NIST Releases Draft Report for IoT Cybersecurity Standards The National Institute of Standards and Technology (NIST) released a draft report that aims to provide adequate Internet-of-Things (IoT) international #cybersecurity standards for federal agencies and private industry to adhere to. NIST is seeking public feedback on the draft through April 18th.


NIST Working on Global IoT Cybersecurity Standards

SecurityWeek | By Kevin Townsend

NIST is Working Towards International Cybersecurity Standards for the Internet of Things With Draft Interagency Report (NISTIR) 8200

The Internet of Things (IoT) is here and growing. It has the potential to facilitate or obstruct the further evolution of the Fourth Industrial Revolution; largely depending upon whether it is used or abused. Its abusers will be the same criminal and aggressor state actors that currently abuse information systems. But while there are standards and frameworks for defending information networks against aggressors, there are no adequate international standards for securing the internet of things. In April 2017, the Interagency International Cybersecurity Standardization Working Group (IICS WG) — established by the National Security Council’s Cyber Interagency Policy Committee (NSC Cyber IPC) — set up an Internet of Things (IoT) Task Group to determine the current state of international cybersecurity standards development for IoT.

NIST has now published the draft NISTIR document: The Status of International Cybersecurity Standardization for IoT. It is intended to assist the member agencies of the IICS WG Task Group “in their standards planning and to help to coordinate U.S. government participation in international cybersecurity standardization for IoT.” NIST is seeking feedback, especially on the information about the state of cybersecurity standardization for IoT, at NISTIR-8200@nist.gov by April 18.

The scope of securing the IoT is a mammoth task. To aid the understanding of this scope, NIST describes the IoT in five separate functional areas: connected vehicles; consumer IoT; health and medical devices; smart buildings; and smart manufacturing (including ICS). There are nuanced differences between securing these functional areas and traditional cybersecurity. While security has traditionally prioritized confidentiality, integrity and availability (CIA) in that order of priority, for the most part ‘availability’ is the priority for IoT devices.

Consumer IoT is one area that may be different, with the traditional need for confidentiality (as in privacy) still dominant. Patient privacy is also a consideration for medical devices. But, “In addition to data privacy and patient safety”, comments Jun Du, Senior Director and Architect at ZingBox, “we must also put a heavy focus on ensuring uninterrupted service of medical devices. A cyber-attack can bring down the entire hospital by disrupting their service delivery, putting patient lives at risk.” This is the fundamental difference between traditional information security and IoT security — it is closer to OT than to IT. “The objectives of confidentiality, integrity and availability altogether focus on information security rather than IoT security,” adds Du. “When it comes to IoT security, availability of the device is more relevant to business operations than just the security of information. We should focus on availability first, then look at confidentiality and integrity.”

Even in consumer IoT, there is an operational element. Many of the threat vectors are similar between IoT and information networks, but the effects of a successful attack could be more dramatic. The biggest problem for IoT devices, comments Drew Koenig, security solutions architect at Magenic, “are IoT devices that limit or prevent updating and patching. That’s the killer; a zero day — and the only solution is to replace your fridge before someone hacks it and floods your kitchen.”

That metaphor traverses NIST’s five IoT functional areas: crashed cars, flooded kitchens and locked doors, malfunctioning heart pacemakers, stuck elevators and power failures, and failing production lines. To get the IICS WG Task Group started in its work to discover the current state of international IoT standardization, the NISTIR 8200 compiles a table of potentially relevant existing standards separated into eleven core cybersecurity areas. These areas range from cryptographic techniques and cyber incident management, through IAM and network security, to supply chain risk management and system security engineering. Each one of these core cybersecurity areas will present its own IoT-specific difficulties.

For example, Du comments, “While encryption is a highly recommended security trend, it isn’t without its drawbacks. Encryption can hide valuable details needed by various teams including security researchers, incident response teams, and security vendors in addition to hiding them from hackers. Insider threats may also attempt to leverage end-to-end encryption to evade detection. In order to protect against these risks, IoT vendors should provide limited visibility through exportation of logs, session stats and meta data information.”

