
Mark Bower
Senior Vice President
comforte AG
Comments Dotted: 11
August 20, 2020
Breaches like this fuel the attacks to people that open more doors to much more valuable data.
Breaches like this fuel the attacks to people that open more doors to much more valuable data. Given the prevalence of work-from-home right now, it’s not surprising to see data like this circulating. Specific personal data enables more effective spearphishing to attack an enterprise with higher risk, higher value data. The bottom line here is enterprises need to be both protecting their own personal data to neutralize it from risk of theft and scraping, and ensuring employees don’t become the...

July 13, 2020
Organizations facing the dilemma of amassing sensitive data to run, compete and grow business must take first-line defense strategies.
This is a welcome move, and while critical to help recover funds stolen from US businesses and interests, especially smaller entities that can be decimated by direct financial attack, it will not be a full deterrent or defense against well-funded organized crime and nation-state attackers. The lure of data theft, identity and financial crime and economic influence through distributed and coordinated attackers capable of operating in jurisdictions outside of the US is great as evidenced by the...

June 24, 2020
Aside from human error, it illustrates the frailty of modern, dynamic environments to some configurations leading to possible catastrophe.
The likely culprit here is human error, but it illustrates the frailty of modern, dynamic environments to just one or two configurations that can lead to potential catastrophe. While the data exposed here is limited in nature, it’s a timely reminder that organizations capturing personal data need to examine the complete data lifecycle risks and implement protective and operational controls that limit its exposure end to end.

May 28, 2020
Bank Of America Admits Paycheck Protection Program Data Breach – Enterprise Security Expert Comments
The missing piece here that could have saved the day was using de-identified data during the test run to avoid regulated data exposure.
It goes to show that even the best prepared organizations can suffer breach risks in the rush to changing marketing conditions or harsh deadlines like SBA loan processing. The missing piece here that could have saved the day was using de-identified data during the test run to avoid regulated data exposure. De-identifying data can be as simple as transforming it with technologies like tokenization to a neutralized form that can still drive the application in production or test, but not expose it...

May 22, 2020
Hashed MD5 passwords aren’t difficult to brute force.
It looks like security and privacy have been an afterthought, not a matter of culture and software development process. If the passwords are hashed with MD5, then the users affected should be immediately making sure their IDs and passwords aren’t used elsewhere with the same password. MD5 is a goner as far as security is concerned but used by mistaken developers unfamiliar with its security risks, or using older code libraries using MD5. Hashed MD5 passwords aren’t difficult to brute...

May 19, 2020
When storing critically sensitive data, security and privacy must always be at the front of the discussion.
All indications are that this was an accidental software issue, but such incidents can be the cause of massive breaches of trust as well as data. Given the critical need for data security for businesses and people in stressed economic times, organizations establishing new services should really take a look at more modern, snap-in data tokenization technology to modernize their approach to data collection.
When storing critically sensitive data, security and privacy must always be at the front...

May 19, 2020
The report shows the Great Digital Train Robbery is alive and well.
The report shows the Great Digital Train Robbery is alive and well. External, multi-faceted and industrialized hacking continues to pepper large enterprises at 72% of overall victims. It’s no surprise that web application patterns, around 45% of attacks, expose technology services firms, retail, financial and insurance services and professional services most to compromise. They are the highest aggregators of highly sensitive data with substantial 3rd party data sharing risk.
Personal data...

May 07, 2020
The Australian government COVID-19 apps downloaded by 3 million people so far collect more personal data.
The COVID app situation is a classic case of balancing risk and benefits, which is exactly what CISOs do 24 hours a day. The infection tracing methods published by Google and Apple appear reasonable and well grounded, with sound cryptographic methods to de-risk data using rolling cryptographically ‘tokenized’ Bluetooth pseudorandom identifiers vs actual personal data – the data is also in constant time-based change.
The architecture is tuned to COVID19’s characteristics too, for...

May 05, 2020
There are new data security methods that are ideal for dynamic edge telemetry systems and online analytic platforms.
Tesla always push boundaries of driverless technology, so it’s quite unexpected to hear of data leakage of personal data from automotive components like this, especially those at the edge of powerful online network systems that drive modern intelligent vehicles. The question on my mind is, could Tesla avoid personal data storage like this using modern data-centric security technology? Very probably. There are new data security methods that are ideal for dynamic edge telemetry systems and...

April 22, 2020
Have best practices like data-centric security been traded-off to launch quickly?
It’s clear that prioritizing services to save vulnerable small businesses in a pandemic is a priority, but this exposure begs more questions about application data handling risk. Have best practices like data-centric security been traded-off to launch quickly, leading to further exposure and attack down the line? The last thing these businesses need is their identity data abuse cascading to deeper economic injury risk.
Attackers are smart, following the money, and the path of least...
