Daily Archives: May 21, 2019

Getting ready for digital transformation: The biggest cybersecurity challenges

Digital transformation (DX) is becoming the largest driver of new technology investments and projects among businesses and IDC forecasts that global spending on DX will reach $1.18 trillion in 2019. But DX efforts come with many challenges that need to be effectively addressed so as not to hamper the success of companies’ digital transformation program and strategies. Convincing the leaders Those who have yet to start the process, the initial mission must be to make … More

The post Getting ready for digital transformation: The biggest cybersecurity challenges appeared first on Help Net Security.

The security challenges of managing complex cloud environments

Holistic cloud visibility and control over increasingly complex environments are essential for successful deployments in various cloud scenarios, a Cloud Security Alliance and AlgoSec study reveals. The survey of 700 IT and security professionals aims to analyze and better understand the state of adoption and security in current hybrid cloud and multi-cloud security environments, including public cloud, private cloud, or use of more than one public cloud platform. Key findings of the study include: Cloud … More

The post The security challenges of managing complex cloud environments appeared first on Help Net Security.

Google Stored G Suite Customers Passwords in Plain Text

In a blog published yesterday, Google revealed that it had discovered a bug that allowed some G Suite users to have their passwords saved in text format.

The bug has been in circulation since 2005, although Google claims to find no evidence of incorrect access to someone’s password.

It’s resetting any passwords that might be affected and allow G Suite, administrators to know about the problem.

G Suite is the business version of Gmail and other Google apps. Apparently, the bug in this product was generated because of a feature specifically designed for businesses.

Initially, your G Suite application manager could set user passwords manually, before a new employee is on board. If this was the case, the administrator’s console would store the passwords in plain text instead of hashing them. Since then, Google has removed this option for administrators.

Google’s blog aims to explain how the cryptographic hashing works, probably to ensure that the nuances surrounding this violation are clear.

“We recently notified a subset of our enterprise G Suite customers that some passwords were stored in our encrypted internal systems unhashed,” Suzanne Frey, Google Cloud VP of Engineering wrote.

Although passwords are stored in plain text, they are at least plain text on Google’s servers. It would be more difficult to reach them if they had just arrived on the open Internet.

Although Google did not say explicitly, it also seems to prevent people from placing this bug in the same category as other common password problems in which these passwords were leaked. Google has already led users to reset their passwords.

In turn, Google has identified not only the number of users likely to be affected by this bug, but also the fact that it affects “a subset of our G Suite business customers” – probably anyone who used G Suite in 2005.

And while Google has found no evidence that anyone has used this access for malicious purposes, it is unclear who has access to those files containing only text.

Anyway the issue is fixed now, and Google has conveyed in its post how it is appropriately sorry about the whole issue:

We take the security of our enterprise customers extremely seriously and pride ourselves in advancing the industry’s best practices for account security. Here we did not live up to our own standards, nor those of our customers. We apologize to our users and will do better.

Related Resources:

Google Removes 85 Adware-Infected Android Apps

Google Helps Identify Crime Suspects Using Location History


The post Google Stored G Suite Customers Passwords in Plain Text appeared first on .

Organizations face operational deficiencies as they deal with hybrid IT complexities

While enterprises are taking advantage of cloud computing, all enterprises have on-going data center dependencies, a Pulse Secure report reveals. One fifth of respondents anticipate lowering their data center investment, while more than 40% indicated a material increase in private and public cloud investment. According to the “2019 State of Enterprise Secure Access” report, “the shift in how organizations deliver Hybrid IT services to enable digital transformation must also take into consideration empowering a mobile … More

The post Organizations face operational deficiencies as they deal with hybrid IT complexities appeared first on Help Net Security.

Is your perimeter inventory leaving you exposed? Why it’s time to switch from IP to DNS

Historically, security teams and tools have used IP addresses to define their targets and scopes. But in a world where applications and networks are increasingly cloud-hosted or integrated with third-party services, IP addresses alone aren’t enough to ensure coverage. Modern perimeters are dynamic and constantly changing, which can lead organizations to have an inaccurate picture of their risk simply by failing to properly catalog what Internet facing assets they have. Testing against a stale set … More

The post Is your perimeter inventory leaving you exposed? Why it’s time to switch from IP to DNS appeared first on Help Net Security.

Global secure email gateway market growth driven by data loss prevention capabilities

The global secure email gateway market is expected to post a CAGR of over 14% during the period 2019-2023, according to the latest market research report by Technavio. A key factor driving the growth of the market is data loss prevention capabilities. Many email gateway solutions help in DLP. DLP is extremely critical in a corporate environment as it helps prevent the leakage of sensitive information from the corporate network. The DLP component of an … More

The post Global secure email gateway market growth driven by data loss prevention capabilities appeared first on Help Net Security.

One Year Later: First GDPR Execution Overview Reveals There’s Still Work to Do

It’s been nearly a year since the European Union’s General Data Protection Regulation (GDPR) became enforceable. In that span of time, news outlets have reported various stories largely concerning the regulation and its penalties scheme. In January 2019, for instance, the world learned that France’s data protection regulator CNIL had fined Google 50 million euros […]… Read More

The post One Year Later: First GDPR Execution Overview Reveals There’s Still Work to Do appeared first on The State of Security.

DataStax launches Constellation, a cloud data platform that simplifies app development and operation

At its DataStax Accelerate user conference, DataStax, the company behind the leading database built on Apache Cassandra, announced DataStax Constellation, a cloud data platform that will simplify the development and operation of modern applications. Constellation will launch later this year with two cloud services: DataStax Apache Cassandra as a Service and DataStax Insights. DataStax Apache Cassandra as a Service will deliver easy scale-up and scale-down Cassandra clusters, on consumption-based pricing, which is backed by the … More

The post DataStax launches Constellation, a cloud data platform that simplifies app development and operation appeared first on Help Net Security.

MistNet launches new threat detection and response platform using mist computing and edge AI

MistNet announces the industry’s first multi-entity threat detection and response platform providing 360-degree visibility into threats and vulnerabilities from desktop to data center to public cloud and IoT environments—through an industry-first application of mist computing and edge AI technologies. The company also announces the closing of a $7 million Series A funding round led by Foundation Capital with participation from Westwave Capital and a market-leading networking and security company, to be used to support the … More

The post MistNet launches new threat detection and response platform using mist computing and edge AI appeared first on Help Net Security.

Gigamon Application Intelligence to provide network visibility of the digital enterprise

Gigamon, the leading network visibility provider for the digital enterprise, introduced Gigamon Application Intelligence, which provides comprehensive visibility into the highly complex applications at the heart of digital transformations. As organizations rapidly evolve through their digital transformation journey, agile and highly distributed applications challenge IT teams to achieve and maintain the required security, performance and customer experience. The Gigamon Application Intelligence offering is the only solution that eliminates data silos by sharing application knowledge across … More

The post Gigamon Application Intelligence to provide network visibility of the digital enterprise appeared first on Help Net Security.

Digital Guardian partners with “Friends of Objective-See” to enhance macOS users security

Digital Guardian announced it will be partnering closely with “Friends of Objective-See,” a program designed to safeguard macOS users from malicious attacks by providing security tools, as well as sponsoring the Objective-See conference: Objective by the Sea (OBTS), the world’s only Mac security conference. Objective-See was created by world renowned Mac security researcher, Patrick Wardle, with the intent of sharing free security tools that Patrick uses to secure his macOS environment. “Friends of Objective-See” extends … More

The post Digital Guardian partners with “Friends of Objective-See” to enhance macOS users security appeared first on Help Net Security.

VMS Software launches OpenVMS First Boot on x86 architecture

VMS Software (VSI) is pleased to announce OpenVMS First Boot on the x86 architecture. This important achievement is a major step towards giving OpenVMS users the ability to operate on modern x86 hardware or in the Cloud. “It has been a long journey to get here and we will now be moving rapidly to the V9.0 Early Developer Kit and then to full system operation said Clair Grant, VSI’s CTO. Grant continued, “There is still … More

The post VMS Software launches OpenVMS First Boot on x86 architecture appeared first on Help Net Security.

Lattice unveils MachXO3D FPGA for securing systems against a variety of threats

Lattice Semiconductor Corporation, the low power programmable leader, announced the MachXO3D FPGA for securing systems against a variety of threats. Unsecured systems can lead to data and design theft, product cloning and overbuilding, and device tampering or hijacking. With MachXO3D, OEMs can simplify the implementation of robust, comprehensive and flexible hardware-based security for all system components. MachXO3D can protect, detect and recover itself and other components from unauthorized firmware access at every stage of a … More

The post Lattice unveils MachXO3D FPGA for securing systems against a variety of threats appeared first on Help Net Security.

Aqua Security validates its Cloud Native Security Platform for VMware Enterprise PKS

Aqua Security, the leading platform provider for securing container-based and cloud native applications, announced that Aqua Cloud Native Security Platform (CSP) has attained VMware Partner Ready status for PKS. The validation of Aqua’s CSP validates that the solution has been tested and verified to interoperate with VMware Enterprise PKS, and can fully manage and secure workloads running on VMware Enterprise PKS. “We are pleased that Aqua Security has validated its Cloud Native Security Platform for … More

The post Aqua Security validates its Cloud Native Security Platform for VMware Enterprise PKS appeared first on Help Net Security.

riskmethods and RapidRatings partnership to enhance customers’ risk management practices

riskmethods, a leader in supply chain risk management, has partnered with RapidRatings to allow their customers to incorporate financial health data of public and private partners into their supply chain risk management workflows. With the riskmethods and RapidRatings combined solution, companies can streamline traditional data entry and data extraction processes and automatically integrate their financial data sources, including financial risk indicators derived by RapidRatings, into the riskmethods scorecard. Customers can now receive the best financial … More

The post riskmethods and RapidRatings partnership to enhance customers’ risk management practices appeared first on Help Net Security.

Radiant Logic unveils RadiantOne with FIPS 140-2 validated encryption

Radiant Logic, the leading provider of the federated identity and directory service, announced the immediate availability of RadiantOne with FIPS 140-2 validated encryption. Radiant Logic recently achieved the FIPS 140-2 validation after an independently accredited lab put the Radiant Logic Cryptographic Module for Java through a series of tests. After proving conformance with the FIPS 140-2 standard, the module’s test report was sent to CMVP, the Cryptographic Module Validation Program, operated by the United States … More

The post Radiant Logic unveils RadiantOne with FIPS 140-2 validated encryption appeared first on Help Net Security.

GlobalSign Digital Signing Service now supports 2014/55/EU directive

GMO GlobalSign, a global Certificate Authority (CA) and leading provider of identity and security solutions for the Internet of Things (IoT), announced that its popular Digital Signing Service (DSS) supports 2014/55/EU, the newly implemented European Union directive regarding electronic invoicing. The directive defines a common standard for e-invoices to reduce the complexity and legal uncertainty around e-invoicing and make cross-border trade relations easier. As a result of the new regulation, which came into force on … More

The post GlobalSign Digital Signing Service now supports 2014/55/EU directive appeared first on Help Net Security.

Spirent incorporates NetSecOPEN test suite into its CyberFlood testing platform

Spirent Communications, the trusted provider of test, measurement, assurance, and analytics solutions for next-generation devices and networks, announced that it has fully incorporated the NetSecOPEN test suite into its CyberFlood testing platform. The new built-in capabilities provide CyberFlood users with the ability to easily perform assessments of their security systems using the full breadth of NetSecOPEN’s open network security test standard methodologies. NetSecOPEN is a vendor-independent standards body that brings together leading testing solutions vendors, … More

The post Spirent incorporates NetSecOPEN test suite into its CyberFlood testing platform appeared first on Help Net Security.

Pliant raises over $2.5 million to launch the RPA company

Pliant, a workflow automation platform for API-driven enterprise and service provider infrastructures, announced it has launched out of stealth and secured over $2.5 million in funding, led by former SevOne tech startup exec, Vess Bakalov. Backed by Newfund Capital, New Stack Ventures, Leading Edge, and other angel and family investors, the funding will be used to launch the RPA company. “In today’s on-demand and fast-paced economy, Pliant lets you build sophisticated workflows to automate complex … More

The post Pliant raises over $2.5 million to launch the RPA company appeared first on Help Net Security.

Emsisoft released a free Decrypter for JSWorm 2.0

Good news for the victims of the JSWorm 2.0 ransomware, thanks to experts at Emsisoft they can decrypt their file for free.

Experts at Emsisoft malware research team released a decrypter for a recently discovered ransomware tracked as JSWorm 2.0.

JSWorm 2.0 is written in C++ and implements Blowfish encryption. The first version of the malware was written in C# and used the “.JSWORM” extension. Researchers believe both versions were developed by the same author.

Researchers found notable callouts in two different malware samples naming ID Ransomware and several prominent malware researchers:




Experts pointed out that there have been multiple confirmed submissions to the online service ID Ransomware that allows victims to upload their encrypted files to identify the ransomware that infected their machines. Since January 2019, experts observed encrypted files uploaded from South Africa, Italy, France, Iran, Vietnam, Argentina, United States, and other countries.

“Its files have the “.[ID-<numbers>][<email>].JSWORM” extension and the ransom note file named “JSWORM-DECRYPT.txt.”” reads the post published by Emsisoft.

Once infected a computer, the JSWorm 2.0 ransomware will perform the following actions:

  • Sets the “EnableLinkedConnections” registry key, which allows it to attack mapped drives when ran as admin.
  • Restarts SMB services (lanmanworkstation) to take effect (we are investigating if there’s more to the SMB vector).
  • Stops services for databases (MSSQL, MySQL, QuickBooks), kills shadow copies, disables recovery mode.