A wide range of existing and potentially relevant standards are mapped against these core areas, providing links to the standard, the standard developing organization (SDO), and a description of the standard. It becomes the raw material for a gap analysis between existing and necessary standards. Such an analysis is also provided, mapping standards to the core areas across the five functions. Only ‘cryptographic techniques’ and ‘IAM’ have available standards applicable to four of the five categories; but always with the rider that there is slow uptake of these standards.

The fifth and missing category is medical IoT, which fares worst of all the five categories for existing applicable standards. However, the two core areas of ‘IT system security evaluation’ and ‘network security’ have no available standards applicable to any of the five IoT categories. In reality, the entire gap analysis makes depressing viewing: there are no core areas that have standards adequately adopted in any of the five IoT categories. Even where there are standards, uptake is slow. Missing from this draft document is any standard that requires the ability for firmware updates within the IoT device build. This may be because there is no existing standard that attempts this. Where ‘patching’ is mentioned in the draft NISTIR document, it is solely for patch management, or remediation where patching is not possible.

“This document is a good start,” comments Koenig. The reality, however, is that it will be a long time before any serious benefit comes from the work. He sees two areas of primary concern. The first is a lack of regulation. NIST doesn’t regulate the private sector, although its recommendations can be required for the public sector. Even if this work eventually leads to IoT standards recommendations, it will require separate legislation to enforce the recommendations across the private sector. That still won’t necessarily address the manufacture of overseas-sourced devices, or the assembly of devices with multiple foreign components. Without regulation over device manufacture and development, Koenig’s second big concern comes into play: “IoT devices that limit or prevent updating and patching. That’s the killer,” he says.

But even with regulation controlling the manufacture of IoT devices, that still won’t necessarily solve the problems. Steve Lentz, CSO and director of information security at Samsung Research America, has always believed that security teams need to do their own ‘due diligence’ on products and processes, and not rely on what they are told by vendors. He suspects that standards and regulations “will bring out vendors claiming to provide IoT security. Again, this is where security teams need to do their due diligence and really check/test out these claims,” he warns. “IoT is also Wi-Fi, which is now everywhere. We need to ensure the complete work infrastructure is secure, not just the traditional network defenses.

“We need to ensure we thoroughly research solutions that fit our environments,” he continued. “The government can give oversight and make recommendations, but we need to find the solution that works best for us.”

Justice Dept. Launches #CyberTaskForce to Review Elections Attorney General Jeff Sessions is creating a cyber task force to evaluate attempts to interfere with U.S. elections. It is believed the task force will be comprised of representatives from various Justice Department offices, as well as outside law enforcement and #federal agencies. InfoSec Insights Team.


Sessions Creates Cyber Task Force to Study Election Interference

The Hill | By Olivia Beavers

The Justice Department is creating a cyber-digital task force to examine outside attempts to interfere with U.S. elections, Attorney General Jeff Sessions announced Tuesday.

“At the Department of Justice, we take these threats seriously. That is why today I am ordering the creation of a Cyber-Digital Task Force to advise me on the most effective ways that this Department can confront these threats and keep the American people safe,” Sessions said in a statement. Sessions said Deputy Attorney General Rod Rosenstein will name a senior department official to chair the task force. The effort will seek to “canvass the many ways that the Department is combatting the global cyber threat” as well as “identify how federal law enforcement can more effectively accomplish its mission in this vital and evolving area,” according to the press release.

The task force will be in charge of looking into a broad range of efforts in which outside actors sought to interfere. It is tasked with providing a report on its findings at the end of June.

“The Internet has given us amazing new tools that help us work, communicate, and participate in our economy, but these tools can also be exploited by criminals, terrorists, and enemy governments,” Sessions added. The new task force comes shortly after special counsel Robert Mueller charged 13 Russian nationals and three Russian companies on Friday with attempting to sow discord and interfere in the country’s presidential election by waging “information warfare.”

