Privacy Watch Weekly – 2016-10-14


Watch now! Sophos Intercept X: CryptoGuard Anti-Ransomware in 60 Seconds

It’s been almost a month since we launched our brand new approach to endpoint security, Sophos Intercept X.

Intercept X features signatureless anti-exploit, anti-ransomware and anti-hacker technology that includes visual root-cause analysis and advanced malware cleanup. And it’s all managed via the Sophos Central Admin console.

But how does it detect ransomware?

Find out more in the video below!

Want to know more?

You can learn more about Intercept X over on the sophos.com site, or if you’d like to try the product yourself, you can sign up for a free trial of Intercept X here.

Filed under: Corporate Tagged: CryptoGuard, Intercept X, Sophos Intercept X


12-Year-Old SSH Bug Exposes More than 2 Million IoT Devices

Are your internet-connected devices spying on you? Perhaps.

We already know that Internet of Things (IoT) devices are so badly insecure that hackers are adding them to their botnets to launch Distributed Denial of Service (DDoS) attacks against target services.

But these connected devices are not limited to conducting DDoS attacks; they have far more potential to harm you.


“Gotta Catch ‘Em All!”™ – Pokémon™ Go Gives Rise to New Class Action Suits

The latest smartphone sensation, Pokémon Go, has led to a new series of class action lawsuits concerning private property rights. Pokémon Go …


How Sophos helps our own employees to stay safe

Sophos is the same as any other business – we need to keep our employees (and the company) safe, while at the same time we need to give people the freedom to do their jobs.

Our employees want to be helpful, perform well, and give good support to their co-workers, clients and customers. But good nature is exploitable and it’s those easy-to-exploit characteristics that social engineers seek to tap into.

For an attacker, it’s usually easier to push past a human than to push past a machine. Unless we understand the tactics and techniques of cybercriminals, people may well fall prey to attacks and put the company at risk at the same time.


The best defense against social engineering attacks is a combination of good controls and an awareness program – start with a good, simple, human-readable policy and then base training and awareness campaigns around that.

Who you gonna call?

Staff need a single point of contact – it’s vital for people to know they have a specific person or team that they can ask for help from, escalate issues to, or double check something with – no matter how small they think it is.

Remember, the biggest incidents start with the smallest of indicators. We advertise this point of contact through everything we produce for staff – whether it’s an email from HR, a poster in the coffee area or a presentation we give to employees.

Education through awareness

At Sophos we run an internal education campaign called ‘7 deadly sins of security’. This educates employees on basic security topics, including phishing, passwords, scanning and sharing documents.

Our latest campaign, ‘Don’t let your data get ripped – Encrypt!’, coincided with the full launch of our SGN 8 file-level encryption product.

Through this internal education campaign, staff are informed of particular risks and can learn how to combat them through blog posts, banners, and posters throughout the offices.

Not just for new joiners

Security training and awareness shouldn’t just be something that bulks up a new starter’s welcome pack and is then left alone forever more. Nor should it be routinely rolled out just to tick a compliance box.

Beginning at the on-boarding stage with simple policy, this training should be a continuous process, delivered through numerous methods to keep staff engaged and informed.

Phishing

One of the techniques we use to build awareness is phishing testing, and we continuously test our co-workers against this type of threat. Based on real phishing threats we receive as a security team, our tests have a good call-to-action with domains that resemble our own. We generally run one a month, and anyone who gets caught out gets some instant automated training explaining what to look out for and why.

With any suspected phishing (whether it’s a test from us or the real deal), we actively encourage staff to send possible threats to the security team as soon as they see them – ideally before their first click.

To encourage this, we have clear and simple paths for reporting phishing, including an Outlook button to escalate directly to the team. This is the most straightforward way of being able to proactively defend against this threat.

Protect those passwords

We also have an active password audit program. We enforce long passwords and encourage the use of password managers, and we also check staff passwords and crack any that are deemed too simple. Any users with poor passwords get to re-visit our password education campaign.

That’s not everything

This is just a small subset of how we build a security culture. The main thing to remember is that it should be constant, not just a check box.

