Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Latest News

Bengaluru Man Arrested for Exploiting Woman in Online Interview

  Panaji: In a disturbing cybercrime case, the Goa Cyber Crime Police arrested a Bengaluru resident, Mohan Raj V, for allegedly cyberbullyi...

All the recent news you need to know
Punjab Police
Break Up Cyber Attacks Cyber Scammers CyberCrime Cybersecurity Cyberthreats Punjab Police

Punjab Police Break Up Two Scam Call Centers, Arrest 155 Suspects

 


Over the past 24 hours, Punjab police have busted two fake call centres based in Mohali operating under the cybercrime division. People settling in foreign countries were targeted by the illegal units operating from Industrial Area Phase-7 and Phase-8B by offering "maintenance services" for computers and electronic items, before tricking them into sending online payments into their bank accounts to get the money. The Cyber Crime Division of the Punjab Police broke up two fake call centres that had been running in Mohali over the past two days in an overnight operation. 

According to the Punjab Police, over 155 employees of these call centres were arrested over the weekend. According to the police, the accused made fraudulent calls to individuals living in the United States (US). Those fake call centres were both located in Sector 74 in Mohali and are being operated by Gujarat-based kingpins who are currently evading arrest. As a result of the police investigation, they are being hunted for. 

Punjab Director General of Police (DGP) Gaurav Yadav confirmed that he had initiated preliminary investigations that showed fake call centres operating during the nighttime and using the callers to dupe foreign nationals into purchasing gift cards from companies such as Target, Apple, Amazon, etc. A team manager used to collect the gift cards and share them with the kingpins. He added that the kingpins then used the gift cards to redeem them. 

Following the arrest of 155 employees working as dialers, closes, bankers and floor managers at these centres on the intervening night of Tuesday and Wednesday, the DGP said he had zeroed in on the locations, and teams raided and searched both centres on Tuesday and Wednesday night. A press conference was held in which V Neeraja, the ADGP Cyber Crime, stated that “Integration inputs about fake call centres were developed by Inspector Gaganpreet Singh and Inspector Daljit Singh as well as their team in conjunction with assistance from the Digital Investigation Training and Analysis Center (DITAC) lab of cybercrime, with technical assistance from the DIAC lab. 

A police team headed by DSP Prabhjot Kaur raided the fake call centres under the supervision of SP Cybercrime Jashandeep Singh and the supervision of SP Cybercrime Jashandeep Singh after identifying the locations. According to police officials, the scammers employed various methods of operating, including claiming low-interest loans that were fake, even if their credit scores were poor, and charging money for them. It is believed that the kingpins manipulated customers by asking them to buy gift cards to be able to get a loan, which was then redeemed immediately. 

The three primary methods that the callers used to dupe gullible Americans living in the United States could be described as follows: It was mostly carried out using phone calls to Americans with low credit scores by offering them loans with low interest rates. To facilitate the loan process, the callers would require the victims to buy gift cards to get the loans approved. The kingpin would redeem a victim's gift card at the moment when he noticed that the victim had bought a gift card from him. 

The purpose of payday is to allow people to transfer money overseas through a payment platform. To carry out this project, the perpetrators will pose as representatives of Amazon on the phone to scare their victims. As a result, the callers would claim that the parcel they ordered contained illegal items, and the federal police would be informed as soon as the parcel was delivered. For the scammers to cancel the order, they would then ask for money through some cash app or the purchase of an Amazon gift card through one of their scam apps. 

Using a separate phone call for confirmation, the person would pretend to be a banker and would indicate how much money is to be paid and what account number has to be used for the payment. Gift cards are often also asked to be purchased by victims so that they can receive compensation. The Punjab Police have successfully dismantled two major fraudulent call centres, resulting in the arrest of 155 employees. These individuals were involved in a complex scam operation wherein they shared the numbers on gift cards with their partners in the United States, who would immediately redeem them. 

The illicitly obtained money was subsequently transferred to the kingpins in India through the Hawala system. According to police reports, brokers played a pivotal role in providing customer information and data to these fake call centres. The centres then used specialized software to data mine and identify target groups for their fraudulent calls. The arrested individuals occupied various roles within the operation, including dialers, closers, bankers, and floor managers. 

