Cyber Security

Hub Security Releases First-of-its-kind Quantum-proof HSM

TEL AVIV, Israel, June 22, 2020 Following the close of its $5 million Series A funding round in late April, cybertech company Hub Security today unveiled its next-gen Hardware Security Module (HSM), the first to offer quantum-proof capabilities to enterprises. The new solution includes hardware-embedded support for quantum-resistant algorithms as well as quantum source of randomness –– features designed to protect against the next generation of cyber threats and attacks.

Quantum computing is rapidly advancing. IBM predicted in 2018 that quantum computing would be mainstream by 2023. IDC predicted in 2019 that “25% of the Fortune Global 500 will gain competitive advantage from quantum computing” by 2023. When quantum computing comes of age, today’s encryption standards will no longer be secure and any data protected by them will no longer be private. That could usher in a wave of cyberattacks targeting organizations’ most sensitive information.

Hub Security’s newest HSM will help organizations weather the coming evolution of cyberattacks and threats related to quantum computing. While current industry-standard HSMs are equipped to run quantum computing algorithms, many of them provide these capabilities purely on a software level, making them low-performing and unsuitable for cloud and payment processing and other real-world applications.

“Within five to 10 years, quantum computing will be ubiquitous, and many companies that have heavily invested in cybersecurity will need to toss their current HSMs in exchange for high-performing quantum-proof devices,” says Hub Security CTO, Andrey Iaremenko. “It’s going to be a stark wake-up call for many industry leaders and enterprise organizations when they realize their investments in cyber protection don’t go far enough to secure their company’s––and customers’––most sensitive digital assets.”

Hub Security’s HSM offers high-performance military-grade key management and cryptographic solutions built on FPGAs. Now coupled with its latest quantum-proof release, the company will enable cloud and enterprise industries to safeguard against massive attacks by novel and critical cyber threats.

As a growing number of industries turn to cloud and data storage, there is an increasing demand for cybersecurity solutions that can combat the unique threats they face. Hub Security’s miniHSM is the first-of-its-kind pocket-sized HSM solution coupled with an ultra-secure HSM-to-HSM communication layer built uniquely for cloud, banking, healthcare, and government enterprises with scalable, air-tight security that can support any cloud-based or digital asset.

Hub Security utilizes military-grade cybersecurity principles for its HSM and handheld miniHSM devices’ architecture that is designed for FIPS140-2 Level 4 protection (pending) –– the highest protection level currently available on the market for mobile cryptographic security.

The company’s combination of hardware and software solutions includes ultra-secure internal signing and authorization flow with a multi-signature vault, hardware firewall, access control, rules, policy engines and an AI-learning system designed to anticipate unique cyberattacks.

About Hub Security

Hub Security is a top-tier, military-grade provider of HSM and key management solutions for fintech, cloud, and blockchain security. Leveraging military-grade cybersecurity tactics and utilizing cutting-edge innovations, Hub Security has developed a family of products that provide the highest level of enterprise security available on the market today. https://hubsecurity.io/

Aviation Industry Grapples with Basic Cyber Protection

 

EasyJet, one of UK’s largest budget airlines disclosed to its customers in March that a massive data breach had taken place, affecting nine million of its customers and involving over 2,000 credit-card details.

EasyJet now reports it has been the target of a “highly sophisticated” attack, which provided hackers with access to customers’ email addresses and 2,208 credit-card details.

EasyJet’s data breach dwarfs a 2018 British Airways data breach, which was fined $225m last year by the Information Commissioner’s Office under Europe’s General Data Protection Regulation (GDPR).The airline industry is already facing major challenges as many aircraft carriers are facing service disruptions due to the pandemic. Additionally, there is a legal battle being fought in courts by the directors of the carriers over business strategy approaches.

The latest hack signals how imperative it is for enterprise airlines to ensure Infosecurity best practices are put in place in order to avoid future devastating data breaches from taking place. The industry as a whole lacks strict requirements to prevent such incidents or even adhere to specific cybersecurity standards.

Aviation Security Challenges

With one of the most integrated and complex information and communications technology (ICT) systems, the aviation industry faces threats on a number of fronts with its increasing interconnectivity. From data theft to national and political motivations, today’s aviation industry faces multiple cyber risks on a multi-front war.

Common threats to the aviation industry include, but are not limited to:

1. Phishing Attacks

Last year the Center for Internet Security reported that 75 US airports were the targets of advanced persistent threats.

2. Jamming Attacks

Jamming attacks occur when an attacker injects a ghost flight into the air traffic control system.

3. Remote Hijacking

Security flaws in the software and hardware used for communication in the aviation industry allows hackers to remotely attack or control in-flight and on-board systems.

4. DDoS and Botnet Attacks

Distributed-denial-of-service attacks utilize botnets of compromised networks to flood air traffic control and other critical systems, resulting in the platform crashing.

5. WiFi-based Attacks

Vulnerabilities in a plane’s onboard system could allow hackers to use the onboard WiFi signal or in-flight entertainment systems to hack into the plane’s avionics equipment.

HSM for Aviation

The increased wave of security concerns for airlines has continued to ripple across the aviation industry. The growing consensus among security experts outlines the need for air-tight security solutions that will address the threat of malicious hacking attempts and data theft.

Hub Security’s next-gen HSM offers excellent performance military-grade key management and cryptographic solutions built on FPGAs which can handle more data per second than traditional CPU based  HSMs.  enabling  safeguard against massive attacks of novel and critical cyber threats in cloud and enterprise industries.

Hub Security’s combination of hardware and software solutions includes ultra-secure internal signing authorization flow. Designed with a multi-signature vault, hardware firewall, access control, and a deep neural network learning system, Hub Security’s Hsm is built to anticipate and prevent unique aviation attacks.

Join Hub Security’s TokenSoft’s CEO Mason Borda and CRO David Hochhauser online this Thursday, June 18th for a discussion on Real Estate Tokenization.