Security awareness is fine; security culture is where it’s at.

Filed under: Enduser, Security Tips Tagged: Phishing, security tips, Social engineering


Privacy Shield – “Holding the line.”

Your organisation’s self-certification to Privacy Shield has been finalised. The battle lines are drawn, the personal data that your organisation receives from the EU is tucked safely behind the Shield.

Job done, time to put your feet up, right?  Not quite!

Once certified, organisations have ongoing obligations to adhere to Privacy Shield Principles.

Practical steps that you should take

So what does the battle plan look like? Here are some of the practical steps that you will need to take:

  • Notify individuals of any changes to your privacy policy or the organisation’s data processing activities;
  • Implement appropriate policies and procedures to help you to achieve compliance in practice and to demonstrate such compliance e.g. Data Protection Policy, Information Security Policy, Access Policy, Complaints Handling Procedure, Retention Policy;
  • Train US employees on how to handle personal data received from the EU in accordance with Privacy Shield Principles and have a documented employee training policy in place;
  • Keep records on the implementation of Privacy Shield Principles in practice;
  • Check that you have contracts in place with any third parties to whom you transfer personal data and that the contracts contain provisions that meet the requirements of the Accountability for Onward Transfer Principle. Organisations that self-certified before 30 September 2016 have a 9-month grace period to put the relevant contracts in place;
  • Don’t forget to re-affirm your commitment to apply the Privacy Shield Principles to the Department of Commerce (DoC) on an annual basis;
  • If you have chosen self-assessment as a means of verifying compliance with Privacy Shield Principles, conduct an annual compliance audit and retain evidence of the outcome of such audit. If you are using a third party assessment service, then ensure arrangements are in place for such third parties to carry out the audit prior to recertification each year;
  • If your independent dispute resolution body is an EU data protection authority, consider whether increased scrutiny by EU Data Protection Authorities (DPAs) may mean taking stock of your compliance under EU laws.

What are the consequences if organisations fail to comply?

  • Complaints are likely to be escalated to your selected independent recourse mechanism – i.e. a private sector dispute resolution body or a national DPA.
  • The designated independent dispute resolution body could require the non-compliant organisation to:
      – make public the instances of non-compliance with its obligations;
      – delete data;
      – pay individuals compensation for losses they incur due to non-compliance; or
      – make injunctive awards.
  • The FTC, Department of Transportation, and any other statutory body recognised by the EU will have investigatory and enforcement powers to ensure compliance with the Privacy Shield.
  • The DoC may remove an organisation from the Privacy Shield list if it persistently fails to comply with the Principles. Organisations would then need to stop processing the relevant data, and return or delete personal information they received under the Privacy Shield or provide adequate protection for the information by another authorised means.
  • For residual claims, the Shield’s binding arbitration panel will have the power to impose individual-specific equitable relief (such as access, correction, deletion or return of personal data). Individuals will be able to seek judicial review and enforcement of arbitral decisions before the federal district court.

Classified U.S. Defense Network Outage Hits Air Force’s Secret Drone Operations

U.S. drones are again in the news for killing innocent people.

The Air Force is investigating the connection between the failure of its classified network, dubbed SIPRNet, at Creech Air Force Base and a series of high-profile airstrikes that went terribly wrong in September this year.

Creech Air Force Base is a secret facility outside Las Vegas, where military and Air Force pilots sitting in


Just give me some privacy

Not everyone who strives to navigate the internet without being tracked is up to no good. This is the underlying premise of a qualitative study led by researchers who gathered the stories of people working on collaborative projects online — like editing Wikipedia — and are concerned about their privacy and taking steps to protect it.


The Netherlands: new chairman DPA announces fines

By Richard van Schaik and Róbin de Wit

Last week, the chairman of the Dutch Personal Data Protection Authority (Autoriteit Persoonsgegevens, “AP”), Aleid Wolfsen, announced that several investigations around data breaches are pending and that the first serious fine is just a matter of time.

