Daily Archives: June 24, 2016

Great List of Hack Sites

The SANS Pen Test group has a poster they hand out at SANS conferences and put in mailings that has an awesome mind map of hacking challenge/skills sites.

Won't be going to a conference soon, or not on the mailing list? No worries: the poster can be downloaded here, and all of the SANS posters are located here, including DFIR, Threat Intelligence, CIS and some general information posters.

If you're not familiar with SANS posters, they're not just marketing tools (although of course they advertise an event, too); they are full of good, useful information, like the hack sites mind map.
Ad Network to Pay Nearly 1 Million in Civil Penalties to Settle FTC Charges That It Geo-Tracked Consumers Without Permission

On June 22, 2016, the Federal Trade Commission announced a settlement with Singaporean-based mobile advertising network, InMobi, resolving charges that the company deceptively tracked hundreds of millions of consumers’ locations, including children, without their knowledge or consent. Among other requirements, the settlement orders the company to pay $950,000 in civil penalties. 

InMobi provides a platform for app developers to sell advertising space in their apps. The company offers geo-targeting products that allow advertisers to target consumers based on their physical location. According to the FTC’s complaint, InMobi represented that it tracks consumers’ locations in a manner consistent with device privacy settings, and only if the consumer provides opt-in consent. Nevertheless, the FTC alleged that the company tracked consumers’ locations and served geo-targeted ads regardless of the users’ location settings. The complaint also states that even if a consumer had restricted an app’s access to location information, InMobi was able to track the consumer’s location by collecting information about the Wi-Fi networks that were connected to, or in range of, the consumer’s device.

The FTC’s complaint includes charges that InMobi violated the Children’s Online Privacy Protection Act (“COPPA”) by knowingly collecting personal information from thousands of child-directed apps in order to track children’s locations and serve them with interest-based advertising. According to the complaint, this tracking was done despite InMobi’s promise not to do so without notifying parents or receiving their consent.

The FTC’s consent order imposes a $4 million civil penalty, to be suspended upon InMobi’s payment of $950,000 due to the company’s current financial situation. The settlement also requires InMobi to (1) comply with COPPA, (2) delete all personal information collected from children and all location information collected from other users, (3) obtain express affirmative consent prior to collecting location information that is not overridden by a consumer’s permissions or settings, and (4) implement a comprehensive privacy program and obtain independent assessments of the program biennially for the next 20 years.

UK Votes to Leave the EU: Data Protection Standards Unlikely to Be Affected

On June 23, 2016, the UK held a referendum to decide upon its continued membership in the European Union. The outcome has resulted in the decision for the UK to withdraw its membership from the European Union. Despite the result, data protection standards are unlikely to be affected.

The full details of how and when the UK will negotiate its exit from the EU are still unclear. The process for withdrawal will be a long one, and unless there is an agreement to the contrary, it will take a minimum of 2 years. The next step is for the UK to serve notice of its intention to exit the EU using the formal legal procedure set out in Article 50 of the Treaty on European Union. As yet, no notice has been served, and it is unlikely to be served until a new UK prime minister is in place, widely expected to be in October 2016.

From a data protection perspective, any change will not be immediate. Regardless of the referendum result, the incoming EU General Data Protection Regulation (“GDPR”) will become law on May 25, 2018, meaning that the UK will almost certainly experience life under the GDPR. Businesses will therefore need to continue preparing for, and begin complying with, the GDPR despite the UK’s withdrawal from the EU. Other EU Member States must also comply with the GDPR beginning May 25, 2018.

Given that businesses will want to trade in the EU, once the UK formally leaves the EU, it is highly likely that the UK would seek to put in place a legal framework that reflects the GDPR. In particular, it appears that the UK would seek recognition as an “adequate” jurisdiction in order to allow the free flow of data from the EU to the UK. This has been confirmed by the UK’s Information Commissioner’s Office (“ICO”) in its statement issued on June 24, 2016. The ICO highlighted that “the Data Protection Act remains the law of the land irrespective of the referendum result.” “If the UK is not part of the EU, then upcoming EU reforms to data protection law would not directly apply to the UK. But if the UK wants to trade with the Single Market on equal terms we would have to prove ‘adequacy’ – in other words UK data protection standards would have to be equivalent to the EU’s General Data Protection Regulation framework starting in 2018.”

The GDPR (or a UK equivalent) will be the prevailing data protection standard in the UK, and companies should continue their GDPR preparation as before. In due course, and subject to the outcome of the UK’s exit negotiations, companies will need to review and make adjustments to their compliance programs, including relevant data transfer mechanisms, to reflect the fact that the UK will have a separate (albeit similar) data protection law to the EU.