President Trump spent the weekend tweeting that the grand jury’s indictment vindicates him in the federal Russia probe because this particular set of charges did not point to collusion between Trump campaign aides and Russians. Trump in particular seized on the fact that the indictment accuses the Russians of beginning such efforts in 2014, before he had officially thrown his hat in the ring.

“Russia started their anti-US campaign in 2014, long before I announced that I would run for President. The results of the election were not impacted. The Trump campaign did nothing wrong – no collusion!” Trump tweeted shortly after the indictment became public.

But Trump’s critics pointed to Mueller’s indictment detailing the Russians’ sophisticated operation. The eight-count indictment also includes the explosive allegation that some defendants, who masqueraded as politically active Americans, had contact with “unwitting individuals associated with the Trump campaign” and others. The cyber force will bring together representatives from a wide range of DOJ offices along with outside law enforcement and federal agencies, depending on the direction of Rosenstein.

The announcement also comes amid growing calls on Capitol Hill to prioritize election security ahead of the approaching midterms.


Equifax breach exposed more than previously thought. The Equifax breach may have exposed more personal information of customers than previously thought.


The Equifax hack could be worse than we thought. By Donna Borak and Kathryn Vasel

WASHINGTON (CNNMoney) — The Equifax breach may have exposed more personal information of customers than previously thought.

Additional information, including tax IDs and driver’s license details, may have been accessed in a hack that affected 145.5 million customers, according to confidential documents Equifax provided to the Senate Banking Committee seen by CNN.

The disclosure follows Equifax’s original announcement of the breach in September, which compromised sensitive data like names, date of birth, Social Security numbers and home addresses.

In its original announcement of the hack, the company had revealed that some driver’s license numbers were exposed. The new documents show that the license state and issue date might have also been compromised.

Equifax spokesperson Meredith Griffanti told CNNMoney Friday that the original list of vulnerable personal information was never intended to represent the full list of potentially exposed information.

The new documents now raise questions of how much information hackers may have accessed in Equifax’s cyber attack.

In its response to lawmakers, Equifax said the pieces of information compiled are “not exhaustive,” but represent common personal information that hackers usually search for.

Criminals can use personal information like this to open bank accounts and lines of credit, like a credit card or mortgage, without the victim’s knowledge.

“The more information scammers have about you, the easier it is for them to impersonate you,” said Lauren Saunders, associate director at the National Consumer Law Center. “And the easier it is for them to get by the protocols that banks and others use to make sure they are dealing with the right individual.”

The unauthorized access occurred from May through July 2017. The hackers exploited a website application vulnerability to gain access to the files, according to the company.

Apple #AirPod smokes, then blows up, report says. A Florida man says one of his Apple AirPods started smoking as he was working out at a St. Petersburg gym.


Apple AirPod smokes, then blows up | By Caitlin McGarry | Tom’s Guide

Jason Colon didn’t actually see his AirPod burst into flame, because he took the device out of his ear and left it on a piece of gym equipment to seek help. But when Colon returned, the AirPod had popped open, and char marks turned parts of the white plastic grey.
“I didn’t see it happen, but, I mean, it was already fried,” Colon told local television station WFLA TV.

WFLA reached out to Apple after Colon told his story. An Apple spokesperson told the station that the company is investigating the situation.

This is the first time AirPods have made headlines for exploding, so it doesn’t appear to be a widespread issue. A search of Apple’s support forums turned up two reports of AirPods growing warm or hot after 30 minutes of use.

Personally, I have owned a pair of AirPods for more than a year and have worn them daily without any sign of battery issues. But devices with lithium-ion batteries have been known to explode in the past.

Samsung’s Galaxy Note 7 is a prime example — the company had to recall its flagship smartphone altogether after multiple devices blew up. Apple’s AirPods have three lithium-ion batteries: one in each earbud, and another in the charging case.