What is Homomorphic Encryption

 

Technology is changing rapidly around us daily and a growing number of organizations are implementing service to improve their security and levels of productivity. However, as we enter the new generation of connectivity and exponential growth of personal data generation and collection, we must re-examine the entire idea of security and the ecosystem that connects all its moving parts.

Many common services, such as cloud data storage, are not as secure as they may seem. These vulnerable endpoints leave companies at high-risk for any number of cyberattacks, ranging from data breaches to ransomware schemes with far-reaching consequences for entire organizations. That’s where homomorphic encryption comes in.

Homomorphic Encryption

Homomorphic encryption is a method of encryption that allows computations and queries to be performed upon fully encrypted data, making it possible to analyze or manipulate encrypted data without decrypting it.

Since most data theft occurs while data is being temporarily decrypted for us or stored as plain text, homomorphic encryption allows anyone to perform operations on data without the need to first decrypt it –– making the entire system safer from data theft and privacy violations.

The risk of privacy leakage of sensitive information in complex IT systems can’t be ignored, and there is a growing interest in applying homomorphic technology to provide data privacy and decentralized access to organizational data.

Applications of Homomorphic Encryption

In the real-world, homomorphic encryption has a number of practical, industry-relevant applications. From electronic voting systems to protecting information on the cloud to enabling private queries in search engines. Real-world applications for homomorphic encryption can include:

1. Securing Cloud Storage

Whether your organization uses a third-party cloud storage service or has only some data offloaded to the cloud, it’s critical to never fully trust the security of your cloud software-as-a-service (SaaS) provider.

It’s already well known that cloud storage isn’t always as secure as we’d like it to be. The remnants of which can still be seen from The Wall Street Journal’s investigation into the global hacking campaign called ‘Cloud Hopper.’

Not only does homomorphic encryption have the potential to secure data stored on the cloud, but it also retains the ability to calculate and search ciphered information that you can later decrypt. This is super important to safeguarding the integrity of your data as a whole –– a win-win scenario for security experts, organizations and customers.

2. Enabling Data Analytics

Homomorphic encryption allows safe and secure access to data for researchers. Without the need to decrypt, data can be encrypted and outsourced to commercial cloud environments for research purposes — all while keeping patient data secure.

Homomorphic encryption can be used for businesses and organizations across a number of industries, including but not limited to, finance, retail and healthcare. By allowing predictive analytic service providers to safely analyze medical data without putting data privacy at risk, homomorphic encryption is empowering research teams worldwide and the advancement of new technological developments.

3. Improving Election Security and Transparency.

It’s been a hot topic lately, but researchers are now looking into how to use homomorphic encryption to make democratic elections more secure and transparent. The Paillier encryption scheme, for example, uses additional operations and would be best suited for voting-related applications.

By allowing users to add various values in an unbiased manner, homomorphic encryption has the ability to keep these values private. This kind of technology has huge potential to not only protect data from unwanted manipulation, but also allow it to be used to independently verify results by authorized third-parties.

Hub Security’s miniHSM

Hub Security’s HSM is a high-performance key management and cryptographic solution built on FPGAs –– designed to protect against unique cyberattacks. Hub Security’s miniHSM is the first of its kind to offer a pocket-sized HSM solution coupled with an ultra-secure HSM-to-HSM communication layer for air-tight security that can support any cloud-based or digital asset.

Learn More

Webinar Video – IoT Cyber Vulnerabilities, smart cities and beer

Last week Hub Security CTO, Andrey Iaremenko, discussed IoT cyber vulnerabilities. The topics discussed included also security risks with smart cities, cars and homes.See below the webinar intro to IoT, IoT vulnerabilities and the full webinar recording. 

Intro to IoT

IoT Cyber Vulnerabilities

IoT and Beer - Full Webinar

Webinar: Securing Remote Access

Hub Security’s Chief Product Officer Ido Helshtock joined OurCrowd’s Cyber Security webinar to discuss working remotely and secure access at current times.

The Pathway to Secure Remote Voting

A recent Senate memo released this week offered a peek into the US government’s efforts to leverage blockchain technology, with security as a core focus. The memo was drafted for a roundtable aimed at exploring the “Continuity of Senate Operations and Remote Voting in Times of Crisis.”

It outlines COVID-19’s impact on the ability of the Senate to congregate and vote on new and upcoming legislation, forcing Congress to rethink its operations as in-person meetings become obsolete.

Join Hub Security’s CPO Ido Helshtock online this Thursday, May 14th to discuss Secure Remote Access in time of COVID-19 on OurCrowd webinar Cybersecurity and Insecurity.

According to the memo, any solution worth exploring will have to prove its authentication and encryption abilities. As blockchain, or distributed ledger technology, offers both transparency and encryption as benefits, it is being explored as an ideal solution.

It noted, “With its encrypted distributed ledger, blockchain can both transmit a vote securely and also verify the correct vote. Some have argued that these attributes make blockchain useful for electronic voting broadly. Blockchain can provide a secure and transparent environment for transactions and a tamper-free electronic record of all the votes.”

In fact, blockchain voting has already been creating waves and changing elections. Overseas military from West Virginia, USA for example can already vote in their local elections using just their mobile phones. A combination of encryption and blockchain registry then tallies their votes. 

Other countries like Brazil, Denmark, South Korea, and Switzerland have also already begun looking into ways blockchain voting can be used. But by far, Estonia is leading the way. Their citizens each hold unique ID cards that allow them to vote on the blockchain both quickly and securely.

Despite the many benefits, the Senate still has reservations regarding the use of blockchain –– as it should. The biggest concern outlined in the memo is that the network supporting the voting infrastructure could fall into the wrong hands. Since the Senate is a relatively small entity, any blockchain network used must be able to eliminate the threat of a 51% attack.

A federal government report released in 2019 on secure online voting concluded that blockchain had not yet succeeded in resolving key security issues inherent in any internet-based voting system. The recently released memo cited similar concerns, such as “…possible vulnerabilities from cryptographic flaws and software bugs.”