Mr. Wolfsen is optimistic about the impact of the upcoming General Data Protection Regulation (“GDPR”), effective from May 25, 2018. Data subjects’ rights are strengthened and the responsibilities of companies significantly increased, Wolfsen says. Furthermore, the possibilities for the AP to step up the level of enforcement and to impose “draconian fines” will further expand. Under the GDPR, fines of up to EUR 20 million or 4% of worldwide annual turnover may be imposed, whilst the maximum amount is substantially lower under current Dutch data privacy laws.

Although the AP has not imposed any fines in 2016, changes are imminent. Mr. Wolfsen indicated that almost 4,000 cases of data breaches have been notified to the AP and that several investigations are still pending. Investigations relate to cases where the protection of personal data is “drastically insufficient”. It is therefore to be expected that the first fines will follow in due course.


BlockChain.info Domain Hijacked; Site Goes Down; 8 Million Bitcoin Wallets Inaccessible

UPDATE: The site is back and working. Blockchain team released a statement via Twitter, which has been added at the end of this article.

If you are fascinated with the idea of digital currency, then you might have heard about BlockChain.Info.

It’s Down!

Yes, Blockchain.info, the world’s most popular Bitcoin wallet and Block Explorer service, has been down for the last few hours, and it’s


HUNGARY: Hungarian DPA issues 12 step guide on the GDPR

By Zoltan Kozma (Senior Associate, Budapest)

The Hungarian Data Protection Authority published on its website a 12 step guide on how to get ready for the GDPR. Similar to the guides already issued by other DPAs from various jurisdictions (e.g. UK and Belgium), the guide includes 12 steps data controllers and data processors should follow in order to achieve compliance. Although this is a useful initial guideline from the Hungarian DPA for controllers and processors, it still leaves room for interpretation. Further guidance and other tools can be expected from the DPA to assist with preparation for GDPR compliance by 25 May 2018.

The guide includes the following steps:

1. Increase awareness

Awareness must be ensured within the organization to get ready for compliance with the GDPR.

2. Criteria of the data controlling activities must be reviewed

The purpose and context of the data processing activities, together with the concept of processing the personal data, must be reviewed. With a well-prepared data protection policy, compliance with the accountability principle and lawful processing can be achieved.

3. Appropriate information should be provided to data subjects

Attention must be paid to the fact that where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data. The principle of transparency requires that any information addressed to the public or to the data subject be concise, easily accessible and easy to understand, and that clear and plain language and, additionally, where appropriate, visualisation be used.

4. Rights of data subjects

Rules regarding the rights of data subjects and data processing procedures must be checked. The most important new right of data subjects is data portability, which means that data subjects shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided. Data subjects must be able to have their data deleted from any accessible sources.

5. Right of access by the data subjects

New rules regarding access requests and timescales to respond must be checked. The controller should be obliged to respond to requests from the data subject without undue delay and at the latest within one month. That period may be extended by two further months where necessary.

Right of access can be ensured by a secure online system through which data subjects can have easy and quick access to their information.

6. Legal basis for processing personal data

Data processing activities within the organization must be reviewed against the legal bases provided for in the new Regulation, and informational self-determination must be ensured. Be aware that on the basis of the ‘right to be forgotten’, the personal data must be erased without undue delay if the data subject withdraws his or her consent to the data processing and requests erasure. Accordingly, consent means a stronger erasure obligation on the side of the data controller.

7. Conditions of consent must be reviewed

If processing is based on consent, data processing operations must be checked to ensure compliance with the new criteria of the GDPR. Like the Info Act, the GDPR refers to both ‘consent’ and ‘explicit consent’. The difference between the two is not defined in either the Info Act or the GDPR; in any case, consent is only valid if it is freely given, specific, informed and unambiguous.

8. More emphasis on children’s rights

If an organization processes children’s data, more emphasis should be placed on children’s rights in relation to information society services. In relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is under the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child. Member States may provide by law for a lower age for those purposes, provided that such lower age is not below 13 years.

9. Notification of data breach

Pursuant to the current rules of the Info Act, data breaches must be recorded by the controller and information must be provided only at the request of the data subjects.