The Additional Director General of Police (ADGP) reported that law enforcement teams confiscated 79 desktop computers, 204 laptops, mobile phones, and other accessories, as well as scripts used for training employees on how to communicate with potential victims. Neeraja, an official involved in the operation, disclosed that out of the 155 individuals arrested, 18 have been placed on police remand while the remaining suspects have been sent to judicial remand. She also noted that the investigation is ongoing to determine the full extent of the fraud committed, with additional arrests anticipated shortly. 

 An FIR has been registered under multiple sections of the Indian Penal Code (IPC) and the Information Technology (IT) Act. The charges include Section 419 (cheating by impersonation), Section 420 (cheating), Section 467 (forgery of valuable security), Section 468 (forgery for cheating), Section 471 (using as genuine a forged document), and Section 120-B (criminal conspiracy) of the IPC, along with Sections 66C and 66D of the IT Act. This FIR has been lodged at the State Cyber Crime Cell Police Station, underscoring the severity and scale of the operation.
Read more »
Vermont
Data Legislation Data Privacy Laws internet privacy Privacy Vermont

Vermont’s Data Privacy Law Sparks State Lawmaker Alliance Against Tech Lobbyists

Vermont’s Data Privacy Law Sparks State Lawmaker Alliance Against Tech Lobbyists

Vermont legislators recently disregarded national trends by passing the strictest state law protecting online data privacy — and they did so by using an unusual approach designed to avoid industrial pressure.

The Vermont Data Privacy Law: An Overview

Right to Sue: Under the law, Vermont residents can directly sue companies that collect or share their sensitive data without their consent. This provision is a departure from the usual regulatory approach, which relies on government agencies to enforce privacy rules.

Sensitive Data Definition: The law defines sensitive data broadly, encompassing not only personally identifiable information (PII) but also health-related data, biometric information, and geolocation data.

Transparency Requirements: Companies must be transparent about their data practices. They are required to disclose what data they collect, how it is used, and whether it is shared with third parties.

Opt-In Consent: Companies must obtain explicit consent from users before collecting or sharing their sensitive data. This opt-in approach puts control back in the hands of consumers.

Lawmakers collaborated with counterparts from other states 

The bill allows Vermont individuals to sue firms directly for gathering or distributing sensitive data without their permission. As they crafted and finished it, lawmakers used a counter-business strategy: they gathered lawmakers from Maine to Oklahoma who had previously fought wars with the internet industry and asked for guidance.

The Vermont scenario is a rare but dramatic exception to a growing national trend: with little action from Congress, the responsibility of regulating technology has shifted to the states. This sets state lawmakers, who frequently have limited staff and part-time occupations, against big national lobbies with corporate and political influence.

It's unclear whether Vermont's new strategy will work: Republican Gov. Phil Scott has yet to sign the bill, and lawmakers and industry are still arguing about it.

However, national consumer advocacy groups are already turning to Vermont as a possible model for lawmakers hoping to impose severe state tech restrictions throughout the country – a struggle that states have mostly lost up to this point.

The State Lawmaker Alliance

Vermont’s data privacy law has galvanized state lawmakers across the country. Here’s why:

Grassroots Playbook: Lawmakers collaborated with counterparts from other states to create a “grassroots playbook.” This playbook outlines strategies for passing similar legislation elsewhere. By sharing insights and tactics, they hope to create a united front against tech industry lobbying.

Pushback Against Industry Pressure: Tech lobbyists have historically opposed stringent privacy regulations. Vermont’s law represents a bold move, and lawmakers anticipate pushback from industry giants. However, the alliance aims to stand firm and protect consumers’ rights.

Potential Model for Other States: If Vermont successfully implements its data privacy law, other states may follow suit. The alliance hopes to create a domino effect, encouraging more states to prioritize consumer privacy.

Lobbying at its best

The fight for privacy legislation has been fought in states since 2018 when California became the first to implement a comprehensive data privacy law.

In March 2024, Vermont's House of Representatives began debating a state privacy law that would allow residents the right to sue firms for privacy infractions and limit the amount of data that businesses may collect on their customers. Local businesses and national groups warned that the plan would destroy the industry, but the House passed it overwhelmingly.

The bill was then sent to the state Senate, where it was met with further support from local businesses.