Many startups including Votem, Voatz, Follow My Vote, Boulé, Democracy Earth and Agora have already begun developing and promoting blockchain-based voting systems. Many of them believe blockchain could be as big a deal in voting as advocates expect it to be in shipping, money transfers, and property records.

But technology and security experts alike seem to think otherwise. “We range from being skeptical to very skeptical about it,” said Maurice Turner, senior technologist at the Center for Democracy and Technology.

But one promising solution could come from somewhere unexpected –– the cryptosphere. Cryptocurrencies like Bitcoin have seen their fair share of hacking attempts, with millions already exploited by hacking entities that lurk on the dark web.

Hub Security, a Tel-Aviv based cybersecurity firm, is now looking to share their cryptographic technology with the Senate, and the rest of the world. Their promise: a military-grade, highly-secure voting environment for both citizens and parliamentary members alike. 

Designed for FIPS 140-2 level 4 certification, Hub’s miniHSM device would allow voters to participate in the electoral process while remaining 100% isolated from local network connections. The HSM’s unique cryptographic architecture eliminates any cyber and privacy threats from the internet, home computer or mobile device, making blockchain voting for the first time a viable option.

Whether the future of voting remains paper-based or takes on a new evolution of cryptography, elections must go on and both citizens and congressional leaders must continue to explore solutions for maintaining the engine of democracy during COVID-19 –– our voting systems.

AXA Ventures Leads $5 Million Investment in Next-generation Cybersecurity Startup Hub Security

FPGA-based cyber platform closes Series A funding round with additional investment from OurCrowd
Tel Aviv, May 7, 2020Hub Security, a startup that offers military-grade cybersecurity solutions for fintech, cloud, blockchain and data storage, announced today it has closed a $5 million Series A funding round led by AXA Ventures, with participation from Jerusalem-based OurCrowd.

The company said the investment will be used to strengthen Hub Security’s team, expand their technology and offer enhanced products to fintech companies, focusing on enabling access to credit, corporate banking solutions, cross-border payments and providing ultra-secure banking solutions.

Hub Security offers a solution to growing security concerns related to cloud and enterprise organizations that are raising alarm bells across industries struggling to combat rising levels of cyberthreats and attacks.

There is consensus among security experts of the need for military-grade security solutions that can address the threat of data theft and exploitation –– especially in the era of COVID-19.

“We believe this round of funding is crucial to helping us continue our mission of providing military-grade level cybersecurity solutions to top cloud and digital asset management providers,” said Eyal Moshe, Hub Security’s CEO.
“Hub Security’s end-to-end approach to the development and delivery of its hardware and software components ensures the highest level of security throughout the entire product lifecycle –– something that’s critical now more than ever in the era of COVID-19. We don’t take for granted the trust we’ve seen from investors, especially in the current financial climate,” said Moshe.As a growing number of industries turn to cloud and data storage solutions, there is an increasing demand for cybersecurity solutions that can combat emerging threats.Hub Security boasts an expanding portfolio of fintech, cloud, and insurance clientele.

In February 2020, the company announced its strategic partnership with Seagate® Technology as part of its new LyveTM Labs.

The initiative was launched in order to provide methods for safe and secure data management solutions, both on and off the cloud.“Hub Security’s miniHSM is the first of its kind to offer a pocket-sized HSM solution, which provides an ultra-secure HSM-to-HSM communication layer built uniquely for cloud, banking, healthcare, and government enterprises with scalable, air-tight security that can support any cloud-based or digital asset,” said Moshe.HUB Security utilizes military-grade cybersecurity tactics for its HSM architecture that is designed for FIPS140-2 Level 4 protection (In advanced stage process) –– the highest protection level available for mobile cryptographic security solutions on the market to date. HUB Security’s combination of hardware and software solutions include ultra-secure internal signing and authorization flows with a multi-signature vault, hardware firewall and an AI-learning system designed to anticipate unique cyberattacks.“On our FPGA-based HSM, we have an innovative approach,” Moshe said. “This is in sharp contrast to HSMs relying on legacy architecture, where you have to connect your source via PCIe — and depend on the operating system to deliver the data to your application.

HUB Security approach  gives very high bandwidth, as well as low latency.”“I was actively looking for a ‘software-defined HSM’ platform company in Israel for the past 12 months and I was very pleased when I met Hub Security and learned about their unique offering. We agreed very quickly to partner and invest,” said Moshe Raines, Partner at OurCrowd and Labs/02 managing partner.

About Hub Security: Hub Security is a top-tier, military-grade provider of HSM and key management solutions for fintech, cloud and blockchain security. Leveraging military-grade cybersecurity tactics and utilizing cutting-edge innovations, HUB Security has developed a family of products that provide the highest level of enterprise security available on the market today. https://hubsecurity.io/

What is Ransomware

Today the world has become increasingly aware of the threat of cyber attacks and data breaches, but not all organizations know how to defend themselves against them. Systems breaches great and small have more than doubled in the past five years, and the attacks have grown in both sophistication and complexity. 

From DDoS to ransomware attacks, a cyberattack can have devastating consequences for a brand. Not only does it lead to a loss of consumer confidence, but the manner in which a company handles an attack can also have a significant impact on the business’s bottom line and reputation.

Learn more on cyber security, HSM and key management

In this article, we’ll take a bird’s-eye view at what ransomware is, who it targets, and how it works so you can work to defend you and your organization from future attacks.

What Are Ransomware Attacks

Ransomware is a type of malware that encrypts data, making it impossible for the owners of that data to access it unless they pay a hefty fee. In March 2017, the WannaCry virus spread independently through the networks of unpatched Microsoft Windows devices, leaving thousands of computers infected and making off with a total of 327 payments.

Ransomware has cost businesses more than $75 billion per year in damages (Datto), and ransomware remains the most common form of cyberattack. By the end of 2016, 12.3 percent of global enterprise detections were ransomware, while only 1.8 percent of consumer detections were ransomware worldwide. By 2017, 35 percent of small and medium-sized businesses had experienced a ransomware attack of some kind.