FY2019 Budget Sees Cyber Funding Boost, Research Cuts. President Trump’s recently revealed budget for fiscal year 2019 increases #cybersecurity funding across the government, but also includes significant cuts in funding for #cyber #research.


Trump’s 2019 Budget Boosts Cyber Spending but Cuts Research

Nextgov | By Joseph Marks

President Donald Trump’s 2019 fiscal year budget request boosts cybersecurity funding by about 4 percent across the government, including significant hikes at the Homeland Security Department and Pentagon.

The overall increase includes even larger cyber funding spikes at key agencies, including a 23 percent jump at the Energy Department, a 33 percent jump at the Nuclear Regulatory Commission and a 16 percent hike at the Veterans Affairs Department. The budget, however, includes a massive cut of 18 percent to the government’s main cyber standards organization, the National Institute of Standards and Technology. That cut comes as NIST is working on an update to its cybersecurity framework, which is now mandatory for all federal agencies.

The budget also marks a major shift for cyber research and development funding inside the Homeland Security Department. Cyber research was formerly housed primarily in the department’s Science and Technology Directorate. Going forward, that funding, which totals $41 million in the president’s budget request, will be inside the cyber and infrastructure protection division—called the National Protection and Programs Directorate, or NPPD. The move is another blow for the Science and Technology Directorate, which has faced significant budget cuts since the start of the Trump administration.

The shift was made so “operators on the ground have influence over research and development,” a senior administration official said during a press call. The cyber and infrastructure protection division will work closely with the science and technology division on research priorities, the official said. The budget also calls for a small spike in government-wide information technology spending.

The president’s budget request is as much an ideological document as a budgeting one. The request lays out the executive branch’s funding priorities, but those numbers are only a rough starting point when Congress begins its own budgeting process, and they’re often ignored entirely.

Funding Hikes at Homeland Security and Defense

Homeland Security cyber spending overall will stay roughly flat at about $1.72 billion.

The cyber division of the department’s cyber and infrastructure protection wing, however, will get a 7 percent spike from $665 million in the 2018 fiscal year to $712 million this year.

In addition to protecting federal civilian government computer networks, that division is also helping states secure their election systems against cyberattacks.

The budget includes $238 million for Homeland Security’s continuous diagnostics and mitigation program, which delivers a suite of cybersecurity tools to federal agencies and will eventually track federal computer systems on a government-wide dashboard. That’s down from $279 million in last year’s request.

The budget commits $407 million for a government-wide intrusion detection program called Einstein. That’s up from $397 million in last year’s request.

At the Pentagon, total cyber funding jumps to $8.5 billion in this year’s request, a 4.2 percent hike over the prior year.

That jump comes as U.S. Cyber Command, which was elevated last year to a unified combatant command, is in the process of reaching full operational capability.

The budget released Monday also:

  • Includes $8 million for the White House Office of Management and Budget’s cybersecurity oversight responsibilities, down from $19 million last year.
  • Includes $25 million for a cybersecurity enhancements account at the Treasury Department, which will help upgrade high-value Treasury computer systems that rely on outdated technology. The fund will also help the department respond more nimbly to cyber incidents. Overall cyber funding at Treasury will drop from about $529 million last year to $500 this year.
  • Raises funding for the Justice Department’s national security division, which prosecutes cyber crimes, from $95 million to $101 million. Overall Justice Department cyber funding is at $721 million, up from $704 million last year but down from $735 during the final year of the Obama administration.
  • Includes $10 million for cyber upgrades at the Transportation Department.
  • Hikes Veterans Affairs Department cyber funding 16 percent from $360 million last year to $418 million this year.
  • Raises cyber funding at the Office of Personnel Management 18 percent, from about $39 million to about $46 million.
  • Hikes Nuclear Regulatory Commission cyber funding 33 percent, from about $24 million to about $32 million.
  • Hikes Energy Department cyber funding 23 percent, from about $379 million to about $465 million.

