The complicated four way acquisition battle between Disney, 21st Century Fox, Sky (Sky Broadband) and Comcast took an interesting turn yesterday after the latter dropped its own pursuit of Fox, which market analysts suggest will leave Disney to gobble Fox but open the door to a Comcast buy of Sky (i.e. Fox won’t increase their […]
Source:: ISPreview
Three firms are vying to be the first to reintroduce commercial supersonic flight in the next decade.
Source:: BBC News – Technology
BBC Click’s Jen Copestake looks at some of the best technology news stories of the week.
Source:: BBC News – Technology
The Broadband Stakeholder Group think-tank, which advises the UK Government, has today published new research from Analysys Mason that identifies 13 specific barriers (reflecting practical challenges in planning and roll-out) to deployment of future 5G mobile infrastructure. Some 21 recommendations are made. At the time of writing 5G has yet to finalise all of its […]
Source:: ISPreview
Cloud-based human resources company ComplyRight said this week that a security breach of its Web site may have jeopardized sensitive consumer information — including names, addresses, phone numbers, email addresses and Social Security numbers — from tax forms submitted by the company’s thousands of clients on behalf of employees.
Pompano Beach, Fla-based ComplyRight began mailing breach notification letters to affected consumers late last week, but the form letters are extremely vague about the scope and cause of the breach. Indeed, many readers who received these letters wrote to KrebsOnSecurity asking for more information, as the company hadn’t yet published any details about the breach on its Web site. Also, most of those folks said they’d never heard of ComplyRight and could not remember ever doing business with a company by that name.
Neither ComplyRight nor its parent company Taylor Corp. responded to multiple requests for comment this past week. But on Wednesday evening, ComplyRight posted additional facts about the incident on its site, saying a recently completed investigation suggests that fewer than 10 percent of individuals with tax forms prepared on the ComplyRight platform were impacted.
According to ComplyRight’s Web site, some 76,000 organizations — many of them small businesses — use its services to prepare tax forms such as 1099s and W2s on behalf of their employees and/or contractors. While the company didn’t explicitly say which of its cloud services was impacted by the breach, the Web site which handles its tax preparation business is efile4biz.com.
ComplyRight says it learned of the breach on May 22, 2018, and that the “unauthorized access” to its site persisted between April 20, 2018 and May 22, 2018.
Even with the additional disclosure published to ComplyRight’s site, it’s difficult to accurately gauge the size of this breach. ComplyRight includes information about its tax solutions division here and it appears that they also file Affordable Care Act (ACA) and HIPAA paperwork. So, if these “solutions” are indeed part of the “tax reporting web platform,” then we’re probably talking way more beyond efile4biz.com’s 76,000 customers. And remember that each “customer” is a business that employs multiple people.
ComplyRight’s efile4biz.com Web site has long stated that the company employs the latest, most sophisticated security measures, noting that “the result is a level of data protection that would thwart even the most determined cyber criminals.”
“Data security is a primary concern with reputable e-file providers like efile4Biz.com,” the site explains. “We use the strongest encryption program available, as recommended by the federal government, to block the interception or interruption of information by a third party. “Data is encrypted as soon as it’s entered on the site, and it says encrypted throughout the entire print, mail and e-file process.”
The site also includes a Geotrust security seal intended to reinforce the above statement. While ComplyRight hasn’t said exactly how this breached happened, the most likely explanation is that intruders managed to install malicious code on the efile4biz.com Web site — malware that recorded passwords entered into the site by employers using the service to prepare tax forms.
Translation: Assurances about the security of data in-transit to or from the company’s site do little to stop cyber thieves who have compromised the Web site itself, because there are countless tools bad guys can install on a hacked site that steals usernames, passwords and other sensitive data before the information is even encrypted and transmitted across the wire.
