You Gave Facebook Your Number For Security. They Used It For Ads.

Two-Factor Authentication Is Not The Problem

First, when a user gives Facebook their number for security purposes—to set up 2FA, or to receive alerts about new logins to their account—that phone number can become fair game for advertisers within weeks. (This is not the first time Facebook has misused 2FA phone numbers.)

But the important message for users is: this is not a reason to turn off or avoid 2FA. The problem is not with two-factor authentication. It’s not even a problem with the inherent weaknesses of SMS-based 2FA in particular. Instead, this is a problem with how Facebook has handled users’ information and violated their reasonable security and privacy expectations.

https://www.eff.org/deeplinks/2018/09/you-gave-facebook-your-number-security-they-used-it-ads

Your Business Should Be More Afraid of Phishing than Malware

It seems not a day goes past without a security firm warning about a new strain of ransomware, or how criminals are planting cryptomining code on poorly-protected IoT devices and insecure data centres.

And although these are real problems and shouldn’t be ignored, I would argue that there is another more down-to-earth threat that is more commonly encountered and has the potential to cause massive harm to your organisation.

If you were to make a list of the most common causes of security breaches, it is phishing attacks that would surely dominate.

https://businessinsights.bitdefender.com/your-business-should-be-more-afraid-of-phishing-than-malware#new_tab

How does DuckDuckGo know where I am?

Searching the web with DuckDuckGo is completely anonymous; we simply never collect or share any personal information, in line with our strict privacy policy. For example, we don’t store IP addresses or any other unique identifiers in our server logs. As a result, we don’t even have the ability to create search histories or sessions for any individual. It’s privacy by design.

When you hit the search button, your computer sends your search request to us. In that request, your computer embeds additional information. For example, if you opt-in to location sharing for a site, this information includes your approximate location. And even if you don’t, your request includes your IP address, and an approximate location can be inferred from it, though it isn’t always accurate.

What we do is read that embedded information, use the location contained within it to display the weather or other local information requested, and then immediately throw it away – without storing any of your personal information. In that way, we can serve localized results (weather, restaurants, maps, etc.) without tracking you. For all the nitty-gritty technical details, check out our help page

https://www.quora.com/How-does-DuckDuckGo-know-where-I-am/answer/Gabriel-Weinberg
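The "use it, then throw it away" pattern described in that answer can be made concrete in code. The following is an added illustration, not DuckDuckGo's own code: a request handler reads an approximate location (from a hypothetical opt-in header, or inferred from the client IP via a constructed lookup table), uses it to pick localized results, and writes an access-log line that carries neither the IP, the header nor the location. The header name `X-Geo-Region`, the IP ranges and the weather table are all constructed for the example.

```python
"""Privacy-by-design handling of location in a search request.

Added example, not DuckDuckGo's code. It models the pattern described in
the answer above: read the approximate location embedded in a request (an
opt-in geolocation header or an inference from the client IP), use it to
pick localized results, and then discard it so nothing identifying reaches
persistent logs. Header name, IP-to-region table and weather table are all
constructed for this example.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed stand-in for a coarse IP-geolocation database.
IP_RANGES_TO_REGION = {
    ipaddress.ip_network("203.0.113.0/24"): "Stockholm",
    ipaddress.ip_network("198.51.100.0/24"): "Oslo",
}

# Constructed local data keyed by region.
WEATHER = {"Stockholm": "9°C, rain", "Oslo": "7°C, cloudy"}


@dataclass(frozen=True)
class Request:
    remote_ip: str
    headers: dict = field(default_factory=dict)
    query: str = ""


def approximate_location(req):
    """Derive an approximate region; an opt-in header wins over IP inference."""
    opted_in = req.headers.get("X-Geo-Region")  # hypothetical opt-in header
    if opted_in:
        return opted_in
    try:
        addr = ipaddress.ip_address(req.remote_ip)
    except ValueError:
        return None
    for net, region in IP_RANGES_TO_REGION.items():
        if addr in net:
            return region
    return None  # inference from IP is not always possible


def log_line(req, region_used):
    """Access-log entry that records no IP, no header value and no location."""
    return f"query_len={len(req.query)} localized={region_used is not None}"


def handle_search(req, log):
    """Serve a localized answer, append a scrubbed log line, drop the location."""
    region = approximate_location(req)
    if req.query.lower() == "weather" and region in WEATHER:
        body = f"Weather in {region}: {WEATHER[region]}"
    else:
        body = f"Results for {req.query!r}"
    log.append(log_line(req, region))
    del region  # location lives only for this response, never persisted
    return body
```

The point of the example is the separation between what the handler needs for one response and what it keeps: the only persisted artifact is `log_line`, which by construction cannot contain the client address or the inferred region, so a later compromise of the log store yields no location data.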

Scramble for security professionals – "many companies are very aggressive"

IT security issues have always ranked high on companies' agendas. And as more and more of their operations are digitised, security needs naturally grow even larger. But in an industry crying out for skills, the hunt for capable IT security people is a challenge, not least because the security business is attracting more and more players.

We have previously reported on IT&Telekomföretagen's major report It-kompetensbristen (the IT skills shortage), in which the organisation flags that 70,000 people will be needed to cover demand through 2022. Looking more specifically at the figures, it emerges that the acute need over the next four years is at least 500 IT security experts.

https://computersweden.idg.se/2.2683/1.707682/huggsexa-it-sakerhetsexperter?utm_source=dmdelivery&utm_medium=email&utm_campaign=Techworld%20Security%20Update%202018-09-25%209%3A50%3A10

For safety’s sake, we must slow innovation in internet-connected things

In a new book called Click Here to Kill Everybody, Bruce Schneier argues that governments must step in now to force companies developing connected gadgets to make security a priority rather than an afterthought.

Can’t we just unplug ourselves somewhat to limit the risks?

That’s getting harder and harder to do. I tried to buy a car that wasn’t connected to the internet, and I failed. It’s not that there were no cars available like this, but the ones in the range I wanted all came with an internet connection. Even if it could be turned off, there was no guarantee hackers couldn’t turn it back on remotely.

https://www.technologyreview.com/s/611948/for-safetys-sake-we-must-slow-innovation-in-internet-connected-things/

Summary of the Internet Organised Crime Threat Assessment (IOCTA) 2018

A few days ago Europol published its annual IOCTA report. Organised crime continues to make money and keeps updating its modus operandi, but the cyber-terrorists are conspicuous by their absence.

  • By far the most common way to carry out attacks is via e-mail. Sweden, together with Norway and Ireland, has the highest share of e-mails containing malicious links.
  • Phishing is extremely common in cyber-related attacks, so there are strong incentives to build capabilities in this area.
    A common type of phishing, reported by several member states, is CEO fraud.
  • Increased use of HTTPS leads users to believe that the site they are visiting is "secure".


12 things every IT security professional should know

Fighting the good fight takes specialized knowledge. Here’s the baseline of what all security pros should know.

Basic common defenses

Almost every computer has common basic defenses, which good IT pros consider and apply. These are the “standards” of computer security. They include:

  • Patch Management
  • End-User Training
  • Firewalls
  • Antivirus
  • Secure Configurations
  • Encryption/Cryptography
  • Authentication
  • Intrusion Detection
  • Logging

Understanding and using the basic common IT security defenses is a must for every IT security professional. But don’t stop at simply knowing about them. Know, too, what they are good at stopping and what they fail to do. If you want to know which two defenses help decrease the most risk, read this.

Cloud security

What four factors make cloud security more complex than traditional networks?

  • Lack of control
  • Always available on the internet
  • Multi-tenancy (shared services/servers)
  • Virtualization/containerization/microservices

The joke is (and isn’t) that cloud really means “other people’s computers” and all the risk that entails. Traditional corporate administrators no longer control the servers, services, and infrastructure used to store sensitive data and service users in the cloud. You have to trust that the cloud vendor’s security team is doing its job. Cloud infrastructures are almost always multi-tenant architectures, where keeping different customers’ data separate can be complicated by virtualization and the recent containerization and development of microservices. Heralded by some as a way to help make security easier to do, each development usually makes the infrastructure more complex. And complexity and security do not usually go hand-in-hand. Want to dig deeper into this topic? I recommend starting with this article on cloud security.

Threat education and communication

Most threats are well known and re-occur frequently. Every stakeholder from end-users to senior management and the board of directors needs to know the current top threats against your company and what you are doing to stop them. Some of the threats you face, like social engineering, can only be stopped by educating the people in your company. So the ability to communicate is often the thing that separates a great IT pro from a mediocre one.

Communication is an essential IT security professional skill. But you can’t simply rely on your charming personality because communication happens through a variety of methods including: face-to-face conversation, written documentation, emails, online learning modules, newsletters, tests, and simulated phishing.

Every good IT pro needs to be able to clearly and effectively communicate using verbal and written methods. When appropriate, she knows how to create or purchase the needed education and communication vehicles. No matter what technical controls you deploy, every year something will make it past them. So, make sure your stakeholders are prepared. At the very least, the following items should be covered in your education program:

  • The most likely, significant, threats and risks against the organization
  • Acceptable use
  • Security policy
  • How to authenticate and what to avoid
  • Data protection
  • Social engineering awareness
  • How and when to report suspicious security incidents

Looking for some hands-on, practical information security education advice? Check out “Ways to improve security education in the New Year” at CSO Online.

-/-

Follow the link to find all twelve:

https://www.itworld.com/article/3297944/it-careers/12-things-every-it-security-professional-should-know.html

Globally, just under 23 percent of organizations are likely to suffer at least one breach over the next 24 months

According to the IBM report, it now takes 197 days to identify a breach and 69 days to contain it. <…> Entertainment and healthcare organizations take the longest time to discover and contain a breach – averaging more than 300 days – while financial services and energy sectors were quickest at discovery and remediation.

Time is money and being slow to detect and contain a breach can be costly. Taking more than 100 days to discover a breach could add as much as $1 million to the final bill. Likewise taking longer than 30 days to contain the breach once discovered can also add over $1 million to costs. Investment in monitoring and forensics capabilities could be valuable in the long run.

The size of your average data breach is now 24,615 records, an increase of 2.2 percent compared to 2017. Each record lost costs around $148 on average globally, while in the US that figure rises to $233. The final cost per record can be impacted by a number of factors relating to how well-prepared an organization is and how well it reacts to a breach.

Given the highly sensitive and regulated nature of the data they manage, it should come as little surprise that the health and financial sectors face the largest costs per record, at up to $400 each.

A significant outlay organizations are faced with post-breach is notification costs. These include the creation of contact databases, determining regulatory requirement, consultancy fees, postal expenditures, email bounce-backs, and more. India has the lowest notification costs at just $20,000, while the U.S. has the highest at $740,000 per breach, largely due to data breach notification regulations.

However, now that the European Union’s regulation is in effect, companies are likely to see “huge increases throughout the world” in the future when it comes to notification costs. “One key thing with GDPR is you have that 72-hour disclosure window. And that time can go by very, very fast. Folks really need to understand the need for preparation.”

Mega breaches can incur large indirect costs

According to IBM a “mega-breach” of 1 million records could cost a company $40 million, while the loss of 50 million records might lose a company $350 million.

“If you’re a company who loses fifty million records, first and foremost there’s an expectation that you’re likely a very large company who certainly has the financial means to be able to put an adequate level of protection in place. Folks will look at that and say that is a catastrophic failure, and clients are going to make an alternative choice of who they do business with as a result.”

https://www.itworld.com/article/3304358/data-breach/what-is-the-cost-of-a-data-breach.html