Victims of the JSWorm ransomware have to follow the instructions below to decrypt their files for free:

  1. Download the Emsisoft JSWorm 2.0 Decrypter.
  2. Run the executable and confirm the license agreement when asked.
  3. Click “Browse” and select the ransom note file on your computer.
  4. Click “Start” to decrypt your files. Note that this may take a while.
JSWorm decrypter


If you appreciate my effort in spreading cybersecurity awareness, please vote for Security Affairs in the section “Your Vote for the Best EU Security Tweeter”

Thank you

Pierluigi Paganini

(SecurityAffairs – JSWorm 2.0. ransomware)

The post Emsisoft released a free Decrypter for JSWorm 2.0 appeared first on Security Affairs.

RDP Stands for “Really DO Patch!” – Understanding the Wormable RDP Vulnerability CVE-2019-0708

During Microsoft’s May Patch Tuesday cycle, a security advisory was released for a vulnerability in the Remote Desktop Protocol (RDP). What was unique in this particular patch cycle was that Microsoft produced a fix for Windows XP, which has not been supported for security updates in years. So why the urgency and what made Microsoft decide that this was a high risk and critical patch?

According to the advisory, the issue discovered was serious enough that it led to Remote Code Execution and was wormable, meaning it could spread automatically on unprotected systems. The bulletin referenced well-known network worm “WannaCry” which was heavily exploited just a couple of months after Microsoft released MS17-010 as a patch for the related vulnerability in March 2017. McAfee Advanced Threat Research has been analyzing this latest bug to help prevent a similar scenario and we are urging those with unpatched and affected systems to apply the patch for CVE-2019-0708 as soon as possible. It is extremely likely malicious actors have weaponized this bug and exploitation attempts will likely be observed in the wild in the very near future.

Vulnerable Operating Systems:

  • Windows 2003
  • Windows XP
  • Windows 7
  • Windows Server 2008
  • Windows Server 2008 R2

Worms are viruses which primarily replicate on networks. A worm will typically execute itself automatically on a remote machine without any extra help from a user. If a virus’ primary attack vector is via the network, then it should be classified as a worm.

The Remote Desktop Protocol (RDP) enables connection between a client and endpoint, defining the data communicated between them in virtual channels. Virtual channels are bidirectional data pipes which enable the extension of RDP. Windows Server 2000 defined 32 Static Virtual Channels (SVCs) with RDP 5.1, but due to limitations on the number of channels further defined Dynamic Virtual Channels (DVCs), which are contained within a dedicated SVC. SVCs are created at the start of a session and remain until session termination, unlike DVCs which are created and torn down on demand.

It’s this 32 SVC binding which CVE-2019-0708 patch fixes within the _IcaBindVirtualChannels and _IcaRebindVirtualChannels functions in the RDP driver termdd.sys. As can been seen in figure 1, the RDP Connection Sequence connections are initiated and channels setup prior to Security Commencement, which enables CVE-2019-0708 to be wormable since it can self-propagate over the network once it discovers open port 3389.


Figure 1: RDP Protocol Sequence

The vulnerability is due to the “MS_T120” SVC name being bound as a reference channel to the number 31 during the GCC Conference Initialization sequence of the RDP protocol. This channel name is used internally by Microsoft and there are no apparent legitimate use cases for a client to request connection over an SVC named “MS_T120.”

Figure 2 shows legitimate channel requests during the GCC Conference Initialization sequence with no MS_T120 channel.

Figure 2: Standard GCC Conference Initialization Sequence

However, during GCC Conference Initialization, the Client supplies the channel name which is not whitelisted by the server, meaning an attacker can setup another SVC named “MS_T120” on a channel other than 31. It’s the use of MS_T120 in a channel other than 31 that leads to heap memory corruption and remote code execution (RCE).

Figure 3 shows an abnormal channel request during the GCC Conference Initialization sequence with “MS_T120” channel on channel number 4.

Figure 3: Abnormal/Suspicious GCC Conference Initialization Sequence – MS_T120 on nonstandard channel

The components involved in the MS_T120 channel management are highlighted in figure 4. The MS_T120 reference channel is created in the rdpwsx.dll and the heap pool allocated in rdpwp.sys. The heap corruption happens in termdd.sys when the MS_T120 reference channel is processed within the context of a channel index other than 31.

Figure 4: Windows Kernel and User Components

The Microsoft patch as shown in figure 5 now adds a check for a client connection request using channel name “MS_T120” and ensures it binds to channel 31 only (1Fh) in the _IcaBindVirtualChannels and _IcaRebindVirtualChannels functions within termdd.sys.

Figure 5: Microsoft Patch Adding Channel Binding Check

After we investigated the patch being applied for both Windows 2003 and XP and understood how the RDP protocol was parsed before and after patch, we decided to test and create a Proof-of-Concept (PoC) that would use the vulnerability and remotely execute code on a victim’s machine to launch the calculator application, a well-known litmus test for remote code execution.

Figure 6: Screenshot of our PoC executing

For our setup, RDP was running on the machine and we confirmed we had the unpatched versions running on the test setup. The result of our exploit can be viewed in the following video:

There is a gray area to responsible disclosure. With our investigation we can confirm that the exploit is working and that it is possible to remotely execute code on a vulnerable system without authentication. Network Level Authentication should be effective to stop this exploit if enabled; however, if an attacker has credentials, they will bypass this step.

As a patch is available, we decided not to provide earlier in-depth detail about the exploit or publicly release a proof of concept. That would, in our opinion, not be responsible and may further the interests of malicious adversaries.


  • We can confirm that a patched system will stop the exploit and highly recommend patching as soon as possible.
  • Disable RDP from outside of your network and limit it internally; disable entirely if not needed. The exploit is not successful when RDP is disabled.
  • Client requests with “MS_T120” on any channel other than 31 during GCC Conference Initialization sequence of the RDP protocol should be blocked unless there is evidence for legitimate use case.


It is important to note as well that the RDP default port can be changed in a registry field, and after a reboot will be tied the newly specified port. From a detection standpoint this is highly relevant.

Figure 7: RDP default port can be modified in the registry

Malware or administrators inside of a corporation can change this with admin rights (or with a program that bypasses UAC) and write this new port in the registry; if the system is not patched the vulnerability will still be exploitable over the unique port.

McAfee Customers:

Please stay tuned for product bulletins and security updates shortly!

If you have any questions, please contact McAfee Technical Support.



The post RDP Stands for “Really DO Patch!” – Understanding the Wormable RDP Vulnerability CVE-2019-0708 appeared first on McAfee Blogs.

PayPal’s Beautiful Demonstration of Extended Validation FUD

PayPal's Beautiful Demonstration of Extended Validation FUD

Sometimes the discussion around extended validation certificates (EV) feels a little like flogging a dead horse. In fact, it was only September that I proposed EV certificates are already dead for all sorts of good reasons that have only been reinforced since that time. Yet somehow, the discussion does seem to come up time and again as it did following this recent tweet of mine:

Frankly, I think this is more a symptom of people coming to grips with the true meaning of SSL (or TLS) than it is anything changing with the way certs are actually issued, but I digress. The ensuing discussion after that tweet reminded me that I really must check back in on what I suspect may be the single most significant example of why EV has become little more than a useless gimmick today. It all started on stage at NDC Sydney in September, more than 8 months ago now. Here's the exact moment deep-linked in the recorded video:

Well that was unexpected. I came off stage afterwards and sat down with Scott Helme to delve into it further, whereupon we found behaviour that you can still see today at the time of writing. Here's PayPal in Firefox:

PayPal's Beautiful Demonstration of Extended Validation FUD

You can clearly see the green EV indicator next to the address bar in Firefox, but load it up in Chrome and, well...

PayPal's Beautiful Demonstration of Extended Validation FUD

Now, you may have actually spotted in the video that the cert was issued by "DigiCert SHA2 Extended Validation Server CA" which would imply EV. It also the same cert being issued to both Firefox and Chrome too, here's a look at it in both browsers (note that the serial number and validity periods match up):

PayPal's Beautiful Demonstration of Extended Validation FUD
PayPal's Beautiful Demonstration of Extended Validation FUD

The reason we're seeing the EV indicator in Firefox and not in Chrome has to do with the way the certificates chain in the respective browsers and again, here's Firefox then Chrome:

PayPal's Beautiful Demonstration of Extended Validation FUD
PayPal's Beautiful Demonstration of Extended Validation FUD

Whilst "DigiCert SHA2 Extended Validation Server CA" is the same in each browser, the upstream chain is then different with Firefox and Chrome both seeing different "DigiCert High Assurance EV Root CA" certs (even though they're named the same) and Chrome obviously then chaining up another couple of hops from there. But frankly, the technical explanation really isn't the point here, the point is that we're now nearly 8 months in which can only mean this:

PayPal really doesn't care that the world's most popular browser no longer displays the EV visual indicator.

And that's all EV ever really had going for it! (Note: yes, I know there can be regulatory requirements for EV in some jurisdictions, but let's not confuse that with it actaully doing anything useful.) The entire value proposition put forward by the commercial CAs selling EV is that people will look for the indicator and trust the site so... it's pretty obvious that's not happening with PayPal.

Furthermore, as I've said many times before, for EV to work people have to change their behaviour when they don't see it! If someone stands up a PayPal phishing site, for example, EV is relying on people to say "ah, I was going to enter my PayPal credentials but I don't see EV therefore I won't". That's how EV "stops phishing" (according to those selling the certs), yet here we are with a site that used to have EV and if it ever worked then it was only by people knowing that PayPal should have it. So what does it signal now that it's no longer there? Clearly, that people aren't turning away due to it's absence.

And finally, do you reckon PayPal is the sort of organisation that has the resources to go out and get another EV cert that would restore the visual indicator if need be? Of course they are! Have they? No, because it would be pointless anyway because nobody actually changes their behaviour in its absence!

It's a dead duck, let's move on.

Data Security in the Cloud: How to Lock Down the Next-Gen Perimeter

Enjoy the video replay of the recent Threatpost cloud security webinar, featuring a panel of experts offering best practices and ideas for managing data in a cloudified world.

Group-IB blocked more than 180,000 links to pirated copies of Game of Thrones

Since April 2019, Group-IB has successfully blocked more than 43,000 links to pirated copies of the Game of Thrones Season 8 on pirate websites, forums, and social media

As the Game of Thrones saga came to a close (no spoilers here), Group-IB has summed up the results of its anti-piracy campaign during Season 8 of the Game of Thrones – one of the biggest franchises in the TV history. Since April 2019, when the final season premiered, Group-IB Anti-Piracy team has successfully blocked more than 43,000 links to pirated copies of the GOT Season 8 on pirate websites, forums, and social media. Group-IB’s Anti-Piracy team was brought in to protect Game of Thrones against online pirates back in 2015. Since that time, the company’s specialists have blocked more than 180,000 links to illegal copies of Game of Thrones in Russian.

The final GOT Season 8 premiered on 14 April and became one of the show’s most popular seasons not only among fans all over the world, but also among online pirates. Group-IB’s Anti-Piracy team discovered and blocked 43,711 links to pirated Season 8 episodes in Russian. Illegal copies surfaced on pirate websites, forums, and social media. Pirated copies of the GOT Season 8 episodes were spotted on 1,098 different websites, 94 of which were designed exclusively for the distribution of pirated GOT copies.

More than 30,000 unique links to pirated GOT episodes have been removed from the search results of the Russian search engine Yandex. In response to the blocking, online pirates struck back by creating mirrors on a daily basis – copies of their websites with new but very similar domain names. For instance, one of the pirates created more than 20 mirrors on their subdomains. However, according to the pirates’ forum posts, the owners of pirate websites were not ready for the “attack” on them: “Looks like somebody just wiped the links out. Some of the pages disappeared… some of them do not appear in search results”. It is also interesting that some of the groups on VK.com, a Russian social network, removed pirated episodes after receiving complaints and turned into GOT fan pages.

The streaming service Amediateka holds exclusive distribution rights for the Game of Thrones in Russia and since April 2015, when Season 5 premiered, has used the services of Group-IB to fight online pirates distributing illegal copies of the GOT in Russian. Season after season, online pirates’ interest in the show has only been increasing. For example, while Season 5 was broadcast, Group-IB’s Anti-Piracy team detected and removed 2,067 links to illegal copies. Season 7 saw an increase, reaching 12,540 links to pirated episodes detected and blocked. Season 8 set a record of 43,711 links. For the past 4 years, Group-IB detected and blocked more than 180,000 links, including links detected and blocked between the seasons’ airings.

Game of Thrones Season 8

GOT is not the only Amediateka’s show that Group-IB’s Anti-Piracy team protects, but it turned out to be pirates’ favorite one. Pirates’ other top targets include True Detective, with 23,473 pirated links detected and blocked, Billions (20,303 links), The Good Wife (14,541 links), and Westworld, with  12,229 links detected and blocked by Group-IB Anti-Piracy team.

“For us the battle against online pirates, trying to profit off the illegal distribution of the Game of Thrones in Russian, was as fierce as for George R.R. Martin’s characters,” commented Andrey Busargin, Director of Anti-Piracy and Brand Protection at Group-IB. “I would also like to highlight Amediateka’s commitment to counter online piracy in Russia: they brought in Group-IB Anti-Piracy team ahead of time and have been making continuous efforts to popularize legal viewership of the Game of Thrones making it available on its website, in movie theaters all over the country and even on the stadium.”