Microsoft is trying to kill passwords. It can’t happen soon enough. Microsoft called passwords a “relic from the early days of computing” that “has long outlived its usefulness.”


Los Angeles Times

Microsoft Corp. is trying to kill the password, and it’s about time. This month, the company said the next test version of its stripped-down Windows 10 S operating system will strip out passwords too, by default. If you go through setup as recommended, you’ll never get a password option.

But killing the password altogether will take more work and time — and the problem may get worse before it gets better.

That’s a shame. Passwords are the bane of modern digital existence. On a big-picture level, insecure passwords cause an estimated 80% of breaches, according to a 2017 report from Verizon. On a human level, they’re paralyzing; right when you need to access your utility bill, you can’t remember if you replaced the “a” with a 4 or an @ symbol. Or when, say, a missile alert has gone out to your entire state and you can’t find your password to give an all-clear.

Passwords have amassed their share of enemies. Microsoft’s latest move follows pushes from Apple, Google and others to shake up the old passcode and password system with fingerprint scans, face scans or temporary codes. There’s no question passwords aren’t adapting to a modern age. “It’s quite clear to us, that the era of the password is passing. Based on the significant amount of accounts that now exist, it doesn’t scale as a system,” said William Beer, a principal at business management consultancy EY.

Microsoft has been waging a war on passwords for a while. Like others, it has poured effort into other types of authentication, namely biometric scans of your face or fingerprints — it introduced facial recognition unlocking for Windows PCs in 2015. It also has built a smartphone app to provide an ever-changing code to act as your password.

“This relic from the early days of computing has long outlived its usefulness, and certainly, its ability to keep criminals at bay,” an official blog post from Microsoft said in December.

Now Microsoft is edging even closer to pushing passwords off a cliff, at least in its lighter version of Windows — though not every feature that gets tested in early versions of operating systems makes it to consumers.

But we don’t have a lot of time to work on a slow revolution. The way we handle security is about to hit an even bigger test.

One reason passwords are awful is that there are so many of them. Dashlane, a password manager company, found in a survey of its own customers that they have an average of 130 accounts with passwords.

And password overload is poised to get worse before it gets better. Tech companies are pushing into more areas of our lives by giving “smarts” to any item that can accommodate a chip — toilets, cars, beds. Securing all of those gets messy, and it’s not remotely feasible to create a secure, unique password for every home appliance, even though those appliances collect very personal data.

Another big issue: Finding the perfect password is difficult, as it requires a unique balance of “easy to remember” and “hard to hack.” And since you need more than one password, you have to find that sweet spot over and over again. In the pursuit of safety, companies often require passwords to have a complex combination of capital letters, symbols and other requirements. But those requirements can actually cause people to reuse their complex passwords or refuse to change them once they’ve committed them to memory. In 2016, Britain’s National Cyber Security Centre recommended simplifying password requirements to encourage people to change them.

All of these issues point to a system that doesn’t work, and it makes sense for companies and people to get on the bandwagon to replace it.

Yet passwords linger like roaches in the corners of our digital lives. Alternatives such as fingerprint scans, retinal scans, voice recognition and other technologies can be hard for companies — particularly non-tech companies — to implement well. Those solutions are also imperfect, as some pairs of twins can tell you. If something requires new costs to implement and is still flawed, many companies may stick with the devil they know. (Even Microsoft is simply proposing getting rid of passwords, and only on a light version of Windows, instead of replacing them with another security alternative.)

Plus, even when companies offer something more, it’s often difficult for people to get used to a new routine, Beer said.

Changing habits will require more efforts such as Microsoft’s, and a slow introduction of different methods to change people’s habits. Beer said that many of the businesses he looks at are now at least combining the old username and password combination with something else — a fingerprint scan, voice print or temporary code for those cagey about sharing biometric info (or for companies unwilling or unable to secure it).