According to a Kapersky Labs report, cybersecurity statistics show ransomware attacks were launched from within more than 190 countries, with financial services the second most targeted industry after healthcare.

Not only are banks at high-risk, but cities and municipalities are as well. In August 2019, 23 local government organizations in Texas were hit by a coordinated attack, likely from a single threat actor. In June 2019, the state of Florida was also hit hard by ransomware attacks, and in just one month no less than three Florida municipal governments were attacked by Emotet, TrickBot, and Ryuk ransomware.

How Ransomware Attacks Happen

Phishing is a common type of cyberattack that’s often used to steal user data, including login credentials and credit card numbers. Phishing occurs when an attacker tricks an unsuspecting victim into opening a malicious link, leading to an installation of malware which then freezes the system as part of a ransomware attack. This can have devastating results on a business.

One of the major news stories of 2013 was the Target data breach that affected 110 million users, including 41 million retail card accounts. It turns out that cybercriminals did not attack Target directly. They targeted a third-party HVAC vendor, which had trusted access to Target’s servers. Upon compromising FMS’s servers, gaining complete access to Target’s was simple.

Learn more on cyber security, HSM and key management

Types of Ransomware Attacks

As far as ransomware goes, there are three primary kinds of ransomware. Each ranges in severity from mildly to code-red dangerous. Let’s break them down now.

Scareware Attacks

Scareware is actually not as scary as it sounds. This kind of attack is primarily supposed to seem scary when in reality the victim is safe until it provides unwarranted access. Scareware usually includes rogue security software and tech support scams, such as pop-up messages claiming that malware was discovered and the only way to get rid of it is to pay up. 

If an individual does nothing, they’ll likely continue to be bombarded with pop-ups while all files remain essentially safe. A legitimate cybersecurity software program would never solicit customers this way. If you don’t already have this company’s software on your device, then it would not be monitoring you for ransomware infection, plain and simple.

Screen Locker Attacks

When lock-screen ransomware gets access to a device, it means the user is frozen out of their PC entirely. Usually, when victims turn on their computer a large window appears, accompanied by an official-looking US Department of Justice seal stating illegal activity has been detected and the user must pay a fine. 

However, any official department who suspects illicit activity would simply not freeze someone out of their computer or demand payment. If they suspected piracy, child pornography, or other cybercrimes, any official office would go through the appropriate legal channels.

Encrypted Attacks

Encrypting ransomware is the type of ransomware that can cause real harm and lasting damage. Commonly deployed against small businesses and other larger organizations, the attack works by snatching up large sets of files and encrypting them, demanding payment in order to redeliver. 

The main reason this type is so dangerous is that once cybercriminals get a hold of sensitive data, no security software or system restore can get them back unless the ransom is paid. Even if an organization does decide to pay up, there’s no guarantee cybercriminals will provide the files back safely.

Conclusion

As we have already seen, 2020 will have many cyberthreats to contend with –– many due to COVID-19. Trojans such as Emotet and TrickBot had successful runs last year and we can expect them, or other multi-purpose malware like them, to make a comeback.

While it may seem hopeless and at times even impossible, the good news is it’s not. There are a few key steps every organization can take to protect its digital landscape.  To protect sensitive digital assets, it’s good to start with the basics, like getting organized, understanding attack and breach implications.

But protecting digital assets comes with its own set of unique challenges and proper preparation is required to thwart off and defend against these kinds of attacks. By having safely guarded cryptographic keys and organizational data –– and a proper HSM device in place to protect them –– organizations can protect themselves against incoming ransomware attacks by preventing them from happening in the first place.


Join Hub Security’s CTO online this Thursday, April 30th for a free webinar to discuss cybersecurity threats related to ransomware, IoT vulnerability, and quantum computing.

Deutsche Banken erweitern Krypto-Serviceangebote nach neuem Recht

Die 5. EU-Geldwäscherichtlinie ist am 1. Januar 2020 in Kraft getreten und baut auf die 4. EU-Geldwäscherichtlinie auf. Unter anderem nimmt sie nun auch Anbieter von Kryptowährungen in die Pflicht. Das Gesetz bezieht EU-weit Verkauf und Verwaltung von Bitcoin und anderen Kryptowährungen mit ein.

Die Erweiterung erlaubt Banken, Bitcoin oder Ethereum wie Wert- oder Pfandbriefe zu behandeln. So können dem Kunden alle damit verbundenen Finanztechnologien angeboten werden. Bis jetzt hat nahezu kein einziges deutsches Geldinstitut virtuelle Währungen im Programm – doch das wird sich nun im Zuge des neuen Gesetzes ändern.

Bei der Bundesanstalt für Finanzdienstleistungsaufsicht BaFin sind bereits 40 Anfragen von Banken für die Genehmigung von Krypto-Custody-Lizenzen eingegangen.

Eines der ersten Geldinstitute, das Dienstleistungen im Bereich der Kryptowährungen anbietet, ist die Solarisbank aus Berlin. Sie hat im Dezember vergangenen Jahres die Tochter Solaris Digital Assets gegründet, um sich dem digitalen Anlagenmarkt anzunehmen. Solarisbank ist im Besitz einer vollen Banklizenz und hat ihre Dienste bereits in der Vergangenheit zahlreichen deutschen FinTech-Startups angeboten.

“Digitale Vermögenswerte werden den Finanzmarkt grundlegend ändern” sagt Michael Offermann, geschäftsführender Direktor für Kryptobanking bei Solarisbank. “Sobald Kauf und Verwahrung von Bitcoin einfacher werden, erwarten wir einen starken Zuwachs.”

Der Blockchain-Wert der Industrie knackt Schätzungen zufolge 2023 die 23 Milliarden-Dollar-Marke. Blockchainbasierte Dienste werden also allgegenwärtig sein. Doch das Wachstum der Industrie bringt auch Gefahren mit sich. (-mehr)

Die inhärenten Sicherheitsvorkehrungen von Blockchains können Angriffe auf DLT-Transaktionen abwehren, machen sie jedoch nicht immun. Tatsächlich hat die Distributed-Ledger-Technologie mit Gefahren zu kämpfen, die zentralen Datenbanken fremd sind. Die Liste der Anbieter von Blockchain-Technik, die Opfer von Hackerangriffen geworden sind, wird immer länger.