Pursuant to the new rules in the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

10. Data protection by design and data protection impact assessment

Under the new rules, in certain cases data controllers must carry out a data protection impact assessment. Although this might impose an administrative burden on data controllers, in the case of high-risk data processing situations it can be justifiable to carry out a data protection impact assessment.

The controller shall consult the supervisory authority prior to processing where a data protection impact assessment indicates that the processing would result in a high risk, in the absence of measures taken by the controller to mitigate the risk.

11. Data protection officers

The GDPR requires more data controllers to appoint data protection officers than the Info Act, e.g. if the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale.

12. Competence of supervisory authorities

Under the GDPR each supervisory authority shall be competent for the performance of the tasks assigned to it and the exercise of the powers conferred on it in accordance with the GDPR on the territory of its own Member State.

The supervisory authority of the main establishment or of the single establishment of the controller or processor shall be competent to act as lead supervisory authority for the cross-border processing carried out by that controller or processor.

Should the activity of the organization not be limited to only one country, it must be checked in which country most of the data processing is carried out (usually the seat of the parent company) and on this basis it should be reviewed which country’s supervisory authority will proceed as lead supervisory authority in respect of the data processing.


Researchers Demonstrated How NSA Broke Trillions of Encrypted Connections

In the year 2014, we came to know about the NSA’s ability to break Trillions of encrypted connections by exploiting common implementations of the Diffie-Hellman key exchange algorithm – thanks to classified documents leaked by ex-NSA employee Edward Snowden.

At that time, computer scientists and senior cryptographers had presented the most plausible theory: Only a few prime numbers were


Facebook, Twitter and Instagram Share Data with Location-based Social Media Surveillance Startup

Facebook, Instagram, Twitter, VK, Google’s Picasa and Youtube were handing over user data access to a Chicago-based Startup — the developer of a social media monitoring tool — which then sold this data to law enforcement agencies for surveillance purposes, the ACLU disclosed Tuesday.

Government records obtained by the American Civil Liberties Union (ACLU) revealed that the big technology


Microsoft Patches 5 Zero-Day Vulnerabilities Being Exploited in the Wild

Microsoft has released its monthly Patch Tuesday update including a total of 10 security bulletins, and you are required to apply the whole package of patches altogether, whether you like it or not.

That’s because the company is kicking off a controversial new all-or-nothing patch model this month by packaging all security updates into a single payload, removing your ability to pick and choose


Top 5 takeaways from IoT panel at DLA Piper Tech Summit

The DLA Piper Technology Summit 2016 has been a groundbreaking event, bringing together thought leaders from across the European and wider technology industry.

Here are my main takeaways from the panel on the Internet of Things (IoT) which I had the pleasure of moderating at this Summit in London, one which included, as panelists: Mike Sutcliff, Group CEO at Accenture Digital; Ludovico Fassati, Head of Vertical Market Development at Vodafone; Mark Darbyshire, VP Platform – Integration at SAP; and Sanjay Pradhan, Principal Solutions Engineer at Salesforce.

The discussion was very interesting and among the key insights that surfaced were the following:

1. The IoT market has not yet reached its peak

There was a unanimous opinion that the IoT market is still far from reaching maturity. A number of companies do not fully understand the potential of IoT technologies and appear to be maintaining a ‘wait and see’ approach, monitoring what their competitors are doing. As an ‘evangelist’ on IoT matters, it’s my belief that such companies need to be supported in order to more deeply appreciate the transformative potential of the IoT for their company’s competitive advantage, whilst also acknowledging that such change often brings with it new legal issues and liabilities.

At the same time, there are professional services companies which have over 100 IoT products in the pipeline and are doubling revenues deriving from the IoT sector year on year. The IoT market itself is set to evolve considerably over the next few years.

2. Cyber risks are an issue, however customer trust rather than standards alone are the solution

The increase in cyberattacks is a threat for IoT technologies whose core consists of large databases and connected data. But the solution to cyber-attacks cannot be:

  • either granting full control of a platform to a single supplier, since IoT requires the creation of a connected environment of different suppliers;
  • or the approval by regulators of security standards, since standards will always lag behind the capabilities of hackers.