Ultimately, Beer said, the real path to killing the password is not technology, but education.

“We’re putting all the focus on technology and not thinking about explaining to people,” he said. “I would suggest that while technology is great, it needs to be accompanied by a significant awareness campaign to explain and support users as they go through these changes.”

Tsukayama writes for the Washington Post.

157 new emoji coming to #iOS, #Android . Are you ready for a ton of new emoji? If not, you better hurry to prepare yourself and your phone.


Kaya Yurieff | CNN

New year, new emoji.

The Unicode Consortium — a nonprofit that sets the global standard for emoji — announced on Wednesday 157 new emoji options would be coming later this year. The latest collection includes a cupcake, lobster, pirate flag and more expressive smiley faces.

Emoji will soon have a variety of new hairstyles, such as curly or bald, and more hair color options such as red and white.

There will also be more animals, such as a kangaroo, llama, swan and mosquito. More fun smiley faces include a “cold face” with dangling icicles, a partying face and a “woozy” emoji.

New superheroes and villains join the lineup, and popular activities like lacrosse, knitting, sewing and skateboarding are also represented.

After Unicode releases its guidelines, software makers such as Apple and Google design versions for their respective platforms. That’s why emoji on iPhones look different than those on Android phones.


The new emoji usually begin appearing on mobile phones later in the year. Apple typically previews its versions in June and releases them in the fall with the next iOS update. Android will release its emoji later this year. With the latest additions, the total number of approved emoji will reach 2,823. In recent years, Unicode has made a bigger effort to include more diverse skin tones, occupations and flags.


Dark Caracal Targets Thousands in Over 21 Countries. The Electronic Frontier Foundation and Lookout Security released a report detailing several active Dark Caracal #hacking campaigns that successfully targeted mobile devices of #military personnel, medical #professionals, #journalists, #activists, and others in over 21 countries.


Dark Caracal: Hackers Spied on Targets in Over 21 Countries and Stole Hundreds of Gigabytes of Data

International Business Times UK | By India Ashok

A new and massive cyberespionage campaign, believed to be the work of Lebanese hackers linked to Lebanese General Security Directorate (GDGS) in Beirut, has been uncovered.

A new report by the Electronic Frontier Foundation and Lookout Security revealed that the cyberespionage group, dubbed Dark Caracal, has conducted numerous attacks against thousands of targets in over 21 countries in North America, Europe, the Middle East, and Asia.

The hacker group successfully targeted mobile devices of military personnel, medical professionals, journalists, lawyers, activists and more. It has stolen hundreds of gigabytes of data, including photos, text messages, call records, audio recordings, contact information and more.

The cyberespionage group stole this massive trove of information using its custom-developed mobile spyware called Pallas. The spyware, which Lookout discovered in 2017, is found in malware-laced Android apps — knock-offs of popular apps like WhatsApp, Telegram and others that users downloaded from third-party online stores.

“People in the US, Canada, Germany, Lebanon, and France have been hit by Dark Caracal,” EFF director of Cybersecurity Eva Galperin said in a statement. “This is a very large, global campaign, focused on mobile devices. Mobile is the future of spying, because phones are full of so much data about a person’s day-to-day life.”

According to the report, Dark Caracal has been active in several different campaigns, running in parallel, with its backend infrastructure also having been used by other threat actors. For instance, Operation Manul, which according to the EFF targeted journalists, lawyers and dissidents of the Kazakhstan government, was launched using Dark Caracal’s infrastructure.

According to Galperin, the Dark Caracal group may be offering its spyware services to various clients, including governments, The Register reported.

Dark Caracal hackers also make use of other malware variants such as the Windows malware called Bandook RAT. The group also uses a previously unknown multi-platform malware dubbed CrossRAT by Lookout and EFF, which is capable of targeting Windows, Linux and OSX systems. The report states that the APT group also borrows or purchases hacking tools from other hackers on the dark web.