The CFO of Vermont outdoor outfitter Orvis wrote to state legislators saying limiting data collecting would "put Vermont businesses at a significant if not crippling disadvantage."

A spokesman for Orvis stated that the corporation did not collaborate with tech sector groups opposing Vermont's privacy measure.

On April 12, the Vermont Chamber of Commerce informed its members that it had met with state senators and that they had "improved the bill to ensure strong consumer protections that do not put an undue burden on Vermont businesses."

Priestley expressed concern about the pressure in an interview. It reminded her of L.L. Bean's significant resistance to Maine's privacy legislation. She discovered similar industry attacks against state privacy rules in Maryland, Montana, Oklahoma, and Kentucky. She invited politicians from all five states to discuss their experiences to demonstrate this trend to her colleagues.

Industry Response

The out-of-state legislators described how local firms mirrored tech industry groupings. They recounted a flood of amendment requests to weaken the plans and how lobbyists turned to the opposing parliamentary chambers when a strong bill got through the House or Senate.

Predictably, tech companies and industry associations have expressed concerns. They argue that a patchwork of state laws could hinder innovation and create compliance challenges. Some argue for a federal approach to data privacy, emphasizing consistency across all states.

Read more »
security alerts
Cyber Security cybersecurity risks data security decentralized framework edge computing IoT vulnerabilities Network Security security alerts

Top Cybersecurity Risks in Edge Computing : Here's All You Need to Know

 

Managing a large number of endpoints poses considerable challenges, especially in handling security logs. Over half of chief information security officers find the volume of daily alerts overwhelming, and monitoring a decentralized framework further heightens cybersecurity risks.

Currently, 56% of security professionals dedicate at least 20% of their workday to reviewing and addressing security alerts. Moving storage and processing to the network's edge is likely to increase daily alerts, raising the risk of missing critical threats and wasting time on false positives.

1.Data Vulnerabilities
Securing every IoT device in a decentralized setup is less practical than in a centralized data center. Data at the edge is more susceptible to man-in-the-middle and ransomware attacks, such as sniffing attacks where unencrypted data is intercepted. Edge devices often lack the processing power for robust encryption, and encrypting data can slow down operations, conflicting with edge technology's primary goal.

2.Expanded Attack Surface
Edge computing, aimed at reducing latency, increasing bandwidth, and improving performance, requires placing devices near the network's edge, expanding the attack surface. Each device becomes a potential entry point for attackers. Research shows AI outperforms humans in this area, with one study noting an algorithm achieving a 99.6% recall rate for high-priority notifications and a 0.001% false positive rate, which is significant given the typical volume of alerts.

3.Device and User Authentication
Authenticating edge devices is crucial to ensure each endpoint is verified before accessing networks, preventing compromised machines from connecting and helping trace unusual activity back to specific devices.

4. Encrypting Network Traffic
While encryption is essential for cybersecurity, it can be too resource-intensive for widespread use in edge computing. To mitigate this, data classification should be employed to prioritize which endpoints and data require encryption. Encrypting data both at rest and in transit, using suitable key sizes, can balance security and performance. Edge computing's appeal lies in its ability to enable low-latency, high-efficiency, real-time operations by moving storage and processing to the network's boundary. However, this shift from centralized data centers comes with significant cybersecurity concerns.

Major Cybersecurity Risks of Edge Computing

Despite its benefits, edge computing brings five primary cybersecurity risks.

1. IoT-specific vulnerabilities: Internet-connected devices are prone to man-in-the-middle attacks and botnets due to limited built-in security controls. In 2022, IoT attacks surpassed 112 million, up from 32 million in 2018, posing significant risks as encryption is resource-intensive and often insufficiently supported by these devices. The process of encrypting data also slows operations, countering the primary advantage of edge technology.

2. Expansive attack surface: To reduce latency, increase bandwidth, and improve performance, edge devices must be placed near the network's edge, expanding the attack surface. Each device becomes a potential entry point for attackers.

3. New budget limitations: Edge computing's complexity requires substantial investments in telecommunications and IT infrastructure. Even with a significant upfront investment, maintenance and labor costs can strain budgets, leaving less room for handling failures, recovery, or deploying additional defenses.

Mitigation Strategies for Edge Computing Risks

Strategic planning and investments can help overcome numerous cybersecurity risks associated with edge computing.