Also, it’s far from clear that data security is in fact a primary concern of ComplyRight. Let me explain: Very often when I’m having difficulty getting answers or responses from a company that I suspect or know has had a breach, I’ll start identifying and pestering the company’s executives via their profiles on LinkedIn.
As I did so in this case, I was surprised to discover that I couldn’t identify a single ComplyRight employee on Linkedin whose job is listed as at all related to security. Nor does it appear that ComplyRight is currently hiring anyone in these positions. I did, however, find plenty of network managers and software engineers, Web developers and designers, data specialists, and even several “poster guard specialists” (ComplyRight also produces workplace safety posters of the kind typically hung in corporate breakrooms).
It may well be that there are indeed security personnel working at ComplyRight, but if so they don’t seem to have a LinkedIn profile. Again, neither ComplyRight nor its parent firm responded to multiple requests for comment.
The company is offering 12 months of free credit monitoring to those affected by the breach. As I’ve noted several times here, credit monitoring can be useful for helping people recover from identity theft, it is virtually useless in stopping identity thieves from opening new accounts in your name.
A more comprehensive approach to combating ID theft involves adopting the assumption that all of this static data about you as a consumer — including your name, date of birth, address, previous address, phone number, credit card number, Social Security number and possibly a great deal more sensitive information — is already breached, stolen and/or actively for sale in the cybercrime underground.
One response to this increasingly obvious reality involves enacting a security freeze on one’s credit files with the major consumer credit reporting bureaus. See this primer from last year’s breach at Equifax for more details on how to do that, and for information on slightly less restrictive alternatives.
In addition, people who received a letter from ComplyRight may also file a Form 14039 with the U.S. Internal Revenue Service (IRS) to help reduce the likelihood of becoming victims of tax refund fraud, an increasingly common scam in which fraudsters file a tax refund request with the IRS in your name and then pocket the refund money.
Any American can be a victim of refund fraud, whether or not they are owed money by the IRS. Most people first learn they are victims when they go to file their tax return and the submission is rejected because someone already filed in their name.
By filing a Form 14039, you are asking the IRS to issue you a special one-time code — called an IP PIN — via snail mail that must be entered on subsequent tax returns before the return can be accepted by the IRS.
A couple of caveats about this form: If you request and are granted an IP PIN, make sure you store the information in a safe place that you will be able to access next year when it comes time to file your taxes again (a clearly labeled folder in a locked filing cabinet is a good start).
Also, understand that enrolling in the IP PIN program requires taxpayers to pass an identity-proofing process called Secure Access. This process includes making specific credit inquiries to big-three credit bureau Experian, which means if you already have a security freeze on your consumer credit file with Experian you will need to temporarily thaw the freeze before completing the enrollment. For those contemplating a freeze and seeking an IP PIN, complete the Secure Access enrollment with the IRS before enacting a freeze.
Source:: KrebsOnSecurity
The fourth annual report from the Huawei Cyber Security Evaluation Centre (HCSEC) Oversight Board has identified “shortcomings” in Huawei’s engineering processes, which they say have “exposed new risks in the UK telecommunication networks.” A number of operators, such as Openreach (BT), make use of kit from the Chinese firm. The HCSEC has been running for […]
Source:: ISPreview
The report revealed shortcomings in the Chinese firm’s engineering processes.
Source:: BBC News – Technology
A software company criticised for working with US Border Control has a donation to a refugee charity rejected.
Source:: BBC News – Technology
Last December, Cloudflare announced the Athenian Project to help protect U.S. state and local election websites from cyber attack.
Since then, the need to protect our electoral systems has become increasingly urgent. As described by Director of National Intelligence Dan Coats, the “digital infrastructure that serves this country is literally under attack.” Just last week, we learned new details about how state election systems were targeted for cyberattack during the 2016 election. The U.S. government’s indictment of twelve Russian military intelligence officers describes the scanning of state election-related websites for vulnerabilities and theft of personal information related to approximately 500,000 voters.