“Dark Caracal is part of a trend we’ve seen mounting over the past year whereby traditional APT actors are moving toward using mobile as a primary target platform,” said Mike Murray, VP of security intelligence at Lookout. “The Android threat we identified, as used by Dark Caracal, is one of the first globally active mobile APTs we have spoken publicly about.”

“One of the interesting things about this ongoing attack is that it doesn’t require a sophisticated or expensive exploit. Instead, all Dark Caracal needed was application permissions that users themselves granted when they downloaded the apps, not realizing that they contained malware,” said EFF staff technologist Cooper Quintin. “This research shows it’s not difficult to create a strategy allowing people and governments to spy on targets around the world.”

IRS warns tax preparers about a new refund scam. Only a few days into the tax-filing season, the #IRS is sounding an alarm about a new tax scam. Specifically, it’s warning #tax preparers to be on guard about the scam, which is aimed at stealing #taxpayers’ refunds by using data compromised in tax preparers’ offices. Kathy Kristof | CBS News | MSN


The agency said it has already received a number of fake tax returns that had accurate taxpayer names, addresses, Social Security numbers and even bank account information for the victims.

In an unusual twist, some bogus refunds were actually directed to the real taxpayers’ bank accounts, the agency said. A criminal, posing as a debt collector, then contacted the taxpayers saying the refunds had been sent in error and the victims should forward the money to the crook.

Because these fake returns contained all of the taxpayer’s correct information, down to the right number of dependents, the IRS believes the scam started in tax-preparation offices. The agency assumes that the data was compromised because some preparers were taken in by phishing scams that then loaded malicious software onto their computer systems, making all the taxpayer information that was kept by these preparers vulnerable to theft.

The IRS said it’s still in preliminary stages of investigating the con and can’t quantify how many people have been affected. But because this type of scam has a way of burgeoning overnight, the agency wanted to immediately warn preparers to secure their computer systems.

“Given the history that we have seen on scams like this, when these start, they tend to proliferate quickly,” said IRS spokesman Terry Lemons. “When a scam turns out to be successful, they tend to expand. We wanted to alert tax professionals to be on the lookout.”

Unfortunately for consumers — the ultimate victims of this con — those who find themselves hit by tax fraud have a far more difficult course than consumers whose credit card accounts have been stolen. In the latter case, consumers have a number of steps they can take to deter criminals from using that stolen information to open up new accounts.

In the former case, the first inkling that a taxpayer would get that they were victimized is when their electronically filed return gets rejected as a duplicate. At that point, in addition to reporting the fraud to the credit bureaus and the Federal Trade Commission, tax fraud victims need to fill out a special IRS form, 14039. The taxpayer’s 1040 must then be filed on paper, with the fraud affidavit attached to the front.
Be prepared that this will dramatically slow your refund. Lemons said the typical tax identity fraud takes roughly four months to investigate and resolve.

Since tax ID theft peaked in 2013, the IRS has taken a host of steps, including forming a security partnership with preparers and software companies, to stamp out tax return fraud. The agency has also launched a pilot program that has added 16-digit identifiers to some employers’ W-2 information. The agency hopes this will help it spot and stop identity thieves before they take off with taxpayer refunds.

These efforts have helped cut ID theft reports nearly in half over the past year.

“We have stepped up our defenses, and the private sector tax community has worked to strengthen their security too,” Lemons said.

Still, this newly discovered fraud is ominous and suggests that individual taxpayers should also be on guard.

Make sure that you keep updated security software on your home computer and ask any tax preparer you hire how your data is protected, Lemons suggested. If any of your W-2 forms contain the new 16-digit identifiers, also make sure to include that number on your tax return. That will help the IRS know the return truly came from you, not an identity crook.

#SID2018 Is the Internet Safer? Today is the annual Safer Internet Day, an effort to promote safer and responsible use of the internet and mobile phones that is celebrated by over 120 countries. Several cyber experts and companies weigh in on the dangers that younger internet browsers face, and how government, industry, parents, and others in the community can help reduce usage risks.