Group-IB‘s fight against digital piracy started in 2011, when the Anti-Piracy Department was established. Group-IB’s Anti-Piracy team uses unique machine-learning technologies applied in complex investigations of cyberattacks to detect pirate websites, find their owners and block illegal content. Group-IB’s Anti-Piracy system monitors 100,000+ resources in all languages ranging from torrent trackers and streaming services to social media groups and pirate platforms in the DarkNet. The average time to detect the first pirated copy on the Internet is 30 minutes. 80% of pirated links are successfully blocked by Group-IB team within 24 hours of their appearance on the Internet.

If you appreciate my effort in spreading cybersecurity awareness, please vote for Security Affairs in the section “Your Vote for the Best EU Security Tweeter”

Thank you

About the author: Group-IB is a leading provider of solutions aimed at detection and prevention of cyberattacks, online fraud, and IP protection.

The report published by Group-IB is available here:


Pierluigi Paganini

(SecurityAffairs – piracy, Game of Thrones)

The post Group-IB blocked more than 180,000 links to pirated copies of Game of Thrones appeared first on Security Affairs.

ITIL Service Operation Processes: A Brief Introduction

The ITIL Service Operation (SO), which is one of the five core publications that form part of the ITIL Service Management Lifecycle under ITIL (Information Technology Infrastructure Library) Framework, provides guidance regarding maintaining stability in IT Services and helps manage services in supported environments.

The ITIL SO module takes care of some very important responsibilities including the monitoring of services, the resolving of incidents, the fulfilling of requests and the execution of operational tasks. Once the formal handover from the Service Transition process module is done, the SO module takes control of new/changed services and takes care of the execution of all design and transition plans. The SO module also measures all these plans for actual efficiency.

The Objectives

The ITIL SO module, which is totally customer facing, ensures that IT services are delivered efficiently and effectively and also that quality of service is maintained. Hence, key functionalities like fixing problems and service failures, fulfilling of user requests, executing routine operation tasks etc come under the purview of the SO module. The SO module also takes care of some other important aspects including reducing incidents and problems, minimizing impact of service outages on businesses, ensuring authorized access only to agreed IT services, assisting organizations in delivering benefits within SLA in the best of manners, supporting users in service-related matters etc.

The Processes

There are five processes that come under ITIL SO. They are- Event Management, Incident Management, Request Fulfilment, Problem Management and Access Management.

While Event Management is basically about ensuring constant monitoring of CIs and services, Incident Management, as the term suggests, ensures that IT services are restored to working state quickly after unexpected incidents. Request Fulfilment is all about the acknowledging and processing of service requests from users and Problem Management helps find root cause of problems and seeking to mitigate impacts of problems or trying to prevent them from happening. The last, Access Management is all about ensuring authorized access to services and functions in accordance with pre-defined policies.

These five processes are assigned to two major functional groups- the Service Desk and the Technical Support Group (Technical, Application and IT Operations Management), about which we discuss in detail in the next section.

The Functions

ITIL SO comprises four functions and two sub-functions. The functions are- Service Desk, Technical Management, IT Operations Management and Applications Management.

Service Desk, which is the first and single point of contact, takes care of things like coordinating between end user and service provider, managing logged tickets, ensuring timely closure of user requests etc.

Technical Management is all about managing the IT infrastructure by providing technical expertise and support.

The IT Operations management deals with IT related day-to-day operational activities and comprises two sub-functions, namely IT Operations Control (monitoring and controlling of IT services and the underlying infrastructure) and Facilities Management (management of the physical environment where the IT infrastructure is located).

Application Management, as the term suggests, is all about managing applications throughout their lifecycle.

The Benefits

There are many benefits of the ITIL Service Operations process.

The main benefit, however, is that it helps reduce unplanned expenditure for organizations through optimized handling of service outages and proper identification of their causes. By ensuring that the duration and frequency of service outages are minimized, ITIL SO helps organizations make full use of services.

ITIL SO processes support an organizations security policy by ensuring proper access management and also helps obtain operational data to be used by other ITIL processes. Providing quick, effective access to standard IT services also is one of the benefits. It also helps provide a framework for automating iterative operations, thereby helping increase efficiency and better utilization of human resources.

The post ITIL Service Operation Processes: A Brief Introduction appeared first on .

Data Leak Exposes Instagram Influencers

A leaked database has compromised the personal information of more than 49 million Instagram users, including celebrities and “influencers.”

The information was found on an unsecured database hosted on an Amazon cloud server and includes public-facing information from Instagram accounts as well as personal details, including email addresses and phone numbers. Techcrunch, the website that initially broke the story, traced the database back to Chtrbox, a social media marketing firm based in Mumbai.

The database appears to have been initially compiled to determine relative costs and overall influence of each Instagram account.

The chief executive of Chtrbox declined to comment on the story.

See the initial Techcrunch news article here.


The post Data Leak Exposes Instagram Influencers appeared first on Adam Levin.

DHS Issues Alert on Chinese-Made Drones

DHS Issues Alert on Chinese-Made Drones

Chinese-made drones may be sending sensitive flight data to their manufacturers in China, according an alert issued by the US Department of Homeland Security (DHS), CNN reported on May 20.

In a copy of the alert obtained by CNN, DHS said, "The United States government has strong concerns about any technology product that takes American data into the territory of an authoritarian state that permits its intelligence services to have unfettered access to that data or otherwise abuses that access.”

While the report refrains from naming specific manufacturers, approximately 80% of the drones used in the US and Canada reportedly come from DJI in Shenzhen, China. DHS reportedly is concerned about "potential risk to an organization's information…[from products that] contain components that can compromise your data and share your information on a server accessed beyond the company itself," according to CNN.

"Those concerns apply with equal force to certain Chinese-made (unmanned aircraft systems)-connected devices capable of collecting and transferring potentially revealing data about their operations and the individuals and entities operating them, as China imposes unusually stringent obligations on its citizens to support national intelligence activities," the alert reportedly added.

“The Department of Commerce required Google to pull rights to use Google Play and apps on Android from Huawei. Now, we are hearing about risks of Chinese-made drones, which the primary manufacturer is DJI based in China,” said Chris Morales, head of security analytics at Vectra.

“The overall theme is that a third-party manufacturer could be using personal data for malicious intent. This is a theme that should expand beyond just a specific nation state actor. This is a real concern for any device that is collecting data on a user, regardless of where they are based.

“It doesn’t mean everyone is bad, though. Most organizations are in the business of making money and are not intentionally causing harm to consumers. Personally, I don’t even like enabling features, such as location services, on my personal device that gives even American companies too much data about me and my own personal habits.”

Step 9. Protect your OS: top 10 actions to secure your environment

In “Step 9. Protect your OS” of the Top 10 actions to secure your environment blog series, we provide resources to help you configure Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) to defend your Windows, macOS, Linux, iOS, and Android devices from advanced threats.

In an advanced threat, hackers and cybercriminals infiltrate your network through compromised users or vulnerable endpoints and can stay undetected for weeks—or even months—while they attempt to exfiltrate data and move laterally to gain more privileges. Microsoft Defender ATP helps you detect these threats early and take action immediately.

Enabling Microsoft Defender ATP and related products will help you:

  • Mitigate vulnerabilities.
  • Reduce your attack surface.
  • Enable next generation protection from the most advanced attacks.
  • Detect endpoint attacks in real-time and respond immediately.
  • Automate investigation and remediation.

Threat & Vulnerability Management

Threat & Vulnerability Management is a new component of Microsoft Defender ATP that provides:

  • Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities.
  • Linked machine vulnerability and security configuration assessment data in the context of exposure discovery.
  • Built-in remediation processes through Microsoft Intune and Microsoft System Center Configuration Manager.

To use Threat & Vulnerability Management, you’ll need to turn on the Microsoft Defender ATP preview features.

Attack surface reduction

Attack surface reduction limits the number of attack vectors that a malicious actor can use to gain entry. You can configure attack surface reduction through the following:

  • Microsoft Intune
  • System Center Configuration Manager
  • Group Policy
  • PowerShell cmdlets

Enable these capabilities to reduce your attack surface:

Hardware-based isolation Configure Microsoft Defender Application Guard to protect your company while your employees browse the internet. You define which websites, cloud resources, and internal networks are trusted. Everything not on your list is considered untrusted.
Application control Restrict the applications that your users can run and require that applications earn trust in order to run.
Device control Configure Windows 10 hardware and software to “lock down” Windows systems so they operate with properties of mobile devices. Use configurable code to restrict devices to only run authorized apps.
Exploit protection Configure Microsoft Defender Exploit Guard to manage and reduce the attack surface of apps used by your employees.
Network protection Use network protection to prevent employees from using an application to access dangerous domains that may host phishing scams, exploits, and other malicious content.
Controlled folder access Prevent apps that Microsoft Defender Antivirus determines are malicious or suspicious from making changes to files in protected folder.
Network firewall Block unauthorized network traffic from flowing into or out of the local device.
Attack surface reduction controls Prevent actions and apps that are typically used by exploit-seeking malware to infect machines.

Next generation protection

The Intelligent Security Graph powers the antivirus capabilities of Microsoft Defender Antivirus, which works with Microsoft Defender ATP to protect desktops, laptops, and servers from the most advanced ransomware, fileless malware, and other types of attacks.

Configure Microsoft Defender Antivirus capabilities to:

Enable cloud-delivered protection Leverage artificial intelligence (AI) and machine learning algorithms to analyze the billions of signals on the Intelligent Security Graph and identify and block attacks within seconds.
Specify the cloud-delivered protection level Define the amount of information to be shared with the cloud and how aggressively new files are blocked.
Configure and validate network connections for Microsoft Defender Antivirus Configure firewall or network filtering rules to allow required URLs.
Configure the block at first sight feature Block new malware within seconds.

Endpoint detection and response

Microsoft Defender ATP endpoint detection and response capabilities detect advanced attacks in real-time and give you the power to respond immediately. Microsoft Defender ATP correlates alerts and aggregates them into an incident, so you can understand cross-entity attacks (Figure 1).

Alerts are grouped into an incident based on these criteria:

  • Automated investigation triggered the linked alert while investigating the original alert.
  • File characteristics associated with the alert are similar.
  • Manual association by a user to link the alerts.
  • Proximate time of alerts triggered on the same machine falls within a certain timeframe.
  • Same file is associated with different alerts.

Image of the Windows Defender Security Center.

Figure 1. Microsoft Defender ATP correlates alerts and aggregate them into incidents.

Review your alerts and incidents on the security operations dashboard. You can customize and filter the incident queue to help you focus on what matters most to your organization (Figure 2). You can also customize the alert queue view and the machine alerts view to make it easier for you to manage.

Image of a list of incidents in the Windows Defender Security Center.

Figure 2. Default incident queue displays incidents seen in the last 30 days, with the most recent incident showing at the top of the list.

Once you detect an attack that requires remediation, you can take the following actions:

Auto investigation and remediation

Microsoft Defender ATP can be configured to automatically investigate and remediate alerts (Figure 3), which will reduce the number of alerts your Security Operations team will need to investigate manually.

Image showing automated investigations in Microsoft Defender ATP.

Figure 3. You can view the details of an automated investigation to see information such as the investigation graph, alerts associated with the investigation, the machine that was investigated, and other information.

Create and manage machine groups in Microsoft Defender ATP to define automation levels:

Automation level Description
Not protected. Machines will not get any automated investigations run on them.
Semi – require approval for any remediation. This is the default automation level.
An approval is needed for any remediation action.
Semi – require approval for non-temp folders remediation. An approval is required on files or executables that are not in temporary folders. Files or executables in temporary folders, such as the user’s download folder or the user’s temp folder, will automatically be remediated if needed.
Semi – require approval for core folders remediation. An approval is required on files or executables that are in the operating system directories such as Windows folder and program files folder. Files or executables in all other folders will automatically be remediated if needed.
Full – remediate threats automatically. All remediation actions will be performed automatically.

Microsoft Threat Experts

Microsoft Threat Experts is a new, managed threat hunting service that provides proactive hunting, prioritization, and additional context and insights that further empower security operations centers (SOCs) to identify and respond to threats quickly and accurately with two capabilities:

  1. Targeted attack notifications—Alerts that are tailored to organizations provide as much information as can be quickly delivered to bring attention to critical network threats, including the timeline, scope of breach, and the methods of intrusion.
  2. Experts on demand—When a threat exceeds your SOC’s capability to investigate, or when more actionable information is needed, security experts provide technical consultation on relevant detections and adversaries. In cases where a full incident response becomes necessary, seamless transition to Microsoft incident response services is available.

Microsoft Defender ATP customers can register for Microsoft Threat Experts and we will reach out to notify you via email when you’ve been selected.

Learn more

Check back in a few weeks for our final blog post in the series, “Step 10. Detect and investigate security threats,” which will give you tips to deploy Azure Advanced Threat Protection to detect suspicious activity in real-time.


The post Step 9. Protect your OS: top 10 actions to secure your environment appeared first on Microsoft Security.

“Hackable?” Puts Smartphones to the Test

Is the Personal Data on Your Smartphone Vulnerable? Listen to Find Out: Used for everything from banking and taking pictures, to navigating, streaming, and connecting, mobile devices are a treasure trove of sensitive personal data. On the latest episode of “Hackable?” the team investigates how secure that data really is by inviting a white-hat to try and remotely penetrate our host Geoff’s smartphone. Listen now on Apple Podcasts and learn if one errant click could expose everything, including your deleted photos.  