This direct attack on the U.S. election systems using common Internet vulnerabilities reinforces the need to ensure democratic institutions are protected from attack in the future. The Athenian Project is Cloudflare’s attempt to do our part to secure our democracy.
Since announcing the Athenian Project, we’ve talked to state, county, and municipal officials around the country about protecting their election and voter registration websites. Today, we’re proud to report that we have Athenian Project participants in 19 states, and are in talks with many more. We have also strategized with civil society organizations, government associations, and federal government officials who share the goal of ensuring state and local officials have the tools they need to protect their institutions from cyberattack.
Working with state and local election officials has given us new appreciation for the dedication of those who serve as election officials, and how difficult it can be for those officials to identify and get the resources they need.
Local election officials — like ordinary voters — are the foundation of democracy. They guard the infrastructure of our constitutional system. Many officials juggle multiple roles within local government. They may manage multiple election websites, with limited information technology staff. Yet they know that their community, and sometimes the entire country, is relying on them to protect election integrity from countless global threats against it. The Athenian Project is about giving these dedicated professionals the tools they need to fight back and secure their systems.
A county Clerk-Recorder and Registrar of Voters, who is responsible for a number of election-related websites, told us that election officials worry about drawing attention to themselves, for fear they may be targeted for attack. Although cybersecurity is only one of the many responsibilities on her plate, this official is determined protect the county, using all the resources at her disposal. But without dedicated information technology staff, she has had difficulty identifying how best to protect county infrastructure.
Cloudflare can help, with both tools and know how.
Given the current threats, we think it’s important to provide more details about what our services do, and how they can help election officials. We’ve understood since the beginning that election websites would benefit from Cloudflare’s security features, including our DDoS mitigation, Web Application Firewall (WAF), IP reputation database, and ability to block traffic by country or IP address. In fact, reports of DDoS attacks on state and local government websites often get the most coverage because the impact — loss of service to the site — is visible to the public. Until our conversations, however, we did not fully appreciate how our services could solve other common problems for state and local government officials.
For election officials, the last day of voter registration and election day are often nerve-wracking events. Their websites can see more traffic in an hour than they’ve seen all year. For example, when the Special Election in Alabama in 2017 drew traffic from around the country, Alabama needed a distributed network and a CDN to ensure that the nearly 5 million Alabamians and everyone else in the U.S. could follow along.
Cloudflare’s other features can also help state and local election websites. The Senate Select Committee on Intelligence summary of the 2016 election hacking attempts concluded that the majority of malicious access attempts on voting-related websites were perpetrated using SQL injection. Cloudflare’s WAF protects against SQL injection, as well as other forms of attack.
Recently, one of the states whose election websites are part of the Athenian Project was attacked and two non-election related websites were defaced. Website defacement occurs when someone who is not authorized to make website changes alters the content on the site, often changing the home page to display the hacker’s logo or other material. Although the state’s election websites saw a 100-fold increase in threat traffic, our WAF helped prevent a similar defacement on those sites.
For election websites that are not already running on HTTPS, Cloudflare can also simplify the process of transitioning to use of SSL. With Google Chrome’s new initiative to mark non-HTTPS sites as insecure, potential voters visiting non-encrypted voter registration websites will be warned not to enter sensitive information on the site “because it could be stolen by attackers.” That is not the message officials want to send to a public nervous about cyberattacks on election infrastructure. Adding a security certificate can be a daunting task for local officials without IT resources, but for Athenian Project participants, it’s available at the click of a button. Athenian Project participants who need help with certificate management are given dedicated, auto-renewed certificates to improve the security of their sites. Cloudflare page rules can then direct all traffic to the HTTPS site.
We’ve also tailored the Athenian Project to better address the needs of those we are serving. So what have we done?
More tools: We wanted to provide more tools for those who want to learn about and set up our service. We’ve therefore revamped our website to be more intuitive to navigate and to provide more information. We’ve created a new, interactive guide discussing website protection and a short video sharing the experience of current Athenian Project participants.