1. Utilize authentication controls: Multi-factor authentication, one-time passcodes, and biometrics can prevent unauthorized access, reducing the risk of data breaches caused by human error, which accounts for 27% of such incidents.

2. Deploy an intrusion detection AI: A purpose-built intrusion detection system using deep learning algorithms can recognize and classify unknown attack patterns and cyber threats. Such AI can manage most endpoints without integration into each one, offering scalability and ease of deployment, making it ideal for edge computing environments.
Read more »
UK Firm
Cyber Fraud Deepfakes Engineering Giant Threat Landscape UK Firm

Engineering Giant Arup Falls Victim to £20m Deepfake Video Scam

 

The 78-year-old London-based architecture and design company Arup has a lot of accolades. With more than 18,000 employees spread over 34 offices worldwide, its accomplishments include designing the renowned Sydney Opera House and Manchester's Etihad Stadium. Currently, it is engaged in building the La Sagrada Familia construction in Spain. It is now the most recent victim of a deepfake scam that has cost millions of dollars. 

Earlier this year, CNN Business reported that an employee at Arup's Hong Kong office was duped into a video chat with deepfakes of the company's CFO and other employees. After dismissing his initial reservations, the employee eventually sent $25.6 million (200 million Hong Kong dollars) to the scammers over 15 transactions.

He later realised he had been duped after checking with the design company's U.K. headquarters. The ordeal lasted a week, from when the employee was notified to when the company started looking into the matter. 

“We can confirm that fake voices and images were used,” a spokesperson at Arup told a local media outlet. “Our financial stability and business operations were not affected and none of our internal systems were compromised.” 

Seeing is no longer the same as believing 

The list of recent high-profile targets involving fake images, videos, or audio recordings intended to defame persons has risen with Arup's deepfake encounter. Fraudsters are targeting everyone in their path, whether it's well-known people like Drake and Taylor Swift, companies like the advertising agency WPP, or a regular school principal. An official at the cryptocurrency exchange Binance disclosed two years ago that fraudsters had created a "hologram" of him in order to get access to project teams. 

Because of how realistic the deepfakes appear, they have been successful in defrauding innocent victims. Deepfakes, such as the well-known one mimicking Pope Francis, can go viral and become difficult to manage disinformation when shared on the internet. The latter is particularly troubling since it has the potential to sway voters during a period when several countries are holding elections. 

Attempts to defraud businesses have increased dramatically, with everything from phishing schemes to WhatsApp voice cloning, Arup's chief information officer Rob Greig told Fortune. “This is an industry, business and social issue, and I hope our experience can help raise awareness of the increasing sophistication and evolving techniques of bad actors,” he stated. 

Deepfakes are getting more sophisticated, just like other tech tools. That means firms must stay up to date on the latest threat and novel ways to deal with them. Although deepfakes might appear incredibly realistic, there are ways to detect them. 

The most effective approach is to simply ask a person on a video conference to turn—if the camera struggles to get the whole of their profile or the face becomes deformed it's probably worth investigating. Sometimes asking someone to use a different light source or pick up a pencil can assist expose deepfakes.
Read more »
Technology
Advanced Technology AI Models AI technology Artifcial Intelligence communication Dutch Language Model Technology

Teaching AI Sarcasm: The Next Frontier in Human-Machine Communication

In a remarkable breakthrough, a team of university researchers in the Netherlands has developed an artificial intelligence (AI) platform capable of recognizing sarcasm. According to a report from The Guardian, the findings were presented at a meeting of the Acoustical Society of America and the Canadian Acoustical Association in Ottawa, Canada. During the event, Ph.D. student Xiyuan Gao detailed how the research team utilized video clips, text, and audio content from popular American sitcoms such as "Friends" and "The Big Bang Theory" to train a neural network. 

The foundation of this innovative work is a database known as the Multimodal Sarcasm Detection Dataset (MUStARD). This dataset, annotated by a separate research team from the U.S. and Singapore, includes labels indicating the presence of sarcasm in various pieces of content. By leveraging this annotated dataset, the Dutch research team aimed to construct a robust sarcasm detection model. 

After extensive training using the MUStARD dataset, the researchers achieved an impressive accuracy rate. The AI model could detect sarcasm in previously unlabeled exchanges nearly 75% of the time. Further developments in the lab, including the use of synthetic data, have reportedly improved this accuracy even more, although these findings are yet to be published. 