The post “Hackable?” Puts Smartphones to the Test appeared first on McAfee Blogs.

“Hackable?” Puts Smartphones to the Test

Is the Personal Data on Your Smartphone Vulnerable? Listen to Find Out: Used for everything from banking and taking pictures, to navigating, streaming, and connecting, mobile devices are a treasure trove of sensitive personal data. On the latest episode of “Hackable?” the team investigates how secure that data really is by inviting a white-hat to try and remotely penetrate our host Geoff’s smartphone. Listen now on Apple Podcasts and learn if one errant click could expose everything, including your deleted photos.  


The post “Hackable?” Puts Smartphones to the Test appeared first on McAfee Blogs.

Facial Recognition Software 101: Current Debates and How to Elude It

Facial recognition software is a relatively new technological development that is becoming adopted on a large scale by law enforcement agencies and national intelligence agencies worldwide.

Theoretically, the adoption of facial recognition software and other biometric identification methods could help identify attacks before they occur and generally lead to a faster capture of criminals. Practically, many citizens and digital privacy advocates are fighting back against the use of facial recognition software.

So why is facial recognition software such a charged topic?

To help anyone understand exactly why people don’t like it, I’ll first dive into the current debates surrounding it and on the main controversies about facial recognition software. Then, I’ll continue by explaining how the technology works and how you can confuse it or resist it.

While I wouldn’t encourage anyone to do anything illegal or resist legitimate info requirements made by public authorities, the truth is that facial recognition software is still, in many ways, a wild west. The laws are being debated and subject to change.

Innovators and authorities are still exploring what the technology can do and discover new functionalities. Meanwhile, the public tries to catch up and debate whether the functionality should be used in the first place.

Therefore, attempts to resist facial recognition software and to confuse it are a vital part of current negotiations and debates, in a new landscape where the right to a private life can’t be taken for granted anymore.

But before we dive in deep into the intricacies of facial recognition software, we need to look a bit to the history of developing facial recognition software.

A short history of facial recognition software:

  • Mid-1960s: American mathematician Woodrow Wilson Bledsoe and his team develop a simple device which records facial features using a stylus and a tablet. His efforts helped pave the way towards modern facial recognition software and his intelligence team members are considered pioneers of AI and pattern recognition.
  • Between the 1980s and 1990s: MIT, Rhode Island, and Brown University scientists develop the technology further, leading to Eigenfaces. Eigenfaces are two-dimensional facial structures generated through algebraic formulae. They laid the foundation for contemporary facial recognition software.
  • After 2001: The 9/11 terrorist attacks highlighted the need to strengthen border security with better personal identification, via facial recognition software. This led to a wide-scale adaptation of this software, which continues to be improved to this day. Applications of the software were quickly picked up by the commercial sector as well (see below).
  • 2005: The first personal phone with facial recognition software is unveiled at the Security Show Japan. The technology was named OKAO Vision Face Recognition Sensor and it was developed by the OMRON Corporation.
  • 2005 – present: Facial recognition software is increasingly adopted by most smartphones but also perfected for the use of law enforcement and military groups. Machine learning and AI are employed for taking its accuracy to new heights and to vary its applications.

Why Is Facial Recognition Software So Debated Today?

As you can see, facial recognition software also has some consumer applications which are pretty popular (like the ones for smartphones).

Since security experts have long decried single-factor authentication (like security measures consisting only of passwords) as being too vulnerable to hacking (through credential stuffing attacks, for example), two-factor authentication is increasingly recommended and implemented. Some voices say even two-factor authentication is not as secure as previously thought.

In this context, methods of biometric authentication seem like a more secure way of accessing your accounts. Signing in with your face, your fingerprint, your iris scan or other bodily-related identity factors, which are (theoretically) accessible to no one buy you is the next level.

So why then are people against facial recognition software?

First and foremost, because facial recognition software started being employed in mass surveillance programs at nation-wide levels. People may not be against facial recognition software per se, but the way it started being used by law enforcement and state intelligence agencies are making most citizens uncomfortable.

Secondly, it’s not just the matter of privacy infringing: facial recognition software is also prone to errors and bias which cause people further discomfort.

Thirdly, as people become more educated in cybersecurity matters, with news of new data breaches making headlines every month, everyone is realizing that the safest bet is to have as little of your data collected as possible. If you allow devices to record even your most personal and private biometric data and store it for recognition and authentication, sooner or later the data might fall into the wrong hands.

Thor Foresight makes sure that link is safe!
Your parents and friends will click any suspicious link, so make sure they're protected.
Thor Foresight Home anti malware and ransomware protection heimdal security
Thor Foresight provides: Automatic and silent software updates Smart protection against malware Compatibility with any traditional antivirus.


Get Thor Foresight

There are other ways of being safe or employing multi-factor authentication methods; you don’t need to hand over your intimate bodily data. Besides, some biometric data is very easily faked by hackers just by seeing a photo of their victim where the hands are visible. In a famous case, a German minister’s fingerprints were replicated by hackers using just public photos.

Countries Which Are in the Spotlight for Facial Recognition Software

But the first reason for which people are outraged by facial recognition software lately is the way some public authorities started employing it. In the past half-year, some countries have been more under the spotlight for using facial recognition software in a way equated by people to a dystopian-like mass surveillance campaign.

These countries are:

#1. The US

In most American cities, unless explicitly banned due to public backlash and protests, police authorities have adopted the use of facial recognition software.

Since the technology behind facial recognition software is rather new and unprecedented, laws haven’t managed to catch up with it. Therefore, it’s still akin to the wild west: police are using the tech liberally and gathering as much data as they can, just thinking that it might be useful in the future or in order to train the programs to be more accurate.

As of 2016, it was estimated that 50% of the population was in the databases of police-owned facial recognition software, and that was 3 years ago.

If laws concerning the collection of private data without consent are in place, they are targeted at companies and advertisers, not at law enforcement. However, digital rights advocacy groups started speaking out against the rights of law enforcement to gather and make use of such data without a just reason. The following year will probably bring significant changes, one way or the other, as the matter is settled towards one pole or the other. More details on debates and protests below.

#2. The UK

bansky mural against cctv

“One Nation Under CCTV,” 2007 mural by Banksy (Flickr/ogglog).

In the UK, the use of facial recognition software by law enforcement seems to be even more pervasive than in the US, raising deeper concern over citizen rights and dystopian potential. To say that the use of this tech by police forces is contested would be an understatement.

First of all, as the use of this tech is yet unregulated, the police are apparently using it without permission. Privacy rights advocates such as the Big Brother Watch NGO are campaigning against the use, calling it unlawful and abusive towards privacy rights. Other studies report numerous ways in which surveillance via facial recognition software infringes on multiple citizen rights.

The UK police is also taken to court over its use of facial recognition software, in a first case. Until the matter is settled via legislation, more trials and protests will probably follow.

The fact that the use of the software is not even particularly effective doesn’t help improve its public perception either.

#3. China

China is facing an international outrage over its treatment of the Uighur minority in the Xinjiang region, who are under constant surveillance through various technological means, including facial recognition, voice recording and spying (even when not talking on the phone and so on). Chinese police forces even have smart glasses with built-in facial recognition systems, so the potential of the tech is very high.

#4. Germany

Germany tested out using facial recognition software for checking the people who cross through a train station, on the basis of volunteers and completely consensual ceding of biometric photos. However, it didn’t take long for privacy advocates to raise alarms. Considering the country’s history to mass surveillance by the government, I think the quick response, even if the trigger was ‘softer’ than the practices adopted by other countries, is a healthy exercise in democracy.

Other countries (less concerning cases):

Facial recognition software is also employed by law enforcement in the United Arab Emirates (for border control and such).

In Japan, the tech is being used for some controversial things like checking whether employees are smiling enough and so on, but since it’s not controversial in how police forces are using it, I won’t be including Japan in the list of really concerning countries.

Singapore, the tech capital of Asia, also employs facial recognition software widely for fast check-ins and such, but no reports of abuse have come through. Of course, it’s very possible that the West is experiencing more public protests about this kind of tech because of cultural differences and a greater awareness of privacy rights.

How People Are Fighting Back against Facial Recognition Software and Why

While for their part, law enforcement forces are defending their use of facial recognition software by highlighting the positive effects it has, people are not convinced.

In the US and UK, regular protests were held against the police use of facial recognition software without probable cause, as well as against storing the data obtained through this software without consent. If we look at some of the recent and non-recent protests, it’s pretty clear that many citizens see facial recognition software as having the potential to lead to a dystopian world, at least when it is in the hands of public forces.

  • In Washington, DC, people made a logo from the Eye of Sauron (from the Lord of the Rings trilogy) and the campaign message ‘Stop Watching Us, Sauron’ in order to protest surveillance;
  • An NSA program which uses machine learning to identify probable terrorists has been dubbed Skynet, in a reference to the machine turned mad which ultimately takes control of humans in the Terminator series.

Recently, San Francisco registered a huge win in this fight: due to citizen backlash, it became the first city to ban the use of facial recognition software by police and municipal authorities. Reports say that Oakland may soon follow in its trail.

New York Brooklyn tenants are protesting the plans of a landlord to install facial recognition software in their building. If the protest is successful, it will serve as a useful precedent to fight future potentially unethical uses of this software.

In other parts of the world, like China, protests were obviously not held against this tech, but the Uighur minority members who manage to get away (usually to Turkey as a preferred asylum destination) are complaining about the all-controlling digital surveillance tech back home.

Protesting facial recognition software is not all political; there are also economic ways of sanctioning the use of technologies which are perceived as infringing people’s privacy.

Advocacy groups blend their efforts in order to exert pressure on big tech companies like Google and Microsoft in order to prevent them from selling facial recognition software to the government. Google agreed to the requests and said it will not release such software for now, until it finds good ways to ensure its ethical use.

amazon protest against facial recognition software

Amazon protestors using printed masks of Jeff Bezos in order to condemn facial recognition software, via NYTimes. 

Amazon acknowledged the tech’s potential for abuse but continued seeking partnerships with federal forces. As a result, it is now facing investor pressure in order to determine the company to stop selling facial recognition tech to law enforcement. Its employees are protesting it as well, though with little success so far. Luckily, investors stepped in to call an ethics check on the practice, with a greater potential of obtaining results.

Regular citizens are also fighting the use of facial recognition software through social media shares of incidents they are subjected to. In the digital age, this disclosure can gain quite the traction. Thanks to these small but significant ways to fight it, several new problems were revealed, beyond the privacy infringement and potential to lead to a totalitarian rule.

Apparently, facial recognition software can also be racist and gender biased. Because it was fed biased photos (in the hunger of authorities to just push images into it indiscriminately, including celebrity photos and everything they could get their hands on from private citizens without consent), facial recognition software has trouble correctly identifying women and black people. Women of color are a particularly targeted category since they are subjected to a double bias.

Facial Recognition Software Tech Details: How It Works

Just like photo cameras were in a way designed to crudely imitate the human eye, so was facial recognition software emulated on the way people recognize faces.

Step 1: At least one picture of your face is captured by the software, from public sources or from CCTV video, whatever.

Step 2: The facial recognition software ‘reads’ the geometry of your skin and measures out proportional distances between the main features, the depth, and 3D shapes and so on.

Step 3: All this is compiled into a set of mathematical data – your face’s formula.

Step 4: This string of numbers is then compared to the database of millions of other faces captures, and the likeliest match is drawn.

example of facial recognition software fails

Two examples of facial recognition software fails, via PopularMechanics.

This is the basic way it works. Is it accurate? Not really, several sources attest, but it does seem to get better and better thanks to more data being fed into it (with or without consent) and artificial intelligence algorithms.

How to Confuse Facial Recognition Software

Since the use of facial recognition software, even by law enforcement, is not yet regulated, resisting it does not constitute a crime. Harsher climates may impose charges, but this only leads to greater publish backlash. A recent case of a UK man being fined after covering his face to elude facial recognition software has sparked an even more energetic opposition to police using this tech.

The interesting part is that since there are no laws yet regulating the use of facial recognition software (in the UK), not only resisting is not illegal, but the use of it (by police) is not yet legal, too.

Still, until the matters are settled and each country negotiates its own limits on the use of this controversial tech, let’s take a look at how facial recognition software can be confused.

There are at least 3 ways, but it’s debatable for how long they will continue to work.

#1. Wear a partial mask:

The old cover-up method is by far the most effective, but in some places, it can get you in trouble, as in the case of the UK man discussed above. Since you’re wearing a face mask, it’s pretty clear that you’re trying to hide your identity and that can draw unwanted attention from the police.

#2. Wear special clothing items for confusing facial recognition software:

There are several clothing items with confusing patterns on them which were specially designed to prevent cameras using facial recognition software from being able to tell where your face is. For example, a pair of psychedelic glasses, or this scarf by Hyphen-Labs, or an anti-surveillance coat, or a baseball cap with projects tiny laser dots on your face invisible to the human eye but confusing for the software.

anti face makeup surveillance art

Anti-Face, the art project by CVDazzle.

#3. Wear irregular make-up designed for confusing facial recognition software:

Other creative ways to confuse facial recognition software is through make-up. The CVDazzle group has developed a series of looks which make your face untrackable, but their efforts aim to be a form of artistic protest and not a practical everyday solution for eluding recognition.

Positive Examples of Facial Recognition Software Applications

Since I want to maintain a non-biased overview of everything related to facial recognition software, I feel we should also note some of its applications which can make a positive difference in the world.