Während manche Experten die Öffentlichkeit immer wieder daran erinnern, dass DLT gegenwärtigen Datensicherheitslösungen weit voraus ist, glauben andere wiederum, Firmen sollten extra Maßnahmen zur ausreichenden Sicherung ihrer digitalen Vermögenswerte ergreifen. Mit wachsenden Nutzerzahlen von Blockchain- und DLT-basierten Technologien im Regierungs- und Wirtschaftssektor wächst das Bedürfnis, die mit ihrer Nutzung verbundenen Risiken zu diskutieren.

Die zahlreichen Cyberbedrohungen von heute machen Banken zu beliebten Zielen von Cyberattacken wie Credential Stuffing , Phishing und Ransomware. Die gute Nachricht dabei ist, dass bereits bewährte Schritte unternommen werden können, um digitale Vermögenswerte zu sichern.

1. Cloud Security auswerten

Banken können den momentanen Sicherheitszustand der Cloud mit Sicherheitsmaßstäben, best practices und Regelkonformität vergleichen.

2. Cloud Security überwachen

Banken können mithilfe eines Risiko-Management-Tools die Gefahrenerkennung automatisieren – so werden potentielle Gefahren angegangen, bevor sie zum Problem werden.

3. Strenge Richtlinien für das Zugangsmanagement

Banken können sich vor internen Gefahren schützen, indem sie nur denjenigen Mitarbeitern Zugangsrechte garantieren, die sie wirklich brauchen. 

4. Disaster-Recovery-Lösungen

Mit dem richtigen Plan in der Hinterhand können Banken Datenverlust verhindern und die Ausfallzeit nach einer Störung minimieren. Das kann natürlich nur funktionieren, wenn regelmäßige und zahlreiche Backups durchgeführt werden.

5. Daten kryptographisch verschlüsseln

Kryptographische Verschlüsselungen und Sicherung der kryptographischen Schlüssel mit HSM sorgen dafür, dass sensible digitale Vermögenswerte immer geschützt sind – selbst im Falle einer Gefährdung der IT-Struktur einer Bank.

Learn more on digital assets, compliance and cyber security from our experts

Cyber Security Fireside Chat – Coronavirus, Government Backdoor and Cloud Vulnerability

We held a fireside chat with our very own, Andrey Iaremneko, Hub Security CTO and Shterny Isseroff discussing urging cyber security matters

Tokensoft Partners with Ex-military Cyber firm Hub Security to Provide Ultra-secure Token Platform HSM

Covid-19 prevents people from coming to work and operating the on-premise security systems that controls large amounts of assets. Hub security enables to do that remotely with the same security standard

EY Launches Baseline Protocol, an Open Source Initiative for the Public Ethereum Blockchain

EY announced in early March the launch of its Baseline protocol project. The new initiative is a an open-sourced paackage of blockchain tools that will allow enterprises to build and deploy blockchain-based products securely and privately on the public Ethereum blockchain. The project is part of a joint effort between EY, ConsenSys and Microsoft.

The Baseline protocol leverages several technologies, including zero knowledge proofs, off-chain storage and distributed identity management so that enterprises can define and synchronize processes and agreements using common standards, with full privacy, and without storing sensitive business information on the blockchain itself.

“This initiative builds on that groundwork and starts filling in gaps such as enterprise directories and private business logic so enterprises will be able to run end-to-end processes like procurement with strong privacy,” said Paul Brody, EY Global Blockchain Leader.

The Baseline protocol will also support smart contracts and industry-wide tokenization standards. In doing so, they will enable an ecosystem of interoperable business services. Key process outputs like purchase orders and receivables are tokenized and integrated into the decentralized finance (DeFi) ecosystem.

The initial release of the Baseline protocol includes the process design and key components to enable volume purchase agreements and lays the groundwork for blockchain applications that link supply chain traceability with commerce and financial services.

“With the Baseline protocol, we are developing enterprise processes that are ecosystem ready because they are being built in a truly blockchain-native manner. When delivered on the public Ethereum network, this will drive adoption and the whole ecosystem,” said Yorke Rhodes, Principal Program Manager of Blockchain at Microsoft.

By supporting smart contracts and tokenization, as well as integrating into a DeFi ecosystem, enterprises will have access to an extensive toolbox of resources with which to research and develop blockchain solutions. The protocol enables confidential and complex collaboration between companies and enterprises without leaving sensitive data on-chain.

Heightened Coronavirus Travel Ban Raises Cybersecurity Risks & Threats

While the World Health Organization (WHO) hasn’t declared the novel coronavirus a global pandemic yet, the infectious disease continues to spread at a rapid pace, affecting both the global economy and global health. The virus has been detected inover 85 countries as of Money and data from Johns Hopkins University confirms more than 110,000 cases of the virus attributed to the COVID-19 disease.

In an attempt to control the spread of the virus, we’ve seen an increase in restrictions on travel. Last week the US announced that travelers coming into the US on direct flights from Italy and South Korea will be screened for symptoms, while travelers from China are already being screened. One sector of the tech economy already feeling the immediate impact of the changing policies is industry events. From travel bans to bans of large gatherings, officials are canceling industry conferences left and right; leaving conference organizers, attendees, exhibitors, and sponsors scrambling to make new plans.

But now, due to the coronavirus outbreak and an increase in travel restrictions, the way we work may be undergoing a radical shift. Now more remote workers are working from home than ever as the global workforce shifts to mitigate the spread of COVID-19. Soon the cohorts working from home will grow into armies as the Chinese Lunar New Year comes to an end and Chinese companies begin restarting operations. Now because of the heightened pace of coronavirus’s spread, the return to work is likely to usher in the world’s largest work-from-home experiment. In 2020, working from home is no longer a privilege –– it’s a necessity.

