
How Bird plans to blanket the world with electric scooters without going bankrupt


Photo by Justin Sullivan/Getty Images

Operating an electric scooter-sharing service is expensive and hard. The scooters break down, or they get vandalized or impounded by local law enforcement. Scaling that business globally, like Bird and Lime are trying to do, is even harder. Every scooter company today is operating at a loss, but Bird in particular has an interesting plan to spread the gospel of the scooter without going completely bankrupt.

It involves selling e-scooters to local entrepreneurs, providing them with advice and technical support to get started, letting them incur all the costs associated with maintenance and operations, and then taking a small percentage of each scooter trip. It’s called “Bird Platform,” which the company originally unveiled last November.

But what the Santa Monica-based startup didn’t say at the time was that Bird Platform would be targeted at aspiring scooter entrepreneurs who live in countries outside the US and Europe, where Bird operates its own branded scooter-sharing service. In this way Bird can inspire the creation of new scooter companies that won’t directly compete with its own service, as well as orchestrate the spread of e-scooters in cities around the world, without losing more money than it already is.

“It came out of a brainstorm around how do we take the mission to the world,” Bird CEO Travis VanderZanden told The Verge. “And so, we’re excited about that. We’re also excited because it… allows us to grow faster.”


Bird is planning to roll out Bird Platform in three initial markets: New Zealand, Canada, and Latin America. Local entrepreneurs can buy Bird’s e-scooters at cost, as well as access the company’s tools, products, and technology needed to manage a fleet of shared e-scooters. Bird will even fly in its own operations experts to help launch the business. And in exchange, the company will take 20 percent of each trip fare. Bird typically charges $1 to unlock a scooter, and then 15 cents per minute of riding. The average trip generates around $3.75 in revenue for the company, though presumably Bird Platform users would set their own prices.

The scooters, which are manufactured by Bird’s partners in China, will come preinstalled with all the firmware and GPS technology, called the “Bird Brain,” that allows them to be deployed as part of a shared fleet. “It’s capital intensive,” VanderZanden said. “What we’ve really tried to do is keep the upfront costs as low as possible.”

It’s an interesting move by Bird, especially considering how wildly unsustainable the scooter-sharing business is turning out to be. Recently, Quartz’s Alison Griswold crunched the numbers from Louisville, Kentucky, and found that the median scooter took 70 trips over 85 miles, and had a lifespan of 23 days. Lifespan is a big deal for scooter companies: the longer the scooters can stay in operation, the more money they can make for the company. And right now, these scooters aren’t living long enough to earn a profit.

VanderZanden has been staving off the winter doldrums (colder weather, fewer scooter trips) by mulling over the unit economics conundrum. Most of the solution rests in the company’s ability to roll out its new, longer-lasting, more rugged scooter, the Bird Zero. He wouldn’t say what percentage of Bird’s fleet is now comprised of the more rugged scooter. But he did say that in order for Bird to eventually break even, the scooters will need to increase their lifespan to six months.

“We’ve been hard at work on future hardware as well, with even bigger batteries and more ruggedized [scooters], which will circle back on at some point in the future,” he said. “We’re looking at every technology you could imagine. If it makes sense from an economic standpoint, and ideally improves the rider experience, then it’s a no-brainer.”

Only One-Third of Android Antivirus Apps Work Properly

By Tom Fogden, Writer for Tech.Co
March 20, 2019  8:36am (London)

 

According to a report from Austrian antivirus and security experts AV-Comparatives, only one-third of Android antivirus apps actually give you effective antivirus protection.

AV-Comparatives’ Android Test 2019 report shows how only 80 of the 250 most popular Android antivirus apps can detect over 30% of threats, with no false positive results. A false positive is when antivirus software incorrectly labels something as a threat when it is, in fact, safe.

The report demonstrates that, despite the company’s efforts, Google still doesn’t have adequate quality control over the Play Store. What’s more, it shows just how dangerous downloading the wrong app can be for careless users.

Which Apps Can I Trust?

There are only 23 apps from the 250 tested by AV-Comparatives that managed to pass the company’s strict testing regimen with a perfect score. These 23 apps were able to correctly identify and deal with the more than 2,000 threats sent to them, with no false positives.

AV-Comparatives considers “apps that block less than 30% of common Android threats to be ineffective/unsafe,” and found 170 of these, 138 of which are still available on the Play Store.

Those that passed this fairly low bar, detecting above 30% of threats, bring the total number of useful apps up from 23 to 80, and include Google’s own antivirus software.

Fortunately, the 23 apps that managed to identify 100% of threats include a lot of big names in the world of antivirus, so you might be able to bundle these apps with any services you have on your home PCs.

Here are the apps rated as 100% safe by AV-Comparatives:

AhnLab, Antiy, Avast, AVG, AVIRA, Bitdefender, Bullguard, Chili Security, Emsisoft, ESET, ESTSoft, F-Secure, G Data, Kaspersky Lab, McAfee, PSafe, Sophos, STOPzilla, Symantec, Tencent, Total Defence, Trend Micro, Trustwave

Why isn’t the Play Store Completely Safe?

The Google Play Store is the biggest app store in the world, and is growing significantly quicker than the Apple App Store — back in 2017, almost twice as many apps were added to the Play Store compared to the App Store, according to AppFigures.

This is largely thanks to Android’s open source design, basically meaning that anyone with enough know-how (which is easy to gain from online research) can create and publish their own apps. This can make the Play Store a bit of a wild west at times.

That’s not to say that Google isn’t keeping an eye on the Play Store. It is, and it regularly removes shady apps. However, the issue here isn’t that these antivirus apps are malicious; they’re just a bit useless, and Google can’t remove an app just because it isn’t very good.

What’s more, many of the poorer antivirus apps use the same core threat detection engine with only minor tweaks. This makes them very easy to reproduce, and leads to the large number of bad antivirus apps.

If you want to stay safe using your Android phone, make sure you download one of AV-Comparatives’ top-rated antivirus apps. Then combine it with a VPN like PureVPN to give you even stronger security.

_________________________________

Did you know?

Consumers reportedly lost $905 million to fraud in 2017, with more millennials reporting losing money to scams than senior citizens (marketwatch.com).
Be safe online.

_________________________________

 

New Formjacking Technique Used to Skim Payment Details Off Websites

Conor Reynolds, News Reporter at Computer Business Review – 10th December 2018

“In recent months, we have seen a major uptick in formjacking attacks against high-profile websites across the globe”

 

Researchers at cybersecurity company Symantec have identified a new formjacking campaign targeting a French ecommerce site that is prominently featured in global shopping aggregator listings.

Over 30 online retail websites from all over the world were redirecting traffic to the compromised site.

Formjacking is a term used to describe the injection of JavaScript code into the payment section of a website. This code then skims the payment details of unaware customers, sending them on to threat actors to abuse.

The online store in Paris was injected with a formjacking script which collects the payment information entered onto the website and then sends it to the domain google-analyitics.org, a “typo-squatted” version of the genuine URL google-analytics.com.

Another piece of injected code on the same web page looks for the presence of debugging tools, such as Firebug, to thwart security researchers analysing the malicious script; a trend security researchers have increasingly noticed.

See also: Magecart’s 7 Groups: Hackers Dropping Counter-Intelligence Code in JavaScript Skimmers

Siddhesh Chandrayan, Threat Analysis Engineer at Symantec, wrote: “This latest formjacking campaign highlights the fact that attackers are continuously altering and improving their malicious code and exploring new delivery mechanisms to infect more users.”

Symantec researchers say they have identified more than one million formjacking attempts on over 10,000 websites in the last three months alone.

Symantec told Computer Business Review that the scammers had also hacked other ecommerce websites to redirect visitors to the compromised site.

He believes that the Paris site was selected as a target because it is listed in several shopping aggregators.

Traditionally attackers have targeted retail websites through the software provided by third-parties, as these often contain the weak link in the security chain.

Last summer it was disclosed that Ticketmaster was subject to a serious cyberattack in which threat actors made off with the payment details of over 40,000 UK customers. A chat-bot designed by third-party supplier Inbenta was identified as the source of the vulnerability.

A report from cybersecurity enterprise RiskIQ identified Magecart tactics and script in the attack, which saw a massive credit card skimming operation that affected over 800 e-commerce websites.

In their report RiskIQ noted that: “Magecart actors breached their systems (Ticketmaster) and, in separate instances, either added to or completely replaced a custom JavaScript module Inbenta made for Ticketmaster with their digital skimmer code.”

See Also: The Ticketmaster Hack is Worse Than First Thought

Unfortunately, one of the key factors in formjacking or script payment skimming attacks is that retailers and customers may not be aware that their website and details are compromised. Websites and payment forms operate as normal if the attackers have done their job right.

One way enterprises can protect themselves is to test any new software updates in small test environments. Doing so gives you a chance to spot any unusual behaviour in the script. Software distributors who supply major retailers with products should have monitoring systems in place that detect any changes in their code or in the updating process itself.

Symantec is currently working with the websites involved in this new formjacking attack and so they have not named the websites affected.
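The campaign above hid its exfiltration endpoint behind a look-alike of a trusted analytics host. The following added example (not from the article or from Symantec) audits the script hosts of a checkout page against an allowlist and flags near-matches; the shop, payment and widget host names and the sample page are constructed for illustration.

```javascript
// Hosts this hypothetical shop intends to load scripts from (assumed allowlist).
const TRUSTED_HOSTS = ['www.google-analytics.com', 'js.payments.example', 'shop.example'];

// Reduce a host to its name without "www." and without the final label (TLD),
// so a look-alike registered under a different TLD is still compared.
function coreName(host) {
  const labels = host.toLowerCase().replace(/^www\./, '').split('.');
  return labels.length > 1 ? labels.slice(0, -1).join('.') : labels[0];
}

// Levenshtein edit distance (insert, delete, substitute), two-row variant.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Collect the host of every <script src=...>; relative and protocol-relative
// URLs are resolved against the page origin. Regex parsing is a simplification.
function scriptHosts(html, pageOrigin = 'https://shop.example/') {
  const hosts = [];
  const re = /<script\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    try {
      hosts.push(new URL(m[1], pageOrigin).hostname);
    } catch (_) { /* unparsable src: skipped in this example */ }
  }
  return hosts;
}

// Report every script host that is not allowlisted, marking those that are
// within maxDistance edits of a trusted name as probable typo-squats.
function auditScripts(html, trusted = TRUSTED_HOSTS, maxDistance = 2) {
  const findings = [];
  for (const host of new Set(scriptHosts(html))) {
    if (trusted.includes(host)) continue;
    const near = trusted.find(
      t => editDistance(coreName(host), coreName(t)) <= maxDistance);
    findings.push(near
      ? { host, verdict: 'lookalike', resembles: near }
      : { host, verdict: 'unlisted' });
  }
  return findings;
}

// Constructed sample page: one first-party script, the genuine analytics
// host, the typo-squatted host named in the article, and an unlisted widget.
const SAMPLE_CHECKOUT = `
<html><body>
<form id="payment"><input name="card"></form>
<script src="/static/checkout.js"></script>
<script src="https://www.google-analytics.com/analytics.js"></script>
<script async src="//google-analyitics.org/ga.js"></script>
<script src="https://cdn.widgets.example/chat.js"></script>
</body></html>`;

console.log(auditScripts(SAMPLE_CHECKOUT));
```

Edit distance is noisy for short host names, so a "lookalike" verdict is a prompt for review rather than proof of compromise.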

Digital Transformation, Dynamic Threats and Growing Accountability

March 1, 2019

By Mark Sangster, Chief Security Strategist at eSentire, Inc., contributor to SecurityMagazine.com

 

Businesses today accept the presence of cyber risks. In fact, 70 percent assume a business-altering event will occur in the next few years (FutureWatch Report), but often have a more difficult time identifying specific risks, key factors and mitigation strategies. Worse, the board or senior leadership often makes assumptions about the safety of the firm that are overly optimistic when compared to confidence ratings of security practitioners.

The difference between awareness and understanding is driven by the communication gap between the board and executives steering the business, and the security experts close to the problem. Both parties struggle to comprehend the other’s needs and responsibilities.

A firm’s risks stem from a handful of business aspects, including the firm’s participation in high-risk industries, its appetite for emerging technologies, and willingness to properly invest in targeted security practices. While this sounds obvious at first, it’s lost when the line of sight from the security practitioners to the board is over the horizon.

This article will explore board-level concerns, key drivers to invest in security, and how emerging technologies outpace the evolution of security technologies and services. The data presented in this article was collected in late 2018, through third-party research that surveyed 1,250 security executives, managers and practitioners. Data was collected from the United States, Canada and the United Kingdom. Participants were equally represented across various industries and company sizes, ranging from fewer than 100 employees to 5,000 employees or more. Read the full FutureWatch Report.

Major Attacks Are an Assumption

Unanimously, business leaders such as the CEO, board members and technical executives (CIO) alike predict a major cyber-attack in the next two to five years. Over 60 percent of respondents assume a major event will occur. Interestingly, 77 percent of CEO and board respondents consider their organization prepared for such an event. As expected, technical leaders are approximately 20 percent more likely to predict an attack and are 10 percent less optimistic than their business peers in their organization’s preparedness.

Senior leadership fears operational disruption, reputational damage and significant financial losses over regulatory penalties as top consequences of a major security event.

While business leaders show a confidence in their firm’s ability to manage a security breach, the devil is in the details. Only 29 percent of respondents indicated that their high-value or high-profile information is not adequately protected. And two-thirds of respondents are not confident that their cybersecurity programs match their peers, nor that their programs are appropriately resourced.

The Cybersecurity Rosetta Stone

Boards and security practitioners still struggle to translate their concerns and objectives. Only one-third of business leaders are confident in their security executive’s ability to monitor and report on cybersecurity programs and 66 percent worry that these programs are not aligned to business objectives.

IT and security leadership sentiments echo this concern. Most organizations struggle to show the value of IT security spend to senior management, including status reporting difficulties. Aligning to enterprise risk management confounds over half of businesses, along with the ability to manage external risks with third-party vendors and the growing complexity of regulatory compliance.

On the positive side, progress has been made over the last few years. The CISO is no longer the least interesting person to the board, until they are the most important person. Over half of respondents indicate their board is very familiar with the security budget (51 percent), overall strategy (57 percent), policies (58 percent), technologies (53 percent), and currently reviews security and privacy risks (51 percent). Moreover, line of sight from the CISO to the board is more direct. Forty-five percent of security officers report to the board or CEO, 33 percent continue to report to the CIO and a small handful (10 percent) report to a privacy or data officer.

Moreover, nearly two-thirds of security budgets are set to rise in 2019. Spend on the security side is still reactionary. While regulatory requirements are in the basement of the board’s concerns, they top the list for security practitioners. A security team’s spend is generally reactive to client demands, major technology purchases, a major security event or near miss, and the adoption of emerging technology.

Emerging Technology: A Double-edged Sword

IT and security teams find themselves in a difficult position between meeting the demands of the business to adopt emerging technologies that offer competitive advantage, while also carrying the burden of mitigating the risks that come along with new deployments.

Nearly three-quarters of respondents are currently using cloud services or plan to deploy cloud services in the next six months, with financial services, manufacturing and healthcare leading the adoption rate. Only law firms lag in their cloud adoption. Artificial Intelligence (AI), Internet-of-Things (IoT) and Industrial IoT (IIoT) top the list behind cloud.

Cloud security adoption is the priority, followed closely by identity and access management, threat detection and response, and endpoint detection and response. Security Information and Event Management (SIEM) moves beyond a compliance tool and now plays a role in the greater detection and response portfolio.

More than half of telecom, information technology, financial services and manufacturers invested in securing their cloud services. Similarly, financial services, healthcare and manufacturing also emphasize threat detection and response investments. These industries are equally investing in identity and access management as a response to a more distributed workplace. Again, law firms are significantly less likely to adopt these technologies.

Digital transformation is here to stay and brings with it a drive to always evolve and constantly change. Economics demand that vendors constantly improve and offer new features and technologies, outpacing our understanding of the associated risks. We focus on the benefits while assuming vendors have resolved the security issues. For example, cloud technology tops the list of security priorities today, but AI and IoT/IIoT are on track to surpass cloud as the primary risk concern in less than two years.

This challenge will only increase over the coming years as 5G facilitates a ubiquitous mosaic of always connected devices. Risk associated with emerging technologies becomes more concerning as adoption rates accelerate, compressing the time in which organizations and vendors can adapt and develop appropriate security controls and deploy protective solutions.

Most Susceptible to Risk: Law Firms, Transportation and IT

Law firms lead when it comes to risks associated with external actors and attacks and their ability to report status, show value and meet internal risk standards and regulatory requirements. Transportation and IT firms report higher than average levels of risk. Financial services tend to run just below industry averages across external attacks and internal or industry requirements.

Digital Transformation Outpaces Current Security Approaches

Digital transformation touches every facet of business operation and redefines how businesses engage with their customers. The emerging technologies underpinning this tectonic shift must constantly expand capabilities and adapt to survive in a competitive environment. Current security approaches are not fluid enough to keep pace with adoption of emerging technology and platforms.

Today, most firms identify their primary security posture as leveraging prevention technologies and device management. Firms that leverage a predictive security model such as threat hunting, machine learning, and device analytics reduce their risk by thirty percent. Less than one-fifth of firms identify as predictive. The trend is consistent across all industry segments with financial and healthcare services leading the charge and law firms lagging.

Firms adopting predictive security models are better able to identify never-before-seen threats and have engaged rapid response capabilities to reduce the risk of a business-altering event. Over the next two years, older preventative models drop to less than one-third, while predictive threat hunting will more than double to 40 percent. This trend correlates with the shift in business drivers away from regulatory dominance toward business-centric considerations such as operational disruption, reputational damage, and, of course, financial losses.

Interestingly, advanced firms are more apt to adopt emerging security technologies such as endpoint, threat detection and response, identity access management, and cloud security. Moreover, mature firms aggressively leverage SaaS and are more likely to adopt 100 percent cloud-based security services than firms using a device-management model. Outsourcing is a palatable alternative to recruiting and retaining threat hunting talent from a pool that cannot support the growing demand.

Digital Transformation, Dynamic Threats and Growing Accountability

Digital transformation continues to expand a larger and more fluid attack surface from the advanced methodologies used by well-resourced adversaries like organized criminals and nation-state actors. Regardless of industry, businesses operate in a world with ever-increasing accountability to protect their clients’ confidential information, adhere to state legislation, comply with privacy laws and meet the growing complexity of overlapping regulatory obligations.

This triad of risk demands that IT, security practitioners, and leaders align with business governance objectives, while senior leadership acknowledge their role in establishing expectations and providing resources to adequately protect the business, its investors, employees and customers.

We’ve left the world of prescriptive regulations as a measure of security end state. Many organizations recognize that the financial loss associated with operational disruption and reputational damage outweighs the penalties set out by regulators. In the future, organizations will likely move to a perspective driven by their clients. In this state, brand and reputation will form the barometer by which a company’s security performance is ultimately measured. Protecting the client will mean, by extension, protecting their data and services, and avoiding operational disruption and resulting financial losses.


Author: Mark Sangster, Chief Security Strategist at eSentire

Mark Sangster is an industry security strategist and cybersecurity evangelist who researches, speaks and writes about cybersecurity as it relates to regulations, ethical obligations, data breach incident response and cyber risk management.

Why businesses fear cyberattacks from ex-employees more than nation states

By Alison DeNisco Rayome, Senior Editor for TechRepublic – February 27, 2019, 6:02 AM PST

A major data breach would likely shut down half of SMBs permanently, according to an AppRiver report.

 



More than half of cybersecurity executives at small- and medium-sized businesses (SMBs) (58%) fear a major data breach more than a flood, fire, transit strike, or even a physical break-in of their office, according to the inaugural AppRiver Cyberthreat Index for Business Survey released Tuesday.

The concern is rooted in a stark business reality: Nearly half of the 1,059 SMB cybersecurity decision-makers surveyed (48%) said a major data breach would likely shut down their business permanently, the report found. This percentage increased significantly for financial services and insurance SMBs (71%) and healthcare SMBs (62%), according to the report.

SEE: Security awareness and training policy (Tech Pro Research)

These results echo the findings of a previous report from VIPRE, which found that 66% of SMBs would either go out of business or shut down for at least one day in the event of a breach. Almost half of all cyberattacks target SMBs, as these businesses tend to have less-sophisticated security infrastructure and fewer trained cybersecurity workers on staff to manage and respond to threats.

“In today’s digital age, businesses rely on their intellectual property and use automated business processes more than ever before – bringing cybersecurity to the forefront,” said Dave Wagner, CEO of Zix Corporation, parent company of AppRiver.

SMBs are more concerned that these attacks could come from disgruntled ex-employees (24%) than from rogue hacktivist groups (21%), lone-wolf hackers (19%), competitors targeting corporate intellectual property (18%), or nation state-sponsored hackers (18%).

The reason for this fear of an ex-employee breach is well founded: Some 20% of organizations said they have experienced data breaches by former employees, according to a OneLogin report. Companies can increase their chances of avoiding such an attack by removing employees’ access to all accounts immediately after they leave the company.

SMBs can follow these tips from Kaspersky Lab to improve their security practices:

  1. Create a list of assets your employees use
  2. Make a list of the online services your organization uses, and analyze which of them is critical for your business process.
  3. Audit critical services and their settings
  4. Set clear guidelines for which data can be moved to the cloud and which must stay internal
  5. Set guidelines for which data can be accessed by which employees
  6. Arrange security awareness training to teach staff how to handle critical data safely
  7. Use a reliable security solution

The big takeaways for tech leaders:

  • 58% of cybersecurity leaders fear a major data breach more than a flood, fire, transit strike, or even a physical break-in of their office. — AppRiver, 2019
  • 48% of cybersecurity leaders said a major data breach would likely shut down their business permanently. — AppRiver, 2019
