XR, but it is believed to affect any pair of iOS devices running iOS 12.1 or later.

The iPhone FaceTime bug could be reproduced by doing the following:

Start a FaceTime Video call with an iPhone contact.
Whilst the call is dialling, swipe up from the bottom of the screen and tap Add Person.
Add your own phone number in the Add Person screen.
You will then start a group FaceTime call including yourself and the audio of the person you originally called, even if they haven’t accepted the call yet.
It will look in the UI like the other person has joined the group chat, but on their actual device it will still be ringing on the Lock screen.

Whilst the call is ringing, swipe up from the bottom of the screen and add yourself to the call.

The damage potential here is real. You can listen in to soundbites of any iPhone user’s ongoing conversation without them ever knowing that you could hear them. Until Apple fixes the bug, it’s not clear how to defend yourself against this attack either aside from disabling FaceTime altogether.

As it stands, if your phone is ringing with an incoming FaceTime request, the person on the other end could be listening in.

What we have also found is that if the person presses the Power button from the Lock screen, their video is also sent to the caller — unbeknownst to them. In this situation, the receiver can now hear your own audio, but they do not know they are transmitting their audio and video back to you. From their perspective, all they can see is accept and decline. (Another update: It seems there are other ways of triggering the video feed eavesdrop too.)

We have also replicated the problem with an iPhone calling a Mac. By default, the Mac rings for longer than a phone so it can act as a bug for an even longer duration.

Apple has taken Group FaceTime offline in an attempt to address the issue in the interim. They have said the issue will be fixed in a software update later in the week. Until then, if you are concerned, you should disable FaceTime in iOS Settings.

By Tehillah Niselow for Fin24 

Liberty Holdings customers received SMSs on Saturday alerting them that personal information related to their insurance policies could have been stolen by an external party.

The Information Regulator, which has asked for information about the Liberty breach, is clearly concerned about the increasing number of cyber attacks affecting personal data in South Africa.

“Without a fully functional Information Regulator, these breaches will continue to occur without sanctions provided for in the Protection of Personal Information Act (POPIA),” said chairperson Advocate Pansy Tlakula.

Tlakula urged “the powers that be to assist it in fast tracking its operationalisation”.

According to corporate law firm Michalsons, certain limited sections of POPIA have already been implemented. However, the bulk of the legislation will only commence at a later date, to be proclaimed by the president. As there is a one-year grace period, the POPIA deadline might only be set for the end of 2019 or in 2020.

In the meantime, South Africans are coming under heightened attack from cyber criminals and hackers.

Andrew Chester, MD of Ukuvuma Security, told Fin24 that affected clients or users should immediately alert their banks and cellphone provider. They should also undertake a credit check as well as a Google search to determine whether their personal information is in the public domain.

Liberty email hack

In SMSs to clients on Saturday, financial services company Liberty informed them that its email repository had been breached by a third party trying to demand a “ransom” in exchange for the data.

Liberty has not revealed much about the breach, citing a police investigation. CEO David Munro confirmed that Liberty’s insurance clients were the only ones affected, and that none of its other business had been compromised.

The company said none of its clients have been impacted financially, and that individuals will be personally advised if their information has been affected.

ViewFines licence details

In May the Hawks, the State Security Agency and the Information Regulator said they would probe the breach of personal records of 943 000 South African drivers, allegedly from online traffic fine website ViewFines.

The information reportedly contained the names, identity numbers and email addresses of South African drivers stored on the ViewFines website in plaintext.

The ViewFines website is owned by Aggregated Payment Systems. News24 reported that its operations manager confirmed the company was “implementing security measures immediately” to improve the website after being informed of the breach.

The source of the data was located by Troy Hunt, an Australian security researcher and creator of the free service Have I Been Pwned, which checks whether an individual’s information has been compromised.

Facebook scandal

While Facebook founder and CEO Mark Zuckerberg had to face angry lawmakers in the US and European Union, it was reported that the data breach involving the UK political consultancy affected almost 60 000 South African users.

In May, the Information Commissioner’s Office of the United Kingdom (which regulates Facebook outside the US and Canada) advised the Information Regulator of South Africa that over 87 million people had been affected worldwide.

However, no evidence could be found of South Africans having been targeted, as the majority of users involved were in the US.

Master Deed’s data breach “biggest” digital security threat in SA

Hunt was once again instrumental in revealing what was known as the “biggest” data breach in South African history, together with iAfrikan CEO Tefo Mohapi in October 2017.

Over 60 million South Africans’ personal data, from ID numbers to company directorships, was believed to have been affected.

The information was traced to Jigsaw Holdings, a holding company for several real estate firms including Realty1, ERA and Aida. The information reportedly came from credit bureau agencies, and was used to vet potential clients.

The information trove was found not to have been hacked, as it was stored in an easily accessible manner on an open web server.

Ster-Kinekor’s database compromised

Movie theatre chain Ster-Kinekor was responsible for up to 7 million South Africans falling victim to a data leak in March 2017.

Fin24 reported that Durban developer Matt Cavanagh announced he had discovered a flaw in Ster-Kinekor’s booking website, and that he had reported it to the company.

There were between 6 and 7 million users in the database. Of those, 1.6 million people had email addresses linked to them on the movie theatre chain’s database.



My Office News Ⓒ 2017 - Designed by A Collective