While we won’t know the coronavirus’s effects on the overall nature of work for some time, we do know that working from home lends serious questions to the heightened cybersecurity risk for many InfoSec and IT security employees. Unlike working from the office, working from home often means working in an unsecured environment. This shift’s effect on many working specifically in banking and cloud enterprise should cause alarm. Employees with high-access management permissions should be on high alert as they self-quarantine, especially if they are responsible for accessing highly sensitive financial, business or consumer data without proper endpoint security measures in place.

In another risk, outlined in a December 2019 weekly tech advice column, the FBI’s Portland office released an ominous warning to US homeowners, “Your fridge and your laptop should not be on the same network.” That’s because your most vulnerable IoT devices –– think wireless cameras, baby monitors, smart thermostats and smart locks, all hold unique vulnerabilities that can be easily exploited. It’s no secret in the cybersecurity world that today’s hackers specifically target home IoT devices to gain entry to your home’s wireless network.

The FBI’s best advice for keeping your devices secure and safe? “Keep your most private, sensitive data on a separate system from your other IoT devices.” According to the FBI’s recommendation, you should have two routers at home: one for your IoT devices and another one for your more private devices.

Whatever the future of work may look like, the cybersecurity implications of a home-based workforce cannot be denied. Companies and cybersecurity professionals must mobilize to provide their organization’s workforce with proper cybersec and threat prevention training. In order to mitigate the cyber risks of a home workforce, heightened education and training is needed for the cyber risks associated with the post-corona economy.

Learn more about Hub Security’s miniHSm device and military-grade key management solutions and how they can help you stay secure and protected –– no matter where you’re working from.

4 Blockchain Security Risks To Consider Before Building a Blockchain-based Solution

With the blockchain industry’s value estimated to hit $23B by 2023, it’s hard to keep track of the amount of blockchain-based solutions launching each month. As the industry grows though, so does its risks. While the security features inherent in blockchains make DLT resistant to attack, they do not make it immune. In fact, DLT technology is subject to a number of issues that centralized databases are not.

The growing list of blockchain technology providers who have become victims of malicious hacks and attacks is starting to make many wonder if blockchain is really as secure as it’s made out to be. While industry experts continue to remind the public that DLT technology is eons beyond current data security solutions, many still believe companies should take extra precautions when safeguarding their data –– especially on the cloud.

As more governmental, industrial, and commercial sectors adopt the use of blockchain and DLT-based technology, there’s a growing need for discussion. Below are some points to consider which also serve as a means to raise awareness of the risks still associated with the use of blockchain and Distributed Ledger Technology.

Blockchain Security Risks

1. Endpoint Vulnerabilities

One of the most common points of vulnerability with DLT technology is actually outside of the blockchain. Endpoint vulnerabilities are critical because of where they take place: at the time and place humans and blockchains meet. Simply put, an endpoint could be anywhere an individual is using to access sensitive data such as the computer of a bank employee.

Since most hackers know there’s no use in attempting to guess a user’s keys, they spend a lot of time trying to steal them. The best chance of obtaining keys is to attack the weakest point in the entire system, a personal computer or mobile device.

The process of accessing the blockchain in order to receive that data is what makes endpoints so vulnerable. Endpoints provide malicious attackers the opportunity they need to get nasty code in or out. Once a device is exploited, hackers can piggyback off the credentials of high-access users in order to do the most amount of damage.

2. Vendors

As DLT adoption continues to grow, many look to new solutions to provide them with the security and protection DLT technology promises. But while many new products continue to grow, it also creates another security vertical of great concern: vendor risks. Often, companies looking to deploy 3rd-party blockchain apps and platforms are not aware of the security risks associated with faulty and exposed vendors.

It’s not uncommon for vendor solutions to have limited focus on security measures with weak security controls on their own systems, flawed code, and even personnel vulnerabilities that can easily expose their clients’ blockchain credentials to unauthorized users. This threat is especially relevant when discussing products that involve the use of smart contracts. Since an organization’s entire operation and policies can be housed as a smart contract on a blockchain, a vulnerability of this magnitude has the potential to be catastrophic.

3. Untested Code

While Bitcoin has been around awhile, blockchain technology is still considered highly experimental. While we still don’t know the full scale of what’s possible ––– security experts can agree on one thing: every new blockchain product that leverages DLT technology must undergo vigorous testing before being released to the public. While some DLT projects are tempted to launch their half-heartedly tested code on live blockchains, the cyber risks can be damaging and long-lasting.

As new technologies enter the market, developers are incentivized to be first or early with the release of applications, often at the risk of deploying insufficiently tested code on live blockchains. Given the decentralized model of many blockchain solutions, the risks are often greater due to the irreversibility of the technology.

4. The On-ramp 

The on-ramp of digital assets is one of the most critically exposed points in the development of a blockchain-based solution. More specifically, how are the assets and information securely signed on to a blockchain? This all comes down to the private keys used to sign and encrypt blockchain transactions. If someone gets ahold of the keys, the entire downstream blockchain-based solution is corrupted.

Not only is protecting these keys critical but also ensuring they’re used safely, e.g. not exposed by software when used to sign a transaction. Additionally, the process of approval for using the keys must be protected –– otherwise, someone can hack or impersonate an approver and sign a malicious transaction. And of course, this element of your blockchain solution needs to be considered from the start, or else it will likely prevent or slow down a successful transition into production.

Looking Forward

Adopting new technologies always comes with the fear of the unknown. While blockchain-based solutions continue to provide customers with high levels of security and transparency, the onus falls on product designers to begin considering security from day one. From design to development, every step in the product development cycle is crucial to ensuring products are safe, reliable and secure for consumer use.

What Blockchain-based Projects Need to Consider Before Writing a Single Line of Code

With the explosion of distributed ledger technology (DLT) as a safe and secure solution for transparently handling and sharing information across organizations, many businesses are jumping on the DLT bandwagon. Proponents of the distributed ledger technology known as blockchain consider it to be one of the best ways to secure transactions.