I won’t include crime prevention in the list, even though it is often mentioned by authorities as the main reason for a wide-spread employment of facial recognition software methods. While it may indeed have a positive impact on preventing or reducing crime, I stand with those who believe individual freedom is more important than collective security.

Here are a few cool applications of facial recognition software:

Final Words

Facial recognition software, especially the advanced types used at the state level, are based on powerful machine learning technologies. Thus, unfortunately, even if you manage to successfully confuse it through creative means, the algorithms are bound to catch up and improve. Perhaps digital artists will be able to keep up and find new ways to confuse the software in a cat and mouse game, for a while.

But the real target of those concerned about facial recognition software should still remain the political debate and negotiation. The recent victory of citizens over local authorities in San Francisco has proved that where there’s a will, there’s a way. Nonetheless, no one should ignore the positive aspects which may come from facial recognition software.

Still, being more careful about what data we share and with whom should be a must for all of us. How about you? Who logs into their cell phone with facial recognition?

The post Facial Recognition Software 101: Current Debates and How to Elude It appeared first on Heimdal Security Blog.

Endpoint’s Relevance in the World of Cloud

Businesses everywhere are looking to cloud solutions to help expedite processes and improve their data storage strategy. All anyone is talking about these days is the cloud, seemingly dwindling the conversation around individual devices and their security. However, many don’t realize these endpoint devices act as gateways to the cloud, which makes their security more pressing than ever. In fact, there is a unique relationship between endpoint security and cloud security, making it crucial for businesses to understand how this dynamic affects information security overall. Let’s explore exactly how these two are intertwined and how exactly endpoint security can move the needle when it comes to securing the cloud.

Cloudier Skies

Between public cloud, private cloud, hybrid cloud, and now multi-cloud, the cloud technology industry is massive and showing zero signs of slowing down. Adoption is rampant, with the cloud market expected to achieve a five-year compound annual growth rate (CAGR) of 22.5%, with public cloud services spending reaching $370 billion in 2022. With cloud adoption drawing so much attention from businesses, it’s as important as ever that enterprises keep security top of mind.

This need for security is only magnified by the latest trend in cloud tech – the multi-cloud strategy. With modern-day businesses having such a diverse set of needs, many have adopted either a hybrid or multi-cloud strategy in order to effectively organize and store a plethora of data – 74 percent of enterprises, as a matter of fact. This has many security vendors and personnel scrambling to adjust security architecture to meet the needs of the modern cloud strategy. And though all businesses must have an effective security plan in place that compliments their cloud architecture, these security plans should always still consider how these clouds can become compromised through individual gateways, or, endpoint devices.

The Relationship Between Endpoint and Cloud

The cloud may be a virtual warehouse for your data, but every warehouse has a door or two. Endpoint devices act as doors to the cloud, as these mobile phones, computers, and more all connect to whichever cloud architecture an organization has implemented. That means that one endpoint device, if misused or mishandled, could create a vulnerable gateway to the cloud and therefore cause it to become compromised. Mind you – endpoint devices are not only gateways to the cloud, but also the last line of defense protecting an organization’s network in general.

Endpoint is not only relevant in the world of cloud – it has a direct impact on an organization’s cloud – and overall – security. A compromised endpoint can lead to an exposed cloud, which could make for major data loss. Businesses need to therefore put processes into place that outline what assets users put where and state any need-to-knows they should have top of mind when using the cloud. Additionally, it’s equally important every business ensures they make the correct investment in cloud and endpoint security solutions that perfectly complement these processes.

 Ensuring Security Strategy Is Holistic

As the device-to-cloud cybersecurity company, we at McAfee understand how important the connection is between endpoint and cloud and how vital it is businesses ensure both are secured. That’s why we’ve built out a holistic security strategy, offering both cloud security solutions and advanced endpoint products that help an organization cover all its bases.

If your business follows a holistic approach to security – covering every endpoint through to every cloud – you’ll be able to prevent data exposures from happening. From there, you can have peace of mind about endpoint threats and focus on reaping the benefits of a smart cloud strategy.

To learn more about our approach to endpoint security strategy, be sure to follow us @McAfee and @McAfee_Business, and read more in our latest paper:


The post Endpoint’s Relevance in the World of Cloud appeared first on McAfee Blogs.

Privacy Advisory: What Regulatory Changes Have Been Happening Around Cookie Consent

The TrustArc “Current State of Cookie Consent Compliance and Enforcement” Privacy Advisory provides a brief background on cookies and tracking technologies, the role of the GDPR’s definition of consent and that law’s relationship to ePrivacy. Also addressed are recent cookie consent-related activities by several regulatory authorities, clarifying compliance requirements within the EU, and early possible interpretations relating to cookie practices under the forthcoming California Consumer Privacy Act (CCPA). The EU ePrivacy Directive regime, as implemented among the individual Member States, independently requires consent as a pre-condition to lawfully accessing or storing information on an end user’s device. ePrivacy uses the … Continue reading Privacy Advisory: What Regulatory Changes Have Been Happening Around Cookie Consent

The post Privacy Advisory: What Regulatory Changes Have Been Happening Around Cookie Consent appeared first on TrustArc Blog.

After latest Microsoft Windows updates some PCs running Sophos AV not boot

Sophos is warning users of potential problems with the recent Microsoft’s Patch Tuesday updates and is saying to roll back it if they want the PC to boot.

The security firm has informed its customers of potential problems with the latest Microsoft’s Patch Tuesday updates and is asking them to uninstall the patch if they want the machine to boot.

This means that the machine could be exposed to cyber attacks that leverage the vulnerabilities addressed by Microsoft, including a Windows zero-day flaw and an RDS vulnerability that can be exploited to carry out WannaCry-like attack.

Sophos confirmed that the latest set of Windows updates are causing problems with the boot of computers running the popular Antivirus software.

“We have had a few customers reporting that following on from the Microsoft Windows 14th May patches they are experiencing a hang on boot where the machines appear to get stuck on “Configuring 30%”” reads a note published by the company.

Experts believe the problems could be caused by the incompatibility with the KB4499164 and KB4499175 Microsoft Patches released on May 14, 2019.

According to Sophos, the problems have been reported by customers running Windows 7 and Windows Server 2008 R2.


The experts suggest to remove Windows update by booting the system in Safe mode.

“Current reports indicate that removing the Windows update in Safe Mode allows computers to boot as normal.” continues the note.

“If you experience issues removing this in Safe Mode please set the “Sophos Anti-Virus” Service startup to be “Disabled” and then attempt to remove the update after coming out of Safe Mode.”

Sophos is currently working with Microsoft to investigate the issue and develop a fix.

Microsoft Patch Tuesday updates for May 2019 also addressed a remote code execution flaw in Remote Desktop Services (RDS). The flaw tracked as CVE-2019-0708 can be exploited by an unauthenticated attacker by connecting to the targeted system via the Remote Desktop Protocol (RDP) and sending specially crafted requests. Microsoft pointed out that this vulnerability could be exploited by malware with wormable capabilities. It could be triggered by an unautheticated attacker and without users interaction, making it possible for malware to spread in an uncontrolled way into the target networks.

The problem faced by Sophos customers could very annoying for large businesses that deployed the Microsoft updates. One user commenting on a blog post published by Sophos wrote the following statement:

“We had to roll back some 300+ machines for clients around the US.”

Affected users that are not able to boot their machine have to contact the company and open a ticket with the tech support team.

If you appreciate my effort in spreading cybersecurity awareness, please vote for Security Affairs in the section “Your Vote for the Best EU Security Tweeter”

Thank you

Pierluigi Paganini

(SecurityAffairs – Sophos, Microsoft)

The post After latest Microsoft Windows updates some PCs running Sophos AV not boot appeared first on Security Affairs.

Celebrating the Next Generation of Technology Innovators

At Trend Micro, it’s our mission to secure the connected world. However, we want to go beyond the boundaries of the cybersecurity industry to support and learn from the technology innovators of tomorrow. That’s what our venture arm, Trend Forward Capital, is all about.

As part of these efforts, we held a pitch-off competition this week for ambitious start-ups at our North American headquarters in Dallas. We’d like to congratulate all those who took part, and particularly Roby on winning the $10,000 Forward Thinker Award.

Five minutes to shine

Trend Micro has run highly successful pitch-off competitions at the past two CES shows. This was the first time we’ve brought the idea back home to our headquarters. We certainly weren’t disappointed with the quality of applicants – around 50 submissions were whittled down to the final five participants. Each was given five minutes to present to a formidable line-up of judges, including Trend Micro co-founder and CEO, Eva Chen; Marwan Forzley, CEO of one of our start-up success stories, Veem; and Tom Whittaker of IBM ventures.

The quality of presentations was high, as was the energy in the room. From credit scoring for farms to parenting management, and hybrid cloud connectivity to AI and African healthcare — the sheer range of innovative ideas on show was fantastic to see. We were also pleased to see shortlisted a local Dallas-based business and two from Austin, testament to the burgeoning start-up scene in Texas.

Competing presenters were judged on five key criteria: leadership, product, addressable market, customer validation and business model.

Backing local businesses

In the end, the judges thought Roby – an office automation company – had the edge on the competition. As well as the cash prize, the company will now be considered for pre-selection for our 2020 CES pitch-off, and receive two passes to the show. However, we’d like to thank all those who took part. Even for those that didn’t quite make it, competitions like this are a valuable opportunity to practice their pitches and set themselves up for success next time. There were also plenty of local investors and other industry influencers in the room to impress.

There’s a wealth of great ideas out there, and Trend Micro remains committed to finding them and giving ambitious entrepreneurs the opportunity to shine. In so doing, we hope to help create a smarter, more connected world while learning a little ourselves from the disrupters of tomorrow.

The post Celebrating the Next Generation of Technology Innovators appeared first on .

Ransomware Not Gone but More Targeted, Report Says

Ransomware Not Gone but More Targeted, Report Says

Cyber-criminals continue to grow more sophisticated, developing advanced attack methods, including tailored ransomware, according to the Q1 Global Threat Landscape Report, published today by Fortinet. In addition to targeted attacks, criminals are also using custom coding, living-off-the-land (LotL) and sharing infrastructure to maximize their opportunities, the report said.

Despite a decline in previous high rates of ransomware, ransomware itself is far from gone. Instead, cyber-criminals are using more targeted attacks. Ransomware “is being customized for high-value targets and to give the attacker privileged access to the network. LockerGoga is an example of a targeted ransomware conducted in a multi-stage attack. There is little about LockerGoga that sets it apart from other ransomware in terms of functional sophistication, but while most ransomware tools use some level of obfuscation to avoid detection, there was little of it used when analyzed,” the report said.

Researchers also detected an uptick in malicious actors leveraging dual-use tools, preinstalled on targeted systems to carry out cyber-attacks. 

The report noted the trend of shared infrastructure. Researchers detected a rise in the total malware and botnet communication activity, as well as the number of domains shared between threats at each stage of the kill chain.

“Nearly 60% of threats shared at least one domain indicating the majority of botnets leverage established infrastructure. IcedID is an example of this 'why buy or build when you can borrow' behavior. In addition, when threats share infrastructure they tend to do so within the same stage in the kill chain. It is unusual for a threat to leverage a domain for exploitation and then later leverage it for C2 traffic. This suggests infrastructure plays a particular role or function when used for malicious campaigns,” the report said.

“We, unfortunately, continue to see the cyber-criminal community mirror the strategies and methodologies of nation-state actors, and the evolving devices and networks they are targeting,” said Phil Quade, chief information security officer, Fortinet, in a press release.

“Organizations need to rethink their strategy to better future-proof and manage cyber risks. An important first step involves treating cybersecurity more like a science – doing the fundamentals really well – which requires leveraging the cyberspace fundamentals of speed and connectivity for defense. Embracing a fabric approach to security, micro and macro segmentation and leveraging machine learning and automation as the building blocks of AI can provide tremendous opportunity to force our adversaries back to square one.”

Infocyte HUNT Cloud for AWS: Detection and IR for high-growth cloud environments

Infocyte today announced the availability of Infocyte HUNT Cloud for AWS, a solution combining detection and IR for high-growth cloud environments, unlike traditional endpoint protection platforms (EPPs) which don’t address cloud workloads. Analyzing a threat found injected into memory with the Infocyte HUNT platform Infocyte HUNT Cloud for AWS features agentless deployment through AWS APIs and artificial intelligence (AI) to quickly identify, categorize and respond to persistent, hidden and other advanced threats and vulnerabilities. Leveraging … More

The post Infocyte HUNT Cloud for AWS: Detection and IR for high-growth cloud environments appeared first on Help Net Security.

Episode 497 – Work On Expanding These Skills In Your Cybersecurity Career

The cybersecurity profession requires a very technical set of skills. However technical skills are not the only ones employers are looking for. This epsiodetalks about the soft skills that are being sought after in today’s workplace.  Be aware, be safe. *** Support the podcast with a cup of coffee *** – Ko-Fi Security In Five […]

The post Episode 497 – Work On Expanding These Skills In Your Cybersecurity Career appeared first on Security In Five.

Veracode Announces New DevOps Penetration Testing Service

DevSecOps can be challenging for many organizations when you consider all the areas of the DevOps process that require security testing. Organizations that begin to shift security “left” often find significant gaps in the security of infrastructure and operational components that are now integrated into the development process. Many of the technologies being used in DevOps are also very new to most organizations and are more recently starting to become “mainstream.” For example, we’re seeing more customers adopting microservices, utilizing cloud storage through Amazon S3, MongoDB, and Elasticsearch, deploying applications using containers, and managing those containers with newer orchestration technology like Kubernetes.

