Expert(s):
Digital Security and Operations Managerfeature_status*/ ?>
The Media Trust

Comments Dotted : 4
September 20, 2019

Experts Comments On Magecart Attack On Hotel Websites Through The Supply Chain
The only way to protect users is to know who’s providing what code and what that code does to users.
Managing the digital supply chain is difficult because it requires the right tools and expertise. When third party code suppliers deliver code to users through browser and not through a tool that the website publisher/owner uses, the owner has little control of what happens and can't monitor when something's afoot. If a third party provides or supports the web application, iframes will fall victim to attack. The only way to protect users is to know who’s providing what code and what that code .....Read More
Managing the digital supply chain is difficult because it requires the right tools and expertise. When third party code suppliers deliver code to users through browser and not through a tool that the website publisher/owner uses, the owner has little control of what happens and can't monitor when something's afoot. If a third party provides or supports the web application, iframes will fall victim to attack. The only way to protect users is to know who’s providing what code and what that code does to users.  Read Less
September 02, 2019

Google Finds ‘Indiscriminate iPhone Attack Lasting Years’
The notion that only you can access your device is far from the truth.
The identification of these exploits targeting iOS devices prove that even products designed from the ground up to protect your privacy aren’t 100% secure. The notion that only you can access your device is far from the truth. Your device and the apps that run on it are supported by many third-parties who can potentially access your behavioral and personal information, from how many steps you’ve taken this morning to where you bought your coffee to which article you read on which online.....Read More
The identification of these exploits targeting iOS devices prove that even products designed from the ground up to protect your privacy aren’t 100% secure. The notion that only you can access your device is far from the truth. Your device and the apps that run on it are supported by many third-parties who can potentially access your behavioral and personal information, from how many steps you’ve taken this morning to where you bought your coffee to which article you read on which online publication. That’s just three of the many things you did this morning; it doesn’t include your location even with your GPS off, the credit card balance you paid off, and what pictures you IM’d to whom. This is today’s surveillance economy made possible by the digital ecosystem’s growing presence—with our unmindful consent--in our daily lives. And in this economy, the only way we can restore our privacy is for manufacturers, developers, online publishers, adtech/martech, data management providers, and everyone else in between, to work together on setting higher privacy and security standards that should include knowing who all their digital third parties are, what these third parties are doing and for what purpose, and uprooting these third parties from the digital ecosystem when they violate digital policies.  Read Less
August 22, 2019

PokerTracker.com Hacked To Inject Payment Card Stealing Script
Developers use CSPs to enforce a white list of resources that a client browser can load resources from and sites that can interact with their site.
The hacking of a popular site and software reveals the growing popularity of combining two attack methods: (1) compromising websites that use outdated versions of their content management platforms and (2) injecting credit card skimmers on to the page. Bad actors know too well the vulnerabilities of web content platforms. And, even when those platforms release new versions to address vulnerabilities, website operators often neglect making the needed updates. While the site has made.....Read More
The hacking of a popular site and software reveals the growing popularity of combining two attack methods: (1) compromising websites that use outdated versions of their content management platforms and (2) injecting credit card skimmers on to the page. Bad actors know too well the vulnerabilities of web content platforms. And, even when those platforms release new versions to address vulnerabilities, website operators often neglect making the needed updates. While the site has made improvements to the Content Security Policy (CSP), this move has its limits. Developers use CSPs to enforce a white list of resources that a client browser can load resources from and sites that can interact with their site. However, such a list does not take into account the unknown third-party scripts these resources and sites bring in and allow to run on the site. Operators should therefore monitor the site for all scripts that run, in order to ensure that only those that they have authorized are able to execute. Doing so will note only address security, but also privacy issues at a time when data privacy laws are being enacted across the country and around the world.  Read Less
August 12, 2019

Researchers Finding Election Systems Open To The Internet
Our digital elections system doesn’t have a single point of failure.
Our digital elections system doesn’t have a single point of failure—it has many - largely because the system appears to have been designed without prioritizing security and privacy. What’s most disturbing is that even as vendors claim the system isn’t connected to the internet, they provide documents that show otherwise. In addition, there’s the potential for configuration problems—an all too frequent error--USB drives infected with malware, brute force attacks to get around.....Read More
Our digital elections system doesn’t have a single point of failure—it has many - largely because the system appears to have been designed without prioritizing security and privacy. What’s most disturbing is that even as vendors claim the system isn’t connected to the internet, they provide documents that show otherwise. In addition, there’s the potential for configuration problems—an all too frequent error--USB drives infected with malware, brute force attacks to get around passwords, firewalls with unpatched software, outdated server software, no oversight of how well vendors install the system, configuration for transmitting election results not certified by Election Assistance Commission (EAC) although one wonders what good that would do if they don't have cybersecurity experts to alert them when something's afoot. Another significant problem is that state and local governments suffer from chronic budget cuts that prevent it from putting more stringent security measures in place and thoroughly vetting machines before putting them to use and in so doing, exposing these systems—not to mention voters--to sustained attacks from bad actors and nation-state adversaries.  Read Less