Privacy Watch Weekly – 2016-08-12


New Hack Uses Hard Drive’s Noise to Transfer Stolen Data from Air-Gapped Computer

Air-gapped computers that are isolated from the Internet and other computers have long been considered the most secure and safest place for storing data in critical infrastructures such as industrial control systems, financial institutions, and classified military networks.

However, these systems have sometimes been targeted in the past, which proves that these isolated systems are not


In right balance, environmental regulations increased firms’ profits, new study finds

CEOs and corporate lobbyists often spend plenty of time decrying how potential government regulations will affect their bottom line, but a new study finds that the US Clean Water Act, when implemented in the right balance, improves firms’ profitability.


UK: Lessons to learn from a £40,000 fine for a mishandled subject access request.

Background

The UK’s privacy regulator, the Information Commissioner’s Office (“ICO”), has issued a GP practice with a fine of £40,000 for unlawfully disclosing the personal data of two individuals in response to a data subject access request (“SAR”) from a third person. In its public statement on the enforcement action, the ICO criticised the practice for not having adequate systems or training in place to ensure that its staff were equipped to deal with SARs properly.

A SAR is a request under section 7 of the Data Protection Act 1998 for, amongst other things, the personal data of the requester which is held by the organisation to which the request is directed. In this case, the request came from a father, who submitted the request on behalf of his son, asking for details of his son’s medical records. However, in preparing what appears to have been a hasty response to the request, the surgery also disclosed personal details relating to the child’s mother, who was estranged from the father, as well as those of the mother’s parents and an older child the man was not related to. This was in spite of explicit instructions to the surgery from the mother to protect her details from the father.

Although the person at the surgery dealing with the request made some effort to consult with the child’s GP, the decision was made to disclose the child’s entire medical records without any redaction.

The ICO indicated that it had taken into account the individual liability of the surgery’s partners when setting the level of the fine, and that most organisations would expect to receive a much larger fine for a similar breach.

 

Lessons

This case illustrates a number of common failings with the way in which organisations deal with SARs. In particular, the following shortcomings were apparent:

 

  1. Preparing a “blanket” response to a SAR – a SAR is a request for an individual’s personal data only. It does not authorise an individual to receive full copies of any records relating to them, and an organisation should not simply disclose an individual’s file in its entirety.
  2. Not taking into account third party personal data – the ICO’s guidance is very clear that an organisation does not have to comply with a SAR where doing so would necessitate the disclosure of a third party’s personal data where that third party: (i) has not consented to the disclosure of their personal data; and (ii) it is not otherwise reasonable to disclose their personal data without their consent. In this case, the mother had explicitly told the surgery to protect her personal details, so it was clear that the surgery should have redacted her details from the records disclosed, or withheld any records that could not be disclosed without revealing her details. In other cases, organisations will need to either actively seek consent from third parties, or make judgments about whether it is reasonable in all the circumstances to disclose third party personal data without consent.
  3. Not having a system in place to deal with SARs – when the SAR was received, there was a clear breakdown in communication between the staff member nominally responsible for the response, and those within the surgery who knew the child and were aware of the mother’s warnings. In addition, the staff member responsible does not appear to have followed a set process for considering and responding to the request, but simply sent out the child’s file in its entirety. A good SAR system, underpinned by an appropriate policy, will follow a series of steps, from validating the identity of the requester and the scope of the request, to conducting a full and proper search, pulling in all relevant parts of the organisation, to then considering the relevant records and applying any exemptions to the records to redact information which should not be disclosed.
  4. Not providing staff with training on data protection – the ICO made it clear that it did not blame the individual staff member, but rather the surgery as a whole for not providing its staff with appropriate training regarding their obligations under data protection law, and the particular issues to consider when dealing with SARs.

SARs are sometimes seen as an inconvenient administrative burden by organisations. However, the General Data Protection Regulation, due in force in 2018, will enhance the rights of data subjects even further and reduce the response time for organisations from 40 to 30 days. Therefore, there has never been a more important time to get to grips with dealing with information rights, and, as this case demonstrates, there are potentially severe consequences for not doing so.


RetroScope opens doors to the past in smart phone investigations

The increasing use of mobile technology in today’s society has made information stored in the memory of smart phones just as important as evidence recovered from traditional crime scenes. Now researchers are working on a new technique to aid law enforcement in gathering data from smart phones when investigating crimes.


Car Thieves Can Unlock 100 Million Volkswagens With A Simple Wireless Hack

In Brief
Some 100 Million cars made by Volkswagen are vulnerable to a key cloning attack that could allow thieves to unlock the doors of most popular cars remotely through a wireless signal, according to new research.

Next time when you leave your car in a parking lot, make sure you don’t leave your valuables in it, especially if it’s a Volkswagen.

What’s more worrisome?

The new attack


USENIX 2016: How to Scrutinize "Password1"

On the first day of USENIX, one talk particularly caught my attention. Daniel Lowe Wheeler from Dropbox talked about password strength estimation, and he started with the USENIX online account registration, which rates “password” as a fair password, “Password” as good, and “Password1” as strong, while “zjwca” is rated as weak. He argued that, while password guessing has improved over the last 35 years, password policy has not evolved much since 1979. Moreover, password policies are inconsistent and not always helpful: two previous studies found 142 distinct policies on 150 sites and 50 distinct policies on 50 sites, respectively.

To put an end to this, the authors propose a client-side piece of JavaScript that takes 3 ms to run and gives accurate estimates for online attacks by the best available algorithms. The core estimator takes the minimum rank of the input over lists such as top passwords (“password”, “123456”, etc.), top surnames (Li, Khan, etc.), and user-specific information (user name, etc.). It also considers word transformations such as 1337, caps, and reversing, as well as keyboard patterns and sequence patterns. All this information is combined into an estimate of how many guesses a sophisticated algorithm would need to find the password.

To evaluate the estimates, the authors used a large data set consisting of leaked passwords as well as other sources. On this data set, other password strength estimators perform quite badly, overestimating the number of attempts for a lot of passwords that would be found in less than 10^5 tries. A particular offender is NIST entropy, which is completely oblivious to real-world choices such as “password”. In comparison, overestimating happens for very few passwords with zxcvbn.

The software is available at https://github.com/dropbox/zxcvbn, and it is already used by a number of companies, most notably WordPress.
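As an added example (not code from the zxcvbn project or the talk), the following miniature estimator shows the idea sketched above: each segment of the password is costed by the cheapest of a dictionary-rank model (with caps, reversal and l33t variations), a sequence model, a keyboard-walk model and a brute-force fallback, and the whole password is costed as the cheapest product of segment costs. The word lists, variation multipliers and combination rule are assumptions chosen for illustration, not zxcvbn's actual tables.

```javascript
// Added illustration (not code from the zxcvbn project): a miniature zxcvbn-style
// estimator taking the minimum over dictionary-rank, sequence, keyboard-walk and
// brute-force models per segment. Word lists, costs and multipliers are assumptions.
const DICTS = {
  passwords: ["password", "123456", "qwerty", "letmein", "monkey", "dragon"],
  surnames: ["smith", "li", "khan", "garcia", "muller"],
};
const L33T = { "4": "a", "@": "a", "3": "e", "1": "i", "!": "i", "0": "o", "$": "s", "5": "s", "7": "t" };
const KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]; // 26 keys in total

// 1-based rank of a token in the first list holding it (Infinity if none); user-specific inputs rank 1.
function minRank(token, userInputs) {
  if (userInputs.includes(token)) return 1;
  let best = Infinity;
  for (const list of Object.values(DICTS)) {
    const i = list.indexOf(token);
    if (i >= 0) best = Math.min(best, i + 1);
  }
  return best;
}

// Assumed capitalisation multiplier: lower 1, Capitalised or ALLCAPS 2, mixed 2^k.
function capsVariations(seg) {
  const upper = (seg.match(/[A-Z]/g) || []).length;
  const lower = (seg.match(/[a-z]/g) || []).length;
  if (upper === 0) return 1;
  if (lower === 0 || (upper === 1 && /^[A-Z]/.test(seg))) return 2;
  return 2 ** Math.min(upper, lower);
}

// Dictionary model: try the segment lower-cased, reversed and de-l33ted.
function dictionaryGuesses(seg, userInputs) {
  const lower = seg.toLowerCase();
  const candidates = [
    [lower, 1],
    [[...lower].reverse().join(""), 2],                // reversal doubles the work
    [lower.replace(/[4@31!0$57]/g, c => L33T[c]), 2], // so does l33t substitution
  ];
  let best = Infinity;
  for (const [cand, factor] of candidates) {
    const rank = minRank(cand, userInputs);
    if (rank !== Infinity) best = Math.min(best, rank * factor * capsVariations(seg));
  }
  return best;
}

// Sequence model: "abcdef", "123456", "654321" (descending costs double).
function sequenceGuesses(seg) {
  if (seg.length < 3) return Infinity;
  const delta = seg.charCodeAt(1) - seg.charCodeAt(0);
  if (Math.abs(delta) !== 1) return Infinity;
  for (let k = 2; k < seg.length; k++) {
    if (seg.charCodeAt(k) - seg.charCodeAt(k - 1) !== delta) return Infinity;
  }
  return (/^[0-9]+$/.test(seg) ? 10 : 26) * seg.length * (delta < 0 ? 2 : 1);
}

// Keyboard model: a straight walk along one qwerty row, in either direction.
function keyboardGuesses(seg) {
  if (seg.length < 3) return Infinity;
  const lower = seg.toLowerCase();
  for (const row of KEYBOARD_ROWS) {
    if (row.includes(lower) || [...row].reverse().join("").includes(lower)) {
      return 26 * 2 * (seg.length - 1); // start key x direction x steps
    }
  }
  return Infinity;
}

// Brute-force fallback: alphabet size raised to the segment length.
function bruteForceGuesses(seg) {
  let card = 0;
  if (/[a-z]/.test(seg)) card += 26;
  if (/[A-Z]/.test(seg)) card += 26;
  if (/[0-9]/.test(seg)) card += 10;
  if (/[^a-zA-Z0-9]/.test(seg)) card += 33;
  return Math.pow(card, seg.length);
}

// Cheapest cover of the whole password as a product of per-segment minima.
function estimateGuesses(password, userInputs = []) {
  const inputs = userInputs.map(u => u.toLowerCase());
  const best = new Array(password.length + 1).fill(Infinity);
  best[0] = 1;
  for (let j = 1; j <= password.length; j++) {
    for (let i = 0; i < j; i++) {
      const seg = password.slice(i, j);
      const cost = Math.min(dictionaryGuesses(seg, inputs), sequenceGuesses(seg),
                            keyboardGuesses(seg), bruteForceGuesses(seg));
      best[j] = Math.min(best[j], best[i] * cost);
    }
  }
  return best[password.length];
}
```

With these toy lists, “Password1” costs 20 guesses (rank-1 word, capitalised, plus one brute-forced digit) while the random “zjwca” costs 26^5, the opposite of the registration form's rating in the talk.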


Sophos Server Protection gets an update!

We’ve just updated Sophos Server Protection in Sophos Central, adding next-generation malware prevention and detection techniques for server environments.

Solid server security starts with good operational hygiene, which includes restricting who and what can reach the server, and what applications can run.

We’ve now made that easier in Sophos Central Server Protection with the inclusion of:

  • Malicious Traffic Detection on both Linux and Windows servers: Malware frequently connects to remote servers for further instructions, updates or uploads of data. Malicious Traffic Detection, or MTD, monitors traffic for signs of connectivity to known bad URLs. If malicious traffic is detected, suspect executables are scanned on all servers licensed with Sophos Central Server Protection Advanced and can be blocked on Windows servers.
  • Peripheral Control: For physical servers, good operational hygiene should include limiting access via peripheral devices, including removable storage, modems and devices such as phones, tablets and cameras. With Sophos Central Server Protection, customers can monitor (Standard license) and block (Advanced license) the use of peripheral devices for their servers with ease.
  • Application Control: You can now define policies to allow or block certain categories of known applications on servers. This is in addition to our Server Lockdown feature, which doesn’t allow any applications to run other than those explicitly allowed. (Applicable for Windows servers with Advanced licenses).
  • Download Reputation: We provide a trustworthiness score for each downloadable file, based on SophosLabs research, giving you reassurance that you are downloading only safe files to your server. This is now available with either the Standard or Advanced licenses on Windows servers.

You can get a free trial of Central Server Protection Advanced here. Customers of Central Server Protection Advanced will automatically receive these updates.

Filed under: Corporate, Server Tagged: Sophos Central, Sophos Server Protection


World should consider limits to future internet expansion to control energy consumption

The world should consider ways to limit data growth on the internet to prevent run-away energy consumption and help limit carbon emissions, say leading computer scientists.


Linux TCP Flaw allows Hackers to Hijack Internet Traffic and Inject Malware Remotely

If you use the Internet, there is a chance that you are open to attack.

The Transmission Control Protocol (TCP) implementation in all Linux systems deployed since 2012 (version 3.6 and above of the Linux kernel) poses a serious threat to Internet users, whether or not they use Linux directly.

This issue is troubling because Linux is used widely across the Internet, from web


Blackhat Firm Offers $500,000 for Zero-day iOS Exploit; Double Apple’s Highest Bounty

Last week, Apple finally announced a bug bounty program for researchers and white hat hackers to find and get paid for reporting details of zero-day vulnerabilities in its software and devices.

The company offers the biggest payout of $200,000, which is 10 times the maximum reward that Google offers and double the highest bounty paid by Microsoft.

But now Apple is going to face competition


Android apps can secretly track users’ whereabouts, researchers find

New research reveals that some Android apps may automatically transmit sensitive information, such as the routes you travel, through the phone’s built-in sensors. A malicious developer, he says, ‘can infer where you live, where you’ve been, where you are going.’


Oops! Microsoft Accidentally Leaks Backdoor Keys to Bypass UEFI Secure Boot

It’s True — There is no such backdoor that only its creator can access.

Microsoft has accidentally leaked the secret keys that allow hackers to unlock devices protected by the UEFI (Unified Extensible Firmware Interface) Secure Boot feature.

What’s even worse?

It will be impossible for Microsoft to undo its leak.
Secure Boot is a security feature that protects your device from


UK: Supreme Court – Information sharing and human rights

By James McGachie and Hazel Moffat

The Supreme Court has ruled that information-sharing provisions in Scottish legislation are not sufficiently precise to be compatible with Article 8 of the European Convention on Human Rights, a decision that marks only the second finding that provisions of a Scottish Parliament enactment fall outwith its legislative competence and which prevents the relevant sections coming into force as planned on 31 August 2016.

Background

The Children and Young People (Scotland) Act 2014 (the “2014 Act”) is aimed at promoting child welfare in Scotland. Under its “named person” scheme, an individual is designated to every child in Scotland (usually a teacher or health professional already known to the child) and is entrusted with promotion of well-being through support and advice in gaining access to services.

Information sharing is considered necessary to support these objectives. The 2014 Act provides that authorities must generally provide information to the named person where relevant to the exercise of the named person’s functions, or else where the public authority considers information sharing “necessary or expedient”.

Basis for challenge

Any Scottish Parliament legislation must remain within the realm of matters devolved to its jurisdiction and must also be compatible with EU law, including the European Convention on Human Rights (ECHR). Legislation can be challenged on the basis of falling outwith these categories.

Judicial review of the legislative competence of the 2014 Act was sought by a number of parties on grounds including incompatibility of the information sharing provisions with Article 8 of the ECHR. This provision affords the right to respect for private and family life, and ensures that any interference with these rights may only take place in accordance with law and where necessary in a democratic society.

Supreme Court decision

The Supreme Court held that the information sharing provisions in the 2014 Act are incompatible with Article 8 of the ECHR. In summary:

  • While finding the named person scheme was “unquestionably legitimate and benign”, the court considered the requirement to share personal data about children and families in order to protect their “well-being” caused a “disproportionate interference with Article 8 rights”. The court considered “well-being” is too low a threshold for information sharing and contradictory to the requirement for data to only be shared if it would protect an individual’s “vital interests” as outlined in the Data Protection Act 1998.
  • In making this finding, the court highlighted that confidential information concerning a child or young person’s state of health could be disclosed to or by a wide range of authorities without either the child / young person or their parents being aware of this, and in circumstances in which there was no objectively compelling reason for the failure to inform them. Such disclosure would fall under protection of the child’s “well-being”, without consideration of “vital interests”.
  • As currently drafted, the Supreme Court considered the interference caused to Article 8 rights by the new information sharing provisions was not in accordance with law or necessary in a democratic society. The court therefore made an order that the information sharing provisions were incompatible with Article 8 of the ECHR and therefore outside the legislative competence of the Scottish Parliament.

What does this mean for information sharing in future?

The Cabinet Secretary for Education and Skills, John Swinney, has stated that the government would start work to amend the 2014 Act “immediately” so the scheme can still be rolled out “at the earliest possible date”. Whether this will involve development of a higher threshold for information sharing, or further changes to the named person scheme in principle, remains to be seen.

The judgment highlights the need for any information sharing scheme to be designed to ensure compliance with both human rights and data protection obligations. This should be the foundation upon which any provisions regarding information sharing are constructed.

Where statute requires reference to be made to supporting statutory guidance prior to information being shared, it is imperative that such guidance is clear and comprehensive. The court noted that an information holder will have to address difficult questions of proportionality in relation to the disclosure of confidential information with only the help of statutory guidance issued under the 2014 Act, which the court found to be limited at present.


Microsoft Releases 9 Security Updates to Patch 34 Vulnerabilities

In Brief
Microsoft’s August Patch Tuesday offers nine security bulletins with five rated critical, resolving 34 security vulnerabilities in Internet Explorer (IE), Edge, and Office, as well as some serious high-profile security issues with Windows.

A security bulletin, MS16-102, patches a single vulnerability (CVE-2016-3319) that could allow an attacker to control your computer just by


Researchers develop tool to counter public health IT challenges

Front-line protection of US communities against disease epidemics relies on seamless information sharing between public health officials and doctors, plus the wherewithal to act on that data.


1967 solar storm nearly took US to brink of war

A solar storm that jammed radar and radio communications at the height of the Cold War could have led to a disastrous military conflict if not for the US Air Force’s budding efforts to monitor the sun’s activity, a new study finds.


System helps protect privacy in genomic databases

In a new study, researchers describe a new system that permits database queries for genome-wide association studies but reduces the chances of privacy compromises to almost zero.


Serious security threat to many Internet users highlighted

Researchers have identified a weakness in the Transmission Control Protocol of all Linux operating systems since late 2012 that enables attackers to hijack users’ internet communications completely remotely.


2 Hackers Win Over 1 Million Air Miles each for Reporting Bugs in United Airlines

Two computer hackers have earned more than 1 Million frequent-flyer miles each from United Airlines for finding and reporting multiple security vulnerabilities in the Airline’s website.

Olivier Beg, a 19-year-old security researcher from the Netherlands, has earned 1 Million air miles from United Airlines for finding around 20 security vulnerabilities in the software systems of the airline.


Sophos Endpoint Protection receives 2 AAA awards

Sophos Endpoint Protection has been awarded 2 AAA awards from SE Labs. The top awards come in the latest round of independent tests conducted for Enterprise and SMB companies looking for endpoint protection.

We make every effort to participate in several independent tests, so you don’t have to take our word, or any other vendor’s, about our products’ efficacy.

SE Labs was created by Simon Edwards, the former technical director of the now-defunct Dennis Technology Labs. Simon is also the former chairman of the Anti-Malware Testing Standards Organization (AMTSO), to which SE Labs and Sophos both belong. In other words, he knows a thing or two about testing security products.

SE Labs’ tests expose products to a variety of malware and simulated exploits. They attempt to use realistic methods to deliver the threats (e.g. email attachments, web downloads, etc.). The lab produces three separate reports: Small Business, Enterprise, and Consumer Endpoint Protection. Sophos Endpoint Protection was included in both the Small Business and Enterprise reports.

Sophos earned a “total accuracy” score of 98% in both the Small Business and Enterprise reports. Total accuracy is a calculated score that accounts for the degree of protection and the rate of false positives.

The SE Labs tests are very relevant to buyers of endpoint protection, as they highlight the need for multiple prevention and detection technologies. The Enterprise report noted that the products which achieved the best results did so “due to a combination of their ability to block malicious URLs, handle exploits and correctly classify legitimate applications and websites.”

Choosing an endpoint protection product that uses multiple techniques to help you prevent, detect and respond to threats is a vital part of your security strategy, and we are delighted that the SE Labs tests have independently verified Sophos’ capabilities on behalf of enterprises and SMBs alike.

Filed under: Awards, Corporate Tagged: AAA Awards, Endpoint Protection, SE Labs


How Your Computer Monitor Could Be Hacked To Spy On You

Just stop believing everything you see on your screen, as it turns out that even your computer monitor can be hacked.

You have seen hackers targeting your computer, smartphone, and tablet, but now it has been proved that they can even compromise your monitor and turn it against you just by changing the pixels displayed on the screen.

Although changing pixels is really hard and complicated, a


Data Breach — Oracle’s Micros Payment Systems Hacked

The risks associated with data breaches continue to grow, impacting a variety of industries, tech firms, and social networking platforms. In the past few months, over 1 Billion credentials were dumped online as a result of mega breaches in popular social networks.

Now, Oracle is the latest in the list.

Oracle has confirmed that its MICROS division – which is one of the world’s top three


First-Ever Ransomware For Smart Thermostat is Here — It’s Hot!

The Internet of Things (IoT) is the latest buzz in the world of technology, but IoT devices are much easier to hack than you think.

Until now we have heard many scary stories of hacking IoT devices, but how realistic is the threat?

Just think of a scenario where you enter in your house, and it’s sweltering, but when you head on to check the temperature of your thermostat, you find out that it has been


Join the Sophos XG Firewall v16 beta today!

It’s official: the highly anticipated public beta for the Sophos XG Firewall v16 is now underway, and we’d love for you to get involved. The product team has been working furiously for the last several months making this one of the most ambitious and exciting product releases ever. It’s loaded with tons of new features and enhancements that we think you’re going to love.


What’s New

XG Firewall v16 brings over 120 new features and a long list of optimizations and enhancements. The key focus areas for this release:

  1. Improving the user experience to make it faster and simpler to manage.
  2. Adding features to provide parity with SG UTM.
  3. Adding more innovative Synchronized Security features.

The highlights include:

  • All new navigation, enhanced control center and improved UI across many areas
  • Redesigned Secure Web Gateway style web policy model with inheritance
  • Full Email MTA with store and forward capabilities
  • Two-factor authentication (one-time-password) support
  • New Security Heartbeat and Synchronized Security features
  • Microsoft Azure Support

…And so much more!

See what’s new in v16 for complete details on the enhancements and new features.

We want you!

We highly encourage you to participate in testing this beta and help make this release the best it can be.

Please head on over to our Beta Community Forums to get the latest beta firmware, meet your fellow beta testers and Sophos staff, and share any issues or feedback you have.

We’re hosting a Beta Kickoff Webcast on Thursday, 11 August at 11AM Eastern where we’ll provide an overview of what’s new, tour the new features, review the known issues list, and discuss where to focus your time and attention.

We look forward to seeing you on the webcast and in the forums.

XG on Azure

If you’d like to preview XG on Microsoft Azure, send us a request with your Microsoft Account ID to azure.marketplace@sophos.com. We’ll whitelist your account for preview access and provide instructions on how to launch XG from the Azure Marketplace.


Learn More about XG Firewall

Learn more about Security Heartbeat and see Sophos XG Firewall in action at sophos.com/xgfirewall. And if you want to get hands on, try it out with our free home edition or sign up for a 30-day trial in your business.

Filed under: Corporate, Network, Partners Tagged: beta, XG Firewall, XG Series


What is… social engineering?

Welcome to our What is… series, where we turn technical jargon into plain English.

It’s a key part of criminal activities, often an important step in phishing campaigns. But what is social engineering, exactly?

Social engineering is the act of manipulating people into taking a specific action for an attacker’s benefit. You might think it sounds like the work of a con artist – and you’d be right.

Since social engineering preys on the weaknesses inherent in all of us, it can be quite effective. And without proper training it’s tricky to prevent.

If you’ve ever received a phishy email, you’ve seen social engineering at work. The social engineering aspect of a phishing attack is the crucial first step – getting the victim to open a dodgy attachment or visit a malicious website.

Crooks have a lot of weapons in their social engineering arsenal to get recipients to take action, including:

  • Creating a sense of urgency, perhaps by setting a deadline for action
  • Impersonating someone important such as your company’s CEO
  • Mentioning current events to make messages more authentic
  • Obscuring malicious URLs to make them look legitimate
  • Offering an incentive like a payout or a promotion

Phishing can’t work unless the first step – the social engineering – convinces you to take an action. But social engineering used in phishing attacks is getting more targeted and sophisticated every day as attackers try to stay ahead of users or try to go after bigger, more strategic targets.

Of course, social engineering isn’t just limited to email phishing campaigns.

Social engineering can happen over social networks, in person, and over the phone as well – a supposedly innocent call to your desk from “tech support” to gather a few seemingly minor details about what kind of operating system your company uses can actually result in a treasure trove of information for an attacker.

It can be difficult to completely avoid falling victim to social engineering, but there are a few things you can always keep in mind:

  • Trust your gut feeling – if something seems fishy, slow down, take no action, and verify the situation. For example, speak to your boss in person if you aren’t sure if an email really is from them.
  • If someone’s asking for sensitive information like a username and password over the phone, hang up. Legitimate customer service or technical support staff would never ask for this information.
  • Avoid clicking links in emails or opening email attachments, especially when they’re unexpected. Remember that attackers can easily pose as someone you know or work with.
  • Remember that you are in control. Don’t let anyone talk you into doing something you’re not sure about – ignore pressure tactics to get you to act and take a step back.

Ultimately, stay alert and keep cautious. If something seems too good to be true, it nearly always is.

Filed under: Corporate, Security Tips Tagged: Security, Social engineering, What is


Facebook to Launch Commercial Express Wi-Fi Service In India

After the failure of Facebook’s Free Basics — an initiative to provide free Internet access — in India due to the violation of Net Neutrality principles, Facebook has reintroduced its plan to provide Internet access in rural India, but this time:

The social networking giant is planning to launch a commercial WiFi service in India.

Facebook is testing a WiFi service in rural India, allowing


Warning! Over 900 Million Android Phones Vulnerable to New ‘QuadRooter’ Attack

Android has Fallen! Yet another set of Android security vulnerabilities has been discovered in Qualcomm chipsets that affect more than 900 Million Android smartphones and tablets worldwide.

What’s even worse: Most of those affected Android devices will probably never be patched.

Dubbed “Quadrooter,” the set of four vulnerabilities discovered in devices running Android Marshmallow and earlier


On This Day 25 Years Ago, The World’s First Website Went Online

On this day 25 years ago, August 6, 1991, the world’s first website went live to the public from a lab in the Swiss Alps.

So Happy 25th Birthday, WWW! It’s the Silver Jubilee of the world’s first website.

The site was created by Sir Tim Berners-Lee, the father of the World Wide Web (WWW), and was dedicated to information on the World Wide Web project.

The world’s first website, which ran on


Iran Bans Pokémon GO — It’s My Way or the Highway!

Pokémon GO has become the world’s most popular mobile game since its launch in July, but not everyone loves it.

Pokémon GO has officially been banned in Iran.

The Iranian High Council of Virtual Spaces – the country’s official body that oversees online activity – has prohibited the use of the Pokémon GO app within the country due to unspecified “security concerns,” BBC reports.