It is therefore essential for enterprises to create trust in the customer experience of their products. Such trust demands a sustained investment in innovation in order to limit the potential risks.

Standardisation might be the response to limit potential liabilities towards authorities and customers, especially in the light of the upcoming EU Data Protection Regulation. But the success of IoT technologies requires a relationship of trust between suppliers and customers.

3. The market will force interoperability between IoT platforms

There are currently over 360 IoT platforms and 100 protocols of communication between such platforms. However, this would appear to be a transitional phase which may soon evolve with the consolidation of a few platforms.

The potential cyber risks should not alone be considered a sufficient rationale for avoiding the necessary integration required for a connected environment.

Data is the critical foundation for IoT technologies and closed platforms will struggle to survive as they might not exploit the full potential of the IoT.

4. European privacy laws might be both a disadvantage and an advantage for IoT technologies

European data protection rules are considerably more restrictive than the privacy regulations in other jurisdictions. The scenario may grow yet more challenging with the EU Data Protection Regulation, which is set to increase the applicable sanctions to 4% of the global turnover of the breaching entity.

There is no doubt that such regulatory restrictions might hinder or even prevent the launch of some IoT technologies in the European Union. At the same time, they might become a competitive advantage because a higher level of compliance will lead to more trust by consumers in these technologies, which would thereby circumvent the ‘Big Brother’ effect.

The negotiation between industry and data protection authorities will be crucial. They will need to identify solutions that balance business needs with privacy compliance obligations.

5. IoT will not have a single winner

None of the panelists was of the opinion that there will be a ‘Google of IoT’. Our panelists’ belief was that it is more likely that there will be market leaders in the different segments of IoT which will require a ‘concertation’ between different platforms. IoT has such a broad scope that no company will be in a position to exert absolute control over all of it.

Open data regulations might not be the panacea that boosts the growth of the IoT, however governments will have a key role to play in ensuring all stakeholders understand the underlying public interest in the exploitation of such technologies.


Searching for Best Encryption Tools? Hackers are Spreading Malware Through Fake Software

Over the past few years, Internet users globally have grown increasingly aware of online privacy and security issues due to mass monitoring and surveillance by government agencies, making them adopt encryption software and services.

But it turns out that hackers are taking advantage of this opportunity by creating and distributing fake versions of encryption tools in order to infect as many


Yahoo Disables Email Auto-Forwarding; Making It Harder for Users to Move On

Yahoo! has disabled automatic email forwarding — a feature that lets its users forward a copy of incoming emails from one account to another.

The company has faced lots of bad news regarding its email service in the past few weeks. Last month, the company admitted a massive 2014 data breach that exposed account details of over 500 million Yahoo users.

If this wasn’t enough for users to quit the


Challenge! WIN $50,000 for Finding Non-traditional Ways to Detect Vulnerable IoT Devices

If you are concerned about the insecurity of the Internet of Things, are skilled at programming and know how to hack smart devices, then you can grab an opportunity to earn $50,000 in prize money for discovering non-traditional ways to secure IoT devices.

The Internet of Things (IoT) market is going to expand rapidly over the next decade. We already have 6.5 billion to 8 billion IoT devices


Turkey Blocks GitHub, Google Drive and Dropbox to Censor RedHack Leaks

Turkey is again in the news for banning online services, and this time, it’s a bunch of sites and services offered by big technology giants.

The Turkish government has reportedly blocked access to cloud storage services including Microsoft OneDrive, Dropbox, and Google Drive, as well as the code hosting service GitHub, reports censorship monitoring group Turkey Blocks.
The


Yahoo Email Spying Scandal — Here’s Everything that has Happened So Far

Today Yahoo! is all over the Internet, but in a way the company would never have expected.

It all started days ago when Reuters cited some anonymous sources and reported that Yahoo built secret software to scan the emails of hundreds of millions of its users at the request of a U.S. intelligence service.

At this point, it was not very clear which intelligence agency was involved: the National
