Privacy Watch Weekly – 2016-10-07

London Police Arrest Romanian ATM Hacker Who Stole Millions

A Romanian man has been arrested and charged with conspiracy relating to his involvement in a prolific ATM malware campaign.

Emanual Leahu, 30, was arrested in the western city of Bacău, Romania by the London Regional Fraud Team (LRFT), which is run by the City of London Police, on Tuesday 20 September, and was extradited to the United Kingdom last week.

Leahu is believed to be a member of a

Verizon wants $1 Billion Discount on Yahoo Acquisition Deal after Recent Scandals

It seems like it is not all over for Yahoo yet. Another day, another bad news for Yahoo!

Verizon, which has agreed to purchase Yahoo for $4.8 Billion, is now asking for a $1 Billion discount, according to recent reports.
The request comes after Verizon Communications learned about the recent disclosures about hacking and spying in past few weeks.

Just two weeks ago, Yahoo

Mac Malware Can Secretly Spy On Your Webcam and Mic – Here’s How to Stay Safe

Apple Mac computers are considered to be much safer than Windows at keeping viruses and malware out of their environment, but that’s simply not true anymore.

It’s not because Mac OS X is getting worse every day, but because hackers are getting smart and sophisticated these days.

The bad news for Mac users is that malware targeting webcams and microphones has now come up for Mac laptops as well.

Study Group: Crying Wolf: An Empirical Study of SSL Warning Effectiveness

Today’s study group was on the now slightly dated 2009 paper ‘Crying Wolf: An Empirical Study of SSL Warning Effectiveness’ [1], which was published at USENIX. In cryptography research, it is easy to overlook implementation and usability and instead focus on theory. As is succinctly explained in Randall Munroe’s well-known comic, the weaknesses in our cryptographic solutions are seldom in the constructions themselves, but in their real-world application.

This paper explores the use and design of warnings which modern (!) browsers present to a user when SSL certificates cannot be verified, and in particular the user’s reaction to them. There is little point in a cryptographically secure system of authentication if the end user ignores and proceeds past warnings when presented with them. The authors suggest that when browsers ‘cry wolf’ upon encountering SSL errors, users become desensitised over time, learn to ignore these warnings, and thus become susceptible to having their data stolen.

What is SSL?

(The initiated can skip this.)
SSL stands for Secure Sockets Layer, and is a method by which a client can access a web server securely. The SSL Handshake protocol uses a so-called SSL certificate to verify a server’s authenticity to a client. An SSL certificate specifies whom the certificate was issued to, whom it was issued by, the period of validity and the server’s public key. (Old SSL protocols have been superseded by TLS, but the principles involved are essentially the same.) At a very high level, the protocol proceeds as follows:
  1.  The client sends a ‘hello’ message to the server, requesting content.
  2.  The server sends the client its certificate, which contains its public key.
  3.  The client checks that the certificate is valid.
  4.  If the check passes, the client generates a session key, encrypts it using the server’s public key, and sends the result to the server. If the check fails, the client aborts.
  5.  The server decrypts the session key using its secret key.
The client and the server can now encrypt all data sent between them using the (symmetric) session key.

What can go wrong?

If the certificate is invalid, the client aborts. The problems this study considers are:
  •  Expired certificate: the certificate is no longer valid.
  •  Unknown certificate authority: the issuing authority is not known.
  •  Domain mismatch: the domain of the web server and the certificate’s listed domain do not match.
If one of the above occurs, the web browser will alert the user. The purpose of the study was to assess how effectively the browser conveys the severity of the problem to the user: when strong warnings are shown where the risks are small, people come to assume that high-risk situations presenting the same warning are just as innocuous.
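
The certificate check in step 3 and the three failures the study considers, as an added example that is not part of the original post: a Python sketch run over a constructed certificate in the dict shape returned by `ssl.SSLSocket.getpeercert()`. The host names, the CA name and the helper functions are hypothetical, and issuer trust is modelled as a name lookup rather than a signature check of the chain.

```python
import ssl
import time

# Constructed sample certificate (not a real one), in the dict shape that
# ssl.SSLSocket.getpeercert() returns: issued to, issued by, validity period.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.bank.example"),),),
    "issuer": ((("commonName", "Example Trust CA"),),),
    "notBefore": "Jan  1 00:00:00 2016 GMT",
    "notAfter": "Jan  1 00:00:00 2017 GMT",
    "subjectAltName": (("DNS", "www.bank.example"), ("DNS", "*.bank.example")),
}

# Hypothetical trust store: the CA names this client knows about.
# Assumption: a real client verifies the signature chain, not just the name.
TRUSTED_ISSUERS = {"Example Trust CA"}


def flatten(name_field):
    """Turn getpeercert()'s nested ((key, value),) tuples into a dict."""
    return {key: value for rdn in name_field for key, value in rdn}


def host_matches(pattern, host):
    """Exact match, or a '*' standing for exactly one left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if p == h:
        return True
    # A wildcard must be the whole first label and leave at least two fixed
    # labels, so '*.example' can never cover an entire top-level domain.
    return p[0] == "*" and len(p) >= 3 and len(p) == len(h) and p[1:] == h[1:]


def check_certificate(cert, hostname, trusted_issuers, now=None):
    """Return the list of problems found; an empty list means 'valid'."""
    now = time.time() if now is None else now
    problems = []

    # Period of validity. 'not_yet_valid' is outside the study's three cases
    # but a checker that ignored notBefore would be wrong.
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not_yet_valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")

    # Unknown certificate authority: the issuer is not in the trust store.
    if flatten(cert["issuer"]).get("commonName") not in trusted_issuers:
        problems.append("unknown_ca")

    # Domain mismatch: prefer subjectAltName DNS entries, fall back to the
    # subject commonName only when the certificate lists none.
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not dns_names:
        common_name = flatten(cert["subject"]).get("commonName")
        dns_names = [common_name] if common_name else []
    if not any(host_matches(name, hostname) for name in dns_names):
        problems.append("domain_mismatch")

    return problems


def client_decision(cert, hostname, trusted_issuers, now=None):
    """Step 4 of the handshake: proceed only if the check passed."""
    problems = check_certificate(cert, hostname, trusted_issuers, now)
    return ("abort", problems) if problems else ("proceed", problems)


if __name__ == "__main__":
    today = ssl.cert_time_to_seconds("Oct  7 00:00:00 2016 GMT")
    next_year = ssl.cert_time_to_seconds("Jun  1 00:00:00 2017 GMT")
    cases = [
        ("www.bank.example", TRUSTED_ISSUERS, today),
        ("www.bank.example", TRUSTED_ISSUERS, next_year),
        ("www.bank.example", set(), today),
        ("www.library.example", TRUSTED_ISSUERS, today),
    ]
    for host, trusted, when in cases:
        print(host, client_decision(SAMPLE_CERT, host, trusted, when))
```

A browser warning corresponds to the non-empty problem list: the study's question is what the user does when the client offers a way past `abort`.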

The Studies


Using a survey, the authors gathered data from 409 web users on their reactions to SSL warnings and their overall comprehension of the risks involved in ignoring them.

They found that context (i.e. the type of website visited) made little difference to whether or not a user would heed the warnings.

According to the data, respondents who understood ‘Domain mismatch’ and ‘Unknown certificate authority’ warnings were less likely to proceed than those who did not, whereas those who understood certificate expiry errors were more likely to proceed. In fact, the experimenters found that users consistently rated risk of an expired certificate lower than the other two errors.

The authors additionally report some wonderful responses from users, including:

  •  ‘I use a Mac, so nothing bad would happen’
  •  ‘Since I use FreeBSD, rather than Windows, not much [risk]’
  •  ‘On my Linux box, nothing significantly bad would happen’

Laboratory Experiment

A set of 100 participants were asked to use four websites to complete different tasks. One website was a banking website with an invalid certificate, one a library website with an invalid certificate, and two were other sites used as dummies.

The participants were shown either Internet Explorer 7 (IE7), Firefox 2 (FF2), Firefox 3 (FF3), or one of two newly-designed SSL warnings. The IE7 warning is whole page but requires just one click to ignore. The FF2 warning is a pop-up window but also only requires one click to ignore. The first version of the FF3 warning needed 11 steps. ‘They made the original version of the warning so difficult for users to override, that only an expert could be likely to figure out how to do it.’ The first new design was multi-page and asked users to specify the nature of the website they were visiting, presenting severe warnings for websites requiring a high level of security and milder warnings otherwise. The second new design was similar to the FF3 warning but ‘looked more severe’. Images can be found in the paper.

For the library website, the IE7, FF2 and multi-page warnings did not prevent people from proceeding compared to the FF3 warning, and the single-page warning was similar to the previous warnings.

For the banking website, the two new warnings did prevent people from accessing the website, but no more than the FF3 warning. The new warnings and the FF3 warning outperformed the IE7 and FF2 warnings in preventing people from accessing the website.


In conclusion, the authors say that the average user does not understand the dangers of SSL warnings, and as such the decision of whether or not to proceed should essentially be made for them by the browser in most cases.

More recently, Chrome redesigned its SSL warnings due to the large proportion of users who simply ignored all SSL warnings [2].

To see different SSL warnings in your current browser, visit


[1] Crying Wolf: An Empirical Study of SSL Warning Effectiveness by Joshua Sunshine, Serge Egelman, Hazim Almuhimedi, Neha Atri and Lorrie Faith Cranor. In Proceedings of the 18th Conference on USENIX Security Symposium, 2009.
[2] Improving SSL Warnings: Comprehension and Adherence by Adrienne Porter Felt, Alex Ainslie, Robert W. Reeder, Sunny Consolvo, Somas Thyagaraja, Alan Bettes, Helen Harris and Jeff Grimes. In CHI 2015.

UK: ICO issues record fine to TalkTalk for data breach

The UK’s data protection regulator, the Information Commissioner’s Office (“ICO”) has publicly announced the imposition of a £400,000 ‘monetary penalty’ on the British telecommunications company and internet service provider, TalkTalk.  The penalty was issued to TalkTalk in response to a cyber-attack in October 2015 which compromised the personal data of over 150,000 customers.

The penalty, imposed under statutory powers granted to the ICO by the Data Protection Act 1998 (“DPA”), is the largest to date, and falls just short of the maximum fine of £500,000 which the ICO is allowed to levy by law.  It follows on the heels of a much smaller fixed penalty of £1,000 which was also imposed on TalkTalk by the ICO, in that case for failing to notify the ICO about the data breach within the timescales required for telecommunications companies by the Privacy and Electronic Communications Regulations 2003.

In the notice issued to TalkTalk with the more recent penalty, the ICO details the ways in which it found the company to be in contravention of its obligation under the DPA to “take appropriate technical and organisational measures against the unlawful or unauthorised processing of personal data”, also known as the seventh principle of the DPA.

Crucially, TalkTalk had not taken sufficient measures to ensure that the customer database which was targeted by the attack could not be accessed by a hacker performing an SQL injection attack, in which malicious statements in the SQL programming language can be used to control a web application’s database server. The ICO found that TalkTalk was operating a vulnerable and outdated database which was accessible via webpages related to its legacy Tiscali business.

In setting the level of the penalty, the ICO identified a number of aggravating factors which made the data breach particularly serious. These were:

  • the number of individuals (data subjects) affected;
  • the sensitivity of the data (in over 15,000 cases, the data included bank account numbers and sort codes);
  • the potential consequences of the breach for the data subjects; and
  • the fact that TalkTalk ought reasonably to have known that there was a risk a breach of this kind would occur.

However, the ICO did stop short of deciding that the contraventions of the DPA were ‘deliberate’.

This record penalty comes at a time of ever increasing awareness about the prevalence of cyber-attacks, and the consequential breaches of customer data. A recent Lloyd’s of London report revealed that, of the large European companies surveyed, 92% were aware of having experienced a data breach in the last five years.[1] In 2016 alone, large scale breaches involving familiar names such as Yahoo, Inc., Sage Group plc and Seagate Technology plc have  been in the headlines.

The penalty also arrives approximately 18 months ahead of a change in the law across the EU (including, it is anticipated, the UK) from the current data protection regime to the General Data Protection Regulation (“GDPR”).  The GDPR will significantly increase enforcement risks for companies who breach data protection rules, including in respect of data breaches.  It will allow for fines of up to the greater of EUR 20 million, or 4% of a company’s total worldwide annual turnover.  It will also introduce a mandatory data breach reporting regime for all companies, whereby companies will be required to give notice to a supervisory authority about a data breach within 72 hours of becoming aware of the breach.

For telecommunications companies like TalkTalk, as well as other providers of critical infrastructure such as banks, utility companies and transport operators, the GDPR rules will sit alongside another new set of rules in the Network and Information Security Directive, which also include a data breach reporting regime, as well as provisions for information sharing and the setting of guidelines in respect of data breach management.

It is also interesting to note the GDPR contains specific indicators which supervisory authorities should take into account when setting the level of fines.  These include:

  • the number of data subjects affected and the level of damage suffered by them;
  • the technical and organisational security measures which had been implemented;
  • the degree of cooperation with the supervisory authority;
  • the manner in which the infringement became known to the authority (i.e. was the authority notified?); and
  • whether the infringement was either intentional or negligent.

Some of these are very similar to the guidelines relied upon by the ICO in determining the level of TalkTalk’s penalty, leading to the conclusion that this data breach would have been met with a much higher penalty if it were to have occurred in October 2018, rather than 2015.

DLA Piper’s specialist Data Protection, Privacy and Security group operates on a global basis to provide sophisticated data management and data security advice.  We can help businesses both to crisis-manage the fall-out of data breaches, as well as to organise policies and procedures to ensure compliance, and to mitigate against the risk of breaches occurring in the first place.

[1] ‘Facing the cyber risk challenge.’ Lloyd’s of London. 20 September 2016.

How to Start Secret Conversations on Facebook Messenger

If you are looking for ways to start a secret conversation on Facebook Messenger with your friends, then you are at the right place.

In this article, I am going to tell you about Facebook Messenger’s new end-to-end encrypted chat feature, dubbed “Secret Conversations,” but before that, you should know why you need your chats to be end-to-end encrypted.

Your online privacy is under threat not only

BREAKING! Another NSA Contractor Arrested For Stealing ‘Secret’ Documents

Another Edward Snowden?

The FBI has secretly busted another National Security Agency (NSA) contractor over a massive secret data theft.

The United States Justice Department charged Harold Thomas Martin, 51, with theft of highly classified government material, including “source codes” developed by the NSA to hack foreign governments, according to a court complaint (PDF) unsealed on Wednesday.

TalkTalk Telecom Ordered to Pay Record £400,000 Fine Over 2015 Data Breach

TalkTalk, one of the biggest UK-based telecoms companies with 4 million customers, has been issued with a record £400,000 ($510,000) fine for failing to implement the most basic security measures to prevent the hack that made global headlines last year.

The penalty has been imposed by the Information Commissioner’s Office (ICO) over the high-profile cyber attack occurred in the company last

An interview with our new CIO Tony Young

We recently announced the appointment of Tony Young as Global CIO of Sophos.

In his new role, Tony will be responsible for the strategy, security and management of the global IT organization at Sophos.

We met with Tony to say hello, and find out a bit more about him…

Welcome to Sophos Tony! What attracted you to the role of the first ever CIO of Sophos?

Thanks, I’m very excited to be here!

There were a few reasons that I was attracted to working at Sophos. First of all, I love high-tech. I’ve spent most of my working life in the industry and it’s a great place to be. I came to Sophos from GoPro where I was CIO, and working in a consumer business reinforced my excitement for our industry.

When I told people I was off to work for a security company, they asked me why. I explained that I had noticed how fractured many vendors in the security space are. A customer has to buy multiple products and then figure out how to stitch them all together. Everything is separate and you need an army of security professionals to enable and maintain any sort of security when faced with that fragmented approach.

Sophos really is “security made simple” – it’s more than just a tagline; the vision and strategy resonated with me as an IT buyer. Sophos was breaking the “point product” mold by making products talk to each other through “synchronized security.” Putting everything onto a single central management console made good sense – I could see that really makes things easier for security professionals, and for each business as a whole.

Where did you start your career?

I started my career at HP, working as a programmer. I worked my way up from developer, to senior developer, to project manager and then team manager. While working at HP, I went back to school at night to get my MBA.

After I received my MBA, and while I was building a CRM system, HP asked me to change roles to run the North America channel strategy for the PC business. Over the years, I became very intimate with this business. The new role was a challenge but it was great fun. It gave me a perspective into the business which, I believe, ultimately made me a better IT person.

After I left HP, I went to a startup for a year in another industry and then came back to HP to run ecommerce. Another two startups later (and the dot-com bust), I went to Informatica where I stayed for 13 years. It was a good run and I loved it there, but then a friend introduced me to the leadership at GoPro. Data integration isn’t sexy, it’s gritty, so working for a brand like GoPro was an exciting prospect for me, and one I couldn’t turn down.

How have those roles shaped what you’ll do at Sophos?

I think the variation of the companies I’ve worked for has been helpful to me. I’ve had the opportunity to see how large companies work and perform, and I’ve also experienced startups, as well as spending time in some mid-sized companies.

I’ve seen IT being done well, and I’ve seen it being done very badly. I’ve also seen the transformation from bad/good to great IT.

Throughout your career you build a playbook which you can refer to in your current role. You take the things you’ve learned and then you apply them. Knowing what worked well (and what didn’t) somewhere before is very helpful.

I’ve lived in Silicon Valley for over 25 years. You get to know a lot of cutting edge, innovative thinkers. There are about 6 different CIO groups in the Valley and we’re all really collaborative and open. We share with each other and are able to learn from each other. If there’s an issue someone is having, they can ask others if they’ve experienced it too, and can quickly get suggestions for a resolution.

What does being the CIO of a security company actually entail?

In general, a CIO’s role is quite fragmented. A CIO walks down the corridor and can be stopped by someone asking about the status of the supply chain project, take another few steps and he or she is being told about a network performance issue, then another few steps and they’re in a conversation about storage. The role is broad. Over time you realize you’re an inch deep and a mile wide.

At Sophos, security is at the forefront of everything we do, so the first questions are always about security, then capabilities. In most companies, it’s the opposite – the discussion is first about capabilities and then how secure something is.

What do you think makes a great CIO?

A great CIO needs to demonstrate great leadership – you need to be able to set a compelling vision for the team, and then get them bought into that vision and motivated to execute it. You also need to make sure that you are hiring and retaining top talent – you will only ever be as good as your team.

Making sure you are aligned with business priorities and listening to personal pain points is really important in IT. As a CIO, you need to remember that everyone in the company is a customer. If someone’s Skype meeting isn’t working, then that’s my problem. If someone can’t access email, IT needs to fix that for them. Every day you come to work to win business and make people more successful here than they could be at any other company.

Finally, you can be a good leader by doing the basics well. But the difference between a good leader and a great leader is that you don’t just lead with your head, you lead with your heart too. In my opinion, a great leader genuinely cares for the individuals on the team. Great leaders are trusted. And, people won’t care how much you know until they know how much you care.

What do you like doing in your spare time?

I do a variety of things – anything from woodworking to kiteboarding.

I’m health conscious and exercise several times a week. This is a great way for me to relieve stress and feel good.

We have two boys. They’re active and I’m active. I want to ensure we can always have fun together, and go out and enjoy life.

What can’t you live without?

Family aside, what I really love is good food, good wine and good whisky! If you want to bribe me, do it with one of those three things!

And I can’t forget the internet. I would choose that over TV in an instant – I could still watch my sports via streaming!

What can you advise others to do to keep their employees safe and secure?

It really goes back to the basics here – education and awareness. Phishing is the number one attack vector so educate your employees. Let them know that they should be on alert, and if they notice something that isn’t right then they need to tell IT immediately. I would rather have someone over-report than under-report. There are no mistakes in reporting potential issues.

Other than that, enable them to be a good corporate citizen. Help them to do safe things, keep their computer patched, make sure they don’t turn off their firewall, tell them to use strong and varied passwords for each account and use two-factor authentication where possible. Small steps can make big differences.

Finally, do you have any security tips for at home?

If you have a family, watch your kids – know what they are doing on social media.

One of the challenges with kids is that they might be smarter with technology than you. You can put up all sorts of defenses to secure your kids online but they may well find ways around them. You can ask them to show you their phone but they can delete messages or use Snapchat. You can be their Facebook friend but they can limit what you see.

Technology moves so fast – there will always be a hack. You need to help your kids to make good decisions about what they decide to do online. Build up trust by talking openly about the ‘unintended consequences’ of online behavior – believe me, there are many – and if they trust you, then, like your employees, they are more likely to tell you if they’ve made a mistake.



Toby Nwazor: 4 Ways The Internet Has Hurt Us And What We Can Do About It

Since it is practically impossible to stay away from the internet these days, you need to know how to control your use of it. For this reason, it is important to identify how the internet hurts you and what you can do to stop it from happening.


Apple starts downloading MacOS Sierra automatically to your MacBook — Here’s How to Stop It

Are you experiencing slow Internet speed on your MacBook today? — It’s not just you!

Here’s Why:

Following in Microsoft’s footsteps, Apple has started “pre-downloading” the latest version of its desktop operating system, macOS 10.12 Sierra, in the background, if you are still running OS X El Capitan.
If you have automatic downloads enabled on your Mac, a large file of around

Yahoo Built a Secret Tool to Scan Your Email Content for US Spy Agency

Users are still dealing with Yahoo’s massive data breach that exposed over 1 Billion Yahoo accounts, and there is more shocking news about the company that, I bet, will blow your mind.

Yahoo might have provided your personal data to a United States intelligence agency when required.

Yahoo reportedly built custom software programmed to secretly scan all of its users’ emails for specific

Signal is Most Secure Messenger, ‘Useless Data’ Obtained by FBI Proves It All

Do you trust your messaging app even though it uses end-to-end encryption?

As I previously said, end-to-end encryption doesn’t mean that your messages are secure enough to hide your trace.

It’s because most of the messaging apps still record and store a lot of metadata on your calls and messages that could reveal some of your personal information including dates and durations of communication

XG Firewall v16 has arrived

The firewall team has been working furiously over the last several months on the latest release of XG Firewall and, after an extensive beta, we’re really pleased to announce that XG Firewall v16 is available now.

This release is a major update that includes over 120 new features and enhancements across all areas of the firewall.

It’s easier to use, with new navigation, enhanced logging and troubleshooting tools, and streamlined workflows.

It’s more powerful, with new policy tools that make it easy to build sophisticated web, email, and routing policies custom tailored to your needs.

It’s more innovative, with new Synchronized Security features like dynamic app identification and new Security Heartbeat™ options that improve protection, response, and visibility into what’s happening on your network.

There’s a complete list of new features below, but you’ll probably prefer to see what’s new first hand: watch the full 8-minute overview video of all the major new features or see the highlights in just two minutes.

How to get it

The new XG Firewall v16 firmware is being rolled out automatically to customer systems, so keep an eye open for the firmware update notification in your firewall. However, if you’re eager to install the update sooner, you can download the firmware update from the Community Forums (and later via MySophos) and apply it anytime. Watch this video that explains how to update your firmware.

If you’re new to XG Firewall, you can see what all the buzz is about here and you can also sign up for a 30-day free trial.

Tell us what you think

Many of the enhancements in v16 are the result of your feedback and input – so thank you very much for your help in making this a great release! But please don’t stop there. Let us know what’s on your mind by stopping by the XG Firewall Community Forums.

Need help? Have questions? Our Community has the answers.

The XG Firewall Community is also the perfect place to get all your questions answered and is staffed by members of our technical engineering team as well as some very knowledgeable expert members. There’s tons of useful content in the Knowledge Base and, soon, the new How-to Library as well (stay tuned for more on that). I think you’ll be impressed with the quality and quantity of content available there.

What’s new

Control Center and navigation

  • Enhanced Control Center widgets: Several widgets have improved flip-card views or drill-down results including Reports, Interfaces, and Security Heartbeat.
  • Navigation: Left navigation has been expanded to improve access and gain consistency with Sophos Central. Menu items are grouped logically on the left side by task or activity. Second level navigation is now tab-based, enabling quicker two-clicks-to-anywhere access to the most frequently used configuration options. (Note: final tab layout and organization is still being worked on for a subsequent beta build.)

Firewall, network and device configuration

  • Firewall hostname: You can now assign a custom hostname to your firewall.
  • Cloning: Enables easy cloning of existing firewall rules, objects and policies.
  • Policy routes: Route select traffic to a custom gateway based on source, destination or layer-4 service.
  • Firewall to firewall RED tunnels: Site-to-site RED tunnel support.
  • Country filtering improvements: Streamlined implementing country or continent-based filtering in firewall rules.
  • NAT business rule creation: Improved DNAT, Full NAT, and server load balancing rule creation.
  • DHCP server and relay: Support for concurrent DHCP Server and Relay configurations.

Authentication and diagnostics

  • Two-factor authentication: Improved access security with support for OATH-TOTP one-time passwords directly on the firewall, eliminating the need for a separate 2FA solution. Support for IPSec, SSL VPN, User Portal, and WebAdmin access. We recommend using the free Sophos Authenticator app for iOS and Android.
  • STAS (Sophos Transparent Authentication Suite) UI: STAS configuration has been added to the GUI enabling easy setup without requiring the CLI.
  • Direct live log viewer access: Open the live log viewer in a separate window directly from the Control Center using the magnifying glass at the top of any screen.
  • Live log viewer enhancements: An improved live log viewer which conveniently opens in a new window, with a 5-second refresh option, color-coded log lines, and the option to activate packet capture.

Web and email protection

  • Redesigned web policy model: Flexible new user and group policy creation and in-line editing tools with inheritance that make web policies more intuitive and easy to maintain while dramatically reducing firewall rule count in many situations.
  • Warn action: A new web filtering action in addition to Block or Allow that enables users to proceed to websites only after acknowledging a warning that the site belongs to an inappropriate or undesirable category. This option can be ideal in situations where user education, awareness, and monitoring is desired without strictly prohibiting access.
  • Unscannable content handling: Options to allow or block content that cannot be scanned due to encryption or containers.
  • Google Apps control: Limit access to a selected Google Apps domain to reduce the risk of data loss from users transferring documents to their personal Google Apps.
  • Creative Commons enforcement: Reduce the risk of exposure to inappropriate images by enforcing search engine filters for content with a Creative Commons license.
  • External URL lists: Import external URL lists that require enforcement in certain organizations or jurisdictions.
  • Email per-domain routing: Route incoming mail to the correct destination server, based on the target domain.
  • Full email MTA – store and forward support: Enable business continuity, allowing the firewall to store mail when target servers are unavailable.
  • New anti-spam features (HELO/RDNS): Added anti-spam technology to identify non-legitimate mail sending servers.
  • Email SPX Encryption reply portal: Enable recipients of SPX encrypted emails generated by the firewall to reply securely using a portal on the firewall to draft and send a response.

Synchronized Security

  • Missing Security Heartbeat: Enables the firewall to detect when a previously healthy Endpoint is generating network traffic with a missing Security Heartbeat and automatically identify the system and respond. This may be an indication that the endpoint AV has been tampered with or disabled.
  • Real-time application visibility: Enables the firewall to solicit information from the endpoint to determine the application responsible for generating uncategorized network traffic. This is valuable for gaining insights into network traffic that is unrecognized by other firewall solutions.
  • Destination-based Security Heartbeat: Enables the firewall to limit access to destinations and servers based on the status of their Heartbeat, further bolstering protection from potentially compromised systems until they can be cleaned up. Combined with regular Heartbeat policy enforcement, this can effectively isolate a compromised system completely – both inbound and outbound.

Deployment and hardware

  • Microsoft Azure platform support: Support for deployment in Microsoft Azure as a preconfigured virtual machine from the Microsoft Azure Marketplace with pay-as-you-go or bring-your-own-licensing (BYOL) options.
  • High availability enhancements: HA support for configurations using dynamic (DHCP/PPPoE) interfaces.
  • Improved Security Audit Report: Improved layout, presentation and information for the customer facing Security Audit Report provided after a TAP-mode or Inline-mode Proof-of-Concept deployment.
  • RED 15w support: Adds support for the RED 15w with integrated wireless.
  • AP 15C support: Adds support for the entry-level AP 15C ceiling mount access point.
  • 4x10G 4-Port Flexiport module support for 1U XG Series appliances

Issues addressed

  • Open issues addressed: In addition to new features, this release has closed hundreds of open issues identified since the release of v15 across all areas of the product. Check the release notes for details.
  • Vulnerabilities addressed: A number of vulnerabilities have also been closed with this release, improving the security of your firewall.

What’s next

Now, of course, we’re not done yet by any means. There’s still lots of great things we want to do, but I think you’re going to love the improvements in this release so I encourage you to check it out.



Encryption now available in Sophos Central

Cab rides, airport security, busy cafes, hotel rooms, airplanes; all can be very treacherous places for laptop computers. Each year, millions of laptops are lost, stolen or simply left behind, with many of them containing important and sensitive data.

Full-disk encryption is the essential first line of defense for protecting data in any of these events and, plainly speaking, it should be used for all business computers.

Traditionally, the catch with full-disk encryption has been that in order to use it efficiently across an organization, a bit of effort is needed: data protection policies need to be created, management servers must be installed, key recovery processes need to be put in place, users have to be trained, and so on.

We figured you don’t have time for all that, so let’s make it simple: We’re very excited to announce Sophos Central Device Encryption, which is our full-disk encryption for Windows managed from Sophos Central – our single, integrated, web-based administration interface.

Sophos Central Device Encryption offers a three-click policy setup, no key management servers to install, compliance and reporting features, and self-service key recovery for your users. It’s the easiest way to manage BitLocker encryption for all your Windows users.

With installation and setup done in minutes, it’s an extremely powerful addition to your data protection strategy.

Why not see for yourself? Take Sophos Central Device Encryption for a spin today with a free 30-day trial.

Read more about Sophos Central Device Encryption here or see it in action below.


WikiLeaks Promises to Publish Leaks on US Election, Arms Trade and Google

WikiLeaks turned 10 years old today. In that time, the whistleblower site has published over 10 million documents, and there’s more to come.

To celebrate its 10th anniversary, WikiLeaks promises to leak documents pertaining to Google, the United States presidential election and more over the next ten weeks.
Speaking by video link to an anniversary

France Adopts Digital Republic Law

On 28th September, the French Parliament adopted the Digital Republic Bill (“Projet de loi pour une République numérique“), marking the end of a year-long process which began in December 2015 to amend the laws regulating various aspects of the digital economy in France. The Bill has yet to be published in the Official Journal before it comes into force, which is expected to happen before the end of 2016.

This law introduces new provisions that will regulate the digital economy as a whole (such as open data, online cooperative economy, revenge porn and access to the internet). For privacy professionals, this law is important as it introduces several key amendments under the French Data Protection Act of 1978 and other laws, prior to the GDPR’s entry into force in 2018. The essential provisions of the Digital Republic Bill are explained below in ten key points.

  1. Higher fines pronounced by CNIL

By far, the most significant amendment to the Data Protection Act concerns the French Data Protection Authority’s (CNIL) powers to impose administrative fines. Previously limited to EUR 150,000 under the amended Data Protection Act, the CNIL will now be able to impose fines up to EUR 3 million. The Digital Republic Bill explains that once the GDPR comes into force in 2018, the CNIL will be able to impose administrative fines of up to EUR 20 million or 4% of total worldwide annual turnover for any data protection violations as defined under article 83 of the GDPR. But controllers in France may still be fined up to EUR 3 million for any violation to the amended Data Protection Act that is outside the scope of the GDPR. This is particularly significant in relation to the new rights that are granted to the data subjects.

  2. Enhanced Rights for Individuals

In the wake of the GDPR, the Digital Republic Bill seeks to enhance the rights of individuals by introducing under the Data Protection Act a general right allowing them to decide and to control the uses that are made of their personal data. For example, the Digital Republic Bill explicitly requires controllers to grant individuals the right to exercise their rights electronically whenever their data is collected electronically.

  3. Additional Information to the Data Subjects

The Digital Republic Bill now requires data controllers to inform their data subjects about the period during which the personal data will be stored, or if that is not possible, the criteria used to determine that period.

Furthermore, all providers of online communication services to the public must inform their users specifically about the right to decide how their personal data will be processed following their death, including the right to provide their last instructions regarding the processing of their data (see below for the post mortem right to privacy).

Regarding the processing of data for purposes of medical research, the Digital Republic Bill establishes that the parents or legal guardian of a minor under 18, or the legal representative of a person placed under legal guardianship, receive the information regarding the data processing and exercise the rights provided by the Data Protection Act in France. However, for certain types of medical research mentioned in the Public Health Code, minors below the age of 15 may object to their parents or legal guardian accessing the personal data about them that has been collected and processed in the course of such medical research, and may exercise alone the right to access and rectify data and the right to object to the processing.

  4. Post Mortem Right to Privacy

The Digital Republic Bill creates an innovative new right for individuals to decide how their personal data may be processed after their death. Before dying, any individual may give general or specific instructions regarding the storage, erasure or disclosure of his/her personal data. On the one hand, general instructions apply to all data that is collected and processed about an individual. These instructions are kept by a certified third party or the CNIL. On the other hand, individuals may send specific instructions to a given data controller instructing that controller on how it may continue to use the data it withholds about those individuals after their death. Where a controller has received specific instructions from an individual, the ongoing processing of that individual’s data after his/her death is based on that individual’s consent and cannot be waived in the controller’s general terms of use. Naturally, what comes to mind with this new provision is the possibility given to individuals to erase their data from online profiles on social networks and other web platforms. In the absence of any instructions, the heirs of the deceased may exercise the data protection rights of the deceased.

  5. Right to be Forgotten

The Digital Republic Bill introduces under the Data Protection Act the right for individuals to request that their personal data be deleted without delay when such data was collected in relation to the offering of information society services at a time when they were minors. Where the data controller has shared the data with third party controllers, the initial controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform such third parties which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

If the data controller does not delete the data, or fails to respond to the data subject’s request within one month, then the individual may file a complaint to the CNIL who must respond within three weeks from receiving the complaint.

  6. Enhanced secrecy of correspondence

The Digital Republic Bill introduces a new obligation for telecom operators and providers of electronic communication services to the public who offer online communication services (for example, providers of online messaging services) to maintain the secrecy of correspondence, including the content of the message, the sender and recipient’s identity and, where applicable, the subject line and attachments of the message. The automatic processing of emails or other type of digital communications for purposes of advertisement, statistics or the enhancement of services is forbidden unless the data subject has given his/her express consent to such processing at least one year before the processing. Moreover, there must be a specific consent for each type of processing. However, electronic messages can still be analysed automatically to display, sort or dispatch messages, or to detect viruses or other forms of computer malware.

  7. New Right to Data Portability for Consumers

The Digital Republic Bill introduces a new section under the Consumers Code, which grants consumers a right to the recovery and portability of their personal data. This new provision requires all providers of online communication services to the public to enable consumers to recover, free of charge, all data that they have stored online, including data files, all data stored and accessible from the user’s online account, and other types of data that are associated with the user’s online account and that can be easily re-used and exploited by another data controller. The data controller must provide the data in a readable format. If that cannot be done, the data controller has to inform the consumer of such restriction and provide alternative ways for the user to recover his/her data.

  8. Online Platform Providers

The Digital Republic Bill introduces specific obligations for online platform providers. They are defined as businesses that offer to customers an online communication service to the public that 1) enables the ranking or referencing by means of a computer algorithm of content, goods or services that are offered or displayed online by third parties (e.g., search engines), or 2) allows parties to get in contact with one another in order to sell goods, offer a service, or exchange or share content, goods or services (e.g., online auction or shopping websites).

These online platform providers must provide consumers with loyal, clear and transparent information regarding 1) the general terms of use that apply to the platform and the means used to rank, reference or de-reference content, goods or services that are available via this platform; 2) whether there is a contractual or capitalistic relationship, or remuneration in case they influence the ranking or referencing of the content, goods or services that are made available on their platform; and 3) the rights and obligations of the parties in civil and fiscal matters when the platform allows consumers to contact professionals or non-professionals.

  9. No restrictions on data storage

Last but not least, the final text of the Digital Republic Bill has deleted the provision that would have required all data to be stored in the EU and not be transferred outside of Europe. Therefore, there are no data residency rules that would require businesses to store their data in France, and on the contrary, businesses can continue to transfer personal data outside Europe as long as they respect the EU data protection requirements under the GDPR.

  10. Practical implications

With the Digital Republic Bill, France has sent a clear message that it is taking personal data protection very seriously and is keen to establish strong safeguards to protect personal data. This new law also shows that even though the GDPR establishes a harmonised data protection regime across Europe, EU member states can nonetheless adopt additional or more restrictive data protection rules. Country-specific laws will therefore continue to apply, meaning that businesses may still need to comply with different national laws when processing personal data across Europe.

Finally, the text of the law will be officially published in October and members of the French government are already meeting to decide a schedule for the adoption of the implementing decrees, some of which are supposed to come into force before the end of the year. Thus, businesses should tackle the new challenges set up by this law as soon as possible.

Beware! You Can Get Hacked Just by Opening a ‘JPEG 2000’ Image

Researchers have disclosed a critical zero-day vulnerability in the JPEG 2000 image file format parser implemented in OpenJPEG library, which could allow an attacker to remotely execute arbitrary code on the affected systems.

Discovered by security researchers at Cisco Talos group, the zero-day flaw, assigned as TALOS-2016-0193/CVE-2016-8332, could allow an out-of-bound heap write to occur

Internet of Things devices are NOT privacy compliant

An investigation run by 26 privacy authorities showed that 60% of the reviewed Internet of Things technologies did not pass the test of compliance with data protection laws. 

The findings of the investigation

The data protection authorities of 26 countries, working together as part of the Global Privacy Enforcement Network, ran an investigation into Internet of Things technologies and reached the conclusion that over 60% of them are not fully privacy compliant.

Out of 300 reviewed devices,

  • 59% do not provide adequate information on how personal data is collected, used and communicated to third parties;
  • 68% do not provide appropriate information on the modalities of storage of data;
  • 72% do not explain to users how their data can be deleted from the device; and
  • 38% do not guarantee easy-to-use modalities of contact for clients that are willing to obtain clarifications on privacy compliance.

Also, some health-related devices raised security issues since they transmitted data to medical practitioners without encrypting it.

The impact on the Internet of Things industry

The comment from the Italian data protection authority on the results of the investigation is interesting. Indeed, he emphasised that the lack of compliance of IoT devices with privacy regulations is expected to affect consumers’ trust in them.

Internet of Things technologies are often considered the new “big brother“. If the industry wants to succeed, it needs to be trusted by users. But, in order to do that, users need to be adequately informed on how their data is processed and have full control over it, including being able to delete it at their discretion.

This investigation will result in an expensive bill soon

The data protection authorities did not openly declare that they will issue sanctions against the entities whose devices have been found not compliant with privacy laws. However, this investigation should definitely ring a bell for manufacturers of IoT devices and companies that either are planning to use them or are currently using them as part of their business.

The new EU Privacy Regulation will apply from 25 May 2018, and the change most often cited is the massive increase in the applicable sanctions, up to 4% of the global turnover of the breaching entity. But the regulation does not just introduce sanctions; it also sets up a new set of rules aimed at granting individuals a higher level of control over the usage of their personal data.

The adoption of a privacy by design approach is the sole solution that can mitigate the potential risks of privacy sanctions. This approach is however only the result of a complex review of Internet of Things technologies which will require also a privacy impact assessment.

The implementation of such changes might take years, if it is considered that some companies already openly declared that they are unlikely to meet the deadline of 25 May 2018.



Download: 68 Million Hacked Dropbox Accounts are Just a Click Away!

Over a month ago, The Hacker News reported about the Dropbox Hack, where hackers had managed to steal more than 68 Million Dropbox accounts in a data breach that was initially disclosed by the online cloud storage platform in 2012.

Although the initial announcement failed to reveal the true scale of the data breach, it was in late August when the breach notification service LeakBase obtained

So many reasons to never buy a D-Link router


If you care at all about security and privacy, a recent security analysis of the D-Link DWR-932 B LTE router will make your head explode.

Researcher Pierre Kim found an amazing set of security vulnerabilities that should embarrass a first year developer.

First, by default you can SSH and Telnet (yes Telnet!) into the router using the root or admin accounts. These accounts have preset passwords of “admin” and “1234” respectively. People, you should never set up fixed accounts like this, and if you do, don’t use trivial passwords!

Of course it gets worse. There is also a backdoor on the routers. If you send “HELODBG” to port 39889 it will start a telnet daemon which provides access to root without any authentication at all. My head is starting to look like the guys at the end of Raiders of the Lost Ark.

Just for fun they have a fixed PIN number for WiFi Protected Setup, many vulnerabilities in the HTTP daemon, major weakness in their over the air firmware updating, and anyone on the LAN can also create any port forwarding rule on the router for any port.

It is amazing that one product could have such a comprehensive set of catastrophic security failures. It certainly begs the question of how well they secure any of their other products.

The post So many reasons to never buy a D-Link router appeared first on The Privacy Blog.

News From The Break Room

Source Code for IoT botnet responsible for World’s largest DDoS Attack released Online

As the number of Internet of Things (IoT) devices grows rapidly, they have become a much more attractive target for cybercriminals.

Just recently we saw a record-breaking Distributed Denial of Service (DDoS) attack against the France-based hosting provider OVH that reached over one Terabit per second (1 Tbps), which was carried out via a botnet of infected IoT devices.

Now, such attacks are expected

Get Sophos certified with the Sophos Certified Administrator training program

Today, we are excited to launch the Sophos Certified Administrator training program.

Open to all customers, this new certification offers you complete training on Sophos products. You’ll have the opportunity to learn about the full range of features, and how you can harness these to get the most out of your product.

Training can either be completed as e-learning, vouchers for which can be purchased from your partner, or in a classroom via our network of Authorized Training Centers. You can find your local Authorized Training Centers from the Partner Locator or by emailing us at

The e-learning courses are easily accessed through the Sophos Training Portal using your Sophos ID login, so you can carry out your training whenever and wherever you have internet access.

We are currently offering courses in Enduser Protection. XG Firewall training will be arriving later this month, and training on all other products will follow very soon.


United States set to Hand Over Control of the Internet to ICANN Today

Since the foundation of the Internet, a contract has been held by the United States Commerce Department under which the department was given authority to regulate the Internet.

After 47 years, this contract ends tonight at midnight EDT i.e. Saturday, October 1st, 2016.

If you think that the United States owns the Internet, then you’re wrong. It doesn’t.

Founded in 1998, non-profit

Uh oh, Yahoo! Data Breach May Have Hit Over 1 Billion Users

The massive data breach that Yahoo! confirmed to the world last week is claimed by the company to have been carried out by a “state-sponsored actor” in 2014, which exposed the accounts of at least 500 Million Yahoo users.

But now it seems that Yahoo has downplayed a mega data breach and is trying to hide its own security blunder.

Recently the information security firm InfoArmor that analyzed