But while blockchains have many desirable features, such as transaction efficiency, there are still other conditions and requirements to consider when leveraging blockchain technology for business. The publication of DTCC’s most recent paper on the matter outlines key risks associated with the use of the nascent technology and an acknowledgment of the many security risks still associated with its use for both small businesses and enterprises alike.

“With the adoption of DLT across the financial services ecosystem likely to continue to increase in the coming years, we need to be certain that all DLT-related security risks are identified and addressed to maintain the safety and stability of the markets,” said Stephen Scharf, Chief Security Officer at DTCC.

With hundreds of new blockchain-based products released each year, many of today’s development teams don’t consider the security risks associated with the use of DLT early enough on in the project development cycle. Infosec usually isn’t on every founder’s mind when they start projects, especially when it comes to pilots. Once things are in the air, often they are forced to take a few steps back once they realize they hadn’t considered security performance and infrastructure from the get-go. Interestingly, the same is often true for blockchain vendors who are in a rush to get their products deployed.

The fact of the matter is, most don’t consider the fact that all blockchains aren’t created equal. It’s important for businesses to be aware of this fact when evaluating whether the technology they’ve chosen will have the proper security measures they require –– both internal and regulatory.

For fintech solutions looking to meet security regulation standards, opting for a simple cloud-based solution often can do more harm than good. Trusting cloud providers can be risky business –– or better yet, a major risk for your business. However you choose to look at it, while many cloud providers promise to keep highly sensitive data secure many also fail to do so as the recent WSJ’s Cloud Hopper investigation revealed.

When establishing a private blockchain, businesses must consider the best platform for deployment. While blockchain has inherent properties that provide security, known vulnerabilities in any infrastructure can be manipulated by those looking to get their hands on yours or your customer’s data.

Ideally, you should have an infrastructure with integrated security that can:

  • Prevent even root users and administrators from accessing privileged information.
  • Prevent illegitimate attempts to change data or applications within the network.
  • Protect encryption keys using the highest-grade security standards.

Considering these capabilities before developing your DLT-based solution will ensure your blockchain network has the added protection it needs to prevent attacks from both within and without.


Learn more on Hub Security blockchain protection

What Is Public Key Infrastructure (PKI)?


Encryption requires high levels of cryptography and secrecy. Often encryption aids in the transfer of data from one point to another, safeguarding the data lest it is intercepted or falls into the wrong hands.

Encryption is most commonly used on documents and messages before they’re transmitted, but if the recipient of the information cannot verify its source or the identity of the sender, the authenticity of the information may not be trustworthy.

This is the primary reason for the use of keys when decrypting data. Keys are shared between the sender and receiver of encrypted communications and verified by digital certificates in order to establish the integrity of any incoming information.

In the world of data encryption and decryption, there are typically two kinds of keys, private keys, and public keys. Private keys are when both the sender and recipient of the information have an identical key that allows for the translation of the incoming data. In cases of private keys, both parties must make efforts to keep the key secret and safeguarded –– which can become challenging when more than two keys are involved.

That’s where public keys come in useful. Used more often today, public keys can be used to encode information and a private key is required to decrypt it. A good example of this would be credit card usage. While a credit card company may provide an authorization device with a key that is readily available, customers must input a pin that allows the machine to decrypt their information, making the sharing of sensitive financial data more regulated and secure.

Public keys are the basis for a Public Key Infrastructure when decrypting highly-sensitive data. PKIs enable the use of digital signatures and encryption across large user sets. The Public Key Infrastructure (PKI) is the set of hardware, software, policies, processes, and procedures required to create, manage, distribute, use, store, and revoke digital certificates and public-keys.

Often they help establish the identity of people and devices, enabling controlled access to systems and resources, protecting data and authenticating transactions. Many of today’s emerging technologies, especially within the fintech space, are becoming more and more reliant on PKI technology to guarantee security and protection of sensitive data.

What Is a Hardware Security Module

A hardware security module (HSM) is a dedicated cryptographic processor designed to protect highly critical and sensitive keys and assets. HSMs act as trust anchors that protect the cryptographic infrastructure of some of the most security-conscious organizations in the world. This piece of hardware may look small, but is mighty powerful. It has the ability to securely manage, process, and store cryptographic keys inside its hardened, tamper-resistant shell.

Hub Security Partners with Seagate Technology Lyve Labs Tel-Aviv

Hub Security is proud to announce its partnership with Seagate as part of its new initiative to explore ways to create safe and secure data management solutions.

Telefonica Pilots Telecom Blockchain Access with 8,000 Spanish Firms

The Spanish telecommunications giant Telefonica recently reported it will launch a new partnership with the local Association of Science and Technology Parks (APTE) to grant 8,000 Spanish firms access to its blockchain.

Top 5 Cyber Threats Facing Banks in 2020

With all the cyber threats that exist today, banks are more vulnerable than ever to becoming the next victim of a malicious cyberattack. With the growing list of fintech solutions offered in banking and the most recent Cloud Hopper investigation released by WSJ, 2019 was an early indicator of cyberthreats still to come in the year ahead.

According to a new report released by the Federal Reserve Bank of New York, just a single cyberattack targeting one of the largest U.S. banks would likely have a major ripple effect on the global financial system. Even today, with a growing awareness of the cyber-risks involved in a banking sector driven by technology, there’s a greater risk facing banks than ever before.

With all this in mind, here are the top five cyber risks every financial institution should be prepared to defend against in 2020.

1. Credential Stuffing

Credential stuffing is a type of cyberattack that usually targets the personal data of banking customers. Using stolen account credentials, hackers can gain unauthorized access to user accounts using automated large-scale login requests. The stolen information can then be used to bombard websites and servers in order to try to gain access to critical IT infrastructure. This practice is known as credential stuffing.

List of keys and logins are often obtained via the dark web and allows hackers to save lots of time by avoiding the need to play the password guessing game.