These new technologies allow faster development, but also come with the side effect of introducing a new attack surface and different types of vulnerabilities. Like any new technology, systems within a DevOps environment are often deployed insecurely and misconfigured. This makes the requirement to conduct security testing on the DevOps environment more important than ever. Moreover, what about the developers themselves from a security awareness perspective? What might they be discussing with peers on online forums, leaving in code repositories, or other areas on the Internet that may make their applications and the organization more susceptible to targeted phishing attacks, data leaks, and breaches that we hear about in the news on almost a daily basis?

What Is Veracode DevOps Penetration Testing?

Automating security testing is a key concept when building out a DevOps process and should not be overlooked. However, there is still a need for penetration testing in a DevOps environment. Penetration testing provides something that automation cannot -- the attacker’s perspective.

Building upon our strong application penetration testing service and highly skilled team, Veracode DevOps Penetration Testing provides testing above and beyond the application to include the operations and infrastructure components of applications. Technologies that can be in scope for this type of testing include, but are not limited to:

  • Containers like Docker and Kubernetes orchestration
  • Microservices and related interactions
  • CI tool environments like Hudson and Jenkins
  • Cloud infrastructure (AWS, Azure) and cloud storage databases
  • Network infrastructure related to application deployment and configuration management

The Importance of Open Source Intelligence and DevOps

Veracode DevOps Penetration Testing also provides Open Source Intelligence (OSINT) analysis as part of every DevOps Penetration Test we perform. This analysis identifies misconfigured cloud storage databases such as AWS S3 buckets, Elasticsearch, MongoDB instances, and others. If you haven’t been paying attention to the news, misconfigured cloud storage databases are some of the largest sources of data leaks and breaches we see today*. In addition, we also leverage OSINT techniques to find vulnerabilities in the infrastructure that may leave your organization and applications exposed.

As part of this process, testers will also look into the activities of the developers themselves. Our testing checks to see if developers are practicing proper security measures. For example, we will analyze GitHub repositories looking for exposed credentials, locating sensitive data related to app development, and seeing what’s being discussed about an organization’s applications within popular public developer forums like Stack Overflow.

DevOps and Security Compliance

Security compliance does not magically go away when organizations “shift left.” That’s why Veracode DevOps Penetration Testing can be used to meet compliance requirements for PCI DSS 11.3 as well as GDPR Article 32 in the European Union. This requirement is also important for those organizations that need to comply with GDPR outside of the EU. GDPR Article 32 covers “Security of processing,” which requires that the data controller and processor implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. This includes “a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing” **. Penetration testing can help meet this new compliance requirement.

Veracode Is a Complete DevOps Testing Solution

Veracode DevOps Penetration Testing combined with Veracode’s static, dynamic, SCA, and application penetration testing provides the most comprehensive testing available for a DevOps environment in the market today. Contact your Veracode Sales or Services representative for more details on how to get started with your first Veracode DevOps Penetration Testing engagement.

Learn more about Veracode DevOps Penetration Testing here.


* https://www.zdnet.com/article/unsecured-server-exposes-data-for-85-percent-of-all-panama-citizens/



** http://www.privacy-regulation.eu/en/article-32-security-of-processing-GDPR.htm

Cisco is a Representative Vendor in the first ever Gartner 2019 Market Guide for the NTA (Network Traffic Analysis) market

According to Gartner1, “Applying behavioral analysis to network traffic is helping enterprises detect suspicious traffic that other security tools are missing.” 

The case for network traffic analysis to uncover hidden threats

You are charged with protecting your organization and have made multiple investments to do so. But you might be under-utilizing one of the biggest investments your organization has already made – the network infrastructure. With 1 in 4 organizations running the risk of a major breach in the next 24 months, it’s not a matter of if but when you will be breached. And you need to be able to detect and respond quickly to incidents.

The network is a rich data source, and by analyzing how the different entities are “behaving” within the network, we can identify malicious activities associated with a breach. This helps detect attacks in near real-time. Today, average time to detect a breach is 197 days2. Can you really afford to wait more than 6 months to know whether you have been compromised? Additionally, network security analytics can expedite investigations to pinpoint the source of the threat so you can take appropriate actions. This considerably cuts down the time to contain a threat from the average 69 days3 to a few hours!

Cisco’s network traffic analysis (NTA) solution, Stealthwatch provides enterprise-wide visibility, from the private network to the public cloud, and applies advanced security analytics to detect and respond to threats in real-time. Using a combination of behavioral modeling, machine learning and global threat intelligence powered by Cisco Talos, Stealthwatch can quickly and with high confidence, detect threats such as command and control attacks, ransomware, DDoS attacks, illicit cryptomining, unknown malware, as well as insider threats. With a single, agentless solution, you get comprehensive threat monitoring across the data center, branch, endpoint and cloud, and even find threats hidden in encrypted traffic.

Stealthwatch has some key attributes that you should demand from your network traffic analysis solution for the following outcomes:

Contextual network-wide visibility

First and foremost, network traffic analysis provides visibility into every device on the network and what it is doing. Legacy servers, IoT, mobile, and remote users – a lot of organizations simply don’t know what’s on their network, let alone be able to protect it. And this visibility extends across all the dynamic environments that are typical of the modern digital enterprise – from the campus, branch and data center to the cloud. And with the rise in encrypted traffic and the internet going dark, you also need visibility into threats hiding in encrypted traffic.

Predictive threat analytics

Secondly, there are some unique threats that can only be detected if you are continuously monitoring network activity. Your traditional security tools will not be able to catch insider threats – caused due to a rogue employee trying to exfiltrate sensitive data or a compromised admin credential that the attackers are now using to swoop the entire organization. Additionally, you have created a lot of security policies to prevent threats, or simply to remain compliant. But how do you know those are being enforced? That the controls you have set up are actually working? Also, as mentioned earlier, network traffic analysis tries to identify malicious behavior and therefore, can help detect threats like unknown malware.

Accelerated response

Lastly, let’s talk about incident response. What do you do if you know that you have been compromised? Where do you begin investigating? With network traffic analysis, you can attribute the malicious behavior to a specific IP and perform forensic analysis to determine how the threat has moved laterally within the organization. What other devices might be infected, where is the communication occurring externally, etc. This leads to faster response in order to prevent any business impact.

Download your complimentary copy of the first ever Gartner 2019 Market Guide for the NTA (Network Traffic Analysis) market  here.

To learn more about Cisco Stealthwatch, go to https://cisco.com/go/stealthwatch

  1. Gartner Market Guide for Network Traffic Analysis, Lawrence Orans, Jeremy D’Hoinne, Sanjit Ganguli, 28 February 2019.
  2. Source: Ponemon 2018 Cost of a Data Breach Study
  3. Source: Ponemon 2018 Cost of a Data Breach Study
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.


The post Cisco is a Representative Vendor in the first ever Gartner 2019 Market Guide for the NTA (Network Traffic Analysis) market appeared first on Cisco Blog.

Encryption is Often Poorly Deployed, if Deployed at All

Encryption is Often Poorly Deployed, if Deployed at All

Encryption continues to be a challenge for companies, as only a quarter of organizations admit to using it for at-rest data, and for emails and data centers.

According to research by Thales and IDC, encryption for email is only adopted by around 27% of European of the respondents they recently surveyed, while the numbers decline for data at rest, data centers, Big Data environments and full disk encryption. The only instance of European respondents ranking higher than a global number was in the instance of using cloud-native provider encryption.

Speaking at an event in London, Thales senior regional sales director, Kai Zobel, said that despite the introduction of GDPR a year ago “companies struggle to understand where the data is” and he has seen some companies buy a product to “encrypt some islands but then they struggle to continue. So we see thousands of potential servers that need to be encrypted but they [some companies] just do 200 and they think they are done.”

Zobel added that with more and more politics in the workplace, data “doesn’t want to be touched” and there is a feeling that security cannot be relied upon.

“They [organizations] have long lists of what to implement in the next 12 months, but they struggle to implement it and one of the main reasons is because of complexity,” Zobel said. “This is because they don’t have enough people to understand the technology in the best way possible.”

He also commented that a number of companies look for “good enough compliance” and people would rather spend less than ensure 100% security, “so they are just trying to find good solutions but not 'The Best' solution.”

Jason Hart, security evangelist at Thales, said that there is a wider problem of nothing changing in the last 25 years, except that we are creating more and more data. That has become a commodity, and “because of the acceleration of cloud I say to a company ‘what are you trying to protect?’ and after an hour we may get to a conversation about data and two hours later we may get to the type of data that they deem to be valuable.”

However, Hart argued that companies do not understand the risks that they are trying to mitigate, “and information security is really simple, it is about people, data and process.”

Speaking to Infosecurity, Hart said that if you look at every major breach that has occurred, there are too many instances of companies not deploying encryption properly, and also people do not look at the risk.

“You encrypted the data in the database, but what talks to the database? The application, so the data now transverses into the application’s code text and then from the application it goes into the cloud,” he said. “So they do it in silos and elements, but when people do it wrong, there is a false sense of security.” 

Sharp Rise in Phishing Attacks against SaaS, Webmail Services

Phishing attacks against businesses offering SaaS (Software-as-a-service) and web-based email services have increased considerably in the first quarter of the current year, as per a recent report.

According to the Phishing Activity Trends Report released by APWG (Anti-Phishing Working Group) and focusing on the period between January and March 2019, cybercrime groups have shifted their attention from payment services to businesses offering SaaS and web-based email services. At the same time, there has been a considerable decrease in the volume of attacks against cloud storage and file hosting sites; from 11.3 percent it has dropped to around 2 percent.

It’s only natural for cybercriminals to target SaaS platforms and webmail services since they are becoming more and more popular. The rising popularity is because of the fact that these services are easy to use by anyone who has internet access and also because they provide online business solutions. It’s mostly through phishing attacks that such services are targeted. Experts point out that though many businesses today are concerned about targeted hacking and DDoS attacks, most organizations seem to be worried about phishing attacks the most.

The APWG report points out that 36 percent of all phishing attacks that took place in Q1 targeted SaaS and webmail services. The report states, “Phishing that targeted Software-as-a-Service (SaaS) and webmail services became the biggest category of phishing. At 36 percent of all phishing attacks, it eclipsed phishing against the payment services category for the first time.”

The report also points out that the total number of phishing websites detected by APWG in Q1 was up notably over Q3 and Q4 of 2018. Similarly, the number of phishing attacks hosted on Websites having HTTPS and SSL certificates also reached a new high. The report states, “The total number of phishing sites detected by APWG in 1Q was 180,768. That was up notably from the 138,328 seen in 4Q 2018, and from the 151,014 seen in 3Q 2018…The number of unique phishing reports submitted to APWG during 1Q 2019 was 112,393. These were phishing emails submitted to APWG, and exclude phishing URLs reported by APWG members directly into APWG’s eCrime eXchange.”

Through such phishing attacks, cybercriminals seek to steal sensitive data like geolocation, email addresses, credit card data, payment details, personal preferences of users etc.

Now, let’s discuss the relevance of the findings revealed by the report in the current context. On the one hand, the rise in phishing attacks targeting businesses offering SaaS and webmail services is notable. At the same time, it’s to be noted that hackers are increasingly using SSL/HTTPS-hosted websites (that are usually thought to be secure) for executing phishing attacks. The report also explains that of all phishing attacks, while 36 percent targeted SaaS/webmail services, 27 percent targeted payment solutions, 16 percent targeted financial institutions, 15 percent targeted other organizations and only 3 percent targeted eCommerce / Retail and Telecom. In this context, there are two things that need to be noted. On the one hand, it’s highly important that organizations go for the most advanced of security solutions and digital forensics to protect themselves and to identify/detect threats, attacks and the bad actors. On the other hand, they must also go for adopting a well-planned and legitimate security policy and at the same time train their employees to stay wary of phishing scams since clients’ data policy should also be of utmost importance for them.

APWG is a not-for-profit industry association comprising of over 2,000 enterprises worldwide and focused on eliminating identity theft and frauds that are caused by phishing, crimeware, and email spoofing.

Related Resources:

On Phishing Attacks and the Companies That are Targeted the Most

Counter Phishing Attacks with These Five Tricks

HackerCombat Guide on How to Prevent Phishing Attacks

10 Ways How To Avoid Being A Phishing Scams Victim

The post Sharp Rise in Phishing Attacks against SaaS, Webmail Services appeared first on .

A Cybersecurity Guide for Digital Nomads

Reading Time: ~3 min.

Technology has unlocked a new type of worker, unlike any we have seen before—the digital nomad. Digital nomads are people who use technologies like WiFi, smart devices, and cloud-based applications to work from wherever they please. For some digital nomads, this means their favorite coffee shop or co-working space. For others, it means an idyllic beach in Bali or countryside public house. One thing remains true wherever a digital nomad may choose to lay down their temporary roots: They are at a higher cybersecurity risk than a traditional worker. So what risks should they look out for? 

Public Wifi

Without a doubt, public WiFi is one of the main cybersecurity hazards many digital nomads face. The massive and unresolved flaw in the WPA2 encryption standard used by modern WiFi networks means that anyone connecting to a public network is putting themselves at risk. All public WiFi options—including WiFi provided by hotels, cafes, and airports—poses the risk of not being secure. How can a digital nomad be digital if their main source of internet connectivity is a cybersecurity minefield?  