One of the key figures in this project, Matt Coler from the University of Groningen's speech technology lab, expressed excitement about the team's progress. "We are able to recognize sarcasm in a reliable way, and we're eager to grow that," Coler told The Guardian. "We want to see how far we can push it." Shekhar Nayak, another member of the research team, highlighted the practical applications of their findings. 

By detecting sarcasm, AI assistants could better interact with human users, identifying negativity or hostility in speech. This capability could significantly enhance the user experience by allowing AI to respond more appropriately to human emotions and tones. Gao emphasized that integrating visual cues into the AI tool's training data could further enhance its effectiveness. By incorporating facial expressions such as raised eyebrows or smirks, the AI could become even more adept at recognizing sarcasm. 

The scenes from sitcoms used to train the AI model included notable examples, such as a scene from "The Big Bang Theory" where Sheldon observes Leonard's failed attempt to escape a locked room, and a "Friends" scene where Chandler, Joey, Ross, and Rachel unenthusiastically assemble furniture. These diverse scenarios provided a rich source of sarcastic interactions for the AI to learn from. The research team's work builds on similar efforts by other organizations. 

For instance, the U.S. Department of Defense's Defense Advanced Research Projects Agency (DARPA) has also explored AI sarcasm detection. Using DARPA's SocialSim program, researchers from the University of Central Florida developed an AI model that could classify sarcasm in social media posts and text messages. This model achieved near-perfect sarcasm detection on a major Twitter benchmark dataset. DARPA's work underscores the broader significance of accurately detecting sarcasm. 

"Knowing when sarcasm is being used is valuable for teaching models what human communication looks like and subsequently simulating the future course of online content," DARPA noted in a 2021 report. The advancements made by the University of Groningen team mark a significant step forward in AI's ability to understand and interpret human communication. 

As AI continues to evolve, the integration of sarcasm detection could play a crucial role in developing more nuanced and responsive AI systems. This progress not only enhances human-AI interaction but also opens new avenues for AI applications in various fields, from customer service to mental health support.

Read more »
XDR Firm
CISO Cyber Security IBM Palo Alto Networks Software XDR Firm

IBM's Exit from Cybersecurity Software Shakes the Industry


 

In an unexpected move that has disrupted the cybersecurity equilibrium, IBM has announced its exit from the cybersecurity software market by selling its QRadar SaaS portfolio to Palo Alto Networks. This development has left many Chief Information Security Officers (CISOs) rethinking their procurement strategies and vendor relationships as they work to rebuild their Security Operations Centers (SOCs).

IBM's QRadar Suite: A Brief Overview

The QRadar Suite, rolled out by IBM in 2023, included a comprehensive set of cloud-native security tools such as endpoint detection and response (EDR), extended detection and response (XDR), managed detection and response (MDR), and key components for log management, including security information and event management (SIEM) and security orchestration, automation, and response (SOAR) platforms. The suite was recently expanded to include on-premises versions based on Red Hat OpenShift, with plans for integrating AI capabilities through IBM's Watsonx AI platform.

The agreement, expected to close by the end of September, also designates IBM Consulting as a "preferred managed security services provider (MSSP)" for Palo Alto Networks customers. This partnership will see the two companies sharing a joint SOC, potentially benefiting customers looking for integrated security solutions.

Palo Alto Networks has assured that feature updates and critical fixes will continue for on-premises QRadar installations. However, the long-term support for these on-premises solutions remains uncertain.

Customer Impact and Reactions

The sudden divestiture has taken the cybersecurity community by surprise, particularly given IBM's significant investment in transforming QRadar into a cloud-native platform. Eric Parizo, managing principal analyst at Omdia, noted the unexpected nature of this move, highlighting the substantial resources IBM had dedicated to QRadar's development.

Customers now face a critical decision: migrate to Palo Alto's Cortex XSIAM platform or explore other alternatives. Omdia's research indicates that IBM's QRadar was the third-largest next-generation SIEM provider, trailing only Microsoft and Splunk (now part of Cisco). The sudden shift has left many customers seeking clarity and solutions.