“There is an automated process where the hacker can log thousands to millions of breached passwords and usernames using standard web automation tools,” says Brian Brannon, VP of security product strategy for Safe Systems, an IT security firm that works with community and small banks.

Credential stuffing differs from a brute force attack because in credential stuffing operations attackers are often using usernames and passwords that are known to have been good at some point or another. For banks, credential stuffing is an emerging and credible threat that will only get worse as the number of data breaches increases.

2. Cloud Providers

Cloud services come in very useful by helping banks offset IT expenses, boost system uptime and ensure their data is being stored safely. But the promises of the cloud have come with a few hard-earned lessons when it comes to customer data and security.

With so much information stored on the cloud, particularly for the use of public services, cloud providers have become easy targets for malicious attackers looking to gain access to financial institutions. To get a clearer picture of the problem, consider that over 1.4 billion records were lost to data breaches in March 2017 alone –– many of which involved cloud servers.

With the Wall Street Journal’s recent release of their investigation into the global hacking campaign known only as ‘Cloud Hopper,’ the true depth of the risks associated with compromised cloud data couldn’t be more evident, or alarming.

For the Cloud Hopper attack, hackers known as APT10 gained access to cloud service providers, where companies believed their data was being safely stored and protected. Once in, the hackers freely and anonymously hopped from client to client, evading investigator’s attempts to eliminate them for years.

According to WSJ, the attack went far beyond the 14 companies listed in the indictment, stretching across at least a dozen cloud providers, including CGI Group Inc., Tieto Oyj, and International Business Machines Corp.

To make things worse, investigators said many major cloud companies stonewalled clients as to what was happening inside their networks. Contrary to what many bank executives might think, the sole responsibility for protecting corporate data in the cloud lies with the cloud customer, not the service provider. Hence, no cloud provider is legally or contractually obligated to ensure the safety of customer data –– as much as they may promise to do so.

3. Phishing Attacks

Phishing is a common type of cyberattack that’s often used to steal user data, including login credentials and credit card numbers. But lately, there’s been an increase in phishing attacks targeting bank employees. Phishing occurs when an attacker tricks an unsuspecting victim into opening a malicious link, leading to an installation of malware which then freezes the system as part of a ransomware attack.

An attack can have devastating results on a business –– especially a financial institution like a bank. Phishing can be used to gain a foothold in a network as a part of a larger attack like an advanced persistent threat (APT) event. In this scenario, an employee is compromised in order to bypass security perimeters, distribute malware inside a closed environment, or gain privileged access to secured data.

With access to an employee’s email account, cybercriminals can read a bank’s sensitive information, send emails on the bank’s behalf, hack into the employee’s bank accounts, and gain access to internal documents and customer financial information. This can result in millions of dollars worth of damage in both financial and reputational risks for the institution and its employees.

4. Ransomware

Ransomware is a type of malware that encrypts data, making it impossible for the owners of that data to access it unless they pay a hefty fee. In March 2017, the WannaCry virus spread independently through the networks of unpatched Microsoft Windows devices, leaving thousands of computers infected and making off with a total of 327 payments totaling $130,700.

Although ransomware has costs businesses more than $75 billion per year in damages (Datto), ransomware still remains one of the most common forms of cyberattack. Banks remain top targets for ransomware attacks, as cybercriminals follow the money for big payoffs. According to a Kapersky Labs report, cybersecurity statistics show attacks were launched from within more than 190 countries, with financial services the second most targeted industry after healthcare.

Successful ransomware attacks, especially on smaller banks, are the result of a lack of IT resources, outdated security tech and protocols, and inadequate endpoint cyber-protection. To help protect themselves against ransomware, financial institutions should place many uniquely-tailored protection layers throughout their networks –– each one acting as an obstacle to block malicious software attacks.

5. Internet of Things (IoT) Exploitation

While a majority of exploitation attempts stem from software vulnerabilities, they can just as easily begin from vulnerable pieces of hardware. Anything from an employee device to a router connected to an unsecured network can put an entire organization’s digital infrastructure at risk.

For many CISOs, this may sound like preaching to the choir –– but unbeknownst to many is how easily exploitable their IoT devices are since they’re often not required to have the same level of security scrutiny as computers. Unsecured IoT devices, such as, home routers, printers, and IP cameras are all vulnerable to attack.

As institutions continue to connect more gadgetry to the internet, the number of potential security weaknesses on their networks are also more likely to increase. To breach a financial institution, attackers will target insecure devices to create a pathway to other systems. Once they have an entryway from an IoT device, they have full access to the entire network, including all customer data.

Today’s hackers also have the unfavorable ability to easily exploit a bank’s API system since many legacy APIs weren’t designed with the cloud in mind. This leaves many systems vulnerable from the get-go –– and open banking has just been making the problem worse.

What Banks Can Do

If after reading this article, you’re starting to doubt the security of your organization’s IT structure, know you’re not alone. Here are just a few methods you can adopt in order to create a more safe and secure digital landscape and defend against potential cyberthreats.

1. Assess Your Cloud Security

Regularly review your cloud infrastructure to ensure it’s up to date. Assess your cloud security’s current state compared to security benchmarks, best practices and compliance standards.

2. Monitor Your Cloud Security

Use a vulnerability management tool to help you automate threat detection and protect against potential threats before they become a problem.

3. Establish Strict Access Management Policies

By only providing access permissions to employees who require it, you’re ensuring your organization is well-protected from within –– especially if you employ contractors or part-time workers.

4. Establish a Disaster Recovery Plan

Having a plan in place helps you avoid data loss and allows your to minimize downtime after a disruption. This only works if you backup your data regularly and often.

5. Encrypt Your Data

Encrypting your data cryptographically, and protecting the cryptographic keys to that kingdom, ensures your most sensitive digital assets are always protected –– even if your IT structure is critically compromised.

Learn more on HUB Security for banking and digital asset protection


Scroll to top

JOIN OUR NEWSLETTER

Keep up with cyber security news!