When connecting to public WiFi as a digital nomad, it is crucial to keep your web traffic hidden behind a virtual private network (VPN). A quality VPN app is simple to set up on your mobile devices—including laptops and smart phones—and uses a strong encryption protocol to prevent hackers and other snoops from stealing important personal information such as account passwords, banking information, and private messages. VPNs will keep your data encrypted and secure from prying eyes, regardless of locale.

Device Theft

Physical device theft is a very real risk for digital nomads, but one that can largely be avoided. The first and most obvious step to doing so is to never leave your devices unattended, even if your seatmate at the coffee shop seems trustworthy. Always be mindful of your device visibility; keeping your unattended devices and laptop bags locked away or out of sight in your hotel room is often all it takes to prevent theft. Purchasing a carrying case with a secure access passcode or keyed entry can also act as an additional deterrent against thieves looking for an easy mark. 

If your device is stolen, how can you prevent the damage from spiraling? Taking a few defensive measures can save digital nomads major headaches. Keep a device tracker enabled on all of your devices—smartphones, tablets, and laptops. Both Apple and Android have default services that will help you locate your missing device.  

But this will only help you find your property; it won’t prevent anyone from accessing the valuable data within. That’s why all of your devices should have a lock screen enabled, secured with either a pin or a biometric ID, such as your fingerprint. If you believe these efforts have failed and your device is compromised, enabling multi-factor authentication on your most sensitive accounts should help reduce the effect of the breach.  

However, if you cannot recover your device, remotely wiping it will prevent any additional data from being accessed. If you have a device tracker enabled, you will be able to remotely wipe your sensitive data with that software. If you’re using a data backup solution, any lost files will be recoverable once the status of your devices is secure 

Lower Your Risk

Being a digital nomad means that you’re at a higher risk for a breach, but that doesn’t mean you can’t take steps to lower that risk. These best practices could drastically reduce the risk incurred by leading a digitally nomadic lifestyle. 

  • Toggle off. Remember to always turn off WiFi and Bluetooth connectivity after a session. This will prevent accidental or nefarious connections that could compromise your security. 
  • Mindfulness. Be aware of your surroundings and of your devices. Forgetting a device might be an acceptable slip up for most, but for a digital nomad it can bring your lifestyle to a grinding halt. 
  • Be prepared. Secure your devices behind a trusted VPN before beginning any remote adventures. This will encrypt all of your web traffic, regardless of where you connect.  
  • Stop the spread. In case of a device or account breach, strong passwords and multi-factor authentication will help minimize the damage. 

A staggering 4.8 million Americans describe themselves as digital nomads, a number that won’t be going down anytime soon. With remote work becoming as a new norm, it’s more important than ever that we take these cybersecurity measures seriously—to protect not just ourselves, but also our businesses and clients. Are you a digital nomad making their way through the remote work landscape? Let us know your top tips in the comments below! 

The post A Cybersecurity Guide for Digital Nomads appeared first on Webroot Blog.

Core Elastic Stack security features now available to all users

Elastic, the company developing enterprise search engine Elasticsearch and the Elastic Stack, has decided to make core Elastic Stack security features accessible to all users (and not just those who have a Gold subscription). What is the Elastic Stack? Elasticsearch is the most widely used enterprise search engine in the world. It is usually used for log, business, operational and security intelligence analytics. It is part of the Elastic Stack, an integrated solution that also … More

The post Core Elastic Stack security features now available to all users appeared first on Help Net Security.

What is Emotet?

Estimated reading time: 4 minutes

Emotet malware was first identified in 2014 as Banking trojan. Emotet has evolved from banking trojan to threat distributor till now. It has hit many organizations very badly in 2018 with its functionalities like spamming and spreading. Further with its widespread rich/existence at many organizations, it became threat distributor. Since mid of 2018, Emotet is used by threat actors to spread other malwares like TrickBot, Qakbot and most dangerous Ryuk ransomware. It has also been observed that it loads modules and launches different malware depending on geographical location i.e. Country of Victim.

Malware authors strategy is to use infected systems for all means like firstly for credential stealing, further use these credentials for spreading and spamming. Finally, when all use of this infected system is done, it deploys other malwares like Ransomware, TrickBot, Qakbot.

From mid of 2018, Emotet has become headache for security providers because of its polymorphic, self-updating and spreading capabilities which makes cleaning of such infected network very complex and sometimes takes months for cleaning.

How it can enter into your system?

It enters into your system by phishing mail as shown in below fig:

Such emails contain malicious attachments like doc, pdf, xls, js, etc. Once user opens such attachment, it will download and launch Emotet. Sometimes such mail may contain malicious links, when opened by users, it downloads and launches Emotet. Other way is through lateral spreading i.e. if one of your friend or colleagues in the same network is infected with Emotet, then your friends’ machine can deploy Emotet on your machine.

What Emotet can do?

It has many capabilities like password stealing, Email Harvesting, spamming, lateral spreading, launching other malwares. All of these are discussed in detail in our research paper on EMOTET.


According to US-CERT alert released on July 20, 2018, “Emotet continues to be amongst the most costly and destructive malware affecting state, local, tribal, and territorial (SLTT) governments, and the private and public sectors. Emotet infections have cost SLTT governments up to $1 million per incident to remediate.”

At Quick-Heal labs, we have seen many of our customers are badly affected because of spamming done by emotet. As malware sends many phishing mails to user’s contacts, mail server reaches its maximum limits and blocks user’s account for the day. As a result, most of the employees of such infected organization cannot send mails. Such blockages lead to disruption to regular operations or work and further potential harm to an organization’s reputation. Finally, after a week or two we were able to totally clean total network.

Ryuk ransomware infection may cause temporary or permanent loss of user’s critical data.

What Quick-Heals Telemetry says:

As you can see, number of hits per day are very high from July 2018 till April 19. It indicates how widespread it is. But same is not the case with actual numbers of customer escalations. At quick-heal Labs, even after detecting thousands of samples per day, we received many customer escalations in initial months after outbreak. Further, we added some rules, IOC’s, signatures at each level of Product features namely at Virus Protection, Behavior Detection, Email Protection, Memory scan, IDS & IPS, Machine learning based, Browsing protection. This directly affected in Zero customer escalations for Emotet from last few months with already infected customers also totally cleaned. As stats are indicating that we are detecting thousands of Emotet samples per day in last few months and still NO customer escalation/issue reported.

How can I remove Emotet?

If your machine is in network of any organization, then firstly isolate it immediately. Patch with latest updates of installed software’s and clean the system.

As Emotet can move laterally in network, your machine can be infected again when you reconnect to network. Identify and clean each infected machine in same network. It’s really complex process to follow. One can always choose Quick-heal Antivirus / Seqrite Endpoint Security to avoid this complex process and stay safe with cleaning of already infected machines and proactively blocking against future Emotet infections.

Preventive measures

  1. Keep your computer up-to-date with the latest updates of Operating system, Security software and other software.
  2. Don’t open any link in the mail received from an unknown/untrusted source.
  3. Don’t download attachments received by an unknown/untrusted source.
  4. Don’t enable ‘macros’ for Microsoft’s office documents.
  5. Educate yourself and others for keeping strong passwords.
  6. Use two-factor authentication where-ever possible.


Stats indicate that we are detecting thousands of Emotet samples per day in last few months and still NO customer escalation/issue has been reported. With this we can say that Quick Heal is able to stop Emotet till today’s date. As its always cat and mouse game between malware and security vendors, we expect evolution of Emotet to next step. We will be continuously monitoring Emotet for future also and will ensure all customers are secured from such malwares.

To read more about the detailed analysis of the Emotet, download this PDF.

The post What is Emotet? appeared first on Seqrite Blog.

How Technology and Politics Are Changing Spycraft

Interesting article about how traditional nation-based spycraft is changing. Basically, the Internet makes it increasingly possible to generate a good cover story; cell phone and other electronic surveillance techniques make tracking people easier; and machine learning will make all of this automatic. Meanwhile, Western countries have new laws and norms that put them at a disadvantage over other countries. And finally, much of this has gone corporate.

DDoS Attacks on the Rise After Long Period of Decline

DDoS Attacks on the Rise After Long Period of Decline

The number of DDoS attacks increased by 84% in the first quarter of 2019 compared to Q4 2018, according to new research from Kaspersky Lab.

The global cybersecurity company’s findings, detailed in its DDoS Attacks in Q1 2019 report, come in the wake of dramatically falling numbers of DDoS attacks recorded throughout 2018, suggesting that cyber-criminals are once again turning to DDoS as an attack method after a sustained period of shifting their attention to other sources of income last year, such as cryptomining.

What’s more, Kaspersky Lab discovered a substantial growth in the amount of attacks that lasted more than an hour. The company suggested that the launch of newer DDoS-for-Hire services could explain the sudden rise in the number of DDoS attacks in 2019.

“The DDoS attack market is changing,” said Alexey Kiselev, business development manager on the Kaspersky DDoS Protection team. “New DDoS services appear to have replaced ones shut down by law enforcement agencies. As organizations implement basic countermeasures, attackers target them with long-lasting attacks. It is difficult to say if the number of attacks will continue to grow, but their complexity is showing no signs of slowing down.

“We recommend that organizations prepare themselves effectively, in order to withstand sophisticated DDoS attacks.”

Kaspersky Labs’ advice for DDoS attack defense included:

•           Ensuring that web and IT resources can handle high traffic

•           Using professional solutions to protect the organization against attacks

HawkEye Attack Wave Sends Stolen Data to Another Keylogger Provider

A recent attack wave involving HawkEye malware sends data stolen from its victims to another keylogger provider’s website. On 21 May, My Online Security came across a new sample of HawkEye. The actual delivery mechanism itself wasn’t unique compared to previous attacks involving the malware. In this particular instance, the attack email used the lure […]… Read More

The post HawkEye Attack Wave Sends Stolen Data to Another Keylogger Provider appeared first on The State of Security.

Washington Issues Temporary License to Huawei

Washington Issues Temporary License to Huawei

The US government has issued a temporary license to Huawei and its affiliates, allowing American companies to supply the telecoms and handset giant until August.

Despite reports emerging over the weekend of various chipmakers halting supplies to the Chinese firm after it was placed on an Entity List last week, the Commerce Department appears to have softened its stance.

Issued on Monday, the temporary general license for Huawei and 68 non-US affiliates will run for 90 days, bringing it up to August 19 2019.

It covers various areas, including: supplies to ensure Huawei’s networks and equipment are fully operational; software updates for existing Huawei handsets; and disclosure of any security vulnerabilities to the firm.

The license also authorizes US firms to engage with Huawei and its affiliates “as necessary for the development of 5G standards as part of a duly recognized international standards body.”

At the same time, Huawei founder Ren Zhengfei has struck a defiant tone in state media reports, claiming the US “underestimates” the firm’s capabilities and that it has already made efforts to mitigate the impact of any supply chain restrictions.

He has also reportedly claimed that no company can catch Huawei in terms of its 5G technology, a fact that Western lawmakers are grappling with in weighing up how to treat the company.

Lock the company out of 5G completely and it could add years to implementation, impacting customers — or at least, that’s Huawei's argument.

Although UK Prime Minister Theresa May agreed only to allow Huawei to supply non-core parts of carriers’ 5G networks, the decision by the leading Five Eyes nation remains controversial.

A new report by right-wing think tank the Henry Jackson Society co-authored by a Conservative MP and a former government security advisor claims there is “significant risk” in allowing Huawei to supply the UK’s 5G networks.

The report includes a foreword from former MI6 boss, Richard Dearlove, calling on the government to reconsider its position.

Phishing Kit 16Shop Targets Apple Users, Hackers

Phishing Kit 16Shop Targets Apple Users, Hackers

Researchers have discovered a hidden backdoor in a commercial phishing kit, 16Shop, used to attack Apple customers, according to Akamai.

“When it comes to targeting Apple users and their personal and financial data, 16Shop has emerged as a go to kit for those who can afford it. While 16Shop is sold to criminals looking to collect sensitive information from a targeted subset of the Internet community, at least one pirated version circulating online houses a backdoor that siphons off the data harvested and delivers it to a Telegram channel – proving once more that there is no honor among thieves," wrote Akamai researcher Amiram Cohen.

According to the research, this highly sophisticated and neatly constructed kit has layered defenses, as well as attack mechanisms. “It's a true multi-level kit, running different stages for different brands, depending on the information the victim provides. It has the ability to change its layout and presentation depending on platform, so mobile users will see a website tailored to their device, while desktop users see something better suited to their situation,” wrote Cohen.

Credit: Akamai
Credit: Akamai

The phishing kit was allegedly developed by an Indonesian whom Cohen said “has the skill to be a legitimate security community member, as well as the skills to maintain a healthy career in development. Instead, and most unfortunately, their knowledge is applied to a criminal enterprise.”

Until now, the individual has been known only as either devilscream or Riswanda. In addition to Cohen multiple online researchers “have located various personal artifacts of Riswanda's, including GitHub repositories, security presentations, past examples of website defacements, pictures of family and friends, email address, and social media accounts.”

However, some users of the phishing kit have been sharing their criminally obtained information without their knowledge through a backdoor that makes a copy of the victim's information and secrets it over to a bot waiting in a room on Telegram, according to Cohen.

“Akamai first discovered this backdoor while examining code inside of main.php, which was obfuscated in a way that made it stand out. The highly obfuscated code collects information for all of the forms visited by the victim, and no matter what storage and delivery options are selected by the 16Shop operator, the victim's data is siphoned off and sent to the Telegram bot via API calls,” Cohen said.