#SID2018: Is the Internet Safer?

Infosecurity Magazine | By Dan Raywood | February 6, 2018

Today is the annual Safer #InternetDay, when the reality of online threats is detailed in an effort to encourage users to take better safety steps online.

According to research released by the UK Safer Internet Centre, a study of 2000 eight- to 17-year-olds found that 11% had “felt worried or anxious on the internet,” while respondents had felt inspired (74%), excited (82%) or happy (89%) as a result of their internet use in the previous week.

This year’s event is using the slogan “Create, Connect and Share Respect: A better internet starts with you” with a strong emphasis on using the internet and what makes users feel good or bad. In a time where more is being done to deliver a safe experience online – including free SSL certificates, the launch of a new version of the TLS protocol and the ability to filter out certain words on Twitter – it does seem that more is being done to provide a safer and better experience for all online.

Margot James, Minister for Digital and the Creative Industries, said that the internet does have a positive effect on young people’s lives, but we must all recognize the dangers that can be found online. “Only by working together can government, industry, parents, schools and communities harness the power of the internet for good and reduce its risks.”

At the recent White Hat Ball, it was revealed that in 2017, there were over 12,000 counselling sessions in which children spoke to Childline about experiences of online sexual abuse, bullying and safety.

Will Gardner, a director of the UK Safer Internet Centre and CEO of Childnet, said: “Safer Internet Day gives us the unique opportunity to collectively promote respect and empathy online, inspire young people to harness their enthusiasm and creativity, and support them to build positive online experiences for everyone. It is #inspirational to see so many different organizations and individuals come together today to build a better internet.”

After all, a #safer #internet means more young people are encouraged to learn more about the internet and its workings, and therefore see the benefits of a career in cybersecurity.

Raj Samani, chief scientist and fellow at McAfee, said the reality is that we need to continue raising awareness for codes of best practice online. “Cyber-criminals are constantly on the lookout for slip ups and mistakes which allow them to access lucrative private data – from bank account details to medical history: consumers must be aware of the threats online – not least because the blurring of work life boundaries today means bad habits online can quickly slip into the office.”

As a result, Samani recommended that businesses should offer staff training to build up a strong security culture across their entire organization.

He added: “Implementing the right technology is vital but, at the end of the day, it’s about looking for a blended approach which suits your specific organization. This means finding the right combination of people, process and technology to effectively protect the organization’s data, detect any threats and, when targeted, rapidly correct systems.

“Safer Internet Day acts as a timely reminder for organizations to ensure the correct training is in place so staff can remain cyber-savvy online.”

To tie-in with the day, ENISA published the Cybersecurity Culture in Organizations report, in order to promote both the understanding and uptake of cybersecurity culture programs within organizations. ENISA said that a decent culture is achieved by:

• Setting #cybersecurity as a standing agenda item at board meetings to underline the importance of a robust cybersecurity culture

• Ensuring that employees are consulted and that their concerns regarding cybersecurity practices are considered by the cybersecurity culture working group

• Ensuring that business processes/strategies and cybersecurity processes/strategies are fully aligned

“While many organizations and employees are familiar with related concepts such as cybersecurity awareness and information security frameworks, cybersecurity culture covers a broader scope. The idea behind this concept is to make information security considerations an integral part of an employee’s daily life,” ENISA’s announcement said.

Part of this was to appreciate that “cyber threat awareness campaigns alone do not provide sufficient #protection against ever evolving cyber-attacks,” that technical cybersecurity measures need to be in accordance with other business processes, and that employees need to act as a strong human firewall against cyber-attacks.

A safer internet is better for all, although a cynic of such awareness days would suggest that there should be year-round awareness of the issues and part of developing a culture is the constant awareness. Regardless, some action is better than none and it is reassuring to see such positivity about internet usage in 2018.