How-to videos: There are videos to not only walk new participants through creating an account and transitioning their DNS servers, but also to provide best practices so that new participants can identify and turn on important features.
Getting Started
Best Practices
Support help: We have found that state and local election officials often have challenges at the onboarding stage that are best addressed through personal attention. We’ve therefore added support features — including Athenian-specific support — to increase the personal interaction we have with officials and to provide them an opportunity to describe their own situation and needs.
Set up flexibility: We’ve learned to be flexible with how we set up our service. While some counties were eager to leverage as much of the service as possible, including using full DNS delegation and dedicated certificates, others preferred to pick and choose between options. Depending on the circumstances for a given jurisdiction, we customize protection so they can use Cloudflare without needing to change the IT system for the whole state or county.
Athenian Project-specific terms of service: To address common government contracting restrictions, we’ve drafted an Athenian Project-specific terms of service.
We hope these new details will make it even easier for election officials to get access to tools that can help them fulfill their critical responsibility to protect our elections.
In November, every state and district in the country will hold congressional elections. Election officials — and all of us — want to make sure that voter information remains secure and that websites stay online as voters seek out information on polling places and voting requirements, and anxiously refresh results pages on election night.
The entire American experiment is built on a simple act: a vote. To work as designed, citizens must trust the electoral system, its strength, integrity, and the people who protect it. Cloudflare is proud to support local officials on the front lines of election security.
And we, like election officials, know that building a resilient system requires long-term commitment. We are committed to continuing to do our part to keep U.S. election websites secure in this election and beyond.
If you would like more information about the Athenian Project, please visit our website cloudflare.com/athenian-project.
Source:: CloudFlare
We live in a connected world. Globally, we’ve become a tighter community, while locally, we’ve become more global. The internet has delivered on convenience, allowing anyone with a connection to see, learn about, and communicate with any individual or business on the planet. This convenience is coupled with virtually every new tech product rolling off the line, and our homes are quickly filling up with an ever-growing universe of IoT devices.
Source:: Avast
Microsoft is not playing around with the Xbox Ultimate Game Sale that runs now through July 30. There are a bunch of Xbox Play Anywhere games in the sale that allows you to play the games on either Xbox or PC. That means PC gamers on Windows 10 can also take advantage of the big deals event.
Here’s our look at some of the highlights:
Forza Motorsport 7 Standard Edition is $30Remove non-product link down from its MSRP of $60, and the Ultimate Edition of the game is $50, a 50 percent discount from its $100 MSRP. Forza 7 is a fantastic racing game, though when it came out we didn’t like the loot box system.
To read this article in full, please click here
Source:: IT news – Hardware Systems
Farnborough Airshow in pictures: The big, the fast, the noisy.
Source:: BBC News – Technology
Customers of Sky Mobile (Sky Broadband) have now been given the rather unique ability to “cash in” any unused 4G Mobile data (Mobile Broadband) allowances they may have and instead receive savings on a range of Smartphones, Tablets and mobile accessories (aka – Piggybank Rewards). At present existing Sky TV customers can take any one […]
Source:: ISPreview
The Company
SofTec Solutions provides managed IT and security services to the Canadian business community of southeastern New Brunswick. The company serves a range of businesses within a 100 kilometer radius that includes automotive, accounting, trucking, retail corner stores, and senior care facilities.
“We’ve been able to develop expertise in different vertical markets,” says President Dave McPherson, who purchased the company in 1992. “For example, we have a solid reputation with the local Toyota, Volkswagen, and Audi dealerships for providing wireless connectivity for customer waiting rooms, integrating software for car programming devices, and securing company networks. All of our customers, no matter the type of business, expect strong protection to avoid downtime. If a breach happens, they would be unable to run their businesses.”
Source:: Avast
The network of balloons travels by predicting the speed and direction of winds in the stratosphere.
Source:: BBC News – Technology