The author reportedly has released video demonstrations showing active usage of Telegram as a means of data storage. “However, like other popular phishing kits, 16Shop has been pirated. Based on comparisons against multiple versions of the 16Shop, the backdoor only appears in the de-obfuscated version of the kit,” Cohen said.

Aussie Government IT Worker Arrested for Cryptomining

Aussie Government IT Worker Arrested for Cryptomining

An Australian government IT contractor has been arrested on suspicion of making thousands from an illegal cryptocurrency mining operation at work.

The 33-year-old New South Wales man appeared in court today after allegedly earning AU$9000 ($6188) by “modifying his agency’s computer systems,” according to the Australian Federal Police (AFP).

At Sydney Local Court, he was charged with unauthorized modification of data to cause impairment, and unauthorized modification of restricted data, contrary to the Criminal Code Act 1995.

The charges carry a maximum penalty of 10 years and two years behind bars, respectively.

“Australian taxpayers put their trust in public officials to perform vital roles for our community with the utmost integrity,” argued acting commander, Chris Goldsmid, AFP manager cybercrime operations. “Any alleged criminal conduct which betrays this trust for personal gain will be investigated and prosecuted.”

It’s unclear how the man was eventually caught, but his home was raided by the AFP in March and personal laptop, phone employee ID cards and data files were seized.

Cryptocurrency mining continues to be a threat to businesses, while consumer detections have fallen to almost zero, according to a Malwarebytes report released in April. It said the latter trend had been influenced by Coinhive’s decision to shut down earlier this year.

Although most cryptomining in businesses occurs covertly, directed by external botnet herders in charge of compromised machines, there is always the risk of an insider threat.

A Chinese headmaster was fired last year after secretly mining cryptocurrency using his school’s electricity supply. Hunan man Lei Hua hooked up eight mining machines to the mains, running up an electricity bill of 14,700 yuan ($2125) mining Ethereum 24 hours a day.

Microsoft updates break AV software, again!

Microsoft’s May 2019 security fixes have again disrupted the normal functioning of some endpoint security products on certain Windows versions. Current problems “We have had a few customers reporting that following on from the Microsoft Windows 14th May patches they are experiencing a hang on boot where the machines appear to get stuck on ‘Configuring 30%’,” UK-based Sophos explained. “We have currently only identified the issue on a few customers running Windows 7 and Windows … More

The post Microsoft updates break AV software, again! appeared first on Help Net Security.

Fifth of Docker Containers Have No Root Passwords

Fifth of Docker Containers Have No Root Passwords

A fifth of the world’s most popular Docker containers contain a security issue which could make them vulnerable to attack in some circumstances, a researcher has discovered.

Kenna Security principal security engineer, Jerry Gamblin, explained that after recent Cisco Talos research revealed Alpine Linux docker images were shipping with no (nulled) root passwords, he decided to dig a little deeper.

Running a script on the 1000 most popular containers in the Docker store, he found 194 (19.4%) also had nulled root passwords.

“The findings are interesting, but I don’t want to be overly alarmist. Just because a container has no root password does not mean that it is automatically vulnerable,” he explained.

“These findings could lead to configuration-based vulnerabilities in certain situations, as was the case with this the Alpine Linux vulnerability.”

Specifically, only containers which use Linux pluggable authentication modules (PAM) or “some other mechanism which uses the system shadow file as an authentication database” are vulnerable to exploitation, as Cisco detailed.

The most popular container on the list affected by the issue was kylemanna/openvpn: a software unit that has been used over 10 million times, according to Gamblin.

Other names on the list included govuk/governmentpaas, hashicorp, microsoft, monsanto and mesosphere.

In the Alpine Linux case, exposed containers could find they are at risk of Docker image vulnerability (CVE-2019-5021), whereby an attacker can elevate their privileges to root within the container.

“Deploying containers that allow users to authenticate as root should be avoided at all costs, because authenticating as root is already outside the scope of ‘best practices’ for secure containers or generally in system,” argued Gamblin.

KnowBe4 Announces Acquisition of CLTRe

KnowBe4 Announces Acquisition of CLTRe

KnowBe4 has announced the acquisition of CLTRe, adding the capability to measure security culture into its portfolio.

Led by Kai Roer, CLTRe is a Norwegian company focused on helping organizations assess, build, maintain and measure a strong security posture. It will continue to operate as an independent subsidiary of KnowBe4.

The acquisition will mean that CLTRe’s toolkit and Security Culture Framework will be available to all KnowBe4 customers later this year.

Stu Sjouwerman, CEO of KnowBe4, said: “Today’s announcement brings KnowBe4 very valuable tools to help our customers measure what matters – their security culture – so they can make decisions about how to improve. We’re excited to welcome Kai and the CLTRe team to the KnowBe4 family and to enhance our European presence while supporting more global customers.”

Roer said that KnowBe4 “is a natural fit for our evidence-based analytics and measurement tools, as KnowBe4 customers will now be able to measure their security cultures, benchmark against their industry sectors, and pinpoint exactly what kind of security culture they have.”

He said: “With KnowBe4 and CLTRe, organizations can gain true insight into their security culture, improve their security with pinpoint accuracy, report their progress to their board of directors and educate their users to make smarter security decisions.”

CLTRe measures the seven dimensions of security culture: behavior, responsibilities, cognition, norms, compliance, communication and attitudes.  

Listen to Kai Roer, along with Espen Otterstadt and Nicola Whiting, as Security Culture was discussed as part of the Infosecurity Magazine Online Summit

GDPR one year on

May 2019 marks the first anniversary since the General Data Protection Regulation came into force. What has changed in the world of privacy and data protection since then? BH Consulting looks at some of the developments around data breaches, and we briefly outline some of the high-profile cases that could impact on local interpretation of the GDPR.

Breach reporting – myths and misconceptions

Amongst the most immediate and visible impacts of the GDPR was the requirement to report data breaches to the supervisory authority. In the context of GDPR, a personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. The regulation introduced a duty on all organisations to report personal data breaches to the supervisory authority where they are likely to pose a risk to data subjects. This report must take place within 72 hours of the controller becoming aware of the breach, where feasible. There are additional obligations to report the breach to data subjects, without undue delay, if the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms.

Between May 2018 when GDPR came into force, and January 2019, there were 41,502 personal data breaches reported across Europe, according to figures from the European Data Protection Board. In Ireland, the Data Protection Commission recorded 3,542 valid data security breaches from 25 May to 31 December 2018. This was a 70 per cent increase in reported valid data breaches compared to 2017.

Notwithstanding the uptick in the number of reported breaches, it has been suggested that many organisations are still unsure how to spot a data breach, when a breach may meet the criteria for reporting, or even how to go about reporting. With this in mind, the key lessons to consider are:

Not every breach needs to be reported

Organisations controlling and processing personal data should have a process in place to assess the risks to data subjects if a breach occurs. This assessment should focus on the severity and likelihood of the potential negative consequences of the breach on the data subject.

Assess the risks

When assessing whether to report, the controller will need to consider the type of breach, sensitivity and volume of the personal data involved, how easily individuals can be identified from it, the potential consequences and the characteristics of the individual or the controller (such as if the data relates to children or it involves medical information).

Who’s reporting first?

It’s possible the supervisory authority may hear about the breach from other sources including the media or affected data subjects. If this is the case, an authority such as the DPC may reach out to the affected organisation first, even before that entity has reported.

Establish the facts

As a final point, it is important not to forget that, even if you do not need to report a breach, the GDPR requires you to document the facts relating to it, its effects and remedial action taken. Therefore, you should keep a record should of all privacy incidents, even if they do not rise to a reportable level. This will help you learn from any mistakes and to meet accountability obligations.

Points to note

Keep in mind that it is not just about reporting a breach; organisations must also contain the breach, attempt to mitigate its negative effects, evaluate what happened, and prevent a repeat.

Breach reporting myths

Several misconceptions quickly emerged about GDPR, so here is a short primer to clarify them:

  1. Not all data breaches need to be reported to the supervisory authority
  2. Not all details need to be provided as soon as a data breach occurs
  3. Human error can be a source of a data breach
  4. Breach reporting is not all about punishing organisations
  5. Fines are not necessarily automatic or large if you don’t report in time

Resource cost – beyond the obvious

There have been a limited number of GDPR-related fines to date (see below) but this amount is likely to increase. Aside from financial penalties relating to breaches, organisations and businesses also need to consider the cost involved in complying with the regulation more generally.

This includes the resources needed to engage with a supervisory authority like the Data Protection Commission, as well as the amount of time it typically takes to manage a subject access request (SAR). The number of SARs is increasing because GDPR allows individuals to make a request free of charge.

GDPR enforcement actions: Google

In the runup to May 25 2018, there had been significant doubts about effective enforcement of the GDPR. If the seemingly invulnerable American social media and technology giants were able to ignore requirements without consequence, what would happen to the credibility and enforceability elsewhere? But against the current global backdrop, those technology companies have become far less invulnerable than they once seemed. Most cases are still making their way through the appeals procedure, but initial verdicts and sanctions are causing ripples for everyone within scope.

On January 21, 2019, the French Supervisory Authority for data protection (CNIL) fined Google €50 million for GDPR violations – the largest data protection fine ever imposed. The case raises several important privacy issues and provides useful insights into how one supervisory authority interprets the GDPR.

CNIL’s decision focuses on two main aspects: (i) violation of Google’s transparency obligations under the GDPR (specifically under Articles 12 and 13) and (ii) the lack of a legal basis for processing personal data (a requirement under Article 6). The CNIL is of the opinion that the consent obtained by Google does not meet the requirements for consent under the GDPR. Google is appealing the decision.

The decision dismisses the application of the GDPR’s one-stop-shop mechanism by holding that Google Ireland Limited is not Google’s main establishment in the EU (which would have made Ireland’s DPC the competent authority, rather than the CNIL). Since the fine is more than €2 million, it is clearly based on the turnover of Alphabet, Google’s holding company in the United States, not on any European entity.

GDPR enforcement actions: Facebook

On 7 February, Germany’s competition law regulator, FCO, concluded a lengthy investigation into Facebook and found that the company abused its dominant market position by making the use of its social network conditional on the collection of user data from multiple sources.

Facebook has not been fined; instead, the FCO imposed restrictions on its processing of user data from private users based in Germany. Facebook-owned services such as WhatsApp and Instagram may continue to collect data but assigning that data to a Facebook user account will only be possible with the user’s voluntary consent. Collecting data from third party websites and assigning it to a Facebook user account will also only be possible with a user’s voluntary consent.

Facebook is required to implement a type of internal unbundling; it can no longer make use of its social network conditional on agreeing to its current data collection and sharing practices relating to its other services or to third party apps and websites. Facebook intends to appeal this landmark decision under both competition and data protection law in the EU.

Other enforcement actions

After Birmingham Magistrates’ Court fined workers in two separate cases for breaching data protection laws, the UK Information Commissioner’s Office warned that employees could face a criminal prosecution if they access or share personal data without a valid reason.

The first hospital GDPR violation penalty was issued in Portugal after the Portuguese supervisory authority audited the hospital and discovered 985 hospital employees had access rights to sensitive patient health information when there were only 296 physicians employed by the hospital. The failure to implement appropriate access controls is a violation of the GDPR, and the hospital was fined €400,000 for the violations.

Lessons from year one

For data controllers and processors, the lessons to be learned from the first year of GDPR are clear:

Transparency is key

You must give users clear, concise, easily accessible information to allow them to understand fully the extent of the processing of their data. Without this information, it is unlikely any consent we collect will be considered to be a GDPR level of consent.

Fines can be large

CNIL’s response to Google demonstrates that regulators will get tough when it comes to fines and take several factors into account when determining the level of fine.

Watch the investigations

There are current 250 ongoing investigations – 200 from complaints or breaches and 50 opened independently by the data protections authorities so these will be interesting to watch in 2019.

Lead Supervisory Authority identity

Google and Facebook have both appointed the DPC in Ireland as their lead supervisory authority and have included this in the appeals process. CNIL took the lead in Google investigation, even though Google has its EU headquarters in Ireland – because the complaints were made against Google LLC (the American entity) in France.

Further challenges

There are further challenges to the way for the tech giants use personal data show no sign of dwindling. A complaint has been filed with Austria’s data protection office in respect of a breach of Article 15 GDPR, relating to users of Amazon, Apple, Netflix, Google (again) and Spotify being unable to access their data. 2019 should be an interesting year for Privacy.

What lies ahead?

The GDPR cannot be seen in isolation; it emerged at the same time as a growing public movement that frames privacy as a fundamental right. The research company Gartner identified digital ethics and privacy as one of its top trends for 2019. From a legislative perspective, the GDPR is part of a framework aimed at making privacy protection more robust.

PECR is the short form of the Privacy and Electronic Communications (EC Directive) Regulations 2003. They implement the e-privacy directive and they sit alongside the Data Protection Act and the GDPR. They give people specific privacy rights on electronic communications and they contain specific rules on marketing calls, emails, texts and faxes, cookies and similar technologies, keeping communications services secure and customer privacy relating to traffic and location data, itemised billing, line identification, and directory listings.

Further afield in the US, the California Consumer Privacy Act (CCPA) was signed into law in June 2018 and will come into effect on 1 January 2020. It’s intended to give California residents the right to know what personal data is being collected about them, and whether that information is sold or disclosed. Many observers believe the Act will trigger other U.S. states to follow suit.

For the remainder of 2019 and beyond, it promises to be an interesting time for privacy and data protection.

The post GDPR one year on appeared first on BH Consulting.