Top News

Apple’s new ‘secret weapon’ gives hope for more secure future

Beauceron Security was at CISO Forum Canada in Niagara Falls last week, speaking with noted security thinkers from across the country. One topic that couldn’t help but come up a few times was Apple’s new credit card. 

Apple rolled out its credit card to U.S. customers last week, prompting speculation over what it will mean for the company, consumers and other credit card providers. While it’s not available at home yet, plenty of Canadians are eager to get their hands on one — and with good reason! This thing is pretty cool, and it marks a major leap in the quest for data privacy. 

What’s so different about it?

The permanent, visible 16-digit number found on most credit cards is gone: the physical Apple Card has no number, expiry date or security code printed on it. Purchases through Apple Pay use a device-specific account number held in the phone's Secure Element, plus a one-time code generated for each transaction, so what a merchant sees at checkout is a credential that can't be replayed and isn't tied to the underlying card number. That makes it a great way to protect your information when you're dining out, gassing up or shopping around.

Criminals have far less reason to target these types of businesses: card data skimmed from a point-of-sale system that only ever saw single-use transaction codes can't be monetized.
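To show why a stolen per-transaction code is worthless to a thief, here is a simplified model of single-use payment tokens. It is an added example written for this page, not Apple's, Goldman Sachs' or any card network's real scheme: the device account number format, the HMAC construction, the counter check and the test card number are all assumptions made for the demo.

```python
import hmac
import hashlib
import secrets

# Simplified illustration of single-use payment tokens (constructed example).
# Not a real payment-network protocol; field layout, key sizes and the
# HMAC-based one-time code are assumptions made for this demonstration.


class Device:
    """A phone holding a device account number (DAN) and a per-device key
    in its secure element. The real card number (PAN) never reaches it."""

    def __init__(self, dan: str, key: bytes):
        self.dan = dan
        self._key = key      # never leaves the device
        self.counter = 0     # transaction counter, strictly increasing

    def pay(self, merchant: str, amount_cents: int) -> dict:
        """Produce what the merchant sees: DAN, counter, a one-time code. No PAN."""
        self.counter += 1
        msg = f"{self.dan}|{self.counter}|{merchant}|{amount_cents}".encode()
        code = hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:16]
        return {"dan": self.dan, "ctr": self.counter,
                "merchant": merchant, "amount": amount_cents, "code": code}


class Issuer:
    """Token vault: maps each DAN to the real PAN, the device key and the
    highest transaction counter already accepted."""

    def __init__(self):
        self._vault = {}

    def provision(self, pan: str) -> Device:
        dan = "4" + "".join(secrets.choice("0123456789") for _ in range(15))
        key = secrets.token_bytes(32)
        self._vault[dan] = {"pan": pan, "key": key, "last_ctr": 0}
        return Device(dan, key)

    def authorize(self, txn: dict) -> bool:
        entry = self._vault.get(txn["dan"])
        if entry is None:
            return False
        msg = f"{txn['dan']}|{txn['ctr']}|{txn['merchant']}|{txn['amount']}".encode()
        expected = hmac.new(entry["key"], msg, hashlib.sha256).hexdigest()[:16]
        if not hmac.compare_digest(expected, txn["code"]):
            return False     # merchant/amount altered, or code forged
        if txn["ctr"] <= entry["last_ctr"]:
            return False     # replay of a code that was already spent
        entry["last_ctr"] = txn["ctr"]
        return True


def demo():
    """Walk through a purchase, a replay, a tampered reuse and a fresh purchase."""
    issuer = Issuer()
    phone = issuer.provision(pan="4111111111111111")   # constructed test PAN
    t1 = phone.pay("coffee-shop", 450)
    first = issuer.authorize(t1)          # genuine purchase: accepted
    replay = issuer.authorize(t1)         # same record replayed: rejected
    stolen = dict(t1, merchant="online-store", amount=99900, ctr=t1["ctr"] + 1)
    forged = issuer.authorize(stolen)     # fields changed, code no longer matches
    t2 = phone.pay("gas-station", 6000)
    second = issuer.authorize(t2)         # next genuine purchase: accepted
    no_pan_leaked = "pan" not in t1 and phone.dan != "4111111111111111"
    return first, replay, forged, second, no_pan_leaked


if __name__ == "__main__":
    print(demo())
```

The point the merchant-side thief runs into is the last three checks: the captured record is bound to one counter value and one merchant/amount pair, so it can neither be replayed nor re-pointed at a different purchase, and the real card number was never in the record to begin with.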

Perhaps the most important difference is that Apple, sticking to the privacy standards it applies to its hardware products, says it does not collect data about your transactions such as what you bought, where, when and for how much. The issuing bank, Goldman Sachs, necessarily processes each transaction, but it has committed not to share or sell that data to third parties for marketing or advertising. Because your purchase history isn't collected for profiling, it can't be sold or traded to companies like Google, Facebook and Amazon.

If you've ever wondered why you get ads after buying something even though you never Googled said item, one common route is that purchase data from the store is sold to data brokers and matched to your online identity. With the Apple Card, no one is building that purchase profile, and no one is hitting you with targeted ads based on it.

Apple’s not-so-secret weapon

You may be wondering: is this just a ploy to sell more iPhones? Well, yes and no. Of course the goal of any corporation is increased wealth and market share, and the card service is paired intimately with the use of Apple devices like the watch and the phone. People are calling it Apple’s secret weapon in part because if it takes off and goes big, it will take a huge bite out of the revenue of companies like Google and Facebook — and this has long topped Apple’s to-do list.  

Apple's business model says, "Yes, there's a premium price for our products, but in exchange we won't give away your data." So while there is a drawback, namely the upfront cost, that premium is what pays for making privacy and security the standard across the board.

A rare good-news story

The credit card industry is notoriously competitive, so Apple will have to keep interest rates and other fees reasonable. What you get out of paying more at the outset is the assurance that your data won’t fall into the wrong hands, and we think that’s very valuable!  

Whether or not you’re an Apple fan, this is an unequivocal win for privacy. In a world where good-news cybersecurity stories are few and far between, this is an event worth celebrating. 


If you want to empower your employees and reduce cyber risk, give us a call @ 1-877-516-9245 or reach out at info@beauceronsecurity.com for more information. 

5 hacks to keep calm and conference on

Attending a work conference offers up a mix of exhilaration and added stress. The fun of meeting new people, visiting different places and learning competes with the strain of jamming in an extra week's worth of work before or after the event and being away from the comforts of home. As the Beauceron pack prepares for our next adventure, I thought I'd share 5 hacks I use to keep calm and conference on.

Your number neighbour could be your number nightmare

The latest case of “just because you can try something, doesn’t mean you should try something” has emerged with another social media trend. 

The “number neighbour challenge” is one of the sillier ones we’ve seen.  

It goes like this: you text a number that’s almost your own phone number, except it's one digit off. You introduce yourself as this new contact’s number neighbour, and get the ball rolling on what could — best-case scenario — turn into an interesting conversation to post on social media for the laughs and the likes.  

Latest fad fails

The worst-case scenarios are less lighthearted, and a few have already happened in the short time since the fad hit the internet.  

For example, what if your number neighbour is a child? We won’t get into all that can go wrong in this situation, but keep in mind that the person you’re imagining may not match the person you’re texting.  

What if the number you text belongs to someone who’s recently passed away? You could be causing even more distress to an already grieving family.  

What if you're texting a tech-savvy stalker? Your innocent text could put you on the radar of some creep who now has your phone number, knows it's live and answered, and can start harassing you through it or using it to target your other accounts.

Neighbour turned nightmare

This is precisely what happened to an L.A. woman who texted her number neighbour and almost immediately started receiving death threats back. The stranger threatened to show up at her house and kill her; they sent videos of guns being loaded; they called her phone dozens of times and even when she blocked that number, more calls streamed in from a different number.

She eventually filed a police report, but we’re betting she wishes she had skipped the whole ordeal!

Think before you text or call

There’s nothing wrong with taking part in fun fads online, but make sure to think about what you’re signing up for. So many of these viral social media trends ask you to sacrifice your security for a few minutes of entertainment.   

Our best advice? Don’t do it! 

To get the right information at the right time, contact the Beauceron Security Team @ info@beauceronsecurity.com or 1-877-516-9245. 

5 questions journalists should be asking about the Capital One breach

Countless Capital One customers were left reeling this week upon learning that a huge data breach exposed their private information including credit scores, balances, and social insurance numbers. Just days ago the institution revealed that the personal data for more than 100 million credit applications and cards — including six million from Canada — were laid bare.   

Paige Thompson — who goes by the name “erratic” online — is alleged to have exploited a vulnerability in Capital One’s online credit card application, for apparently no reason other than to show that she could. Based on the evidence presented by the FBI in court documents, Thompson does not appear to be an experienced hacker, and even seemed to want to get caught, leaving her digital footprint and evidence everywhere. 

Reporters have come at this story from many angles, but here are a few questions the media haven’t yet addressed: 

1) How long has this vulnerability existed?

The focus of this breach has been on the hacker herself — who she is and how she operated — but we don’t know how long this security hole was open, and who else may have taken advantage of it, with what malicious intent. If a more sophisticated hacker had wanted to get their mitts on this data, they could easily have done so. Thompson is less the problem, and more a symptom.

2) Why are banks holding onto this decade-old data in the first place?

“Zombie data” — old data that’s considered dead to the company but that still lurks somewhere, waiting to be revived — is dangerous, and the data involved in this hack has been hanging around since possibly about 2005. There’s no good reason for a financial institution to hang onto years-old credit card applications after they’ve been approved or denied. Why was this info even there to be exploited?

3) Who knew what, and when?

The FBI documents say Capital One was notified July 17 of the breach, but the bank claims it only became aware of the breach on July 19. Why the discrepancy? Is it plausible that no one checked their email for a full two days? Beyond that, Capital One didn’t disclose the breach to customers until July 29 — well after their July 18 second-quarter meeting. What happened during that week and a half? Based on the FBI documents, this doesn’t seem like it took terribly long to figure out what went wrong and who did it.

4) What kind of fine are they facing in Canada?

When the notorious Equifax breach came to light, Canada gave them little more than a slap on the wrist, instead of imposing tough penalties that would force other institutions to take notice and action. According to our country’s new Digital Privacy Act, fines for this type of privacy breach can be up to $100,000. We still don’t know whether the fine will be applied or the government will dole out another freebie.

5) Why aren’t banks required to provide better security tools to their customers?

Multi-factor authentication, for example. The government should regulate banks’ safety tools to remove the option of choosing convenience for the customer over security. If every bank has the same privacy measures in place, our national cybersecurity will see real improvements, so why are governments not acting on this? Requiring banks to offer more advanced security — in a similar, standardized way with a defined date — will end the standoff that exists where the banks are too afraid of losing customers to another institution due to the perceived inconvenience of things such as MFA.

While these breaches are scary — and becoming more common all the time — if we push for legal change and aim to protect our personal data, we can stop hackers in their tracks.  

To learn more about protecting your identity at home or at work, contact the Beauceron Security Team @ info@beauceronsecurity.com or 1-877-516-9245. 

5 reasons FaceApp should give you worry lines

By now you’ve probably seen plenty of old versions of your friends’ faces pop up on social media. FaceApp is so popular that in just a few days the app has managed to collect the faces of more than 150 million people from around the world!  

Why are people so eager to snap and upload that selfie? Well, it’s fun and interesting to see these scarily accurate “future” faces. And Canadians still presume that laws and technological checks and balances are in place to protect their data.  

Really, though, it’s the Wild West on the internet, and once you surrender your information, you can't get it back.  

Here are our top 5 reasons to skip FaceApp: 

1) Your face is a biometric 

What are biometrics? They're physical or behavioural characteristics that are unique to you and are used to identify you: fingerprints, retina or iris scans, gait recognition (the way you walk) or voice recognition.

Increasingly we use our faces to unlock our phones and to access services, and we're tracked by our faces through airport and other surveillance systems, so the potential for loss or abuse of biometric data is huge. Unlike a password, a face can't be changed once it leaks.

2) The app is based in Russia 

The data is stored on Russian servers and is subject to Russian laws. This means Russian state intelligence agencies could gather this info. Remember when they tried to access Tinder users’ data? With FaceApp, users have already agreed to that data collection simply by creating an account and uploading a photo. 

3) They’re capturing your web browsing history 

FaceApp's privacy policy gives it the right to log data about your browsing, and that collection continues until you uninstall the app. Yikks isn't the word; yikes!

4) Not to mention your location 

That location data can be used to pinpoint your whereabouts and target you with hyper-specific ads...and to gain insight into demographic trends for who knows what purpose. 

5) Your data could be stored indefinitely and used for reasons you can’t predict 

For example, this amazingly diverse data set could be used to train mass surveillance systems. It sounds far-fetched, but photos uploaded to Flickr and social media sites have already been scarfed up and used to teach A.I.s without people’s consent.  

Why should FaceApp be any different? 

If you've already downloaded the app, you should uninstall it ASAP, and make sure that you always read the terms of service before hopping on board with the newest trend. Remember that when you don't pay for an app or service, you're not the customer: you're the product.

The onus is on the individual to protect sensitive information.  

To learn more about protecting your identity at home or at work, contact the Beauceron Security Team @ info@beauceronsecurity.com or 1-877-516-9245. 

5 terms you need to know heading into election season

What do you get when you cross the internet and social media with the decline of traditional media? A democracy vulnerable to election interference!

On the internet, any group or person can present themselves as anyone else, and all information is accorded equal value. On social media, info — accurate or otherwise — is shared rapidly, and there is little regard for long-established media entities that are accountable to their audiences.  

This environment is ripe for manipulation of data and of minds. 

In October, Canada heads into a federal election. The best defense against election interference is an educated citizenry. To help you separate fact from fiction, we’re setting straight a few of the terms around data manipulation that are often used interchangeably or incorrectly.  

Hacking elections is rarely about messing with the vote count. It’s about messing with voters’ thoughts before they go to the ballot box. 

ELECTION INTERFERENCE OR MEDDLING

Meddling in elections takes many forms. For example, well before the American election of 2016, Russians created fake Christian websites and Facebook groups, built huge audiences over time, gained their trust, and as the election approached, the content pushed out from these sources became more and more political and began to sway the beliefs held by followers about parties and candidates. It’s social engineering — psychological manipulation of people into performing actions or divulging information — and it works!

DISINFORMATION

Disinformation is deceptively placed information. It has to do with intent to deceive. It’s a lie. 

Let’s say the Russians decided to meddle in Canada’s affairs, as with the U.S. They could pick on the Conservative Party, for instance, and create a series of fake emails, that when discovered would generate a massive media controversy.  

The problem is that once a lie or propaganda is out there, it’s tough to get back — bad ideas and controversy spread quicker and with greater impact than the truth. 

MISINFORMATION

It sounds similar, but it’s quite different: misinformation is mistakenly placed information.  

Recall how often you’ve seen friends share a questionable article on social media believing it to be valid: it may be false, but if they have a wide enough social media “reach,” that wrong data snowballs, to be viewed by thousands of people.  

It’s dangerous because anyone can fall victim to it; even if they don’t mean to, innocent people can inadvertently harm the democratic process.  

SATIRE/PARODY

The prevalence of satirical news and parody sites has exploded in recent years, and because the stories tend to mimic "real" news, though in a humorous fashion, they dupe plenty of people who don't read beyond headlines. These kinds of stories spread like wildfire as more and more people share them online, many believing them to be true.

The intent of the story may be to mock authority, to skewer politicians, but if audiences aren’t careful, they can end up believing a narrative that’s way off base.  

FAKE NEWS

Finally, we have fake news, a term that’s been bandied about especially by U.S. President Donald Trump, who uses it to label and denounce practically any article or information he doesn’t like. 

It’s not the same as satire, because, again, of the intent — it’s news or data purposely doctored to appear other than it is. Think of “deepfake” videos intended to trick as many people as possible — or of news articles from unreliable sources made to seem legitimate.  

This boils down to checking your sources; when in doubt, find out where the information came from. If it’s political material, find out straight from candidates what their policies are and put more trust in established Canadian media. Above all, be careful about what you like, click and share online, because your social reputation has a huge impact on what your friends think about politics. 

To get the right information at the right time, contact the Beauceron Security Team @ info@beauceronsecurity.com or 1-877-516-9245. 

One of the Top 20 Most Influential Women in Cybersecurity joins Beauceron Advisory Board

Partnership with Dr. Jessica Barker, Cygenta puts Beauceron Security on global stage 

Fredericton, July 8, 2019 - Beauceron Security is honoured to announce its newest advisor, Dr. Jessica Barker, Co-CEO and Head of Socio-Technical at Cygenta.

Named as one of the top 20 most influential women in cybersecurity in the UK and awarded as one of the UK’s Tech Women 50 in 2017, Dr. Barker is an expert in the human nature of cybersecurity. 

With a background in sociology and civic design, Dr. Barker engages international organizations and audiences in conversations about cybersecurity threats, social engineering, the psychology of fear and cybersecurity and the language of cybersecurity.  

“People are at the heart of cybersecurity and this has been more apparent than ever in the last few years. As an industry, we have focused too much, for too long, on technology, which has left people more vulnerable to becoming the target of cybercrime. Social engineering attacks are the biggest threat to most organizations and the key to mitigating these is to address cybersecurity awareness, behaviour and culture in a meaningful way” – Dr. Jessica Barker.  

With a shared interest in the people, process and culture that supports behaviour change, Dr. Barker will provide a wealth of knowledge to Beauceron’s advisory board. Beauceron will also be partnering with Cygenta, combining their in-depth content and knowledge to better serve clients around the world. 

“I’m thrilled to have had the chance to get to know Dr. Barker over the past year and now to have the opportunity to work with her as well as Cygenta’s Co-CEO and Head of Ethical Hacking F.C. I'm excited about combining Cygenta’s expertise with the technology we’ve built to help even more people globally tackle the human side of cybersecurity,” said Beauceron CEO David Shipley.  

Dr. Barker is joining industry leaders and experts who bring decades of experience in technology, security and building scaling start-ups to Beauceron's advisory board.  

  • Jerry Carr, Chief Technology Officer, Introhive, previous Senior Vice President Engineering with Salesforce and former CTO of Radian6.  

  • David Alston, Entrepreneur in Residence for the New Brunswick Government, former CMO for Radian6 and a Forbes Top 50 CMO in social media. 

  • Kurt Lee – Cybersecurity industry veteran who has held a variety of executive positions at ArcSight, Q1Labs, NetWitness, and RSA over the past 20 years.  

“We're extraordinarily fortunate to have the advisors we've gathered to date to help us build our firm’s global reach and impact,” said Shipley.  

To learn more about how Beauceron can support your organization empower people and reduce cyber risk, visit us online at www.beauceronsecurity.com or send an email to info@beauceronsecurity.com. 

To learn more about Dr. Jessica Barker, visit www.cygenta.co.uk.

Media Contact

Kassi Clifford

Director of Marketing, Beauceron Security

kassi.clifford@beauceronsecurity.com

1-877-516-9245

Don't click that strange Google Calendar invite — it may be a phish!

Even the most cyber-savvy among us may be persuaded to click a link in a phishing email if it looks like it’s from Google. Why? Because we trust Google. We use Google for email, for road trip directions, we use it to store files, to catch up on the news, to find a cool photo. It has become so much more than a search engine.  

Owing to that familiarity, the latest scam involving Google is insidious indeed. Malicious links are dropped into your Google Calendar — you don't even need to click anything in an email to fall victim. 

How the scam works

Kaspersky Lab, the multinational cybersecurity firm, uncovered the con and has researched how it plays out.

Basically, scammers send meeting or event invites from a prepared email list to large numbers of Google Calendar users. They exploit a default calendar setting, which automatically adds any invitation to your calendar and sends you a notification about it, to plant their own events in your schedule without your ever opening an email.

The event could be called something like "There's a money transfer in your name," with a link in the event body. Even if you decline it, the calendar will keep reminding you about it, upping the chances you'll eventually click through and be convinced to fill out a harmful form with your personal or card information.

It’s profitable because of the sheer number of emails criminals can send out with fraudulent invites and events. The scam’s success rate is high — the notifications and calendar entries both appear to come from Google, which helps ease users’ suspicions.  

How to avoid it without scrapping your Google Calendar

Once you’re aware it exists, it’s easy to get on top of this scam. 

A couple of simple steps to take: 

  • Protect yourself through the app itself by going to Google Calendar’s settings on a desktop, and going to “Event Settings > Automatically Add Invitations.” From there, select “No, only show invitations to which I’ve responded.” 

  • Under “View Options,” uncheck “Show declined events.” That way phishy events won’t continue to pop up after you’ve already declined them. 
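The settings above stop the invites from being auto-added, but they still arrive in your mailbox, and the same lure can reach you through any calendar client that honours invites. The following is an added example, not code from Kaspersky, Google or the original post, of the triage logic a mail gateway or a sceptical user could run over an incoming invite: it parses a constructed iCalendar (.ics) invite in the shape of the scam described above and flags events whose organizer is outside a set of trusted domains, whose text links to an untrusted host, or whose wording matches the money-transfer lure. The trusted-domain list, the lure phrases and the sample invite itself are assumptions made for the demo.

```python
import re
from urllib.parse import urlparse

# Constructed sample invite in the shape of the scam (not a real capture).
# The DESCRIPTION line is "folded" with a leading space, as RFC 5545 allows,
# which is why a naive line-by-line reader would miss part of the URL.
SAMPLE_ICS = """BEGIN:VCALENDAR
VERSION:2.0
BEGIN:VEVENT
UID:1@example.invalid
ORGANIZER;CN=Support:mailto:notify@promo-alerts.example
SUMMARY:There's a money transfer in your name
DESCRIPTION:Confirm your details to receive the funds: http://promo-alert
 s.example/claim?id=4321
DTSTART:20190701T090000Z
END:VEVENT
BEGIN:VEVENT
UID:2@example.invalid
ORGANIZER;CN=Alice:mailto:alice@example.com
SUMMARY:Weekly sync
DESCRIPTION:Agenda in shared doc.
DTSTART:20190702T150000Z
END:VEVENT
END:VCALENDAR
"""

TRUSTED_DOMAINS = {"example.com"}   # assumption: your organisation / known contacts
LURE_WORDS = ("money transfer", "in your name", "confirm your details", "prize")
URL_RE = re.compile(r"https?://\S+")


def unfold(text):
    """Join RFC 5545 folded continuation lines back onto their property line."""
    lines = []
    for raw in text.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_events(text):
    """Return a list of dicts, one per VEVENT, keyed by property name
    (parameters such as ;CN=... are dropped, values kept verbatim)."""
    events, cur = [], None
    for line in unfold(text):
        if line == "BEGIN:VEVENT":
            cur = {}
        elif line == "END:VEVENT":
            events.append(cur)
            cur = None
        elif cur is not None and ":" in line:
            name, value = line.split(":", 1)
            cur[name.split(";")[0]] = value
    return events


def organizer_domain(value):
    addr = value.lower().replace("mailto:", "")
    return addr.rsplit("@", 1)[-1] if "@" in addr else ""


def triage(text):
    """Flag suspicious invites; returns [(uid, [reasons...]), ...]."""
    findings = []
    for ev in parse_events(text):
        reasons = []
        dom = organizer_domain(ev.get("ORGANIZER", ""))
        if dom not in TRUSTED_DOMAINS:
            reasons.append(f"organizer domain {dom!r} not trusted")
        body = f"{ev.get('SUMMARY', '')} {ev.get('DESCRIPTION', '')}"
        for url in URL_RE.findall(body):
            host = urlparse(url).hostname or ""
            if host not in TRUSTED_DOMAINS:
                reasons.append(f"link to untrusted host {host!r}")
        if any(w in body.lower() for w in LURE_WORDS):
            reasons.append("lure wording in summary/description")
        if reasons:
            findings.append((ev.get("UID"), reasons))
    return findings


if __name__ == "__main__":
    for uid, reasons in triage(SAMPLE_ICS):
        print(uid, "->", "; ".join(reasons))
```

Only the first event is flagged, on all three counts; Alice's weekly sync from a trusted domain with no link passes. The organizer check matters most in practice: an unknown sender who can put an event on your calendar without you accepting anything is exactly the condition the setting change above removes.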

Cybercriminals are always on the lookout for new victims and innovative ways to scam them out of their money or data. But staying informed and alert can go a long way in mitigating risk.  

To figure out how your team/organization can reduce cyber risk, reach out to the Beauceron Security Team @ info@beauceronsecurity.com or 1-877-516-9245. 

Insider threat: When a company data breach comes from within

There's one kind of cybersecurity breach that's among the hardest to defend against, and that's when the weak link is operating within the organization.

Most breaches we hear about in the news pertain to external threats. International criminals hack into servers, hold data hostage, or release sensitive information to the public. These outside forces use tactics such as phishing to penetrate the organization with intent to do harm. 

But just as damaging: someone who — for whatever reason — decides to bring down a company from the inside. 

Data danger at Desjardins

On Thursday Desjardins Group in Quebec announced that a former employee shared the personal info of 2.9 million members with third parties outside the organization, including names, phone numbers, dates of birth, email addresses, social insurance numbers and banking habits: in short, everything a criminal would need to commit identity theft, and more.

This breach is huge, affecting 40 per cent of Desjardins’ members. Desjardins is offering to pay for credit monitoring as well as a year’s worth of identity theft insurance for those affected, but it’s hard to know whether this will be enough to ensure no fraudsters take advantage of the situation. 

Manipulation based on trust

This kind of action is a bit like going undercover, except that instead of investigating illegal activity as the police do, the goal is to commit crimes by building relationships and earning the trust of peers. The accused ex-employee, whose name has not been released, was a valued Desjardins employee who already had access to the kinds of information needed to do major damage. According to Desjardins, the employee also used a technique known as social engineering to convince colleagues to pull records he had no right to access.

To “social engineer” is to manipulate people psychologically into performing actions or divulging private information. The former employee used social engineering for malevolent ends, ultimately betraying their employer in the worst way possible. This is so hard to prevent because human nature is to suspect strangers rather than friends or colleagues of wrongdoing.  

To avoid falling victim, companies should reinforce the importance of data privacy and ramp up cybersecurity training, including covering the many ways people use social engineering: by phone, by email, by text or, as in this case, in person. That way, employees are less likely to be manipulated in the first place. Limiting each role's access to the records it actually needs, and logging who pulls which records, also caps how much a single insider can carry out before being noticed.

How can individuals protect their privacy?

If you’re a Desjardins member whose data was compromised, and even if you’re not, here's how to protect yourself against identity fraud: 

  • Take advantage of credit monitoring offered by Desjardins and other credit monitoring services. This basically alerts you to changes in your credit report and indicates possible signs of identity fraud such as a new account being opened in your name. 

  • Lock down your digital identity and your accounts: stop reusing passwords (create a new, long one for every site and store them in a password manager); enable two-factor authentication wherever possible; and be vigilant about emails you receive, particularly if they're about the Desjardins breach itself, because phishers will be looking to exploit the fear surrounding this juicy news item.

  • Pay close attention to transactions not only on your Desjardins accounts, but any financial transactions, because SINs, birth dates, and banking habits were potentially exposed, and these are the keys to the kingdom when it comes to identity theft. 

To learn more about protecting your identity at home or at work, contact the Beauceron Security Team @info@beauceronsecurity.com or 1-877-516-9245. 

Cities: sitting ducks for cyberterrorists

What is ransomware, and why should I care?

Ransomware is a kind of malicious software (malware) that criminals use to deny access to data or computer systems until a ransom is paid.  

You should care because cities are a major target for ransomware attacks, and cities also happen to be the level of government people interact with most and the one that most affects our day-to-day lives. If cities suffer, so do individuals.

Why are hackers targeting cities?

Municipalities are enticing for a few reasons: their IT departments are small to non-existent; their employees usually aren’t trained in avoiding phishing emails and other common avenues for attacks; they don’t have the resources that higher levels of government do to prevent and combat attacks; and because many of their systems are so specialized — such as parking and payroll — patching and keeping software up-to-date is seen as more hassle than it’s worth.

Is online extortion rare?

Short answer: No! Stratford, ON is just the latest in a string of small Canadian cities forced to pay hefty ransoms (we’re talking hundreds of thousands of dollars) to criminals who hold important public data hostage. On April 14, part of Stratford’s server system was hijacked, locking out some municipal employees. The police chief confirmed it was a ransomware attack, and the hackers wanted to be paid in bitcoin.  

Stratford Mayor Dan Mathieson said it’s a common occurrence, and that if mayors across the country don’t band together to deal with the ransomware problem, more communities could be hit.  

What will it take for cities to ramp up their security?

Cities who fall victim tend to point the finger at other levels of government or talk about their lack of resourcing without taking any real action. It makes sense that cities are overwhelmed — these attackers are international and organized, and police or RCMP often don’t have the time or resources to help.  

Unless there’s a disruption in essential services like sewage, water and power, it’s going to be tough for these towns to take the problem seriously.  

What can cities do about it?

Municipalities can be proactive about their cybersecurity by: 

1) Using standard security controls such as antivirus, firewalls and good digital identity controls such as two-factor authentication — but being aware that these can’t catch all sophisticated attacks. 
 
2) Teaching people what a cyberattack looks like and how to report it. Beauceron works with municipalities around the world, and security education has a dramatic impact. With proper training, we’ve seen the rate of clicking on links in phishing emails drop from as high as 34% to as low as 5%.  
 
3) Building resiliency — many organizations under-invest in IT and neglect cyberattack “fire drills,” leaving themselves wide open to hacking. Cities should be strengthening their IT teams and prepping for worst-case scenarios by practising cyber incident response plans.  

It’s open season on municipalities, but together we can protect ourselves against ransomware attacks! 

To figure out how your team/organization can reduce cyber risk, reach out to the Beauceron Security Team @ info@beauceronsecurity.com or 1-877-516-9245.