Market Dynamics

This acquisition comes at a pivotal time in the cybersecurity industry, with SIEM, SOAR, and XDR technologies increasingly converging into unified SOC platforms. Major players like AWS, Microsoft, Google, CrowdStrike, Cisco, and Palo Alto Networks are leading this trend. Just before IBM's announcement, Exabeam and LogRhythm revealed their merger plans, aiming to combine their SIEM and user and entity behaviour analytics (UEBA) capabilities.

Forrester principal analyst Allie Mellen pointed out that IBM's QRadar lacked a fully-fledged XDR offering, focusing more on EDR. This gap might have influenced IBM's decision to divest QRadar.

For Palo Alto Networks, acquiring QRadar represents a significant boost. The company plans to integrate QRadar's capabilities with its Cortex XSIAM platform, known for its automation and MDR features. While Palo Alto Networks has made rapid advancements with Cortex XSIAM, analysts like Parizo believe it still lacks the maturity and robustness of IBM's QRadar.

Palo Alto Networks intends to offer free migration paths to its Cortex XSIAM for existing QRadar SaaS customers, with IBM providing over 1,000 security consultants to assist with the transition. This free migration option will also extend to "qualified" on-premises QRadar customers.

The long-term prospects for QRadar SaaS under Palo Alto Networks remain unclear. Analysts suggest that the acquisition aims to capture QRadar's customer base rather than sustain the product. As contractual obligations expire, customers will likely need to transition to Cortex XSIAM or consider alternative vendors.

A notable aspect of the agreement is the incorporation of IBM's Watsonx AI into Cortex XSIAM, which will enhance its Precision AI tools. Gartner's Avivah Litan highlighted IBM's strong AI capabilities, suggesting that this partnership could benefit both companies.

In conclusion, IBM's exit from the cybersecurity software market marks a paradigm shift, prompting customers to reevaluate their security strategies. As Palo Alto Networks integrates QRadar into its offerings, the industry will closely watch how this transition unfolds and its impact.




Read more »
Transparency
Cyber Security Data Breaches Financial Institutions SEC Regulations Transparency

Financial Institutions Now Required to Disclose Breaches Within 30 Days

Financial Institutions Now Required to Disclose Breaches Within 30 Days

The 30-Day Deadline

The Securities and Exchange Commission (SEC) is demanding financial institutions to report security vulnerabilities within 30 days of discovering them.

Why the Change?

On Wednesday, the SEC adopted revisions to Regulation S-P, which controls how consumers' personal information is handled. The revisions require institutions to tell individuals whose personal information has been compromised "as soon as practicable, but no later than 30 days" after discovering of illegal network access or use of consumer data. The new criteria will apply to broker-dealers (including financing portals), investment businesses, licensed investment advisers, and transfer agents.

"Over the last 24 years, the nature, scale, and impact of data breaches has transformed substantially. These amendments to Regulation S-P will make critical updates to a rule first adopted in 2000 and help protect the privacy of customers’ financial data. The basic idea for covered firms is if you’ve got a breach, then you’ve got to notify. That’s good for the investor,” said SEC Chair Gary Gensler. 

Challenges and Compliance

Notifications must describe the occurrence, what information was compromised, and how impacted individuals can protect themselves. In what appears to be a loophole in the regulations, covered institutions are not required to provide alerts if they can demonstrate that the personal information was not used in a way that caused "substantial harm or inconvenience" or is unlikely to do so.

The revisions compel covered institutions to "develop, implement, and maintain written policies and procedures" that are "reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information." The amendments include:

The standards also increase the extent of nonpublic personal information protected beyond what the firm gathers. The new restrictions will also apply to personal information received from another financial institution.

SEC Commissioner Hester M. Peirce expressed concern that the new regulations could go too far.

Best Practices

"Today’s Regulation S-P modernization will help covered institutions appropriately prioritize safeguarding customer information," she said. "Customers will be notified promptly when their information has been compromised so they can take steps to protect themselves, like changing passwords or keeping a closer eye on credit scores. My reservations stem from the rule's breadth and the likelihood that it will spawn more consumer notices than are helpful."

Regulation S-P has not been substantially modified since its adoption in 2000.

Last year, the SEC enacted new laws requiring publicly traded businesses to disclose security breaches that have materially affected or are reasonably projected to damage business, strategy, or financial results or conditions.

Read more »
Subscribe to: Posts (Atom)