Category Archives: data protection

Can Patching and Backup Protect from Ransomware?

Ransomware is a growing industry. According to Cybersecurity Ventures, it was predicted to cost companies around $5 billion in 2017. In comparison, IDC estimates the worldwide market for endpoint security

The post Can Patching and Backup Protect from Ransomware? appeared first on The Cyber Security Place.

Assessing Risk Levels of Structured Versus Unstructured Data: Are They the Same?

As security practitioners look to secure their organization’s crown jewels against data theft, they should consider whether there is a difference in the risk levels for securing structured versus unstructured

The post Assessing Risk Levels of Structured Versus Unstructured Data: Are They the Same? appeared first on The Cyber Security Place.

GDPR quick guide: Why non-compliance could cost you big

If you conduct business in the EU, offer goods or services to, or monitor the online behavior of EU citizens, then the clock is ticking. You only have a few more months – until May – to make sure your organization complies with GDPR data privacy regulations. Failure to abide by GDPR means you could get hit with huge fines.

The Inconvenient Reality of Law Firm Security Challenges

When it comes to IT security-related risks, law firms are a prime target. Unfortunately, law firm security is not where it needs to be. Think about it: There’s a ton of juicy information on any given law firm network, and it’s all stored on mobile devices, email systems, web portals and more, both locally and in the cloud.

These organizations are concentrated sources of intellectual property and other sensitive business information, including:

  • Client trade secrets;
  • Attorney-client privileged information involving past, current and future cases;
  • Strategies and tactics involving approaches to litigation;
  • Details on mergers and acquisitions; and
  • Personally identifiable information (PII) as part of security incident investigations.

Not only do law firm network environments serve as an entry point to all this sensitive information, but many organizations are behind the times in terms of allocating reasonable funds to bolster security and minimize risks. This creates the perfect scenario for cybercriminals.

The Risks of an IT-Centric Approach to Law Firm Security

It’s easy for legal professionals to assume that they don’t have anything of value to cybercriminals and that their firm is not a target, but the threat is real. It might even come from inside the network in the form of a negligent or conniving employee exposing sensitive records. External threats could include competitors or foreign governments looking to disrupt legal operations or steal information.

In my experience working in the legal field, IT employees have had to lead the charge for security. Larger firms have begun hiring chief information security officers (CISOs), but many still take an IT-centric approach to security tasks, including:

  • Policy development;
  • Policy enforcement;
  • Ongoing information risk oversight; and
  • Security assessment and audit.

Whether in-house or outsourced, IT management of security functions can lead to a false sense of security among law firm partners and other stakeholders. Perhaps even more dangerous, I have seen situations in which firm partners with little to no IT or security background were in charge of security and risk management. This cost-saving shortcut to security can create more liabilities than it mitigates.

Assuring Clients and Preparing for a Breach

It’s one thing to have a dysfunctional security program, but when it becomes known, bigger issues arise. For example, when law firm clients start questioning security initiatives via those dreaded security questionnaires or worse, a breach occurs, the core of the law firm’s business, integrity and livelihood are impacted. To nip these issues in the bud, law firms must:

  • Manage oversight of security initiatives.
  • Document security policies along with disaster recovery and incident response plans.
  • Implement reasonable security technologies, and hire the right personnel to help enforce policies and oversee sensitive information.
  • Establish a cyber liability insurance policy.
  • Conduct periodic vulnerability and penetration testing.

Preventing security breaches is a worthy goal, but security leaders must also prepare to respond to exploits and outages that will inevitably get through the organization’s defenses. Otherwise, the firm will develop a reputation for negligence and recklessness.

To demonstrate that they are integrating security into the firm’s business practices, security teams should take the following steps.

  1. Know what you’ve got, including intellectual property and PII, along with critical systems and the vendors involved.
  2. Understand how it’s all at risk, including both technical and operational risks that are placing these assets in harm’s way.
  3. Reconfigure business processes, technical controls and organizational culture to protect the data identified in the first step and mitigate the risks outlined in the second step.

Collectively, this approach to information security involves a deep understanding of how both the business and the technology operates in the course of client representation. The key is to understand that you cannot secure the things you don’t acknowledge. Overlooking both technical and nontechnical areas of the practice that deal with sensitive information will lead to a misunderstanding of how security needs to be addressed, and that’s when security breaches happen.

Laying Down the Law on Security Practices

These best practices go beyond security. The American Bar Association’s Center for Professional Responsibility documented its own industry-specific guidance for protecting client information in its “Model Rules of Professional Conduct.” These rules involve not only understanding the technologies you’re using in your law firm, but also demonstrating reasonable efforts to properly handle and secure sensitive information.

Security is not that complicated until it is. That’s why law firms should heed Stein’s Law and address security gaps now before a data breach occurs.

The post The Inconvenient Reality of Law Firm Security Challenges appeared first on Security Intelligence.

Where Is Your Sensitive Information and Where Is It Going?

Who is responsible for determining who can access sensitive information? Is it the role of the database or system administrator, or the data owners from lines of business (LOBs)? Maybe the permission oversight varies when data content includes sensitive information. Should your privileged users and admins have actual access to the content? If so, how much control do you have over preventing bad behavior?

Fighting Alert Fatigue

Organizations typically rely on volumes of logs to forensically identify who accessed what data at what time and assess whether the access was appropriate or constituted a policy violation. Administrators may consider flowing the database or data access logs to the organization’s security information and event management (SIEM) solution to correlate and assist in determining policy violations. The problem is that large volumes of logs collected and evaluated by the SIEM cause significant overhead and performance degradation, and require extensive human oversight to achieve. Analysts tasked with quickly reviewing these massive logs tend to become desensitized since many alerts end up being false positives or otherwise irrelevant. Unfortunately, this means real risks are often overlooked.

An effective approach to this challenge is to front-end the information landscape — including databases, mainframe data and files — and move the analysis overhead away from the critical systems. A database, for example, is considered structured data since contents are stored in structured tables, columns and rows. When calls to the data are evaluated off of the critical systems themselves, there is an opportunity for real-time evaluation based on appropriate permissions to block, redact and mask content before disseminating it.

It’s also possible to leverage out-of-the box governance frameworks. Data privacy requires knowledge of who is accessing data, when, whether it’s appropriate and whether sensitive information was accessed. Many governance controls also determine the number of failed logins and whether these attempts are eventually successful.

Controlling Access to Sensitive Information in Real Time

By conducting this monitoring seamlessly outside of the actual database server or system, security teams can eliminate the overhead and let the databases, data repositories and SIEM tools do what they do best. In fact, these systems can synchronously scan and monitor the entire IT landscape and categorize information according to policies. These methods can then release outgoing data only as the controls allow, and may even terminate connections that attempt to violate policies.

Best of all, this is relatively easy to incorporate, given the right tools. Solutions that include comprehensive out-of-the-box governance models are already equipped to look in the right areas, and groups of users with varying levels of access permissions can be imported from the actual database groups or from external files and data structures. These groups can then be quickly aligned with the controlled data classifications and granted appropriate access and permissions. As for unstructured data on these servers, advanced data security solutions can perform the same monitoring and provide real-time controls to protect sensitive information.

The bottom line is that it’s crucial to understand where the organization stores its data, who is accessing it and whether that access aligns with established security policies. Without this visibility, threats are bound to slip past the weary eyes of overworked security analysts, and sensitive data is bound to slip into the wrong hands.


The post Where Is Your Sensitive Information and Where Is It Going? appeared first on Security Intelligence.

Why the cyber threat landscape could grow under GDPR

The General Data Protection Regulation (GDPR) is only 3 short months away, with the incoming regulation seeing businesses across Europe and beyond bolster their cyber security in an effort to

The post Why the cyber threat landscape could grow under GDPR appeared first on The Cyber Security Place.

Dispel Launches Election Security Platform

Dispel, a U.S.-based company that specializes in secure communication and collaboration systems, on Thursday announced the launch of a new product designed to help protect elections against malicious cyber actors.


Data Risk Management, Part 3: Assessing Risk Levels of Structured Versus Unstructured Data

This is the third installment in a three-part series about data risk management. For the full story, be sure to read part 1 and part 2.

As security practitioners look to secure their organization’s crown jewels against data theft, they should consider whether there is a difference in the risk levels for securing structured versus unstructured data. This process starts with defining what exactly the organization’s crown jewels are. Once that is determined, most organizations find that they need to prioritize both structured and unstructured data based on the value they represent.

Structured data, such as data kept in a relational database, is easy to search and analyze. This includes length-specific data, such as Social Security numbers, and variable-length text strings, such as customer names. Examples of applications that rely on structured data contained in a relational database management system (RDBMS) include sales tracking, airline reservation, customer relationship management (CRM), electronic medical record (EMR) and inventory control systems. Structured data within an RDBMS can be easily searched using Structured Query Language (SQL).

Unstructured data is just the opposite. It represents the lion’s share of data within any organization, has no predefined schema and uses a variety of formats. Think of emails, audio and video files, social media, mobile data, text files and so on. Unstructured data grows exponentially and constantly streams through your on-premises infrastructure, big data environments and the cloud. It can be stored in diverse repositories, whether they are NoSQL databases, data lakes or applications.

Determining Risk Levels of Structured and Unstructured Data

One thing both types of data have in common is that humans and machines can generate them. They also both represent varying risk levels to the organization. When classifying data, it’s important to consider the value that data represents to the organization and the potential implications of data loss.

For example, intellectual property, which is largely unstructured, is of great value to the organization. The theft of this data by a rival or cyberthieves could eliminate the organization’s competitive advantage and threaten its survival. On the other hand, the compromise of an email exchange about setting up a lunch date represents little threat to the organization, unless it’s between the CEO and another CEO to discuss a potential merger or acquisition. The breach of Colin Powell’s personal email account, for example, exposed a mergers and acquisitions strategy and acquisition targets, thanks to an attachment containing unstructured data in one of many stolen emails.

Structured data, such as transaction, financial and customer data, also holds great value to the organization. Because organizations have long recognized the value of this information, and because regulatory mandates require certain controls to be put in place to protect it, they have done a better job of securing structured data. The bigger issue arises when structured data is taken out of a well-fortified RDBMS and exported into a spreadsheet, cloud or partner system to be manipulated and shared with others. Once outside the existing security controls for the RDBMS, it is much harder to monitor and secure this data.

Unstructured Data Is an Easy Target

Cybercriminals are aware that critical unstructured data is a much easier target for theft than structured data that is protected by corporate firewalls, identity and access controls, encryption, database activity monitoring and more. Because organizations struggle to understand where that critical unstructured data is, how it is used and who has access to it, it can represent a bigger risk to the enterprise.

In addition, since there is so much more unstructured data than structured data, it’s harder to separate the critical from the not-so-critical to bolster protections around it. At the end of the day, it is essential to secure and control access to mission-critical structured and unstructured data. The process of identifying the data that is most critical to the success of the business will raise awareness of the potential impact of a breach.

Achieving the highest possible level of data security requires continuous monitoring for potential vulnerabilities and threats, combined with advanced protection and deep visibility into potential risks that may affect sensitive business data and processes. The key is to enable conversations between IT, security and line-of-business leaders to improve processes, mitigate risks, and convey meaning and value to executives.

Listen to the podcast: Data Risk Management in 2018 — What to Look for and How to Prepare

The post Data Risk Management, Part 3: Assessing Risk Levels of Structured Versus Unstructured Data appeared first on Security Intelligence.

Poor patching, user education leave healthcare providers sitting ducks for cyber attacks

Despite the masses of highly sensitive data that healthcare companies manage, new analysis has warned that chronically poor endpoint security, weak patching practices and high exposure to social engineering make

The post Poor patching, user education leave healthcare providers sitting ducks for cyber attacks appeared first on The Cyber Security Place.

Integrate Your Ticketing System into Database Security to Prevent DBA Privilege Abuse

Many of the recent high-profile data security breaches were made by trusted insiders. They are often database administrators (DBAs) who are highly privileged and trusted insiders with access to sensitive data.

In this blog post, I will discuss the inherent risk introduced by highly privileged administrators who are required to support production databases, the challenge of ensuring they are not abusing their privileges, and then, how you can integrate your ticketing system with your database compliance and security solution to mitigate the risk.

The risk of highly-privileged database users

Database administrators are sometimes required to connect to a production database to conduct maintenance tasks or diagnose and fix a problem. These tasks often require high-level privileges. With such sweeping privileges, database administrators can do whatever they want.

Any DBA can drop, create, back up, recover, truncate, and obviously query any table. At first look, querying any table is the least dangerous task from the list. On the other hand, if someone is trying to export and sell the content of the credit card table, that’s exactly the privilege they will need.

Malicious DBAs (insiders) are just one face of the risk. Careless DBAs might expose their DB credentials. Alternatively, their DB credentials may be compromised by an email phishing campaign (outsiders).

The “need-to-know” approach

In theory, you would like to grant each user the minimal permissions that they need for the task. In practice, it’s virtually impossible to achieve this since most administrative tasks require high-level privileges. In some cases, these privileges are hierarchic and contain other privileges the administrator should not have. In addition, the administrator’s permission needs keep changing based on their current task.

As an example of the risk, reading the SQL Server audit file using the sys.fn_get_audit_file function requires the CONTROL SERVER permission. This permission also allows the administrator to query any table on any database of that server. Querying any table might enable exporting all personally identifiable information from your most sensitive tables.

The “trust, but verify” approach

The alternative to a strict permissions model is to audit all activities, let administrators know their actions are audited, and finally, review and investigate any suspicious activity.

Let’s assume the first two parts are easy. But, how would you review all activities? And what the hell is a suspicious activity, when you do not know what the administrator was supposed to do?

Trust is easy. However, if the verify part is too tedious, you, and your database security personnel in general, will not do it properly. What you’re probably looking for is a set of tools and procedures that will simplify the verify part.

Managing production maintenance tasks and supporting cases using a ticketing system

Now let’s say you use a ticketing system. Each maintenance task or production issue has a ticket. It describes the symptoms to investigate, or the required action. Someone assigns each ticket to a DBA, who will in turn connect to the database and handle the ticket.

In a well-managed system, no highly privileged user will connect to a production database without having a ticket assigned to them.

In a perfect world, the highly privileged user will act according to the ticket’s description. That’s exactly what you need to verify.

The missing link

When database support is managed through a ticketing system, you can tell which task should be done and by whom. Still, the ticketing system will not validate that DBAs do not abuse their privileges.

The missing building block is a tool that matches what the privileged users actually did, with the support tasks that should have been done. Such an automated process will filter out all legitimate actions, which leaves you to deal with suspicious activity only.

Naturally, a database security solution that audits all activity, also has the potential to help you validate that privileged users don’t abuse their privileges and alerts you when they do.

Integrating a ticketing system into DB audit and security

Let’s take a closer look at how ticketing systems and database security solutions should cooperate to automate alerting for abuse of high privileges. Such DB audit solution integrations should have:

  • Easy one-time set up
  • Continuous notifications on any new ticket
  • Highly privileged users, who can easily tell the database their assigned ticket ID. This is crucial: It must be as easy as executing a single SQL statement in the current connection.
  • A unique ticket ID for a specific DB connection that is associated with all activity performed in the same DB connection
  • Validation that the ticket ID is both valid and assigned to the connected DB user
  • Alerts issued when a highly privileged user connects, executes privileged actions, or queries sensitive tables with no valid ticket assigned
  • Validation of the actual activity by reporting all audited events that belong to each ticket ID
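The matching logic these bullets describe, written out as an added example in Python. This is not code from the post or from Imperva SecureSphere; it assumes a constructed ticket queue exported from the ticketing system, a constructed audit-event stream, and a hypothetical convention by which a DBA declares the ticket for the current connection with a single statement, `EXEC set_ticket 'TICKET-ID'`. Each session is bound to a validated ticket; privileged statements or sensitive-table queries in an unbound session raise alerts, and every statement in a bound session is reported under its ticket ID.

```python
"""Match database audit events to assigned tickets and flag unticketed privileged activity.

Added example (not the post's or Imperva's code). Ticket queue, audit stream and the
`EXEC set_ticket '<id>'` marker statement are all constructed assumptions.
"""
import re
from dataclasses import dataclass

# Constructed ticket queue exported from the ticketing system: id -> (assignee, status).
TICKETS = {
    "INC-1001": ("dba_alice", "open"),
    "INC-1002": ("dba_bob", "closed"),
    "INC-1003": ("dba_carol", "open"),
}

# Statement types treated as privileged actions, and tables treated as sensitive.
PRIVILEGED = re.compile(r"^\s*(DROP|TRUNCATE|BACKUP|RESTORE|ALTER|GRANT)\b", re.I)
SENSITIVE_TABLES = ("dbo.creditcards", "dbo.customers")
# Hypothetical single-statement convention for declaring the ticket on a connection.
TICKET_MARKER = re.compile(r"^\s*EXEC\s+set_ticket\s+'([^']+)'\s*;?\s*$", re.I)


@dataclass(frozen=True)
class AuditEvent:
    session: str   # DB connection / session identifier from the audit log
    user: str      # authenticated DB login
    sql: str       # audited statement text


@dataclass(frozen=True)
class Alert:
    session: str
    user: str
    reason: str
    sql: str


def is_sensitive_query(sql):
    """True when the statement references a table on the sensitive list."""
    low = sql.lower()
    return any(table in low for table in SENSITIVE_TABLES)


def validate_ticket(ticket_id, user):
    """Return None if the ticket exists, is open and is assigned to `user`; else the reason."""
    entry = TICKETS.get(ticket_id)
    if entry is None:
        return f"unknown ticket {ticket_id}"
    assignee, status = entry
    if status != "open":
        return f"ticket {ticket_id} is {status}"
    if assignee != user:
        return f"ticket {ticket_id} is assigned to {assignee}, not {user}"
    return None


def evaluate(events):
    """Walk the audit stream in order, bind tickets to sessions and raise alerts.

    Returns (alerts, activity_by_ticket): alerts for invalid ticket declarations,
    sessions working without a valid ticket, and privileged or sensitive statements
    in such sessions; activity_by_ticket lists every audited statement per ticket.
    """
    session_ticket = {}      # session -> validated ticket id
    flagged_sessions = set() # sessions already alerted for having no valid ticket
    alerts = []
    activity = {}
    for ev in events:
        marker = TICKET_MARKER.match(ev.sql)
        if marker:
            ticket_id = marker.group(1)
            problem = validate_ticket(ticket_id, ev.user)
            if problem:
                alerts.append(Alert(ev.session, ev.user, problem, ev.sql))
            else:
                session_ticket[ev.session] = ticket_id
                activity.setdefault(ticket_id, []).append(ev.sql)
            continue
        ticket_id = session_ticket.get(ev.session)
        if ticket_id:
            activity.setdefault(ticket_id, []).append(ev.sql)  # legitimate, filtered out
            continue
        if ev.session not in flagged_sessions:
            flagged_sessions.add(ev.session)
            alerts.append(Alert(ev.session, ev.user, "session has no valid ticket", ev.sql))
        if PRIVILEGED.match(ev.sql):
            alerts.append(Alert(ev.session, ev.user, "privileged action without ticket", ev.sql))
        elif is_sensitive_query(ev.sql):
            alerts.append(Alert(ev.session, ev.user, "sensitive table accessed without ticket", ev.sql))
    return alerts, activity


# Constructed audit stream: four sessions, only one of which follows the process.
SAMPLE_EVENTS = [
    AuditEvent("s1", "dba_alice", "EXEC set_ticket 'INC-1001'"),
    AuditEvent("s1", "dba_alice", "ALTER INDEX ALL ON dbo.Orders REBUILD"),
    AuditEvent("s2", "dba_bob", "EXEC set_ticket 'INC-1002'"),          # closed ticket
    AuditEvent("s2", "dba_bob", "SELECT * FROM dbo.CreditCards"),       # still unbound
    AuditEvent("s3", "dba_carol", "SELECT COUNT(*) FROM dbo.Orders"),   # no ticket declared
    AuditEvent("s3", "dba_carol", "TRUNCATE TABLE dbo.AuditLog"),
    AuditEvent("s4", "dba_dave", "EXEC set_ticket 'INC-1003'"),         # someone else's ticket
]

if __name__ == "__main__":
    found_alerts, per_ticket = evaluate(SAMPLE_EVENTS)
    for alert in found_alerts:
        print(f"ALERT {alert.session} {alert.user}: {alert.reason} :: {alert.sql}")
    for ticket_id, statements in per_ticket.items():
        print(f"{ticket_id}: {len(statements)} audited statement(s)")
```

Only the session that declared a valid ticket is filtered out entirely; everything else surfaces as an alert with the session, user and statement, which is the reduced set a reviewer would actually look at. In a real deployment the ticket queue would be refreshed from the ticketing system as tickets open and close, and the marker statement would be whatever the database security product supports.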

SecureSphere DAM provides all the above and more

SecureSphere allows you to integrate a ticketing system into your database security policies. Its highly customizable audit and security policies let you define which DB users must have a valid ticket ID, what actions should trigger alerts when no valid ticket is assigned, and much more.

Find out more about how it works with “Integrate Imperva SecureSphere with BMC Remedy.” I’ll discuss the technical details of how to set up SecureSphere for integration with a ticketing system in my next post.

If You Care About Data Security, Don’t Leave It in Your Employees’ Hands

By Geraldine Osman, Vice President of Marketing at StaffConnect. Employees are only human. They like to communicate with each other in convenient ways that fulfill their needs for connection and information—not

The post If You Care About Data Security, Don’t Leave It in Your Employees’ Hands appeared first on The Cyber Security Place.

NoMoreRansom: Free Decryption for Latest Cryakl Ransomware

Decryption keys for a current version of Cryakl ransomware have been obtained and uploaded to the NoMoreRansom website. Victims of Cryakl can potentially recover encrypted files with the Rakhni Decryptor available for free from Kaspersky Lab or NoMoreRansom.


Using Data Protection Guidelines to Balance Security and Compliance in 2018

When did compliance become an enemy of security? Everyone knows that although security can lead to compliance, the reverse isn’t always true. But are security and compliance really impossible to balance?

If you take a purely economic view, compliance usually takes precedence over security for the simple reason that it is easy to measure via the purely binary check box method. Therefore, huge budgets are invested in compliance efforts that could otherwise go toward improving security.

Since security is an attrition game that requires businesses to weigh effort and cost versus what risk is mitigated, spend greatly affects the level of security that can be achieved. This is even before we consider the fact that compliance typically creates a false sense of security, compliance projects are often inefficiently implemented and everybody is generally happy as long as the organization passes its audits.

What Has Changed in 2018?

Has this changed in 2018? Have we finally prioritized security over compliance?

Unfortunately, the answer is almost always no. However, new technologies are changing the economics of this problem and increasing the opportunity to achieve the same (or better) levels of compliance while spending less money. This enables businesses to free up budget to elevate security rather than simply checking boxes.

To paint a clearer picture, let’s take a look at the numbers from Gartner’s “Market Guide for Data-Centric Audit and Protection,” which is emerging as a key framework for improving data security and compliance.

Retention and Storage

Retention requirements are constantly growing. It used to be acceptable to retain data for 30 to 60 days. Now, it’s far more common for retention requirements to span at least 13 months, and many companies are in the three-year category since new regulatory requirements demand extended retention.

While these changes present considerable challenges for database administrators and other information security professionals, solutions are emerging. Technologies such as security-centric big data lakes enable customers to increase their retention period by a factor of 10 while helping to reduce storage costs by at least a factor of 10 — together, that’s 100 times the savings. Features such as deduplication, compression and columnar storage can account for many of these benefits, and the rest comes from leveraging cloud and/or on-premises object stores where the price point is extremely low for bulk data storage.

For example, 1 PB of audit data that is reduced to 200 TB of compressed/deduplicated/indexed data spread over hot/warm/cold cloud storage can cost as little as $25,000 per year. Compare that with the cost of 200 TB of enterprise storage area network (SAN) storage that is typically used to achieve online access, and it’s possible to save in excess of $1 million.

It’s important to note that these new technologies allow for data to be retained in a way that serves security and user activity analytics. It’s not dumped into some archive and never heard from again. So while the main driver is the need to be compliant, the implementation method makes it possible to improve security analytics while helping to significantly reduce costs.

User Activity and Long-Term Analytics

We know that user activity analytics is the only way to address the noise and overhead of massive raw data sets, but to be effective, the analytics must be applied to a long-term data repository. It is widely known that “stupid” algorithms that operate on a lot of data perform much better than “smart” algorithms on a few weeks’ worth of data. The optimal solution is to couple the smartest algorithms with the largest possible historical data sets.

Beyond the fact that introducing data-centric audit and protection (DCAP) user activity analytics lowers costs and improves operational efficiency, cost-effectively retaining the data for longer periods of time also results in better security analytics and allows new insights to be uncovered.

Automation and Orchestration

The DCAP world is full of review and approval processes that, until now, have been mostly manual. Findings get routed manually to business owners, who manually approve events that are then manually added to policies and reference sets.

With DCAP, people often make decisions based on a very small set of criteria, and routing and orchestration can be automated. The decision process can also be automated 95 percent of the time by building a machine learning model to ingest these criteria. This significantly reduces the operational costs and complexity of review processes, since now people only need to be involved in 5 percent of the decision process.

A Fresh Perspective on Security and Compliance

By adhering to the DCAP guidelines, organizations can reduce the cost of compliance while contributing to significant improvements in security. That way, compliance efforts need not get in the way of security, and security teams can focus more on improving the enterprise’s data protection processes and less on checking boxes to pass audits. If organizations around the world adopt this fresh perspective in 2018, compliance won’t be the enemy of security after all.

The post Using Data Protection Guidelines to Balance Security and Compliance in 2018 appeared first on Security Intelligence.

What does the GDPR and the “right to explanation” mean for AI?

Security teams increasingly rely on machine learning and artificial intelligence to protect assets. Will a requirement to explain how they make decisions make them less effective? “But I’m not guilty,” said

The post What does the GDPR and the “right to explanation” mean for AI? appeared first on The Cyber Security Place.

How to Improve Cyber Literacy Within Your Organization

The issue of cyber literacy as a way to improve defenses against future attacks has received a lot of attention lately. This notion isn’t exactly new: A 1994 article from The New York Times mentioned the need to promote cyber literacy, quoting then-Wired editor Kevin Kelly, who spoke of “a different kind of literacy based on a melange of digital information.”

What is new, however, is how a business might implement the specifics of a literacy program and determine who exactly will be on the receiving end of this effort. Tripwire noted that educating executives about cybersecurity can help companies prepare for a potential security breach. While that may be true, there is a bigger issue at stake — namely, our end users’ cybersecurity knowledge and practices.

Measuring Cyber Literacy by the Numbers

Part of the problem is defining what it means to be cyber literate to begin with. Recently, a Tenable survey showed that, although virtually all respondents had heard about data breaches, many have failed to change their security habits. This could stem from ignorance, denial or a misunderstanding of their role in protecting data.

The survey also found that only about one-quarter of employees use multifactor authentication (MFA), and just one-third have reduced their use of open Wi-Fi hotspots as a result of stories describing security compromises. In addition, 45 percent of respondents use a personal identification number (PIN) to lock their laptops and other mobile devices, and 19 percent use some form of biometric tools such as fingerprint or facial recognition.

This is alarming because most of these activities, like the cyber literacy discussion itself, have been around for decades. Given these results, what can security leaders do to promote improved cyber literacy across the user population?

Promoting Secure Behavior Across the Enterprise

First, you should practice what you preach and demonstrate how to use MFA for personal accounts, such as Facebook, Google and PayPal. All of them now implement MFA methods, and even if you don’t have it for any corporate apps, you should still use MFA personally and encourage others to do so as well.

Next, regularly remind users to update their apps, operating systems and browser versions, even on their home computers and phones. According to the survey, 13 percent of computer users wait more than a week to update the apps on their computer, while 3 percent wait a month and 5 percent fail to update at all. Enterprise update policies are certainly important, but you should also educate your users about the risks of having out-of-date equipment.

If your company doesn’t yet use password managers or single sign-on (SSO) tools, now is the time to implement them. These solutions can cut down on password reuse, which is often the best way for cybercriminals to infiltrate your networks. While we all have too many passwords to manage, automated tools such as these can help us stop relying on our insecure go-to passwords.

Transparency and Trust

These are all great starting points, but it takes more than technology to improve cybersecurity literacy. For example, one of the most important considerations is corporate culture. Security leaders should endeavor to make the company more accountable and transparent in its response to data breaches. Look to organizations that have had success in this area and use those examples to convince upper management to do the same. As part of this transparency effort, you should strive to take better care of your customer data in terms of how it is used, stored and accessed by your employees.

Finally, we need to examine how to establish more trust between the chief security officer (CSO), employees at every level of the company and top management. This comes down to building mutual trust with key stakeholders and fostering strong relationships with the right people.

By educating employees, acquiring the right tools to help them develop more secure habits, and imploring top leadership to increase accountability and transparency in their response to data breaches, security leaders can finally make progress in the decades-long effort to promote cyber literacy throughout the enterprise and across our increasingly connected digital world.

The post How to Improve Cyber Literacy Within Your Organization appeared first on Security Intelligence.

Poor data practices can ruin a company, research claims

People will not do business with companies known for misuse of personal data. A lot of consumers (41 per cent) submit false data when signing up for products and services online,

The post Poor data practices can ruin a company, research claims appeared first on The Cyber Security Place.

Microsoft & Google unable to detect new zero-day ransomware

The ShurL0ckr ransomware was able to avoid detection by a majority of anti-virus engines and cloud applications. As organisations have adopted cloud services to increase their productivity and agility, so to

The post Microsoft & Google unable to detect new zero-day ransomware appeared first on The Cyber Security Place.

Parental Control Apps: More Security Tools For Your Family

In our Internet safety for kids article, we mentioned how useful parental control software is for the online security of the entire family. We’ve also seen a lot of parents wondering just how necessary or safe they are.

Let’s dive in and see what parental control apps are and how they can be a valuable addition to your family’s cyber security protection.

Parental control apps, at their core, allow parents to restrict their children’s access to certain kinds of content. You can use specialized parental control apps or software settings combos to decide what programs your children can see on TV, how much time they spend gaming, what sites they visit and so on.

They’re also a must-have for those who know just how important online security is.

Here’s what parental control notifications from just one security vendor reveal about children’s online habits.

While it could be tempting to let the small ones regulate their habits themselves, every parent knows there must be boundaries.

Children are tiny explorers, forever pushing those boundaries, and it’s up to parents to ensure their adventures don’t end in misfortune. The online landscape is filled with threats towards kids. Inappropriate content, shrewd marketers, malicious individuals who call “trolling” a hobby are just a few relevant examples of online threats.

But you already know that.

What you probably don't examine closely enough is the security of the devices and software your child interacts with.

If you’re a parent or planning to be one, you know security is one of the most important aspects of a family life. There has to be financial security, emotional security and, as all of us spend more and more time connected, cybersecurity.

Let’s see first what parental control apps are, what they offer and how necessary they are. Then let’s see the best, easiest way to make sure your family welfare is secure in all aspects.

Parental control apps are roughly divided into a couple of large categories, but modern ones offer multiple features.

Types of parental control apps and how they work:

Location monitoring

These apps will monitor location and activity usage, using GPS and other tools to let you know where your child is and alerting you when boundaries are crossed. You can use features like Find My Phone or apps like Glympse for location sharing.

Content filters

The most widespread content filters limit your child’s access to inappropriate content. Such content filters are available in most apps, from Youtube to Google, in games consoles, TVs and so on.

Content monitoring and reporting

In essence, these are tools that allow you to see exactly what your child is up to while interacting with devices, by checking the user logs or offering comprehensive reports. For example, in Windows 10 you can set up individual accounts for family members. If you add a child, you can get activity reporting and even weekly reports via email.

Usage control

These function like content filters but limit the usage of an app or a device. Think placing time constraints on your child’s access to a games console.

Meanwhile, parents, soon to be parents and other individuals have a lot of questions on how to proceed with online security for their children.

Essential questions regarding parental control apps:

Are parental control apps needed?

Yes. There is no doubt about it, no matter how you slice it.

Maybe you’re one of Internet’s early adopters, maybe you’re not. Either way, you definitely have seen some content that deeply disturbed you.

You most definitely struggled to regulate your own media consumption, your own habits, and your own social media usage. If you, an adult with decades of experience in keeping yourself healthy and secure, are struggling with this, what can be said about children and teenagers?

As writer James Bridle pointed out, Youtube, one of kids' favorite online hangouts, is filled to the brim with disturbing content. Much of it is generated through automation and pushed straight to the top of the charts by gaming Youtube's search and recommendation algorithms.


Moreover, kids and teens’ love for video games leaves them exposed to questionable marketing tactics and tempted to spend a lot of money on microtransactions, buying loot for their favorite game.

As Techspot reported last year, an 11-year-old spent $7,500 on in-app purchases, after his father had connected his iTunes account to his credit card.

It’s just one of many examples because, even though parents do try to limit their children’s access to technology, slip-ups do happen.

According to the Pew Research Center, more and more parents are starting to recognize the need for digital monitoring. However, a lot of parents are struggling to juggle all their responsibilities and to differentiate the valuable information from the fluff or misinformation.

This means that a lot of them are overwhelmed by too many information sources and miss out on the advent of a lot of great parental control apps.

Fortunately, this type of technology is getting more awareness and, with it, the adoption rate has risen.

Are parental control apps and platforms too complicated?

They can be.

Because we allow children to access so many devices and apps, from PCs to tablets to smartphones and consoles, it’s difficult to keep up with how they interact and behave online.

Even if you do manage to stay on top of your child's time spent on devices or somewhat regulate what websites they visit, things can slip. This was evidenced in the previous example, where a child had unrestricted access to a parent's tablet and the payment account linked to it.

The best, simplest and most cost-effective way to have an overview of the small ones’ digital activities is to use a parental control app that works across a myriad of devices and websites. We found a few paid options being compared here, and a few free choices as well.

Are parental control apps just disguised surveillance?

If you watched the latest episodes of Black Mirror, the hit series from Netflix, then you probably saw a world where a parental control app goes horribly wrong. In the pursuit of their child’s security, the parents go overboard and their worry becomes a self-fulfilling prophecy.

It's a great point to consider when you're investigating your parental control options. You also need to decide exactly how much control is required. As an individual, you're always looking for balance in all things, from the time spent improving yourself to the ways you relate to loved ones.

As a parent, you’re always trying to figure out what’s best for your family’s online security.

Which brings us to this. It’s the fundamental question you should ask when it comes to securing your children’s well-being, especially when it comes to their digital activities.

Are parental control apps secure?

Parental control apps, tools, gadgets and so on are made by people who share the same concern as you.

That doesn't mean they are secure by default. Most of the time, parental control apps are designed to give parents information and peace of mind. Their designers have the best intentions, but cybersecurity is not something they have at the forefront of their minds, and an app that collects a child's location, browsing history and messages is itself a sensitive data store.

Protecting your child against threats like malware, ransomware or data leakage should be achieved via specialized tools.

Kids are always tempted to click on something, download an app and so on. This makes them extremely at-risk users. To ensure their online safety, good cybersecurity practices should start with parents.

Here are the essential steps to ensure cybersecurity for the entire family:

  • Lock down your home Wi-Fi, because every family device connects through it and it is a standing target for attackers. We put together a guide to Wifi security here.
  • Secure your and your children's smartphones and tablets. Here is the smartphone protection guide that will help keep the family safe from compromised apps, malicious banners and other malware infection sources.
  • Keep your computer protected at all times using an antivirus alongside an anti-malware solution that monitors all traffic.
  • Always update the software on your PC.

We know that, as a parent, your time is precious and sometimes severely limited.

Our biggest advice is to get a secure parental control app that automates a lot of tasks and research the best security solutions to add another layer of protection.

We want to invite you to try Heimdal PRO for 30 days, free, with no strings attached. It’s our proactive protection software that works with any antivirus. This agent secures you against advanced malware and updates your software automatically, without interrupting you from your tasks. We’d love to hear what you think about it and get valuable feedback from parents concerned about online security.


How do you use a parental control app? How do you place limits on your kids’ digital activity and how do you ensure their online safety?

Do you use a parental control app?

Minimizing the Encryption Blast Radius

We have made great strides in the area of encryption since its introduction over 3,000 years ago, particularly with the introduction of asymmetric and hash algorithms. From a policy perspective, the National Institute of Standards and Technology (NIST) has helped us evolve our encryption capabilities by pushing for public submission and review of algorithms, as it did with the Advanced Encryption Standard (AES) and Secure Hash Algorithm 3 (SHA-3). In 2009, IBM research scientist Craig Gentry presented the first fully homomorphic encryption scheme, and IBM unveiled pervasive encryption as part of its z14 platform last year.

Given all these developments, why do many enterprises still resist using encryption? For years, experts within the security community have debated about worst-case scenarios — that an encryption key might be lost or stolen, that a brute-force attack might unlock data, or that an intentional backdoor or unforeseen bug in the encryption algorithm might cause a failure, or encryption blast, that compromises all the data under its protection. These discussions foster fear and uncertainty in our community and can cause us to overreact or, worse, do nothing.

Why Are Organizations Reluctant to Adopt Encryption?

In the 19th century, Dutch cryptographer Auguste Kerckhoffs created a principle that states that a cryptosystem should be secure even if everything about the system — except the key — is public knowledge. In simpler terms, that means that even if you know everything about a lock, you should not be able to open it without the proper key.

Encryption critics have long stated that encryption has overhead. It does, and it must, since no algorithm is free of processor consumption. However, the current symmetric encryption standard, AES, is extremely efficient, and its security and performance were vetted publicly against numerous implementations, in a variety of languages and across a number of hardware architectures. In fact, even its implementation in silicon was evaluated before it was considered for ratification. Furthermore, AES has now withstood quite a lifetime of use without compromise since its formal ratification in 2001. Unlike algorithms before it, AES epitomizes Kerckhoffs' principle: The lock is well known but the key is virtually impossible to find, especially within a 256-bit keyhole.

Managing Encryption Keys

Now let’s talk about managing keys. We, as security professionals, do not place all of our reports, presentations or spreadsheets into a single file because it would be too difficult to manage. Instead, we manage thousands of files on our laptops with ease by separating them by topic, time, type or filename. We even have emails that are organized in a similar fashion, along with numerous hyperlinks. Why are we able to manage such a large set of files, but managing a similar number of encryption keys seems so challenging? In truth, managing encryption keys should be easier than managing files.

If we placed all of our data within one file or database, the loss of that database would have a very large blast radius: all of the data would be gone. However, since we break our data into manageable chunks, files, databases or spreadsheets, the loss of one file does not mean the loss of everything. Therefore, our blast radius is smaller.

This approach lets us minimize the encryption blast radius. Encryption not only protects data, it can be applied file by file, regardless of where each file is stored, with every file scrambled under its own unique key. With granular file encryption and a unique key per file, the loss or theft of one key exposes or destroys only that one file, so the blast radius shrinks from everything to a single object.

Better yet, granular encryption and key management also let you erase data forever merely by deleting the associated encryption key. Imagine a file-delete feature that simply discarded the key, leaving the data cryptographically erased and unrecoverable. Would overwriting the file with ones and zeros even be necessary? To be thorough, you could still scrub the bits of the key, and it takes far less time to scrub a 256-bit key than a 1 GB file. The one precondition is that no copy of the key survives anywhere else, whether in a backup, a key-management log or a cache; crypto-erasure is only as complete as your key inventory.
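As an added example, not code from the original post or from IBM, here is the per-file key scheme just described in Go: each file gets its own random AES-256-GCM data-encryption key (DEK), the file ID is bound as associated data so a ciphertext cannot be relabelled as another file, and "deleting" a file means zeroing and forgetting its key while the ciphertext stays where it is. The in-memory KeyStore stands in for a KMS or HSM (an assumption so the example runs offline), and the file IDs and contents are constructed sample data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// EncryptedFile is one file's ciphertext plus what is needed to open it.
// The DEK is deliberately not stored next to the ciphertext.
type EncryptedFile struct {
	ID         string
	Nonce      []byte
	Ciphertext []byte
}

// KeyStore maps a file ID to its own random 256-bit DEK. In a real deployment
// the DEKs would be wrapped under a master key in an HSM/KMS (assumption: in-memory here).
type KeyStore struct {
	keys map[string][]byte
}

func NewKeyStore() *KeyStore { return &KeyStore{keys: make(map[string][]byte)} }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt mints a fresh DEK for this file and seals the plaintext under it.
// The file ID is the associated data, so ciphertexts cannot be swapped between files.
func (ks *KeyStore) Encrypt(id string, plaintext []byte) (*EncryptedFile, error) {
	if _, exists := ks.keys[id]; exists {
		return nil, fmt.Errorf("file %q already has a key; a DEK is never reused", id)
	}
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	aead, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ks.keys[id] = dek
	return &EncryptedFile{ID: id, Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, plaintext, []byte(id))}, nil
}

// Decrypt fails once the file's DEK is gone: that is what cryptographic erasure looks like.
func (ks *KeyStore) Decrypt(f *EncryptedFile) ([]byte, error) {
	dek, ok := ks.keys[f.ID]
	if !ok {
		return nil, errors.New("no key for " + f.ID + ": data is cryptographically erased")
	}
	aead, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, f.Nonce, f.Ciphertext, []byte(f.ID))
}

// CryptoErase zeroes and forgets one DEK. The ciphertext may stay on disk;
// only 32 bytes had to be destroyed, and the blast radius is exactly one file.
func (ks *KeyStore) CryptoErase(id string) {
	if dek, ok := ks.keys[id]; ok {
		for i := range dek {
			dek[i] = 0
		}
		delete(ks.keys, id)
	}
}

// Recoverable counts the files that still open, i.e. everything outside the blast radius.
func (ks *KeyStore) Recoverable(files []*EncryptedFile) int {
	n := 0
	for _, f := range files {
		if _, err := ks.Decrypt(f); err == nil {
			n++
		}
	}
	return n
}

func main() {
	ks := NewKeyStore()
	var files []*EncryptedFile
	for _, id := range []string{"q1-report", "m-and-a-memo", "payroll"} { // constructed sample files
		f, err := ks.Encrypt(id, []byte("contents of "+id))
		if err != nil {
			panic(err)
		}
		files = append(files, f)
	}
	ks.CryptoErase("m-and-a-memo")
	fmt.Printf("%d of %d files recoverable after erasing one key\n", ks.Recoverable(files), len(files))
}
```

Run with go run and it reports that two of three files remain recoverable after one key is erased; the erased file's ciphertext is still present but no longer opens. In production the per-file DEKs would themselves be wrapped under a master key, so the set you must inventory and protect is that master key plus every wrapped DEK that exists in backups.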

Are We Future-Proof?

We are never future-proof. Encryption is a practice, not a destination. Unfortunately, we have a lot of data that still needs our protection, but some of our locks and keys may need to be updated as well.

We do not know precisely when, but quantum computing is coming. Furthermore, we do not know exactly when it will be cost-effective, but the NIST reported that by 2030, the cost of building a quantum computer that can break a 2000-bit RSA key in a matter of hours will be about $1 billion. That is certainly not couch change, but the price will likely go down from there.

Will this advancement impact today's encryption algorithms? Yes, but the impact on symmetric algorithms such as AES will be mild (Grover's algorithm roughly halves the effective key length, so AES-256 still offers about 128 bits of security) compared to the disastrous impact it will have on asymmetric algorithms such as RSA and elliptic curve cryptography (ECC), whose underlying factoring and discrete-logarithm problems Shor's algorithm solves outright.

In response, we should not scream, declare the sky is falling or wait before we do anything. Instead, we should encrypt all of our data at a very granular level using AES-256, delete all data that we do not want to be made public in 10 years, and find new algorithms to replace RSA and ECC.

It’s that simple — we must keep moving forward. It is the only way to minimize the encryption blast radius.

To learn more, watch the “Unified Data Encryption: Reduce the Risk of Costly Breaches and Compliance Pain” video at the top of this page.

The post Minimizing the Encryption Blast Radius appeared first on Security Intelligence.

UK data protection authority issues record fines

Since August 2015, the UK's independent data protection authority, the Information Commissioner's Office (ICO), has fined 104 organisations a total of £8.7 million for breaches of data security and anti-spam regulations. Every month the ICO releases detailed information on which companies have been fined for breaking the regulations. The figures for January reveal that it is ramping up the pressure still further on companies that break the rules, issuing record fines for the month. … More

January’s Top Cybersecurity News Stories: Jackpotting, Cryptocurrency Mining and Other Emerging Trends

Below is a roundup of the biggest cybersecurity news stories from the past month.

January is over, and it’s time for security professionals around the world to sweep up the confetti and start digging in on their New Year’s resolutions. During the first month of 2018, we saw everything from a CPU vulnerability to advanced Internet of Things (IoT) exploits, physical ATM attacks and new cybercriminal trends driven by the cryptocurrency gold rush.

Let’s take a closer look at how these stories are shaping the cybersecurity landscape as the industry gears up for another year of escalating threats.

Taking Stock of the Top Cybersecurity News Stories From January

On Jan. 9, a Ponemon Institute report titled "What CISOs Worry About in 2018" revealed that chief information security officers (CISOs) are less confident than ever in their ability to withstand cyber risks. According to the study, two-thirds of security leaders believe their organizations will suffer a cyberattack or data breach this year, and many fear that third-party partners will be the point of entry. In addition, 70 percent of CISOs cited lack of competent staff as their top challenge. Their concerns are understandable considering that cybercriminals stole $172 billion from 978 million consumers in 20 countries last year, according to Symantec.

January also saw an explosion of cryptomining attacks. In recent weeks, threat actors made off with $400 million worth of a digital currency by penetrating Japanese cryptocurrency exchange Coincheck. That news came just days after Ernst & Young estimated that nearly $400 million worth of funds raised in initial coin offerings had been lost or stolen. That’s more than 10 percent of the proceeds.

Cryptocurrency has become a playground for attackers, who have recognized that they can score bigger payoffs by turning users’ computers into nodes on a massive coin-mining network than they can by attacking users individually. In fact, SiliconANGLE reported that ransomware attacks are on the decline as criminals seek safer and more lucrative returns in mining.

One such attack has been ongoing for more than four months, affecting an estimated 30 million users around the globe. In most cases, victims don't even know they've been compromised. Cryptojacking scripts run as rogue JavaScript in an open browser tab and burn the visitor's CPU for as long as the page stays open. Some attackers even buy ad slots legitimately before swapping the ad content for mining code.

Top Exploits of 2018 So Far

In cybersecurity, there’s always something new to worry about. This month’s headache is jackpotting, a physical compromise scheme in which thieves hijack ATMs and force them to spit out cash. Brian Krebs first exposed the phenomenon, which encompasses a variety of techniques, such as using an endoscope — a device used by doctors to look inside the human body — to locate ports inside the machine where a crook can attach a cable that syncs with his or her laptop.

Voice-activated assistants have also found themselves squarely in cybercriminals' crosshairs. According to Communications of the ACM, sound waves can be used to manipulate the sensors in IoT devices so that they deliver incorrect readings, cause control systems to malfunction or even execute commands via voice instructions hidden in music. Because these attacks arrive through analog channels, they aren't easily blocked by digital defenses.

Emerging Malware Trends

One thing that defines every January is predictions for the year ahead. What trends will define the security landscape in 2018? The IBM X-Force team has a few ideas.

  • Botnet attacks will become more frequent as cybercriminals exploit vulnerabilities in IoT devices. Last summer, a consortium of technology firms took down a botnet that compromised tens of thousands of Android devices using exploits in seemingly legitimate apps from the Google Play store. Any connected device can now potentially become a participant in a distributed denial-of-service (DDoS) attack.
  • Failure to patch known vulnerabilities continues to be the primary culprit in large-scale attacks. Less than 1 percent of vulnerabilities in 2016 were considered zero-day, according to the IBM X-Force vulnerability database. Applying patches has never been more important.
  • Cloud services are presenting new attack vectors as misconfigured permissions or simple oversight leaves data exposed. Cloud databases leaked over 2 billion records in 2017, and the X-Force team asserted that server misconfigurations were responsible for 70 percent of them.
  • Thieves are increasingly extorting large ransoms for stolen high-value data. Victims in 2017 included a popular video streaming service from which preproduction versions of popular shows were stolen and several plastic surgery clinics whose photos of celebrity clients were held for ransom. With ransomware becoming a hit-or-miss proposition, attackers are focusing more on big money opportunities.
  • Phishing attacks will become more sophisticated as perpetrators use spear phishing to target individual victims, often spoofing their email accounts and writing style with personalized messages.
  • As noted above, cryptocurrency theft will soar with the growing value of blockchain-based digital money.

Risk Management Resolutions

Failure to patch is only one of the five epic security fails we outlined this month that put organizations at increased risk. Another is the tendency to become complacent once compliance is achieved on paper and neglect to update certifications and skills. A third major blunder is failure to centralize data security, which can impede efforts to keep up with the constantly shifting threat landscape.

Organizations that do not assign responsibility for data put themselves at even further risk. After all, if no one owns the data, no one is likely to protect it. Finally, failure to monitor data access enables cybercriminals to simply walk in through the front door, so to speak. It’s important to shut down access privileges immediately once an employee is terminated or otherwise leaves the company.

Consumers Warm Up to Security

IBM Security’s new “Future of Identity Study,” which surveyed nearly 4,000 adults from around the globe, revealed that consumers are beginning to prioritize security above convenience. Respondents ranked security as their top priority, over both convenience and privacy, when logging in to the majority of applications, especially apps dealing with money and financial transactions. The survey also found that biometrics are becoming mainstream, with 87 percent of consumers saying they’ll be comfortable with the technology in the future.

In addition, the study noted that although millennials have grown up with information technology, they aren’t as careful as their elders about passwords. Young people are less likely than other groups to use complex passwords and more likely to use the same password many times. However, they are also more inclined to use password managers and biometrics, which can help provide additional security layers without adding extra passwords to memorize.

Read the complete IBM Study on The Future of Identity

Gearing Up for Six More Weeks of Winter

With the new year in full swing, the start of February is an excellent time to take stock of the past month’s cybersecurity news headlines and trends, and gear up for whatever threats will emerge in the coming weeks. It’s a lot to take in at once, but awareness of the latest shifts in the threat landscape can go a long way toward helping enterprises and individual users steer clear of the cybercriminal flavor of the month.

The post January’s Top Cybersecurity News Stories: Jackpotting, Cryptocurrency Mining and Other Emerging Trends appeared first on Security Intelligence.

7 steps for getting your organization GDPR-ready

While the EU has had long established data protection standards and rules, its regulators haven’t truly commanded compliance until now. Under the General Data Protection Regulation (GDPR), financial penalties for data protection violations are severe – €20 million (about $24.8 million USD) or 4 percent of annual global turnover (whichever is higher), to be exact. What’s more is that GDPR does not merely apply to EU businesses, but any organization processing personal data of EU … More

What You Should Know Before You Put Your GDPR Program in Motion

At last, it’s time to flip the switch.

In our three most recent blog posts in this series, we’ve been leading up to this moment, discussing everything from assessing your current GDPR readiness situation and designing your approach to transforming your organization’s practices. And now we’re ready to talk about the Operationalize phase of the IBM Security GDPR framework.

Operationalizing Your GDPR Readiness Plan

If the prospect of putting all the gears in motion makes you a little apprehensive, you can rest assured you’re not alone. So take a few moments to think about everything you’ve accomplished up to this point in your GDPR readiness journey, and it’s likely you’ll realize that this is simply the next logical step in the process.

That said, I’d like to offer some suggestions to help make the transition go as smoothly and successfully as possible.


It may sound obvious, but you really do need to let everyone know what’s changing — and why. Try to keep your explanation as simple and straightforward as possible. And remind everyone that while you’ve tested and refined the processes and procedures as much as possible, there may still be a few glitches along the way. So let them know that their patience will be much appreciated.


Have a plan in place for keeping track of how everything is going. It’s one of the best ways to keep small problems from becoming big ones.


One obvious result of your monitoring is that you may need to change things here and there. But because you likely have already tested most of your new systems, processes and procedures (and you have been doing that, right?), we’re really talking about making fairly small adjustments here — and not significant changes.


It shouldn’t come as a surprise to learn that you’re going to need to track your GDPR program’s performance — and measure its success. Decide what you need to measure and then make sure you’re getting reliable (and verifiable) data. For example, you’ll probably want to track the number of:

  • Data protection officers you have in place;
  • People you’ve trained;
  • Data transfers you’ve completed;
  • Data subject access requests you’ve received and fulfilled; and
  • Breaches or incidents you’ve experienced (if any).

Having ready access to that information could be very helpful if regulators come knocking at your door. And one more thing: Remember to check in with your executive team to make sure they’re getting the metrics they need as well.


Whether you’re dealing with 1,000 data subjects or hundreds of thousands, we recommend creating a privacy management office to manage data governance and overall data use. Ideally, you should consider having a system in place for creating and tracking “unique person identifiers” that provide a single point of focus for any one of your data subjects. This can be managed by the privacy team, IT or a separate data protection team.

Accept Reality

What are the odds that the regulators will show up at your door? That’s an impossible question to answer. But I can venture an educated guess that many organizations won’t be fully GDPR-ready by May 25. Still, it makes sense to strive for as much readiness as you can muster.

One More Stop to Go on Your GDPR Readiness Journey

And remember that your GDPR journey doesn’t end here. The fifth and final phase of the IBM Security GDPR framework focuses on conforming, which includes effectively managing your controller/processor relationships and demonstrating that you’ve implemented technical and organizational measures to ensure that appropriate security controls are in place. We’ll be discussing those topics next.

In the meantime, learn more about how IBM can help you navigate your journey to GDPR readiness with privacy and security solutions here and within a broader perspective at


Notice: Clients are responsible for ensuring their own compliance with various laws and regulations, including GDPR. IBM does not provide legal advice and does not represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation. Learn more about IBM’s own GDPR readiness journey and our GDPR capabilities and offerings to support your compliance journey here.

The post What You Should Know Before You Put Your GDPR Program in Motion appeared first on Security Intelligence.

Cyber Security Roundup for January 2018

2018 started with a big security alert bang after Google security researchers disclosed serious security vulnerabilities in just about every modern computer processor in use on the planet. Named 'Meltdown' and 'Spectre', these vulnerabilities, when exploited by a hacker or malware, disclose confidential data from memory the attacker should not be able to read. As a result, a whole raft of critical security updates was hastily released for computer and smartphone operating systems, web browsers and processor microcode. While processor manufacturers have been rather lethargic in reacting and producing patches for the problem, software vendors such as Microsoft, Google and Apple reacted quickly, releasing security updates to protect their customers from the vulnerable processors, kudos to them.

The UK Information Commissioner's Office (ICO) heavily criticised Carphone Warehouse for security inadequacies and fined the company £400K following its 2015 data breach, when the personal data, including bank details, of millions of Carphone Warehouse customers was stolen by hackers in what the company at the time described as a "sophisticated cyber attack". Where have we heard that excuse before? Certainly the ICO wasn't buying it after it investigated, reporting a long list of Carphone Warehouse security failures: software that was six years out of date; a lack of "rigorous controls" over who had login details to systems; no antivirus protection running on the servers holding data; the same root password used on every individual server, which was known to "some 30-40 members of staff"; and the needless storage of full credit card details. Carphone Warehouse should thank its lucky stars the breach didn't occur after the General Data Protection Regulation comes into force, as with such a damning list of security failures the company may well have been fined considerably more once the ICO is granted vastly greater financial sanctions and powers when the GDPR kicks in this May.

The National Cyber Security Centre warned that the UK national infrastructure faces serious nation-state attacks, stating it is a matter of "when" not "if". There were also claims that the cyberattacks against Ukraine in recent years were down to Russia testing and tuning its nation-state cyberattack capabilities.

At the Davos summit, the Maersk chairman revealed his company spent a massive £200m to £240m on recovering from the recent NotPetya ransomware outbreak, after the malware 'totally destroyed' the Maersk network. That's a huge price to pay for not regularly patching your systems.

It's no surprise that cybercriminals continue to target cryptocurrencies given the high financial rewards on offer. The most notable attack was a £290k cyber-heist from BlackWallet, where the hackers redirected 700k BlackWallet users to a fake replica BlackWallet website after compromising BlackWallet's DNS server. The replica website ran a script that transferred users' cryptocurrency into the hacker's wallet; the hacker then moved the currency into a different wallet platform.

In the United States, the Federal Trade Commission (FTC) fined toy firm VTech US$650,000 (£482,000) for violating US children's privacy law. The FTC alleged the toy company violated the Children's Online Privacy Protection Rule (COPPA) by collecting personal information from hundreds of thousands of children without providing direct notice.

It was reported that a POS malware infection at Forever21 and lapses in encryption were responsible for the theft of debit and credit card details from Forever21 stores late last year. Payment card data continues to be a high-value target for cyber crooks with sophisticated attack capabilities, who are willing to invest considerable resources to achieve their aims.

Several interesting cybersecurity reports were released in January. The Online Trust Alliance Cyber Incident & Breach Trends Report: 2017 concluded that cyber incidents doubled in 2017 and that 93% were preventable. Carbon Black's 2017 Threat Report stated that non-malware-based cyber-attacks were behind the majority of cyber-incidents reported in 2017, despite the proliferation of malware available to both professional and amateur hackers. Carbon Black also reported that ransomware attacks are inflicting significantly higher costs and that the number of attacks skyrocketed during the course of the year; no surprise there.

Malwarebytes' 2017 State of Malware Report said ransomware attacks on consumers and businesses slowed down towards the end of 2017 and were being replaced by spyware campaigns, which rose by over 800% year-on-year. Spyware campaigns not only allow hackers to steal precious enterprise and user data but also allow them to identify ideal attack points from which to launch powerful malware attacks. The Cisco 2018 Privacy Maturity Benchmark Study claimed 74% of privacy-immature organisations were hit by losses of more than £350,000, and that companies that are privacy-mature have fewer data breaches and smaller losses from cyber-attacks.

10 Steps to Evaluate Cloud Service Providers for FedRAMP Compliance

The Federal Risk and Authorization Management Program (FedRAMP) is a framework that provides a standardized approach to authorizing, monitoring and conducting security assessments on cloud services. It is an integral part of the U.S. Department of the Interior’s Cloud First Policy, which is designed to help government agencies leverage cloud solutions securely and more efficiently. This program focuses on reducing redundant work, streamlining processes, closing security gaps and minimizing costs associated with authorization.

Any accredited federal agency, authorized cloud service provider (CSP) or third-party assessment organization (3PAO) can be associated with FedRAMP. However, implementing it can be challenging. It takes time to execute properly and is not comparable to common reporting frameworks such as Statement on Standards for Attestation Engagements (SSAE 16) and Service Organization Control (SOC 2). In fact, FedRAMP is one of the most complex and in-depth compliance programs an organization can undertake.

10 Steps to Evaluate CSPs for FedRAMP Compliance

Below are 10 steps organizations must take to evaluate their CSPs for FedRAMP compliance.

1. Cloud Risk Assessment

Organizations must categorize the data they plan to store and share in the cloud by type and sensitivity. It’s important to remember that data located in the cloud is inherently more difficult to control and protect. Consider whether or to what extent the manipulation or exposure of this data could affect its confidentiality, integrity or availability. You may also want to perform a security assessment to determine whether a public, private or hybrid cloud solution carries more or less risk than simply hosting the data on-premises.

2. Security Policies

The next step is to create a security policy to define the controls and risks associated with the cloud service. This policy should cover which data, services and applications are secure enough to migrate to the cloud. Work with legal counsel before engaging a CSP to ensure that all internal controls meet the organization’s needs.

3. Encryption

Many CSPs offer encryption, which is one of the most effective protections against cyberthreats. However, it’s crucial to consider the security of the encryption keys provided by the CSP.

4. Data Backup

To achieve FedRAMP compliance, an organization must have adequate controls that back up cloud data. A business continuity and disaster recovery plan is even more critical and should be tested periodically to avoid outages.

5. Authentication

FedRAMP compliance also requires organizations to have robust authentication protocols in place. Most CSPs require an authentication method that facilitates mutual validation of identities between the organization and provider.

These protocols depend on the secret sharing of information that completes an authentication task, which protects cloud-bound data from man-in-the-middle (MitM), distributed denial-of-service (DDoS) and relay attacks. Other methods, such as smart cards, strong passwords and multifactor authentication, defend data against brute-force attacks. Finally, elliptic curve cryptography and steganography help prevent both internal and external impersonation schemes.

6. Determine CSP Capabilities

Cloud providers offer a variety of services, such as software-as-a-service (SaaS), platform-as-a-service (PaaS) and infrastructure-as-a-service (IaaS) offerings. SaaS is a service in which software is licensed to an organization as a subscription-based model. PaaS, on the other hand, is a public or private offering that sits behind a firewall and enables organizations to develop, execute and manage applications. Finally, IaaS solutions provide controlled automation and scalable resources via an application programming interface (API) dashboard. This type of service is often regarded as a virtual data center.

These common cloud services should be evaluated according to the organization’s cloud security policy and risk assessment.

7. CSP Security Policies and Procedures

FedRAMP also requires organizations to ensure that the CSP has policies and procedures to govern security processes and responsibilities. This involves obtaining an independent audit report from an accredited assessor. It is also important to review these procedures to guarantee compliance with other frameworks, such as the International Standards Organization (ISO) 27000 series.

8. Legal Implications

CSPs must adhere to global data security and privacy laws, meaning they must disclose any and all breaches to the appropriate government agencies. Because FedRAMP’s legal guidelines are in flux, always consult with your legal department to ensure compliance with federal and state laws, which are often defined in the cloud provider agreement. In most states, the owner of the data is responsible for maintaining compliance with these regulations.

9. Data Ownership

Data ownership is a vital criterion when it comes to reviewing a cloud service contract. The parameters can be confusing for organizations that have many stakeholders, so establish a comprehensive data governance program and reflect it in the CSP’s contract.

Implement continuous local backups to make sure any cloud outages do not cause permanent data loss. Security leaders should insist that the CSP uses end-to-end encryption on data in motion and at rest. Also remember that different jurisdictions can affect the security of data that is stored and/or transmitted in a foreign country.

10. Data Deletion

Cloud security compliance should be reviewed in the context of the organization’s policies and procedures for data deletion. You must also consider the difficulty of tracing the deletion of encrypted data. Some cloud providers use one-time encryption keys that are subsequently deleted along with the encrypted data, rendering it permanently useless.
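The last sentence describes the one-time-key pattern, often called crypto-shredding: each object is encrypted under its own key, and deleting that key is what makes the data unrecoverable, even where copies of the ciphertext linger in replicas or backups that no deletion request ever reaches. The following Go program is an added illustration of that pattern and is not code from the original post or from any cloud provider; the type and function names (ShreddableObject, Store, Read, Shred, StaleCopyReadable) and the sample record are constructed for this example, and AES-256-GCM from the Go standard library is assumed as the cipher.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrShredded is returned once an object's key has been destroyed.
var ErrShredded = errors.New("object key deleted: ciphertext is permanently unreadable")

// ShreddableObject is a constructed stand-in for one stored record: the
// ciphertext, its nonce, and the per-object key that alone can open it.
type ShreddableObject struct {
	Nonce      []byte
	Ciphertext []byte
	key        []byte // nil after Shred
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Store encrypts plaintext under a fresh random AES-256 key used for this
// object only, so destroying that key affects nothing else.
func Store(plaintext []byte) (*ShreddableObject, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &ShreddableObject{
		Nonce:      nonce,
		Ciphertext: aead.Seal(nil, nonce, plaintext, nil),
		key:        key,
	}, nil
}

// Read decrypts and authenticates the object while its key still exists.
func (o *ShreddableObject) Read() ([]byte, error) {
	if o.key == nil {
		return nil, ErrShredded
	}
	aead, err := newAEAD(o.key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, o.Nonce, o.Ciphertext, nil)
}

// Shred zeroes and drops the key. The ciphertext is deliberately left in
// place to model copies that survive in replicas, snapshots and backups.
func (o *ShreddableObject) Shred() {
	for i := range o.key {
		o.key[i] = 0
	}
	o.key = nil
}

// StaleCopyReadable models an auditor's check: given only a surviving copy
// of the ciphertext and a candidate key, can the record be recovered? GCM
// rejects any key other than the original, so this is false after shredding.
func StaleCopyReadable(nonce, ciphertext, candidateKey []byte) bool {
	aead, err := newAEAD(candidateKey)
	if err != nil {
		return false
	}
	_, err = aead.Open(nil, nonce, ciphertext, nil)
	return err == nil
}

func main() {
	record := []byte("constructed sample: customer 12345, card ending 0000")
	obj, err := Store(record)
	if err != nil {
		panic(err)
	}
	pt, _ := obj.Read()
	fmt.Printf("before shred: %q\n", pt)

	backup := append([]byte(nil), obj.Ciphertext...) // a copy that outlives deletion
	obj.Shred()

	_, err = obj.Read()
	fmt.Println("after shred:", err)
	fmt.Println("backup readable with an all-zero key:", StaleCopyReadable(obj.Nonce, backup, make([]byte, 32)))
}
```

The point for CSP evaluation is the check in StaleCopyReadable: deletion assurance rests on the key, not on the ciphertext, so the questions to put to a provider are where per-object keys live, who can export them, and whether key destruction is logged, since a retained key undoes the guarantee no matter how many ciphertext copies were wiped.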

The Long Road to Cloud Security

FedRAMP can help organizations reduce costs, save time and maximize cloud-based resources. However, unlocking these benefits requires a significant investment of time and money. Companies must be extremely thorough when evaluating cloud providers, and true compliance requires many more steps than the ones listed above. But these insights can give organizations seeking to do business with government agencies in the cloud a head-start on the long road to cloud security.

The post 10 Steps to Evaluate Cloud Service Providers for FedRAMP Compliance appeared first on Security Intelligence.

Many businesses lack proper plan for alerting customers to a data breach

This is despite GDPR being clear that organisations need to notify victims of a data breach within 72 hours. Less than a fifth of organisations are fully prepared to notify customers

The post Many businesses lack proper plan for alerting customers to a data breach appeared first on The Cyber Security Place.

Three IT steps to make your GDPR compliance journey smoother

Is your organisation prepared to comply with the upcoming regulation? Businesses are constantly having to overcome the various obstacles that come their way — some might argue this is a large

The post Three IT steps to make your GDPR compliance journey smoother appeared first on The Cyber Security Place.

In 2018, Data Security Is No Longer an Underdog

Underdogs are on everyone’s mind these days, especially with so many winter sporting events just around the corner. Rooting for unexpected or undervalued players and seeing them come out on top is a satisfying, exhilarating experience that can lead us to adopt new perspectives and a greater sense of optimism and possibility.

In the enterprise security world, data security has traditionally been viewed as an underdog. Don’t get me wrong — data security is a necessary control to reduce risks, lower costs and support compliance. In fact, given the increasing number and sophistication of data breaches, explosion of sensitive data being exchanged across dizzyingly complex IT environments and mounting regulatory pressures across the globe, data security is more important than ever when it comes to protecting an enterprise’s crown jewels. This is reflected not only in the conversations I engage in with my own colleagues and clients, but also in market data and predictions. According to one recent report, the database security market alone is expected to grow to $7.01 billion by 2022, up from $2.96 billion this past year.

Even with all this in mind, data security is still not often thought of as a business driver — something that can actually increase revenue and facilitate positive results, rather than just protecting against loss. If we take a closer look at where technology is headed and where business needs are emerging, however, this perception changes. Data security, once an underdog, is becoming a strategic driver capable of enabling competitive differentiation for those who approach it with the right mindset.

Emphasizing Data Security Controls Enhances Customer Trust

According to the “2017 Cost of Data Breach Study,” failure to retain customers after a security incident accounts for a significant portion of costs incurred. Customers are making purchasing decisions based on trust that an organization will protect their privacy. Given the enhanced public scrutiny on the issue after multiple high-profile data breaches occurred in the past year, it’s fair to predict that this trend will continue into 2018 and beyond. In addition, new compliance regulations coming into effect underscore the need to protect the privacy rights of data subjects.

Building and maintaining customer trust is one of the most important — and challenging — things a company must do to maintain competitive advantage and enhance market share. A recent Deloitte study reported that 73 percent of consumers would reconsider using a company if it failed to keep their data safe, but only 51 percent would reconsider if they were charged a higher price for a similar product. Data security and data privacy can function as a competitive differentiator. By ensuring that they’ll keep customer information safe — or, better yet, safer than the competition — from external threats and internal prying eyes, organizations can attract security-savvy customers at a higher rate than competitors who fail to highlight these critical capabilities.

Robust Data Security Facilitates Digital Transformation

Another critical component in the race to capture and retain customers is the ability to accelerate digital transformation initiatives. We all know that digital transformation cannot occur without a mature security program in place to support it, but how does data security drive this transformation forward? If we look at this question through the lens of zero trust and security by design, data security’s centrality to digital transformation becomes clear: By securing the data itself, organizations are able to set it free.

Infusing data security everywhere throughout the organization can empower your mobile workforce, enable faster cloud migrations and assuage the threat of privacy or ethical violations that comes along with leveraging big data analytics. By adopting data security as a foundational element of digital transformation, organizations can attain it more quickly and activate the multitude of business benefits it touts.

Read the complete Forrester report: The future of data security and privacy

Data Security Is Now Top Dog

Enhanced customer trust, faster digital transformation and the revenue associated with both are just some of the ways in which data security can function as a business driver. As a result, these technologies are no longer the underdogs of the security world. As data security takes on a more central role to enabling businesses around the globe to reach their full potential, the question becomes, “What’s next?”

To learn more, download the Forrester Report, “The Future of Data Security and Privacy: Growth and Competitive Differentiation.”

The post In 2018, Data Security Is No Longer an Underdog appeared first on Security Intelligence.

Open Banking and PSD2: Disruption or Confusion?

If you’re not yet familiar with the concept of open banking, you’re not alone. U.K. consumer advice firm Which? reported that 92 percent of the public is unaware of the initiative, which officially launched on Jan. 13, 2018, to promote the use of application programming interfaces (APIs) to enable developers to build applications to augment banking services.

Open banking is the main driver behind the EU’s Revised Payment Service Directive (PSD2), which requires the largest financial institutions in the U.K. to release their data in a standardized format so that authorized third parties can share it more easily. Despite the lack of public awareness, this initiative has the potential to bring many benefits to the banking industry, including more valuable data insights and improved customer experience. However, it also introduces additional challenges from a cybersecurity, antifraud and data protection perspective.

A Brief History of Open Banking

In October 2015, the European Parliament revised its original Payment Services Directive (PSD1) to get the open banking ball rolling. A year later, the U.K. Competition and Markets Authority (CMA) identified competition concerns in the retail business and consumer current account markets. The agency subsequently issued a ruling that is consistent with PSD2, requiring the nine largest banks in the U.K. to grant licensed providers access to certain types of data. The open banking initiative is designed to comply with PSD2, providing the legal framework for the CMA requirements.

In short, PSD2 aims to increase regulation between banks and approved third-party payment providers (TPPs) regarding data they hold, access and share. It grants these entities access to payment accounts that hold information related to credit cards, mortgages, loans, savings and more via APIs. Another goal of open banking is to increase choice, control and protection over how consumers manage financial transactions and help promote the ongoing development and innovation of digital payments.

TPPs are categorized as Payment Initiation Services Providers (PISPs) and Account Information Services Providers (AISPs). Banks may already fall into one or both categories, but the initiative opens the market to retailers, insurers, price comparison websites, utility providers, financial technology companies and more.

Key Concerns Related to Open Banking

PSD2 has the potential to be a catalyst for disruption in the banking and financial services industry, but there is widespread confusion about its purpose and benefit to customers. Let’s take a look at some of the key concerns related to open banking.

1. Ethics

Customers will begin to rely significantly on TPPs to ethically manage their financial transaction data. Some experts are concerned that third-party access to accounts and data will create opportunities for TPPs to intrusively profile customers. This profiling may increase predatory lending, where TPPs target vulnerable borrowers with invasive advertising to sell products and services. Access to financial data puts significant power in the hands of lenders.

2. Cybercrime

Providing access to multiple core banking platforms will significantly increase attack vectors for cybercriminals, meaning that banks will need to reassess and re-engineer their security controls and processes. Applying these controls on legacy IT systems may be extremely complex and costly. Conversely, some of the smaller new entrants may not be equipped with the expertise required to manage fraud, human error, identity theft and the loss of customer data.

3. Social Engineering

Cyberattacks will not be limited to exploiting technical vulnerabilities. Open banking may trigger an increase in social engineering attacks against customers who may be inexperienced using new technology platforms. Risks include phishing, malware, fraudulent apps, and physical theft or loss of endpoint devices that could provide access to third parties.

4. Compliance

As we have seen in recent years, not even highly regulated banks and financial services organizations are impervious to cyberattacks, and the aggregated customer data held and managed by TPPs via open APIs could be an easy target. There is an increased risk of information asymmetry, which could result in significant fines under various privacy regulations. Reputational risk is at stake if data is lost or tampered with in the chain of TPPs.

5. Privacy

The issues of consent, data privacy and permission need to be carefully reassessed. Consumers must fully understand what they are agreeing to, and where, when, how and with whom their data is being shared. According to McKinsey, “There is a fine line to walk: educating and empowering consumers without confusing, scaring or boring them.”

Potential Benefits of PSD2

Open banking also holds potential to bring numerous benefits to financial institutions and their customers. Below are some of the most significant.

1. Financial Control

Open banking and PSD2 will transform the banking sector much like the insurance industry changed after the emergence of price comparison websites. Customers will have greater visibility into and control of their finances to make efficient and meaningful decisions.

2. Security

PSD2 drives both PISPs and AISPs to embed security and privacy directly into the APIs they are designing and implementing. However, they must balance security and the user experience. Open banking also provides an opportunity for banks to reassess their business model and security posture.

3. Increased Competition

Open banking will generate increased competition between established providers and innovative new entrants aiming to make existing products more flexible, bespoke and convenient. These entities include the likes of Amazon, Apple, Google and Facebook, who have agility in their investment capabilities as well as an advanced technological architecture to utilize customer data insights at scale.

4. Fraud Reduction

Despite concerns of increased fraud, PSD2 enhances existing consumer protection rules through increased security requirements. This includes the mandatory use of strong customer authentication, such as two-factor authentication (2FA) with biometrics. The data gathered will be enriched to reduce the number of false positives, thus ensuring that the customer experience is not adversely impacted.

5. Innovation

Open banking will also help accelerate the use of blockchain and cryptocurrencies in mainstream financial services. As cryptocurrencies such as bitcoin and Ethereum progressively become acceptable forms of payment, providers can take the opportunity to embed cryptocurrency payment mechanisms in their open banking platforms.

Open Banking Gains Momentum

As we march into 2018, the open banking initiative will gain momentum as banks and financial services organizations in the U.K. change their security, antifraud, and privacy policies and controls to comply with PSD2. These policies must include strong governance as well as robust processes and technical controls to protect the privacy and security of customer data.

Like any initiative that introduces sweeping changes to an industry as vital as financial services, PSD2 will come with its fair share of growing pains. However, organizations that embrace open banking and tailor their security strategies accordingly will unlock the benefits of shared data for their business and their customers.

Read the white paper: Harnessing the power of open banking

The post Open Banking and PSD2: Disruption or Confusion? appeared first on Security Intelligence.

Data Privacy Concerns Cause Costly Sales Delays

Recent research suggested that organizations around the world are struggling to keep up with their sales goals due to data privacy concerns.

According to Cisco’s “2018 Privacy Maturity Benchmark Study,” which analyzed the importance of privacy processes in the wake of forthcoming legislation, almost two-thirds of companies experienced substantial delays in their sales cycles due to challenges related to data privacy.

Delays to the sales cycle can have damaging results for businesses. Security professionals should assess data concerns in their own organizations and detail the potential benefits of tighter privacy processes.

Data Privacy Concerns Cause Massive Sales Delays

The report revealed that privacy-related issues forced 65 percent of businesses to delay their sales cycles for an average of 7.8 days in 2017. The good news is that firms with a mature approach to privacy suffered less impact. In fact, privacy-mature organizations suffered average deferrals of 3.4 weeks, as opposed to 17 weeks for less advanced firms.

These mature companies also reported reduced losses due to data breaches, SecurityWeek reported. In addition, just 39 percent of privacy-mature organizations lost more than $500,000, compared to 74 percent of companies with unsophisticated privacy processes.

In many cases, according to the report, the length of the sales delay depended on the privacy model adopted by the business. Organizations with centralized approaches, for example, suffered an average delay of 10 weeks, while those with decentralized resources were delayed for an average of seven weeks. Firms that adopted a hybrid mix of the two approaches managed to cut delays down to less than five weeks.

Average sales delays also varied considerably according to location and sector. The report suggested countries and industries with tighter regulations and higher customer expectations experienced longer delays. Latin America topped the list with an average wait of 15.4 weeks, followed by Mexico (13 weeks) and Japan (12.1 weeks). In terms of industries, government and healthcare organizations suffered the longest deferral times.

The Link Between Data Privacy and the Sales Cycle

The research highlighted the importance of strong data privacy processes. Simply put, privacy-mature organizations suffer shorter sales delays and experience lower losses from data breaches. It also emphasized the importance of making sure executives understand how data privacy concerns affect the sales cycle.

To reduce delays, businesses should:

  1. Ensure that salespeople have timely access to information on customer privacy concerns.
  2. Create teams to investigate customer privacy issues as they arise.
  3. Work with development teams to ensure that privacy is built in from the beginning.

In a press release accompanying the report, William Lehr, an economist at Massachusetts Institute of Technology (MIT), noted that the study provides “empirical evidence of the linkage between firm privacy policies and performance-relevant impacts.” He added that the research should help shape future understandings of privacy and cybersecurity.

As privacy regulations mount around the world, these insights will be valuable to help companies that handle customer data reduce sales delays.

The post Data Privacy Concerns Cause Costly Sales Delays appeared first on Security Intelligence.

The Future of IoT: What to Expect From Our Devices This Year

The beginning of the new year is always an exciting time for consumer technology enthusiasts. Business leaders, pioneers and forward-thinking companies gather in Las Vegas to showcase their latest devices at The International Consumer Electronics Show (CES), where next-generation innovations take center stage and the world gets a glimpse into the future of IoT. I had the pleasure of attending CES with my colleagues this year and was blown away by the breadth of technology showcased. While the innovations stretched across many industries, I’d like to focus on the recurring themes in home and personal technology and how we can secure ourselves through the gadget-filled year ahead:

Smart Homes Will Become “Smarter” 

My favorite devices are the ones designed to enhance the smart home. Companies are striving to advance technology and make our lives easier in the comfort of our homes. From smart thermostats to smart assistants, there is certainly no shortage of household innovation; and companies like Google and Samsung are making strides to contribute to the smart home ecosystem. During CES, Samsung pledged to make all of its devices “smarter” by 2020, linking together all devices via its SmartThings cloud. Meanwhile, Google announced that Google Assistant will now be built in (or compatible) with a range of household products including your smart doorbell and ceiling fan.

As our homes become increasingly connected, the need to secure our internet-connected devices is critical. More IoT devices mean more points of data to attack and leverage for cybercrime. Hackers have the ability to access your personal information through connected home devices, which poses a threat to your identity. Consider using a service with built-in security to ensure every device in your home is well protected, especially the ones that often fly under the radar. Secure routers and gateways can protect all of your connected devices, even the ones without screens.

Smart Technology Will Track Your Sleep 

Technology is even changing the way we sleep, with smart sleep solutions for consumers. At CES 2018, Terraillon announced HOMNI, a device designed to help improve a user’s sleep environment. This device tracks the sleeper’s movement, sending your sleep data to a free app so that users can see how well they’ve slept. There’s nothing technology can’t solve for, including a good night’s sleep. However, when it comes to our personal data, it’s wise to be aware of how your data is being tracked or used.

As the use of connected devices in our homes and personal lives grows, so does the need for security beyond your PC or mobile phone. Many of the devices that we welcome into our daily routine aren’t equipped with proper security controls. It’s important to remember that these connected devices often run on our personal information, information such as your name, age, location and, in this case, your sleeping habits. While a sleep tracker may collect your information with the intention of helping perfect your sleeping patterns, it has the potential to put your information in places that you might not intend. This is another example of why it’s exceedingly important to secure the connection at its source: your home.

“Ask Alexa” Will Live in Your Eyewear

Amazon Alexa has the ability to communicate with just about every connected device, so it’s no wonder that the Alexa Voice Service will have the ability to connect with your glasses soon, too. During CES, Vuzix announced that its latest pair of AR glasses, the Vuzix Blade, can communicate with Amazon Alexa. Blending augmented reality with an AI assistant’s functionality, this headset acts as a fully functional computer with the ability to send email and text notifications via Bluetooth through the processing power of Android and an unparalleled display.

Amazon Alexa has become a pseudo-family member in many households, offering assistance in the kitchen and even reading bedtime stories to children. To keep cybercriminals from gaining access to your personal data, be sure you enable an extra measure of security, like setting up a PIN code for your voice command purchases.

Adding an extra layer of security to your smart devices is key to becoming an empowered consumer in today’s day and age. By taking these extra steps you’ll be able to enjoy the benefits of a secured smart home.

Interested in learning more about IoT and mobile security tips and trends? Follow @McAfee_Home on Twitter, and “Like” us on Facebook.

The post The Future of IoT: What to Expect From Our Devices This Year appeared first on McAfee Blogs.

Top Four Challenges That Can Create Tough Sledding for Your Data Security and Compliance Program

Running a data security program can be an overwhelming and, at times, a thankless job. With one foot in the security world and the other in the database world managing the sources that hold sensitive information, database administrators (DBAs) are under constant pressure to:

  • Store more compliance- and data security-related information for longer periods of time.
  • Keep costs in line.
  • Deliver reports on operations, data security and compliance.
  • Extract meaningful analytics and insights faster than ever.

Top Four Data Security and Compliance Challenges for DBAs

We have examined these responsibilities and identified the most significant challenges DBAs are facing. Below are the top four.

1. Exploding Data Volumes

IDC predicted that the global data volume will expand to 163 ZBs by 2025 — a tenfold increase from the current volume — with most of that increase originating from enterprises rather than consumers. As data continues to expand across databases, file systems, cloud environments and big data platforms, data storage demands are evolving at a breakneck pace. Data security solutions are scalable, but they’re not infinitely scalable, and this creates many problems.

2. The Never-Ending Queue for Data Security and Compliance Reports

It’s not enough to meet compliance and data security requirements. DBAs are also expected to extract data that stakeholders need and deliver it on-demand. That takes time because of the huge volumes of data being stored today in data security platforms.

Additionally, enriching data security and compliance insights with data from other sources, such as Splunk, CyberArk and ServiceNow, can increase the storage requirement and create more of a bottleneck. The pressure to deliver rich, targeted reports on-demand is large and growing, and it can take away from the main task of focusing on data security and compliance activities.

3. Moving-Target Data Retention Requirements

Compliance mandates such as the Sarbanes-Oxley Act (SOX) now obligate organizations to store data for up to five years. The business’s own retention requirements add to data stores as well. Your data security solution was never meant to be a data storage solution, but these growing requirements create a new burden that can weigh it down. The result is slower performance as storage capacity and processing power are taxed, rising storage costs and frustration as you try to spend your way to better performance.

4. Making Sense of It All and Enhancing Insights

With data stored in so many places, it’s nearly impossible to cross-reference, sift through and deliver what management really wants: data security and compliance insights.

Turbocharge Your Sled With Greater Agility, Retention and Insights

Organizations with data security and compliance deployments that involve a lot of data can now enrich their IBM Security Guardium deployment with the power of a big data platform that is purpose-built for data security. IBM Security Guardium Big Data Intelligence allows you to augment your existing solution and quickly create an optimized security data lake that retains large quantities of historical data over long time horizons to deliver new, enriched insights while reducing costs and delivering nearly real-time reporting. Your data security solution still fulfills its pivotal role as a protection platform while the big data tool lends additional agility, supports longer data retention timelines cost-effectively and provides new context-aware insights.

A big data intelligence platform can also apply analytics and machine learning capabilities to all the information gathered and stored in the data lake to provide enrichment and additional context. Security teams can uncover new insights by evaluating this context-aware data over longer time periods. In addition, big data intelligence tools offer services such as noise cancellation and deduplication forensics, trusted connection profiling, privileged access reconciliation, data security-specific user behavior analytics (UBA) and more.

Another key benefit of big data intelligence is that it frees administrators to focus on data security and compliance issues. It also enables them to improve the organization’s security posture by providing authorized users, such as auditors and security analysts, with secure and direct access to the reports and enhanced insights they need almost immediately.

Case in point: Guardium Big Data Intelligence helped one customer retrieve a report derived from 16 billion records in approximately five seconds. Such solutions can help security teams perform analytics on context-aware data, optimize processes, free data by providing direct access to the users that need it, and reduce storage and operational costs. With the agility, retention and insights that big data intelligence provides, security leaders can unleash the full power of their data security solutions.

Learn More About Guardium Big Data Intelligence

The post Top Four Challenges That Can Create Tough Sledding for Your Data Security and Compliance Program appeared first on Security Intelligence.

The Reality of an Incoming C1 Cyberattack on the UK

“When, not if.”

Ciaran Martin, head of the U.K.’s National Cyber Security Centre (NCSC), used those words to say he expects a devastating cyberattack to hit the U.K. in the next two years. The attack, he believes, will bring disruption to British elections and critical infrastructure. These remarks were made in light of newly released figures detailing the number of cyberattacks on the U.K. in the last 15 months. Martin said the U.K. has been fortunate to avoid a so-called category one (C1) attack, broadly defined as an attack that might cripple infrastructure such as energy supplies and the financial services sector.

His prediction initially brings one thing to mind – WannaCry. The ransomware strain impacted 50 countries and infected more than 250,000 machines in just one day. Its exploits included a massive takedown of 16 U.K. NHS medical centers. WannaCry was rated by the NCSC as a C2 level of attack, milder than the C1 Martin says is still to come.

Organisations across the U.K. were unprepared when WannaCry hit last May, and there is no simple fix to protect everyone. Martin concedes total protection is impossible, stating “Some attacks will get through. What you need to do is cauterise the damage.” The NCSC has been gradually building defenses and is due to publish a 60-plus-page dossier outlining what has worked and what has not since it opened in October 2016. Defense is a responsibility that falls on all of our shoulders, and it begins with a new mentality: attacks are inevitable, and preparedness is vital to a “culture of security.”

There is a misconception that cybersecurity is an IT issue that affects systems, not ordinary people. The reality is that cybercrime hurts us all. A massive cyberattack impacts economies, governments, innovation, growth, even the global state of mind. If we all accept the reality of a potential C1 attack, we also accept the challenge to bond together in a new pact to protect the assets and values we hold dear. We must do this. It’s a matter of when, not if.

To learn more about the modern-day threat landscape, be sure to follow us at @McAfee and @McAfee_Labs.

The post The Reality of an Incoming C1 Cyberattack on the UK appeared first on McAfee Blogs.

The Unpatched Mind – How to Get Mental Security in A Digital Landscape

What is an unpatched mind?

First, view your body as hardware

If you’re a Star Wars fan (and you probably are), then you know what the HK-47 droid had to say about humans. He called us meatbags. It’s a term with a long history in SciFi circles. It appeared in Futurama as well.

HK-47 meant it as an insult, but it’s really far from reality.

All scientists agree on the fact that the body, human or otherwise, is a remarkable construct, one that runs with better than clockwork precision.

Even our brains run on electrical impulses (the activity an EEG records), firing in all directions and carrying tremendous amounts of information.

So perhaps, if HK-47 was better inclined towards us, he’d call humans meaty droids or meaty computers.

Sounds yucky but funny, right?

[Image: your body as a computer and the unpatched mind]


It also sounds true, because our minds are the prototype for software and what software wants to become.

After all, the entire machine-learning buzzword and phenomenon started because we wanted programs capable of learning information just like we do.

And because our minds are software, they also need to be regularly updated and patched for vulnerabilities.

Or else.


Read on and see what you need to patch your brain and what attacks against your well-being look like.

Or smell like, because we’ve seen pyramid schemes designed to both sell essential oils and steal personal data. So let’s dive in.

Now, treat your mind as software

Every document you ever wrote is the fruit of your mind’s labor.

Every photo you take with your phone or camera is a memory from your brain preserved in ones and zeros.

Every dollar you spend online or offline shopping is a dollar you made by working.

Reduced to its essence, working is basically renting out your cognitive capacities to an employer in exchange for a paycheck. So respect your mind and apply the latest security patches because, in this day and age, it’s critical.

An unpatched mind could be a useful term to describe a lot of the problems affecting people nowadays, especially in the digital context. We used it because we’re cybersecurity specialists and, well, the regular vocabulary is a bit different.

“All of our minds can be hijacked. Our choices are not as free as we think they are,” warns a former Google employee.

Think of a young, bright girl exposed to social media’s constant scrutiny.

Think about a programmer who spends so much time watching the news and worrying about the fate of his project that his mind spirals into negativity and actually affects that project.

Think of the pressure an older worker faces when having to search for a new job in a landscape constantly shifting its rules and requirements.

Scary, right?

A patch against fear

In meaty droid terms, fear is a security risk that will drive you to click a malicious, badly designed banner promising virus removal from your PC.

  • It will drive you to visit a dating website that’s actually a phishing attempt to capture your credit card data.
  • It will make you spend a lot of money on cryptocurrency and, because of the FOMO phenomenon (fear of missing out), it might just make you skip the warning signs and head to troubled waters.
  • It will lead to hopelessness, which, according to countless experts, is the reason for bad security practices and incidents like ransomware attacks and so on.
  • It will cause stress and that stress will have lasting effects on your hardware.
  • It will make you susceptible to influence.


If you give in to fear of technology, of ads, of conspiracies and so on, you will be vulnerable. If you know what makes you afraid, you’ll know exactly what and when to protect.

Let’s see a basic fear in action

For decades, multi-level marketing schemes (MLMs) have preyed upon women, religious persons, and individuals from underdeveloped areas. The phenomenon has been extensively documented and yet, once an MLM scheme falls, another three take its place. How can that be?

Unpatched minds that have fallen prey to fear. In other words, they’re emotional vulnerabilities exploited through insidious messages.

I’ve seen a close relative fall into selling cosmetics, essential oils and laundry detergents from various MLM schemes. Once she tried to convince me my mental health (!!!) would improve with a cleaner house. Fair, but she was promoting a vacuum cleaner that was more expensive than a newish car.

After being subjected to a dozen pitches, I noticed what she was saying was less about the products themselves, and more about what they would do for me as a person.



It’s a basic marketing technique, but it’s so pervasive and insidious that all of us should be aware of it. Here’s a not-so-funny gif, made by someone selling these techniques to other marketers.

All messages start with tangible benefits like “Pay off your debts” or “Get a bit of side cash”, but they soon escalate to target the emotional side by saying “Be empowered” or “Secure your independence”.

While I do not believe the MLM salesman necessarily has a nefarious intention, I do consider messages like “Be empowered” to be personal attacks. They’re cushy pillows hiding sharp and cutting knives.

In a normal conversation, a friend advising you to secure your independence is a lovely thing. If that friend advises you with the intention of selling something or recruiting you, it becomes troubling.

[Image: mlm 2]


See, it’s undeniable that women have had trouble establishing meaningful careers. Here comes the individual pretending to assuage her fears of losing her independence, but actually slowly poking at those vulnerabilities: “Earn more cash to be less of a burden” or “Maintain a bit of independence in your situation.”

Their lines are smoother, but this is the message, and vulnerable people fall for it hook, line, and sinker. It’s a very old marketing trick: identify pain points, then apply pressure.

Nowadays, another profitable target is tech-savvy individuals who, for various reasons, missed the boat when it came to investing in bitcoin. Sensing that fear of missing out, a lot of pyramid schemes and straight-up Ponzi schemes have popped up. They promise those people another opportunity at huge returns. They spread malware, steal funds and manipulate the markets.

[Image: fear of missing out, unpatched mind]


The individuals at the top of such schemes get there due to their knack for sensing vulnerabilities of the mind. Then they apply gentle pressure juuust where it hurts.

In their wake, a lot of people who signed up to be consultants, agents, investors and so on lose money, reputation, and precious self-confidence.

In the past, unbiased information was hard to come by. Nowadays, we’re lucky to access any information we need in a few seconds. And yet, pyramid schemes and other similar nefarious enterprises don’t show signs of going away. They’re here to stay as long as we allow fear to rule our decisions.

We haven’t found the magic bullet for that yet, but we have found the best first step to patching fear. It involves embracing fear, meeting the enemy head-on and avoiding “confirmation bias”.

With the current scandals on how social media ads influenced political events and how technology can be leveraged to effectively brainwash the masses, it’s even more important to step outside your comfort zone.

If you believe something to be true with all your heart, research the opposition. It will hurt to see others slamming the thing you believe in or you love deeply (it’s human nature, after all), but it will make you stronger.

With “fake news” spreading like wildfire through social media, research and exposure to alternate viewpoints are of the essence.

In cybersecurity, a lot of people are tricked daily by fake antivirus software or banners promising virus removal. They work precisely because the user fears a virus infection and will quickly click on the “remedy”.

All this could be avoided if the user keeps their cool and spends a few extra minutes researching the software before downloading or buying.

[Image: adware posing as antivirus, online scam]


Here’s another example that shows how researching the opposition will benefit you in all aspects of life.

If you love watching a TV show, type its name into Google and add “sucks”. You’ll probably find a few trolls but also a couple of great articles. You will also get a Eureka moment, I guarantee it.

Here’s why.

A coworker has probably said that your show sucks and maybe even given a few reasons why he thinks so. He wasn’t very convincing, and you probably thought he was rude.

Here is what happens when you research the opposition.

If you google “My show sucks”, you might end up on a piece written by a great editorialist. That piece will dissect your show into a million little pieces. He might not sell you his viewpoint, but you’ll definitely leave the piece with better insight into why a coworker said your show sucks. Next time you’ll maybe have a more productive discussion with him or, at least, be less irritated with his opinion.

What’s certain is that you just patched your mind against irritation.

And also upgraded your mind with more information, information that will act like an antivirus against annoyance or actual aggression.

After all, countless experts blame echo chambers as the reason for a lot of modern evil.

In the next chapter, I include one of the worst quotes with the most horrible implications to come out of the last US presidential election. It particularly highlights the dangers of echo chambers and why alternate viewpoints are mandatory. Especially if you want to patch yourself against unnecessary anger and irritation!

Basically, don’t be this guy.

[Image: confirmation bias comic, chainsawsuit]


This will also pave the way to the next vulnerability, the one you should close before proceeding online.

A patch against intrusion

“The trouble with having an open mind, of course, is that people will insist on coming along and trying to put things in it.”

Terry Pratchett


No, this doesn’t mean putting yourself in the echo chamber or the comfortable bubble of ignorance. It means selecting your information sources carefully and treating your brain like the advanced meaty computer it is.

[Image: an unpatched mind, your mind as a computer illustration]


If you know the answer to the question “What is cybersecurity?” then you probably know its core tenets to stay safe online.

Follow the cybersecurity tenets for your mind as well.

“The average person consumes more than 34 gigabytes of data outside of work each day. It amounts to around 100,000 words consumed via print, the Web, television and radio.”

Oh, by the way. The number above is from a 2009 study. What do you think is the correct figure today?

How many of those words are quality words?

At home, you’re scrolling through enormous amounts of information and you’re bombarded by ads. Once you step outside your door there are billboards waiting for you and newspaper headlines sounding the Doomsday bell.

If you’re shopping, your phone is sending location data to advertisers so they can target you with more relevant ads.

If you’re unlucky enough to live in a surveillance state, advertisers will serve malvertising or the government itself will try to spy on your habits via ads.

If you live in a developed nation, the government will probably do the same thing. Or a rival government.

This recently happened in the US during the elections, where a tech giant was accused of targeting ads on Facebook and Twitter to convince people not to go out and vote.

Those responsible bragged about the success of their social media campaign.

“We have three major voter suppression operations under way. They’re aimed at three groups Clinton needs to win overwhelmingly: idealistic white liberals, young women, and African Americans.”


On the other front, Russian troll farms toiled day and night to influence popular opinion on social media.

“Savchuk told me she shared an office with about a half-dozen teammates. It was smaller than most, because she worked in the elite Special Projects department. While other workers churned out blandly pro-Kremlin comments, her department created appealing online characters who were supposed to stand out from the horde.”



So you see, maybe you’re comfortable with targeted ads that just sell you better shoes or smarter devices.

Are you comfortable with targeted ads that want to depress you enough so you don’t leave your home and exercise your rights?

This is just in the context of politics. However, have you noticed the alarming rise of wellness tips, self-improvement articles and “educational” webinars in your feed?

Yes, they’re mostly shared by your friends. Did they create them? Probably not.

You see, the entire ecosystem of search engines and finding information online is (or was) built on consumer demand. In the early days the tech was weak and the demand for content was bigger than the supply. People wanted houses but there were few houses to go around. Once marketing got more involved, things changed, and not necessarily for the better.

Now, there are entire content mills that scan Google reports for any hint of demand. Then they flood the Internet with meaningless information just so they will have space for more ads. Bots retweet those ads on fake social media profiles.

Bots build houses so that people randomly wander into them and get tricked into seeing an ad for another house, while another bot steals their info. Writers meanwhile suffer through a combination of low paying jobs from content mills or their own work being drowned in a sea of useless information. Users fare no better.

This author has more than 1 million books to his name, all of them “written” through bots and algorithms.

Watch him in action detailing his process, patented in 2007. What do you think the tech looks like today?

“At least 55,000 of the accounts use the names, profile pictures, hometowns and other personal details of real Twitter users, including minors, according to a Times data analysis.”

Source: NYTimes on the rise of “follower factories” that steal people’s information to create armies of social media bots

We’re not against advertising, social media or technology or the mixture of all of these. That would be a dangerous combination of being a Luddite, paranoid and a bit hypocritical.

We’re humans, geeky, with a mission to do good that doesn’t stop at our own security product.

In cybersecurity terms, adware is one of the biggest threats to consumers, with billions of malicious ads being designed to deliver infections, steal credit card info and more.

As it is with designing our own product, we prefer a proactive approach to protecting our customers. That design philosophy stems partly from viewing the mind as a highly precious piece of software, one that holds a lot of information and needs constant support.

An unpatched mind can develop issues by being bombarded by low quality or insidious information, just like your browser without an ad blocker will probably assault your eyes with at least 10 banners per page. So what to do?

Our advice would be to constantly ask yourself these questions:

➡What is valuable?

➡Are you actually getting valuable information for your needs or just absorbing a stream of questionable insights?

➡Is all the advice designed to help you or is it just trying to monetize your attention?


Here’s an example:

Maybe you wanted to lose some weight, learn to play the mandolin or improve your mental health. Or maybe you did not want to play the damn mandolin, it’s a silly mini-guitar.

However, your online social circle keeps yapping about the benefits of mandolins and you clicked one of the articles. Now there’s an ad that keeps popping up on Skype for 70% off floral-printed mandolins. There was also a girl in your feed who looked amazing playing her mandolin in a poppy field.

And her mandolin was just a basic brown!



Maybe, just maybe, by purchasing a cooler mandolin, you’ll reap the benefits you keep hearing about AND get a few more likes.

If not, no biggie. After all, in the words of Macklemore, it was just 99 cents!

This is just an exaggerated example but we, as humans, are all susceptible to these types of influences. They stem from our innate need to improve and be appreciated, which is not bad in itself.

If you accept all these ads hawking self-improvement for the low price of 99 cents, before you know it, your mind will be like grandma’s browser. Yes, filled with so many useful extensions that they simply don’t work together and bog down the overall performance.

Moreover, this entire ecosystem built on intrusion can prey on those actually needing help.

“Deceptive practices are common in online rehab marketing, including Google and SEO scams that redirect callers away from legitimate treatment centers.”


As highlighted in the quote above, every purchase or mindless click sends a signal to malicious actors that you’re susceptible to a certain message.

Because your mind is valuable, they will target you with something worse.


A patch against attacks

I know you reasonably well. I also know why you’re here.


I can make a reasonable assumption without opening any of the dozens of tracking tools freely available online. Let’s just use common sense.

  • You’re here because you probably spend a lot of time and money online.
  • You have valuable data on your computer and probably connect your smartphone to your bank account.
  • You’re also knowledgeable or intelligent enough to always seek out new information.

How do I know this?

Well, you landed on this article, which means you’re interested in security, because this is a cybersecurity blog, and a relatively popular one if I might say so.

The bitcoin was just a wild guess because the cryptocurrency landscape is filled with malicious hackers wanting to steal money with no consequences. Any crypto enthusiast is or should be focused on cybersecurity, so they should land here.

If you came from Facebook, it means you either followed our profile or a friend linked you to us. Your friends reveal a lot about you because they tend to have common interests.

If I were cleverer, I’d probably infer a lot more about you, but I think that would be rude.

Malicious hackers try to get to know you the same way, but their intentions are vastly different from ours. Through a combination of social engineering and malware attacks, they go after your information.

[Image: how malware works]

We put together the above gif for you to better visualize how malware creators target your devices. The same principle applies to your mind.

What you keep on your devices are products of your mind, so they’re quantifiable in actual money.

This is why there are so many cyber criminals and families of ransomware out there.

They will get those dollars by locking your information and demanding a ransom, stealing your financial info or simply tricking you into spending money on something via adware.

You don’t need to fear them, but you do need to be aware.

Our advice is to actively research the best information from trusted sources, install the antivirus that cleans infected files, use the proactive solution that prevents new and adaptive malware from infiltrating your device and always update the software you use.

In short, to successfully navigate this digital landscape, avoid having unpatched devices AND, more importantly, avoid the dangers of an unpatched mind.


If you have other tips for maintaining good mental security, we’d love to hear them!

Feel free to leave a comment below. If you prefer to talk via email, you can also hit Reply when we send out new stories in our newsletter.

It’s time to get serious about email security

In today’s hyper-connected world, email is the foundation of every organization’s collaboration, productivity, and character. And despite annual rumors of its demise, there’s no reason to believe we’ll be writing its eulogy anytime soon. With its ubiquity and universal appeal, email is a treasure trove of sensitive business information. That’s why email leaks aren’t just data loss events. They’re direct attacks on your brand and reputation. Despite team collaboration and communication tools like Slack and … More

How can we avoid another record year for breaches and ransomware?

More than 14.5 billion emails laced with malware were sent in 2017 according to the annual Global Security Report issued by AppRiver. The majority of cyber threats were initiated in the US and persisted throughout the year, with significant peaks in August, September and October. In the first half of 2017, 1.9 billion data records were lost or stolen as a result of cyberattacks. This followed a tough year in 2016, when losses totaled $16 … More

WeLiveSecurity: Babies’ personal data hawked on dark web

The price puts the data records at a significant premium when compared to other stolen datasets. While, in general, many adverts in the dark recesses of the internet are fake, children’s personally identifiable information (PII) has for long been viewed as a particularly valuable commodity.

The post Babies’ personal data hawked on dark web appeared first on WeLiveSecurity



GDPR: Great Data Protection Rocks – Especially on Data Privacy Day

International Data Privacy Day might seem like an odd holiday, especially for businesses to observe. That’s what we thought about Earth Day, launched in 1970, and today companies around the world announce their public support every year. International Data Privacy Day marks the day – back in 1981 — that the Council of Europe recognized the importance of the right to privacy with a treaty. *

This Data Privacy Day, Jan. 28, finds Europe looking ahead to major new privacy rules in the form of General Data Protection Regulation (GDPR) to be enforced starting on May 25. And this has given us an opportunity to address privacy the way we have come to respect environmentalism. It’s everywhere, it’s everyone’s business, and it’s good business.

As I have worked to ready McAfee for GDPR, one thing I have learned is that it truly takes everyone to focus on the protection of data.  I’ve been privileged to meet and work with hundreds of my McAfee colleagues to sort out what GDPR prepared means to us, from security architects, lab folks, the product teams, and great messaging people.  It takes a city, not just a village, to get ready for GDPR.

This year, most data protection professionals will celebrate Data Privacy Day on Thursday, January 25th, just four months before the official enforcement date for GDPR.  One of my favorite things to come out of the many conversations about GDPR is a new slogan: Great Data Protection Rocks.  The slogan, compliments of our senior writer Jeff Elder, captures my thoughts perfectly — Great Data Protection is not just good digital hygiene and good technological maintenance. It’s an admirable, even cool, ideal, and it’s part of McAfee’s Culture of Security, described by chief executive Chris Young in December in New York. “Ten years ago, if I were to ask a CEO about cybersecurity, he might say, ‘Yeah, I’ve got some guy in IT that’s working on this.’ Now everybody cares and I think that’s going to make a big difference,” Chris told CNBC’s Jim Cramer.

He’s right: Security in general and data protection are not big, monolithic initiatives achieved with one initiative, but rather require the whole city to have a Culture of Security – and you don’t get that by writing checks, or by formulating one list of best practices. We won’t be washing our hands of data protection and putting a bow on top on Data Privacy Day, on May 25 when GDPR goes into effect, or ever. If that sounds ominous, you may be looking at it the wrong way.

My colleague Mo Cashman, Director of Sales Engineering and Principal Engineer, lays out the journey to real culture change: “First think of security strategy in terms of governance, people, processes and technology. Then consider the security outcomes you need to be GDPR-ready, and the relevant solutions.”

Great Data Protection means all of us being advocates for good practices. It means making sure you know where you are putting your data, and knowing what protections exist when you use cloud applications… It means saying no to an organization that wants to bypass privacy, security, or vendor practices and do a quick-and-dirty connection to your database or even your brand’s social media accounts. That’s not cool. It’s the equivalent of your company disposing of waste in environmentally harmful ways.

It’s also bad business because winging it every time you handle data is a waste of time and energy. Nailing down good practices that everyone can adhere to every time is economical in many ways. Making that effort a real and admirable value of your company is a beautiful thing.

I confess to being a bit of an International Privacy Day geek (my mother has it written on her calendar and calls and wishes me a happy day).  I generally get a cake and try to touch base with far-flung data protection colleagues.  But the early companies that embraced Earth Day look good now. If Great Data Protection Rocks seemed a little dorky in 2017, I’m good with that. We’ll keep your data safe until you come around.

For additional information about GDPR please visit our Solutions Page, or join in on the conversation by following @McAfee or @McAfee_Business on Twitter.

*  The treaty, the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, anticipated the cross-border transfers of data that we take for granted now.

The post GDPR: Great Data Protection Rocks – Especially on Data Privacy Day appeared first on McAfee Blogs.


McAfee Blogs: Key Considerations for Consumers Around Data Privacy

It’s 2018 – and though we’re not living in the age of flying cars, we are living in an age defined by the digital lifestyle. In today’s new age of technology, consumers are sharing more online than ever before. But, are people thinking about the privacy they sacrifice when they overshare online? This is especially top of mind as Data Privacy Day is upon us, which is an international effort held annually on January 28th to create awareness about the importance of respecting privacy, safeguarding data, and enabling trust. Data Privacy Day acts as an important reminder for consumers to step back and consider the digital footprint they are leaving, and the potential sensitive data they are exposing to cybercriminals. Let’s take a look at the way data is shared in the modern era, and how much of a priority data privacy really is.

The impact of the Internet of Things

One of the biggest changes to the modern digital age is the introduction of the Internet of Things, or IoT devices. We sometimes refer to the growing number of IoT devices as the “Internet of Me,” because these connected devices run on our personal info more often than not. The information or action provided by IoT devices is typically based on your data. Take a fitness tracker as an example: it might need some personal details in order to customize a health plan and calculate your progress towards your health goals. This is just one example of the amount of data shared with IoT devices, but it reminds us that IoT devices put our personal information in more places than ever before, and potentially in more hands too.

Privacy as a priority

So, when it comes to keeping all of this data private – just how concerned are consumers? Well, per our recent survey, 43% of those surveyed feel like they lack control over their personal information. And another 33% are unsure to what degree they can control how companies collect their personal information.

What’s more — even though consumers are concerned about personal information and identity, only 37% of individuals use an identity theft protection solution, and 28% have no plans to sign up for an ID theft protection solution. Plus, despite the recent increase in breaches, 39% of respondents claim their concern about online security has remained the same or has decreased over the past five years.

How to protect your personal information

Now, the question is – what next? How can you channel the important takeaways from Data Privacy Day into your everyday life? Start by following these tips:

  • Think carefully about what you are posting/sharing. Are you broadcasting that you are out of town on social media? Are you giving that app or IoT device more information than it really needs? It’s important to be conscious about how and when you share your personal information online or with an app/service. It’s also a good security practice to only share personal data when it’s truly necessary.
  • Check your privacy settings. This is an easy one. If you are inclined to overshare personal information, make sure you adjust your settings so that you only share data when required, or only with people you know and trust.
  • Utilize an identity theft solution. With all this personal data floating around online, it’s important to stay aware of any attempts to steal your identity. Use an identity theft solution, such as McAfee Identity Theft Protection, that can help you protect your personally identifiable information from identity theft and fraud.

And, of course, stay on top of the latest consumer and mobile security threats by following me and @McAfee_Home on Twitter, and ‘Like’ us on Facebook.

The post Key Considerations for Consumers Around Data Privacy appeared first on McAfee Blogs.


Your Back To School Tech Plan

I am such a fan of school holidays! No music lessons, no sport, no commitments. Bliss!! The crazy school term routine is no more and people can just ‘be’. Marvellous!! But all good things must come to an end. So, unless you want the police knocking on your door, the kids must go back to school. Ughh! So much to do. Where to start?

So, there’s shoes, uniforms, enrolments in music, drama and sport, haircuts, stationery and then of course, all things technology! Ah yes, the ‘t’ word. When you’re juggling work, running a house and a tribe of kids, managing your kids and their tech lives can be overwhelming. But as parents, it is essential that we take the time to make sure we have all things technology covered for our kids.

What Are The Main Risks Kids Face Online?

The internet, our connected devices and online activity are such a huge (and permanent) feature of our modern lives. As parents, we owe it to our kids to make sure we can prevent some of the dangers associated with a connected life. Whether it’s phishing scams, online predators, oversharing, downloading malware, falling for an online scam or worst case, becoming the victim of cyberbullying, teaching our kids how to navigate some of the perils of the online world is essential.

How Can I Help My Kids Navigate Online Dangers?

Without a doubt, the absolute best way of protecting our kids is taking the time to better understand how the online world really works. And I understand that means time – something many of us just don’t have. But if you could scan the tech news of your favourite online news site every day and then allocate 20 minutes each week to research a new app or social media platform, you’d be surprised how quickly you could get yourself into good cyber parenting shape.

The Back To School To-Do List

But let’s keep it simple. It’s already January and there isn’t a lot of time left to get organised. So, here’s what I think you should focus on tech-wise to make sure you can cross technology off your ‘back to school’ to-do list.

1. Install Security Software On ALL Devices.

Many people invest in security software for their laptops, which is great. However, all devices need to be protected. Anything you can download on a laptop, you can download on a tablet or phone.

Many security software packages will include coverage for a ‘fleet’ of devices. McAfee® Total Protection software provides premium antivirus, identity and privacy protection for all your PCs, Macs, smartphones and tablets – in one subscription. Easy!

2. Know How To Connect Safely On Public Wi-Fi Networks.

Public Wi-Fi can be an extraordinarily risky affair, with hackers spending a lot of time developing ways to extract users’ personal information. If your kids absolutely must connect, ensure it is a secured Wi-Fi network, which means it requires a password. However, this is still not 100% safe, so no banking, financial or shopping transaction should be conducted on public Wi-Fi.

Why not consider investing in a Virtual Private Network (VPN)? A VPN provides a secure encrypted connection which means that anything you send or receive is safe. Check out McAfee’s VPN, McAfee® Safe Connect – it provides bank-grade Wi-Fi encryption, which means you can relax!

3. Schedule Regular Data Backups.

‘Losing’ a document is so frustrating! Avoid those late-night homework traumas and ensure your kids have regularly scheduled data backups for their main devices. You could choose to back up to a hard drive, but I think an online backup service is probably easier to use. Whether it’s Google Drive, Dropbox or OneDrive – find an online provider and set this up BEFORE school projects get underway!

4. Ensure All Device Software Is Up-To-Date.

Software updates (and reminders) can be super annoying and interrupt the flow of a busy day. But keeping your software up-to-date is actually one of the best ways of protecting yourself from the latest online threats.

Why not select auto-updates for software on all your devices – including your smartphones? If your software doesn’t offer auto-updates, schedule a monthly reminder in your calendar to check for and install available updates.

5. Understand Your Child’s School BYOD Policy.

Make sure you understand the Bring Your Own Devices (BYOD) policy of your child’s school. Some schools require parents to be responsible (and pay) for repairs, insurance and online security associated with your child’s laptop or tablet; others will provide this for an annual fee. Please take the time to understand this before the school year starts and an issue occurs.

I know it may seem like a bit of work but taking these precautionary steps now means your kids are as protected as can be when enjoying their online lives and of course doing their homework this year! And make sure you also take the same steps to protect the adults (and their devices) in your house as well! They are just as important.

Here’s to a great school year!!

Take care,

Alex xx


The post Your Back To School Tech Plan appeared first on McAfee Blogs.

SecurityWeek RSS Feed: Seagate Patches Flaws in Personal Cloud, GoFlex Products

Seagate recently patched several vulnerabilities discovered by researchers in the company’s Personal Cloud and GoFlex products, but some weaknesses impacting the latter remain unfixed.

GoFlex Home vulnerabilities


GDPR: Whose problem is it anyway?

With the GDPR deadline looming on May 25, 2018, every organization in the world that transmits data related to EU citizens is focused on achieving compliance. And for good reason. The ruling carries the most serious financial consequences of any privacy law to date – the greater of 20 million EUR or 4 percent of global revenue, potentially catastrophic penalties for many companies. Compounding matters, the scope and complexity of GDPR extends beyond cyber security, … More

Data Risk Management, Part 2: Who Is Ultimately Accountable When a Big Breach Happens?

This is the second installment in a three-part series about data risk management. For the full story, be sure to read part 1.

High-profile cyberattacks and data breaches shine a spotlight on an infrequently discussed organizational issue: Who is ultimately responsible for the security of mission-critical data within the enterprise?

All too often, this question is examined in the heat of post-incident response to determine who should be taken to task. Who loses his or her job for failing to protect sensitive information in the event of a massive breach? Is it the chief data officer (CDO), chief information officer (CIO), chief security officer (CSO), chief risk officer (CRO) or chief executive officer (CEO)?

Who Is Responsible for Data Risk Management?

By taking a more proactive approach to determining who should actually hold most of the responsibility and how that responsibility is divided before a data breach occurs, the C-suite can help avoid catastrophic breaches in the first place. Any such examination requires participants to agree on and understand the following:

  • Who owns the organization’s critical data/crown jewels?
  • Who knows where that critical data resides?
  • Who manages the security of that critical data?
  • Who decides what data is considered critical versus what data is deemed noncritical?
  • Who is accountable if the data is exposed?

By clearly defining lines of responsibility, it’s possible to enhance organizational processes and procedures that reinforce critical data protection. Although it’s not easy to discover all the different players who handle or are otherwise responsible for critical data, organizations can bring a greater level of accountability to those involved by identifying the players who have custodianship or a hand in accessing and processing that data. A holistic picture that provides answers to the above questions can help C-level executives cut through the complexity to better focus on managing critical data risk.

Why Is Critical Data so Hard to Defend?

For many organizations, targeted risk management will require a significant change in their current processes. It’s not uncommon for executives to assign line-of-business (LOB) managers the task of determining the acceptable risk level. Without a big-picture view of critical data risk, however, the risk is equated with not meeting financial or other business objectives rather than avoiding data threats. Spreading the task of managing data risk across multiple units, departments and stakeholders means there is no clear line of accountability.

The diffusion of responsibility for managing data risk also makes it impossible for the chief information security officer (CISO) and his or her team to prioritize securing the organization’s crown jewels. Few cross-organizational security teams actually know where the most critical data is located, and they often lack a complete understanding of what data would do the most damage if it were compromised. Without that insight, security teams have to treat all digital assets equally, essentially taking a boil-the-ocean approach to data protection.

Data Risk Management Is a Team Effort

By answering the questions listed above, organizations can determine who owns the most critical data. They can then team those data owners with IT security practitioners to prioritize protection. Data owners can take responsibility for creating the policies for what the data risk level should be and to what extent data should be protected. The CISO’s team can then take responsibility for the technical implementation and communication of these data security and privacy policies. Sharing that context allows the security team to understand what it is protecting and begin the process of prioritizing discovery, classification, hardening and monitoring mission-critical data.

Finally, the entire C-suite must be able to track the status of data risk via analytics that explain it in the context of the organization’s business objectives. Data risk management should be a proactive engagement for all members of the C-suite. But at the end of the day, it’s the CEO who should take ultimate responsibility.

Watch the on-demand webinar: Do You Speak Risk? Bring Data Security to the C-Suite

The post Data Risk Management, Part 2: Who Is Ultimately Accountable When a Big Breach Happens? appeared first on Security Intelligence.

A Transparent Review of Data Security in 2017

Data Privacy Day is right around the corner! This international celebration occurs on January 28 and promotes advocacy for privacy and data security awareness — particularly the protection of personally

The post A Transparent Review of Data Security in 2017 appeared first on The Cyber Security Place.

Misconfigured Jenkins Servers Leak Sensitive Data

A researcher has conducted an analysis of Jenkins servers and found that many of them leak sensitive information, including ones belonging to high-profile companies.

London-based researcher Mikail Tunç used the Shodan search engine to find Jenkins servers accessible from the Internet and discovered roughly 25,000 instances.


Applying the Principles of Quantum Entanglement to Secure Communication

Have you seen the Jackie Chan movie “Twin Dragons” or its remake, “Judwa,” with Bollywood star Salman Khan? The story is about twin brothers who are entangled with one another despite having been separated at birth. The entanglement causes each brother to feel and experience the actions and sensations of the other, and the quality of the connection diminishes with increasing distance.

This connection is quite similar to Albert Einstein’s theory of quantum entanglement. In simple terms, here’s how it works: Two quantum particles (atoms, photons or ions) become correlated with each other, meaning that if one particle changes its state, the entangled particle will undergo the same change. Therefore, by measuring one particle, you can also determine the state of the other.

Unlike in the movies, this quantum entanglement phenomenon can occur at any distance — even from opposite sides of the universe. The change of state happens instantly. Without quantum particles, this communication would need to travel many times faster than the speed of light, which, according to the theory of relativity, is impossible. For this reason, Einstein himself rejected the phenomenon as “spooky action at a distance.”

Applying Quantum Mechanics to the Three Pillars of Secure Communication

Researchers are currently studying quantum entanglement for possible applications to secure communication. This type of communication is built on three key principles: nonrepudiation, confidentiality and integrity. Let’s take a closer look at these components.

1. Nonrepudiation

While quantum mechanics can facilitate trusted communications, untrusted transactions still need to ensure nonrepudiation. This means that several different entities must verify the digital signature of the sender. Therefore, a quantum intermediary is still required for untrusted communications in which nonrepudiation is possible and can be exploited. Quantum digital signatures require the message recipient to have a copy of the sender’s public key. The exact identity of the recipient is only known to the sender.

2. Confidentiality

Communication through the public key encryption system can only ensure confidentiality or nonrepudiation at a given time. The public key is used to encrypt the message, which can only be decrypted by the receiver’s private key. Although the confidentiality is maintained, the nonrepudiation of the sender cannot be established.

Similarly, when the sender encrypts a message using his or her private key, nonrepudiation is maintained but confidentiality cannot be established. The number of public keys for the distribution of quantum digital signatures must be limited to be secure. If the public key is allowed only one time, then the communication becomes confidential and secure. However, this is a costly solution.

3. Integrity

If an eavesdropper tries to measure the state of a photon, the laws of quantum mechanics cause the entangled particles to lose their magic connection. This property makes the communication secure, since any attempt to eavesdrop would change the state of the particle and thus be exposed.

How does a quantum particle change its state in response to a change in the other entangled particle? What if an organization discovers the mechanism of communication and uses this knowledge for malicious purposes, such as spying on communications? The problem is that the mechanism of communication is not completely known. Particles don’t just magically change states without a medium.

It will take time, but the medium for this type of communication will eventually be discovered. The situation is similar to Einstein’s 1916 speculation about gravitational waves, a phenomenon that was first detected nearly 100 years later.
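A classical simulation of the eavesdropper-detection argument above, added here as an illustration and not part of the original article: it models an entanglement-based key exchange (BBM92-style) by its outcome statistics only, so it is not a quantum simulator. Alice and Bob measure in random bases, sift on matching bases and compare a sample to estimate the error rate, which an intercept-resend eavesdropper raises from 0 to about 25%; the noiseless channel and the 11% abort threshold are assumptions.

```python
import random

BASES = ("Z", "X")  # two measurement bases, e.g. rectilinear and diagonal


def measure(state_basis, state_bit, meas_basis, rng):
    """Classical stand-in for measuring a photon prepared as |state_bit>
    in state_basis. Same basis: outcome is certain. Other basis: 50/50."""
    if meas_basis == state_basis:
        return state_bit
    return rng.randint(0, 1)


def run_protocol(n_pairs, eavesdrop, seed=1):
    """Simulate n_pairs entangled pairs. Returns (sifted_key_length, qber).

    Alice measures her photon first; the pair collapses so Bob's photon is
    in the same basis/bit. An intercept-resend eavesdropper (assumed model)
    measures Bob's photon in a random basis and forwards a fresh photon in
    that basis, which is what destroys the correlation Bob expects.
    """
    rng = random.Random(seed)
    alice_bits, bob_bits, matching = [], [], []
    for _ in range(n_pairs):
        a_basis = rng.choice(BASES)
        a_bit = rng.randint(0, 1)  # Alice's outcome is intrinsically random
        # Bob's photon is now correlated: |a_bit> in basis a_basis.
        chan_basis, chan_bit = a_basis, a_bit
        if eavesdrop:
            e_basis = rng.choice(BASES)
            e_bit = measure(chan_basis, chan_bit, e_basis, rng)
            # The resent photon carries Eve's guess, not the original state.
            chan_basis, chan_bit = e_basis, e_bit
        b_basis = rng.choice(BASES)
        b_bit = measure(chan_basis, chan_bit, b_basis, rng)
        alice_bits.append(a_bit)
        bob_bits.append(b_bit)
        matching.append(a_basis == b_basis)
    # Sifting: bases are compared publicly; only matching rounds are kept.
    sifted = [(a, b) for a, b, m in zip(alice_bits, bob_bits, matching) if m]
    errors = sum(1 for a, b in sifted if a != b)
    qber = errors / len(sifted) if sifted else 0.0
    return len(sifted), qber


def eavesdropper_detected(qber, threshold=0.11):
    """Ideal pairs give QBER 0; intercept-resend pushes it to ~25%.
    Roughly 11% is the usual abort bound for BB84-type protocols."""
    return qber > threshold


if __name__ == "__main__":
    for eve in (False, True):
        n, q = run_protocol(4000, eavesdrop=eve)
        print(f"eavesdrop={eve}: sifted={n} qber={q:.3f} "
              f"abort={eavesdropper_detected(q)}")
```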

A Bright Future and a Long Road Ahead

The quantum technology used for data security comes with plenty of implementation challenges. The concept is still being researched and use of the technology requires costly infrastructure. In addition, long-distance surface communications are impeded by the Earth’s curvature and the limitations of fiber communication. This means that quantum transactions might require satellite technology to be effective.

On Sept. 29, 2017, the Austrian and Chinese academies of science used a key generated through quantum entanglement to conduct secure communication between two stations 700 miles apart. The successful test augurs well for the future of communication, but there is still much ground to cover when it comes to employing the principles of quantum mechanics to data security.

The post Applying the Principles of Quantum Entanglement to Secure Communication appeared first on Security Intelligence.

Ransomware Decryption Tools – Unlock Your Data for Free

If your computer gets infected with ransomware, here is how to recover your data:

Step 1: Do not pay the ransom because there is no guarantee that the ransomware creators will allow you to recover your data.

Step 2: Find any available backups you have.

Step 3: If there are no back-ups, you will need to try to decrypt the information locked by ransomware by using the best ransomware decryption tools available.


In this anti-ransomware guide, we included these tools below and a very useful checklist to avoid all types of malware. Use the links below to navigate through it.

How to identify the ransomware you’ve been infected with
Ransomware decryption tools
Explanation on ransomware families and tools for decryption
How to avoid ransomware in the future
Quick checklist for ransomware protection

How to identify the ransomware you’ve been infected with

Sometimes, the ransom note says what type of ransomware your files have been encrypted with, but it can happen that you don’t have this information at hand. Readers have asked us to show which encryption extensions belong to which ransomware families. Many of these extensions signaled new types of encrypting malware, for which there are no decryptors available.

If you need help with identifying what ransomware your system has been infected with, there are two tools you can use:

Crypto Sheriff from No More Ransom

ID Ransomware from MalwareHunter Team

Please read the terms and conditions specific to these tools before using them.

Ransomware decryption tools – an ongoing list

As a disclaimer, you should know that the list below is just a starting point. Use it, but do a bit more research as well. Safely decrypting your data can be a nerve-wracking process, so try to be as thorough as possible.

We’ll do our best to keep this list up to date, but it’ll probably never be definitive. Contributions and suggestions are more than welcome, as we promise to promptly follow up on them and include them on the list.

Some of the ransomware decryption tools mentioned below are easy to use, while others require a bit more tech knowledge to break. You can try asking for help on one of these malware removal forums, which feature tons of information and helpful communities.

OpenToYou decryption tools

Globe3 decryption tool

Dharma Decryptor

CryptON decryption tool

Alcatraz Decryptor tool // direct tool download

HiddenTear decryptor (Avast)

NoobCrypt decryptor (Avast)

CryptoMix/CryptoShield decryptor tool for offline key (Avast)

Damage ransomware decryption tool

.777 ransomware decrypting tool

7even-HONE$T decrypting tool

.8lock8 ransomware decrypting tool + explanations

7ev3n decrypting tool

AES_NI Rakhni Decryptor tool

Agent.iih decrypting tool (decrypted by the Rakhni Decryptor)

Alcatraz Ransom decryptor tool

Alma decrypting tool

Al-Namrood decrypting tool 

Alpha decrypting tool

AlphaLocker decrypting tool

Amnesia Ransom decryptor tool

Amnesia Ransom 2 decryptor tool

Apocalypse decrypting tool

ApocalypseVM decrypting tool + alternative

Aura decrypting tool (decrypted by the Rakhni Decryptor)

AutoIt decrypting tool (decrypted by the Rannoh Decryptor)

Autolocky decrypting tool

Badblock decrypting tool + alternative 1

BarRax Ransom decryption tool

Bart decrypting tool

BitCryptor decrypting tool

BitStak decrypting tool

BTCWare Ransom decryptor

Chimera decrypting tool + alternative 1 + alternative 2

CoinVault decrypting tool

Cry128 decrypting tool

Cry9 Ransom decrypting tool

Cryaki decrypting tool (decrypted by the Rannoh Decryptor)

Crybola decrypting tool (decrypted by the Rannoh Decryptor)

CrypBoss decrypting tool

Crypren decrypting tool

Crypt38 decrypting tool

Crypt888 (see also Mircop) decrypting tool

CryptInfinite decrypting tool

CryptoDefense decrypting tool

CryptoHost (a.k.a. Manamecrypt) decrypting tool

Cryptokluchen decrypting tool (decrypted by the Rakhni Decryptor)

CryptoMix Ransom decrypting tool

CryptoTorLocker decrypting tool

CryptXXX decrypting tool

CrySIS decrypting tool (decrypted by the Rakhni Decryptor – additional details)

CTB-Locker Web decrypting tool

CuteRansomware decrypting tool

Damage ransom decrypting tool

Dharma Ransom Rakhni decryptor tool

DeCrypt Protect decrypting tool

Democry decrypting tool (decrypted by the Rakhni Decryptor)

Derialock ransom decryptor tool

DMA Locker decrypting tool + DMA2 Locker decoding tool

Fabiansomware decrypting tool

Encryptile decrypting tool

FenixLocker – decrypting tool

Fury decrypting tool (decrypted by the Rannoh Decryptor)

GhostCrypt decrypting tool

Globe / Purge decrypting tool + alternative

Gomasom decrypting tool

Harasom decrypting tool

HydraCrypt decrypting tool

HiddenTear decrypting tool

Jaff decrypter tool

Jigsaw/CryptoHit decrypting tool + alternative

KeRanger decrypting tool

KeyBTC decrypting tool

KimcilWare decrypting tool

Lamer decrypting tool (decrypted by the Rakhni Decryptor)

LambdaLocker decryption tool

LeChiffre decrypting tool + alternative

Legion decrypting tool

Linux.Encoder decrypting tool

Lock Screen ransomware decrypting tool

Locker decrypting tool

Lortok decrypting tool (decrypted by the Rakhni Decryptor)

Marlboro ransom decryption tool

MarsJoke decryption tool

Manamecrypt decrypting tool (a.k.a. CryptoHost)

Mircop decrypting tool + alternative

Merry Christmas / MRCR decryptor

Mole decryptor tool

Nanolocker decrypting tool

Nemucod decrypting tool + alternative

NMoreira ransomware decryption tool

Noobcrypt decryption tool

ODCODC decrypting tool

Operation Global III Ransomware decrypting tool

Ozozalocker ransomware decryptor

PClock decrypting tool

Petya decrypting tool + alternative

Philadelphia decrypting tool

PizzaCrypts decrypting tool

Pletor decrypting tool (decrypted by the Rakhni Decryptor)

Pompous decrypting tool

PowerWare / PoshCoder decrypting tool

Popcorn Ransom decrypting tool

Radamant decrypting tool

Rakhni decrypting tool

Rannoh decrypting tool

Rector decrypting tool

Rotor decrypting tool (decrypted by the Rakhni Decryptor)

Scraper decrypting tool

Shade / Troldesh decrypting tool + alternative

SNSLocker decrypting tool

Stampado decrypting tool + alternative

SZFlocker decrypting tool

Teamxrat / Xpan decryption tool

TeleCrypt decrypting tool (additional details)

TeslaCrypt decrypting tool + alternative 1 + alternative 2

TorrentLocker decrypting tool

Umbrecrypt decrypting tool

Wildfire decrypting tool + alternative

WannaCry decryption tool + Guide

XData Ransom decryption tool

XORBAT decrypting tool

XORIST decrypting tool + alternative

Explanation on ransomware families and tools for decryption

As you may have noticed, some of these ransomware decryption tools work for multiple ransomware families, while certain strains have more than one solution (although this is rarely the case).

From a practical perspective, some of the decryptors are easy to use, but others require some technical know-how. As much as we’d want this process to be easier, that isn’t always the case.

No matter how much work and time researchers put into reverse engineering cryptoware, the truth is that we’ll never have a solution to all of these infections. It would take an army of cyber security specialists working around the clock to get something like this done.

How to avoid ransomware in the future

Being pragmatic doesn’t mean adopting a pessimistic outlook. In fact, if you apply the simple steps we outlined in the anti-ransomware security plan, you can avoid this kind of attack and the need to use ransomware decryption tools to recover your data.

Even if cyber criminals do manage to infect your PC, you can just wipe the system clean and restore your latest backup. No money lost and, most importantly, no important information compromised! So, please, please back up your data. Not tomorrow, not this weekend, not next week. Do it today!

I hope that it will solve some of your ransomware-related problems. Moreover, please think about sharing the simple principle of proactive protection with your friends and family. It could spare them the negative experience of being a cyber attack victim.

As new types of ransomware emerge, researchers decrypt some strains and others get new variants. There are tens or hundreds of them. Just like in a cat and mouse game, the chase never stops.

If this graphic were filled in with the discoveries up to 2018, you’d need a bigger screen (possibly three) to see it.

[Figure: ransomware discoveries timeline]

Source: CERT-RO

Believe it or not, there is a silver lining to ransomware’s popularity: the quality of the malicious code is steadily decreasing. As a result, cyber security specialists can crack the code faster. This gives ransomware victims a chance to retrieve their data without further funding attackers.

Unfortunately, low quality ransomware also endangers the affected data: one error in the code and it can all be erased instead of encrypted. But that’s a story for another time.

Quick checklist for ransomware protection

Instead, take the time to see how to avoid ransomware attacks with this essential sheet. How many check marks can you score?

[Figure: your anti-ransomware checklist]

This article was originally published by Andra Zaharia on October 5th, 2016 and was updated by Ana Dascalescu on January 18th, 2017.

Lacking Cloud Security Policies Leave 60 Percent of Data at Risk

Ninety-five percent of businesses have adopted some form of the cloud. But, according to recent research, securing cloud-based data remains a major concern.

A new study by Gemalto found that 77 percent of companies recognize the importance of security controls such as encryption. Although this number would seem to suggest a steady march toward more defensible cloud data, just 47 percent of companies queried in the report actually use encryption to secure their sensitive data. This creates a disconnect whereby good knowledge is not backed up by solid global policies, putting cloud data at risk.

The Evolving Cloud Security Challenge

Although 88 percent of survey respondents said they are confident that new global regulations will impact cloud governance and 91 percent believe that the need to encrypt data will become more important over the next two years, security practices don’t match the preaching.

On average, according to the study, just 40 percent of all data stored in the cloud is secured with encryption and key management solutions. Meanwhile, just 25 percent of IT professionals surveyed were “very confident” they knew the exact type and number of cloud services used by their business.

The hard truth here is that these aren’t great numbers — but they’re not exactly surprising, either. Consider the trajectory of the cloud. At first it was a disrupter, but now cloud services have become essential for day-to-day operations, application development and big data analysis.

Giving up the cloud is unthinkable, but the prospect of both securing distributed data and actively keeping track of every cloud-based application is overwhelming for many IT departments. As a result, global cloud policies rarely make it past the drawing board even as more cloud services are added to the corporate roster.

A Growing Cloud Infrastructure

There’s no shortage of cloud infrastructure investment. Google recently announced that it spent $30 billion over the last three years building up cloud infrastructure and now has plans for undersea cables connecting Chile and Los Angeles; the U.S., Ireland and Denmark; and Australia and Southern Asia.

In other words, companies already using the cloud will find it even more convenient to spin up new servers, deploy new applications and store more data. However, organizations with existing security issues will face even greater challenges — especially because 75 percent of survey respondents said it’s more complex to manage privacy and data protection regulations in the cloud than on-premises.

Navigating the Wild West of Cloud Policy

So how do companies grow with the cloud and ensure they’re acting responsibly when it comes to cloud security? It all starts with policy.

Right now, global clouds remain a kind of Wild West, where data unseen is data ignored, and applications roam freely across personal and corporate networks. Clamping down on security issues means drafting a global, cloud-specific policy that addresses emerging problems.

For example, many organizations are now writing policies that embrace the utility of shadow IT while placing it under the purview of IT departments. In effect, this allows employees to retain some control over their cloud environment while granting IT the final word.

Encryption policies, meanwhile, are best designed for new data. Enterprises should mandate that all data moving to cloud storage be properly encrypted, then provide the personnel and technological support to make this a viable outcome. After all, the enemies of great policy are poor budgeting and sky-high expectations. Post-storage encryption is a long-term project that is doomed to sink new policies if attached as a core component.

The bottom line is that companies understand the need for cloud security but lack the global processes to follow through. Better outcomes demand specific policies backed by budgets that accommodate both trained security professionals and cutting-edge cloud solutions.

The post Lacking Cloud Security Policies Leave 60 Percent of Data at Risk appeared first on Security Intelligence.

Why GDPR will drive a best practice approach

When GDPR was first discussed, many feared that it would force businesses to act more insular and become more defensive about their data. Some even believed there would be a counter-movement against the cloud with organisations taking back data into their internal systems. Thankfully, the reality has been very different. Instead we’ve seen a new willingness to work together with partners and specialist cloud providers. Now it looks likely that this collaboration will help to … More

Change Doesn’t Happen All at Once: Navigating the GDPR Transformation Process

Here we are at the beginning of 2018. And with the start of a new year, we often find ourselves thinking about making changes both big and small. So it seems especially fitting to turn our attention to the Transform phase of the IBM Security General Data Protection Regulation (GDPR) framework.

The goal here is to reach at least a minimum level of readiness before GDPR comes into effect on May 25, 2018. Ideally, that would include being ready to produce a privacy risk impact assessment. That’s one of the first items a regulator is likely to want to see — along with the assurance that you have validated processes and activities in place to sustain or refresh its status.

A secondary goal would be to demonstrate your readiness to address the GDPR Article 30 requirement for records of processing. To do so, you would need to at least be able to provide a summary inventory or catalog of the personal data that’s relevant to your business — including information about where it’s stored and processed and its lineage.


Start Slowly

In our two most recent blog posts, we discussed the process of deciding what you need to do and how you can do it. You’ve made some of the important decisions and it’s likely you’ve developed a plan. Now you should be ready to start implementing that plan. Note that I used the word “start.” That’s because the Transform phase is all about beginning to make your transformation toward GDPR readiness. It’s a slow and controlled rollout that allows you to take an incremental approach to making the changes you’ve deemed necessary.

Clearly, it’s not time to flip the switch just yet. But it is a good time to recognize that there may be problems. In fact, that’s the reason the Transform phase is one of the key elements of the framework. It gives you an opportunity to tease out the problems and determine what works and what doesn’t — in a controlled environment. Think of it as a road test on a closed track where your mistakes can be easily detected and aren’t likely to result in catastrophes.

Where to Begin?

In terms of GDPR privacy requirements, this is where you begin to implement and execute policies, processes and technologies, including those related to data subject access requests. And to meet GDPR security requirements, you should be starting to implement privacy-enhancing controls such as encryption, tokenization and dynamic masking.

You should also consider implementing required security controls, including access control, activity monitoring and alerting. In addition, you may need to mitigate any access risks and security vulnerabilities that you discover.

What Exactly Will You Be Transforming?

If you’ve already worked through the Assess and Design phases of the framework (which is likely at this point), you should have the answer. During those two phases, you would have identified your targets, decided your metrics, focused your team and agreed on a plan — because it will take a united effort to move forward.

Now is the time to start rolling out your new processes and procedures for meeting the GDPR privacy requirements. Start with a few and see what works for your organization.

At the same time, you can start rolling out your security-enhancing controls. Test them with a pilot team and determine what’s useful. And keep in mind that these may be major changes for some parts of your organization, which makes it your job to see that the transition to new policies and procedures goes as smoothly as possible.

How to Succeed

Frustration can come easily when you’re making a lot of significant changes to the way things are done. And while there isn’t any single right way to navigate the Transform phase, consider what I view as best practices to help you avoid unnecessary conflict at this point. Here’s a list of the most important ones:

  • Pay attention to your stakeholders. They’re the ones in the best position to spot problems and propose workable solutions.
  • Start with a solid project plan. That can help you identify potential issues and pitfalls before they impact the entire process.
  • Station a good team on the ground. They should be able to both see the big picture and know when to zoom in on the details.
  • Insist on active participants. You need a team of doers who are ready and eager to both do the work and communicate constantly.
  • Cultivate executive leadership support. It’s good to have the C-suite on your side when you need to make some tough decisions.
  • Set expectations. You know this is going to be a slow process and that things may go wrong; make sure everyone else knows it, too.
  • Communicate your vision early on. Be clear about what you want to see happen and about how you’ll define success.

So, yes, GDPR requires making a lot of changes. And, as you’ve likely figured out, some of those changes can be pretty complicated. But as we’ve been saying for some time now, with a clear understanding of what you need to do and a plan for doing it, you can resolve to make those changes happen.

Learn more about how IBM can help you navigate your journey to GDPR readiness with privacy and security solutions here and within a broader perspective at


Notice: Clients are responsible for ensuring their own compliance with various laws and regulations, including GDPR. IBM does not provide legal advice and does not represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation. Learn more about IBM’s own GDPR readiness journey and our GDPR capabilities and offerings to support your compliance journey here.

The post Change Doesn’t Happen All at Once: Navigating the GDPR Transformation Process appeared first on Security Intelligence.

5 Ways to Be Proactive When Protecting Your Personal Data

WannaCry, Equifax and Uber—in the wake of a data emergency, I often find myself hyperconscious of my online security measures: I immediately change my passwords, I’m careful about what emails I open, and what links I click. However, once the news cycle passes, I admit I fall back into my old habits, which aren’t always as secure as they should be. It’s important to incorporate good practices into your daily routine to keep your digital life safe even before a breach happens, and well after the latest hack becomes old news. Here are 5 simple ways you can help improve your online security.

Take a Break to Update

We all know how frustrating it can be to receive pop-ups for a software update when you’re busy. They can take time, slow down what you’re working on, and often seem unimportant. But, they are important. Updates fix bugs—bugs that potentially could leave your device vulnerable to an attack. In fact, operating systems and browsers require regular updates to stay on top of vulnerabilities. So, take the time to let the updates run as needed—think of it as investing time in your security.

Delete, Delete, Delete

Does your device have pages of apps that haven’t been used in months? If so, it’s time to delete. It’s a good security practice to take a minimalist approach to your application use, especially since some older apps may no longer be supported by the Google or Apple stores. Over time apps can get infected with malware and could be part of a larger data problem. Check the status of your mobile apps regularly, and delete them if they’re no longer supported in stores, and you haven’t used them in months.

Keep Your Private Passwords, Private

The age-old saying, “sharing is caring” should never apply to personal passwords. Last year’s survey showed that 59% of people were open to sharing their passwords. But when it comes to online safety, passwords should never be shared with anyone under any circumstance. It may be exciting to share the latest video streaming app with your friends and loved ones, but your privacy could be compromised. It’s simply not worth the risk, so keep your passwords to yourself.

Stay Current on Your URLs

Hackers are masters of disguise, and often hide behind convincing URLs to launch phishing attacks. Pay close attention before you click on a link — if the link looks “phishy,” go directly to the company site to confirm that the URL is legitimate.

Enlist Some Backup

As major data breaches continue to hit the scene, it’s important to be proactive in protecting your identity. Reviewing your account information, and setting up alerts if there’s a chance your personal data has been compromised, is a key part of securing that information. Consider using a comprehensive monitoring and recovery tool that can help you take action.

Interested in learning more about mobile security tips and trends? Follow @McAfee_Home on Twitter, and like us on Facebook.

The post 5 Ways to Be Proactive When Protecting Your Personal Data appeared first on McAfee Blogs.

Companies Around the World are Ramping Up for GDPR — Is Yours?

General Data Protection Regulation (GDPR) is coming. It’s a wide-ranging regulation that requires both heightened protection for personal data and thorough notification to any European Union (EU) data subject whose personal data is breached. This applies to living individuals on EU soil, both citizens and noncitizens alike.

The Clock Is Ticking for GDPR Compliance

A surprising number of organization leaders seem to be taking a wait-and-see approach to GDPR. They want to see just how the law’s provisions will be carried out in practice. That’s understandable, but it might not be wise. GDPR isn’t just a toothless suggestion. It’s a serious directive, and avoiding its penalties, which can range as high as 4 percent of an enterprise’s worldwide financial turnover, is going to be an important objective for any business that does business in the EU or with EU residents.

Read the Interactive Solution Brief: Ready, Set, GDPR

As of May 25, 2018, any enterprise that handles the personal data of EU residents will face stiff penalties for data handling practices that violate the new law. The wide scope of the regulation may come as a surprise to business leaders and IT professionals outside the EU, even ones accustomed to dealing with local or national regulations of their own. Of note is that where the data resides is irrelevant — what’s important is that it belongs to an EU data subject, even if the data itself is stored elsewhere. This seems understandable enough, though some businesses worldwide are either unaware or only dimly aware of the upcoming regulation.

Until the new regulation takes full effect in May 2018, organizations are expected to make the preparations they need to meet the demands it sets forth. During this period, you should pay special attention to the preparations companies similar to yours are making for GDPR compliance. This can help you avoid being blindsided by enforcement actions.

Name, Rank and Serial Number? Not By a Long Shot

Under GDPR, personal information that your company might routinely collect, such as customer demographics, requires intense care if it can personally identify an individual. Preparation for GDPR compliance means, first of all, an enterprisewide assessment of the kind of data your organization collects or holds. You’ll need to identify personal data or — perhaps the most efficient course — treat all personal data with the same heightened level of protection. The simplest course may well be to delete nonessential personal records entirely. Remember, the high price of noncompliance can turn unprotected personal records into toxic assets.

Under GDPR, enterprises will need to carefully steward any information that could be used to identify a covered individual, including information such as:

  • Name;
  • Unique identifiers, such as social insurance account numbers;
  • Location data that can be used to pinpoint an individual;
  • Email address and other contact information; and
  • Characteristics specific to the individual, such as political opinions, religion, physical details, and special categories of data such as genetic and biometric information.

Organizations will also be expected to comply with requests to erase data belonging to individuals who do not wish for it to be held. This provision is officially known as the right to erasure (sometimes more colloquially called the right to be forgotten).

Why GDPR Preparation Isn’t Just a Day at the Park

Preparing for GDPR compliance will take time, because GDPR calls for accountability as well as compliance.

In fact, one of the most challenging elements of meeting GDPR’s requirements is one of record keeping. Companies will not only have to appropriately classify and protect personal information, but they will also have to document their compliance with the regulation. They’ll need careful record keeping so they can meet the requirement to notify affected data subjects in the event of a breach. GDPR also requires that you maintain and enforce internal data policies — time frames for data retention, for example — and these should be articulated for all stakeholders.

Equally challenging for many organizations will be the adjustments they will need to make to their internal structure to meet GDPR mandates. Both personnel and practices will be affected. GDPR compliance, for example, may call for enterprises to designate a data protection officer to represent the interest of data holders in certain circumstances, such as where required by member state law or when processing special categories of data on a large scale.

What Should You Be Doing?

Best practices can be hard to describe in depth when they concern a regulation that’s not yet in full effect. But GDPR is concrete enough that some steps are easier to identify, for example:

  • Work together. Make sure every part of your organization — from legal to accounting to sales to customer service — is aware of the implications of GDPR and operates with the common goal of meeting its requirements.
  • Assess the impact. Survey all data you hold (from customers, employees or other individuals) for all the kinds of identifiers the law affects, and make protecting them a priority. This also includes business contacts, not just consumers.
  • Plan judicious data use and collection. Identify, as closely as you can, what data will be necessary for new and ongoing projects, and use the least amount of personal data possible. At the same time, test your procedures for meeting individuals’ requests for data access or erasure. Frugal use of data will help you avoid challenges to your data practices and help reduce the risk of a breach.
  • Create a notification plan. In the event of a breach, the ability to contact the supervisory authority within 72 hours and notify affected data subjects is critical. If you don’t report the breach or can’t reach the data subjects, you may face fines and other penalties, even when the breach is no fault of your own.

As wide-sweeping as it is, GDPR is ultimately a regulation that can be tackled like any other. We think the single best thing you can be doing about GDPR compliance is setting yourself and your team in motion rather than sitting on the sidelines.

Read the Interactive Solution Brief: Ready, Set, GDPR

Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients’ business and any actions the clients may need to take to comply with such laws and regulations. The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.

Learn more about IBM’s own GDPR readiness journey and our GDPR capabilities and offerings to support your compliance journey here.

The post Companies Around the World are Ramping Up for GDPR — Is Yours? appeared first on Security Intelligence.

Hackers increasingly target patient records as HCPs do little to protect data – research

One in five healthcare professionals has experienced breaches of patient data, yet many also say they’re “very confident” in their facility’s ability to protect that data against theft, according to a survey by University of Phoenix College of Health Professions.

Despite increased data breaches in all industries, only a quarter of registered nurses (RNs) have seen changes in the way their companies handle data security over the past year.

The data also reveals a worrying disconnect between healthcare professionals’ confidence in protecting sensitive patient data and the actual protection of that data.

Some 48 percent of RNs and 57 percent of administrative staff say they are “very confident” their institution can safeguard patient records against potential data theft. At the same time, only 25 percent of RNs and 40 percent of administrative staff cited data security and privacy improvements over the past year.

The University acknowledges that the healthcare industry is “one of the highest targeted by cybercriminals, due to its heavy reliance on technology and vast amount of available patient data.”

Research by Cryptonite NXT supports this claim. According to the company’s Health Care Cyber Research Report for 2017, stolen medical records make for a terrific extortion tool.

One example is the London Bridge Plastic Surgery data breach three months ago, when The Dark Overlord cybercriminal group hacked the high-profile clinic and stole graphic images of celebrities undergoing plastic surgery. The purpose behind the breach was believed to be extortion. No reports confirm this theory, but it’s possible the group got what they were after and kept a lid on it.

Dennis Bonilla, executive dean for the College of Information Systems and Technology at University of Phoenix, believes healthcare providers (HCPs) are “extremely susceptible to human error.”

“If one employee accidentally invites malicious malware into a system, the impact can be catastrophic. To limit the amount of breaches, cybersecurity governance must improve,” Bonilla said.

Again, the University’s findings can be easily supported with real-life examples. The WannaCry ransomware attack in May 2017 revealed just how easily malware could move laterally in a computer network.

As avid readers know, the UK’s National Health Service lost hundreds of thousands of patient records in the attack, which leveraged unpatched Windows computers. Patients with life-threatening conditions had to be put on hold, and the financial consequences to NHS were devastating.

On a positive note, nurses and staff administrators agree that additional support and training is needed for healthcare privacy and security. The survey also found that HCPs are taking some steps to better protect patient data, such as updated privacy and access policies, role-based access to sensitive information, and enhanced data surveillance.

Inspection of Electronic Devices: CBP Redraws Data Handling Borders

The rules that regulate the inspection of electronic devices at U.S. border entry points are changing. As noted by ABC News, almost 20,000 devices were inspected by border agents in 2016, and that figure rose nearly 60 percent to just over 30,000 devices last year.

Not surprisingly, the increased scrutiny and seizure of devices has digital privacy groups worried. How much power is too much when it comes to accessing personal electronic devices? A new directive from U.S. Customs and Border Protection (CBP) has redrawn basic data handling rules and placed restrictions on how agents manage specific searches.

CBP Intensifies Inspection of Electronic Devices

Under the old rules, agents were allowed to conduct device searches, which involved physically examining devices, viewing photos and messages, copying data and accessing information stored in the cloud, with or without suspicion.

According to Threatpost, the new directive divides such searches into two categories: basic and advanced. Basic searches can still be conducted without suspicion but are limited to viewing photos and messages and physically examining the devices. Advanced searches now require reasonable suspicion. Agents are allowed to “review, copy and analyze a digital device’s contents,” but not to access cloud data.

As noted by Lexology, while this is a significant change from prior policy, it is largely a reflection of a recent Federal Court of Appeals finding, which confirmed that “officers needed reasonable suspicion of criminal activity before they could justify a forensic search of a laptop seized at the border.”

It also doesn’t affect agents’ ability to seize devices with supervisor approval and hold them for a “reasonable period of time.” Typically, this period is no more than five days, but if CBP claims “extenuating circumstances,” the seizure could be extended indefinitely.

The Traveler’s Dilemma

There’s a real and growing need to manage the influx of digital data across U.S. points of entry, but tech-savvy travelers are understandably reticent to hand over their mobile devices. Travelers are used to having bags and briefcases searched, but digital devices often contain personal and business data that many are unwilling to share with anyone, including customs agents. Even under the new rules, basic searches are permitted without suspicion, and officers typically ask travelers to provide their passcodes to simplify access and speed evaluation.

As noted by the Electronic Frontier Foundation (EFF), travelers can limit their risk by leaving some devices at home and deleting data on devices they carry. It’s also worth noting that U.S. citizens cannot be denied entry to the country if they refuse to consent to device searches, but foreign visitors can be turned away.

Even with redrawn lines of authority, CBP agents still possess broad powers when it comes to the inspection of electronic devices. The requirement for reasonable suspicion and restrictions on accessing cloud data are solid starting points, but more work is required to balance the need for data security against the digital privacy of citizens.

The post Inspection of Electronic Devices: CBP Redraws Data Handling Borders appeared first on Security Intelligence.

Data Protection Bill Amended to Protect Security Researchers

The Government is to amend the data protection bill, in order to protect researchers who work to uncover cyber criminals, after fears were raised that the bill would accidentally criminalize legitimate research.

The post Data Protection Bill Amended to Protect Security Researchers appeared first on IT SECURITY GURU.

Don’t Get Scared — Get Back in Operation With the Right Incident Response Strategy

Incident response (IR) is a significant challenge because organizations are often shellshocked when faced with a cyberattack. IR teams may have the right skills to react to and resolve security events, but a lack of preparation can exacerbate the problem at hand. To carry out their missions quickly and completely, IR teams need unfettered access to network resources. But they also need to do a better job of communicating with and advising business leaders and other nontechnical stakeholders in the event of a breach.

Preparing for Disruption

Cyberattacks always come as a surprise. They could be discovered by a rank-and-file employee who receives a notification that his or her system is locked, along with a demand for a ransom payment. Or perhaps the security team detects a breach and takes action to halt the attack.

In either case, normal operations are likely to be interrupted. It’s bad enough that regular business functions are affected, but many employees have heard about similar attacks in which company data has been encrypted and subsequently never recovered. The additional anxiety about all their work being lost can put an entire company in panic mode.

Incident response teams need to get ahead of the next possible attack by letting employees know what to expect and what to do when they are faced with an interruption. The specifics of this information will be different for every company, but it should cover the basics of what happened and what could happen next.

Assembling Incident Response Experts

An IR team typically includes an IR manager, security analysts and threat researchers. But because intrusion incidents can affect a wide segment of the enterprise, additional people and departments need to be advised regularly and included in IR activities. The level of inclusion will vary based on the particular incident and the functions affected, so the IR team must work in a cross-functional mode that varies as conditions change.

The IR team should start by requesting participation from specific business units, including upper management, public relations, human resources, risk management and general counsel. Each department needs to have basic information about what kinds of incidents could affect the company and what their roles might be.

Standard disaster recovery protocols, including contact details and alternate assignees, need to be available, and every contact must receive updates. By the time an incident arises, it’s too late to assemble a team and bring it up to speed. Each business unit should have a clear understanding of its role prior to a security event, and the IR team should announce the incident with sufficient detail so that employees can react appropriately.

Staying Ahead of Unpredictable Threats

Preparation makes responding to incidents more manageable. But like any other disaster recovery effort, unanticipated issues are likely to make the job of the IR team more laborious and time-consuming. The IR team should have full network visibility at the same level as the security team. Otherwise, hidden segments are just as likely as any other to become active distributors of attacks.

The IR team should also have access to packet-based network forensics, the training necessary to put that information to use and the storage space to collect suspicious packets. Analysts don’t have time to look through every potentially problematic packet when they are simply trying to recover from an attack. After the system has been reinstated, however, the team can investigate those saved packets for clues as to the cause of the most recent incident. This will also help predict attacks that may be lurking on the network but have yet to execute.

Cyberattacks are inevitable, but a properly prepared incident response team can minimize their effects. It is also key to getting operations back to normal, helping the organization avoid significant downtime, data loss and the reputational damage that comes with them.

Listen to the podcast: Get Smarter About Disaster Response — 5 Resolutions for 2018

The post Don’t Get Scared — Get Back in Operation With the Right Incident Response Strategy appeared first on Security Intelligence.

UK Data Protection Bill Changes Would Help Protect Security Researchers

Proposed amendments to the United Kingdom’s Data Protection Bill would help protect security researchers working with anonymized data. Introduced by Lord Ashton of Hyde, Parliamentary Under-Secretary of State at the Department for Culture, Media and Sport, the draft changes (PDF) address Clause 162 of the third generation of data protection law that has entered the […]

The post UK Data Protection Bill Changes Would Help Protect Security Researchers appeared first on The State of Security.

India’s Biometric Database Reportedly Breached, More Than One Billion Compromised

Between Equifax and Uber, there has been a plethora of massive data breaches lately. These breaches not only compromise personal data; they also leave those affected worried about potential identity theft. Now India is faced with its largest data breach yet: its governmental database Aadhaar has reportedly been compromised, which could affect the personal data of practically all of its 1.3 billion citizens.

How did this happen, exactly? Let’s start back in 2010 when, according to Buzzfeed, India started scanning personal details like names, addresses, dates of birth, mobile numbers, and more, along with all 10 fingerprints and iris scans of its 1.3 billion citizens, into a centralized government database called Aadhaar to create a voluntary identity system.

Fast forward to the present day, and all of this crucial data was simply handed over to the Tribune newspaper for a whopping $8. The publication said its reporters were able to access names, email addresses, phone numbers and postal codes by paying $8 to an individual who provided them with access to the database. What’s more, for another $5 the same individual offered the reporters unique identification cards (called Aadhaar cards) that can be used to access various government services. The individual responsible for the leak is apparently part of a larger group that was able to access the giant database through former Aadhaar workers.

Mind you, there is still a lot of speculation and many open questions around this massive leak, with the government authority that oversees the database claiming that the data is “fully safe and secure.” One thing is for sure, however: the entire country’s population needs to be on alert for compromised personal data or even identity theft.

So, what can these citizens do to ensure their personal information stays secure? Start with these tips:

  • Regularly review your online account info. Regularly reviewing transactions online and making sure account contact info hasn’t changed are good ways of keeping tabs on anyone trying to hijack your account.
  • Set up an alert. If you know there’s a chance your personal data has been compromised, place a fraud alert on your credit so that any new or recent requests undergo scrutiny. This also entitles you to extra copies of your credit report so you can check for anything suspicious. If you find an account you did not open, report it to the police or the Federal Trade Commission, as well as to the creditor involved, so you can close the fraudulent account.
  • Consider an identity theft protection solution. With this breach and others before it, consumers have been focused on staying protected against identity theft. That’s why, just this week, McAfee announced a solution that aids with exactly that. McAfee Identity Theft Protection allows users to take a proactive approach to protecting their identities, with personal and financial monitoring and recovery tools to help keep their identities personal and secured.

And, of course, stay on top of the latest consumer and mobile security threats by following me and @McAfee_Home on Twitter, and ‘Like’ us on Facebook.

The post India’s Biometric Database Reportedly Breached, More Than One Billion Compromised appeared first on McAfee Blogs.

Five Epic Fails in Data Security: Do You Know How to Avoid Them?

Data security is on everyone’s mind these days, and for good reason. The number of successful data breaches is growing thanks to the increased attack surfaces created by more complex IT environments, widespread adoption of cloud services and the increasingly sophisticated nature of cybercriminals.

One part of this story that has remained consistent over the years, however, is that most security breaches are preventable. Although every organization’s security challenges and goals are different, there are certain mistakes that many companies make as they begin to tackle data security. What’s worse, these mistakes are often accepted as the norm, hiding in plain sight under the guise of common practice.

Should you be concerned about the potential for a data breach? Let’s see if you can fill in the blanks:

  • Compliance does not equal ______.
  • Recognize the need for _____ data security.
  • Establish who _____ the data.
  • Fix known ______.
  • Prioritize and ______ data activity monitoring.

Read the white paper: Five Epic Fails in Data Security and How to Avoid Them

Five Common Data Security Failures

Below are five common data security failures that, if left unchecked, could lead to unforced errors and contribute to the next major data breach.

1. Failure to Move Beyond Compliance

It is often said that compliance does not equal security, and most security professionals would agree with that statement. However, organizations often focus their limited security resources on achieving compliance and, once they receive their certifications, become complacent. As a result, many of the largest data breaches in recent years have happened in organizations that may have been fully compliant on paper.

2. Failure to Recognize the Need for Centralized Data Security

Compliance can help raise awareness of the need for data security, but without broader mandates that cover data privacy and security, companies forget to move past compliance and actually focus on consistent, enterprisewide data security. A typical organization today has a heterogeneous IT environment that is constantly changing and growing. New types of data sources pop up weekly, if not daily, and sensitive data is dispersed across all of these sources.

3. Failure to Assign Responsibility for the Data Itself

Even if stakeholders are aware of the need for data security, in many companies no one specifically owns responsibility for the sensitive data that’s being collected, shared and leveraged to perform business operations. This becomes obvious once you try to find out who is actually responsible.

4. Failure to Fix Known Vulnerabilities

According to Gartner, 99 percent of all exploits use known vulnerabilities, while malware and ransomware attacks typically leverage vulnerabilities that are at least six months old. Recent high-profile breaches have resulted from known flaws that went unpatched even after fixes were released. Cybercriminals actively seek unpatched vulnerabilities because they are easy points of entry.

5. Failure to Prioritize and Leverage Data Activity Monitoring

In addition to moving past compliance, spreading security awareness, establishing data ownership and addressing vulnerabilities, monitoring data access and use is an essential part of any data security strategy. Organizations need to know who, how and when people are accessing data, whether they should be, whether that access is normal and whether it represents elevated risk.

Taking Steps to Close Data Security Gaps

There is nothing easy about securing sensitive data to combat today’s threat landscape, but companies can take steps to ensure that they are devoting the right resources to their data protection strategy. Few organizations, however, can afford all the security measures they would like to have. When resources and budgets are limited, it is of paramount importance to prioritize and leverage the resources they do have.

To learn more about common data security missteps, read the white paper, “Five Epic Fails in Data Security: Common Data Security Pitfalls and How to Avoid Them” and watch the on-demand webinar, “Epic Fails in Data Security and How To Avoid Them.”

The post Five Epic Fails in Data Security: Do You Know How to Avoid Them? appeared first on Security Intelligence.

2018 Resolution: Lose the Weight of Tech Safety Guilt Once and for All

January is here, and we’ve got goals to crush. We want to be more productive. We want to spend more quality time with family. We want to get fit and lose some weight. Then there are those brave enough to tackle what’s going on in their parenting knower.

The knower is located in every parent’s internal command center. It knows what it should do but hasn’t quite gotten around to doing it. It won’t appear on an anatomy chart, but if you are a parent, you know precisely where your knower is because you can feel the weight of the guilt that collects there. One of the biggest guilt generators is knowing what we should do to lock down our family’s digital life, but somehow keep putting it off.

According to McAfee’s 2018 digital threat predictions several of the top technology threats coming our way this year target family safety specifically. The first threat: The growing power of the connected home and potential threats to family data privacy from big corporations. And, the second threat: Risky apps kids use and how companies can use content posted by users.

Both issues are big deals as our homes become more connected in new ways that are both exciting and, frankly, concerning when it comes to the issue of privacy.

So who is brave enough to lose the unwanted guilt weight? Here are a few easy things you can do to start 2018 to get your digital life in shape.

Inventory Your Homefront

Chances are you’ve accumulated a stockpile of digital products you don’t even realize pose a threat to your family’s security. Those devices likely need a password and privacy setting tuneup. Four steps to home safety:

  • Make a list of your devices.
  • Go into the settings and make the necessary updates.
  • If a software update is needed, do that as soon as you get a notification.
  • To streamline that process, consider a central built-in security product that ensures every device in your house is well protected.

Products to put on your list: Smart TVs, digital assistants such as Alexa and Echo, drones, laptops, tablets, personal computers, home automation systems such as The Nest, home security systems, your home network, smartphones, Bluetooth car kits, digital toys, game systems, electronic keypads on doors and garages, digital cameras, baby monitors, and any digital appliance. Even cars can be targets for hackers as seen in the Jeep hack of 2015, in which hackers used a laptop to disable a car’s engine on the freeway and forced Fiat Chrysler to recall hundreds of thousands of vehicles.

With more homes becoming fully connected, experts agree it’s going to become harder to secure your privacy not only from hackers but marketers spying on users for profit. Do your homework on a product’s security standards before you purchase items and know what security gaps are currently in your home. Tip: Companies know that customers rarely read privacy agreements. Weak agreements tempt corporations to frequently change the privacy agreement after the devices and services are deployed to capture more customer information and revenue.

Talk More About the Big 3

Talking to your kids about digital safety is your most valuable defense against family security mishaps. Remind your kids of the Top Three Rules of Digital Responsibility: 1) don’t interact with strangers online; 2) don’t share personal information such as home address, email, birthdate or personal activities and plans; and 3) don’t upload or download inappropriate content or photos. The Internet never forgets, and the damage done can be devastating.

Pay Attention to App Privacy

As identified in our threat predictions report, more and more kids are downloading apps with loose guidelines on how companies can use user-generated content. Educate your child about why this poses a danger and how daily interactions with these fun, social apps can affect their reputations in the future.

Slow Down, Click with Care

Living in a streaming, posting, click-here-now world has forced us to read and respond quickly. In doing so, we miss vital details, get into digital misunderstandings, and risk our privacy by clicking suspicious links. In 2018, take back your digital control by merely slowing down. Be it email, texts or social media posts — stop and think before you post, respond, or click links. Cybercrooks understand our habits and are always looking to exploit our weak points.

Make More Meaningful Connections

The ability to connect with others 24/7 can be both empowering and debilitating. We know in our knower when we are spending too much time glued to our smartphones, and when our kids are too. Online connections will never compare to the rich relationships we can experience offline. This year, resolve to help your kids maintain a healthy perspective on digital versus face-to-face interactions. A healthy digital balance is especially crucial during the tween and teen years, since studies show that the more time kids spend online, the more isolation and depression can set in. Resolve to curb screen time by modeling balance, planning physical activity and phone-free outings, and establishing phone-free zones in the home.

Remember, in making changes in this new year resolve not to look back. Embrace 2018 for all it is: A clean slate primed and ready for your family to establish and set new habits in motion. You’ve got this!

Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her on Twitter @McAfee_Family. (Disclosures).


The post 2018 Resolution: Lose the Weight of Tech Safety Guilt Once and for All appeared first on McAfee Blogs.

Our Analysis of 1,019 Phishing Kits

In recent years phishing activity has grown rapidly, with thousands of phishing sites popping up for a virtual moment that lasts weeks, days or even hours before they become ineffective, either because they are blacklisted by security providers, brought down by internet providers and authorities, or (in most cases) both. To keep up with this dynamic, a significant portion of phishing activity relies on phishing “kits”: software packages that allow quick and easy deployment of a new phishing site.

We set out to learn about phishers’ methods and motivations, particularly about phishing kit packages that contain complete phishing web sites in an easy-to-deploy format.

Here are the insights we gained from our research, which we review in detail in this post:

  • Free phishing kits often contain hidden exfiltration mechanisms that send the entered information to third parties, which are probably the kits’ authors.
  • Half of the packages belong to large families of kits, and a third belong to just three large families. This means that phishing kits come from a restricted number of sources.

Industrialization of Phishing

Phishing is one of the most effective ways to gain a foothold within the enterprise, and many network and data breaches start with it. According to Verizon’s 2017 Data Breach Investigations Report, 81% of hacking-related breaches leveraged stolen and/or weak passwords.

Like many other cyberthreats, the phishing domain has evolved in recent years from a world where a few know-all attackers build, execute and manage entire phishing campaigns, into a role-based ecosystem where different people with different skill sets fulfill different roles. This industrialization allows modern cybercriminals to stop worrying about the technical stuff like building fake sites and collecting stolen credentials, and instead focus on their portion of the process and work in large scale, both of which result in increased revenue.

In this research we explore one of the significant enablers of this evolution: the channel between phishing technology providers and campaigners, known as do-it-yourself (DIY) phishing kits, which dramatically reduce the cost and time required to set up a phishing campaign. DIY phishing kits include the files necessary to create a copy of the target web site, steal valuable information and simplify the configuration of the phishing web site. Furthermore, DIY kits are constantly evolving, and various features are being introduced for management purposes, such as extending the lifespan of their pages and servers.

Along with the improvement of industrial-grade platforms and infrastructure, the business model of phishing is also evolving. Underground markets are full of phishing kits at every level and cost, some even distributed at no charge, usually confirming one of the oldest rules in the book: you get what you pay for. Here we found that the only free cheese is in the mousetrap. Many of the free phishing kits have hidden back doors that allow their provider to track the activity of the phishing campaigner and receive copies of the stolen information, thus reducing the provider’s effort and risk and increasing their return on investment (ROI) by harvesting the work of the inexperienced criminals who deploy their kits.

This makes the phishing world a live ecosystem with various players, obeying basic rules of economics. It allows technology providers to maximize the revenue on their development, phishing campaigners to focus on campaigning, and “dishonest” hack-the-hacker DIY kit providers to cheat naive campaigners (who are of course themselves dishonest to their victims). In our research we focused on families of kits that seem to be related to each other, and in many cases even derived from the same source. Unsurprisingly, we found that DIY phishing kits obey the Pareto principle, with the majority of kits attributed to a small number of sources.

Phishing Attack Flow

The following flow demonstrates a standard phishing attack using a phishing kit.

  • First, the attacker buys a compromised server (or uses a hosting service) and uploads the phishing kit to the server
  • Then, the attacker uses a spam service to send a burst of phishing emails to potential victims
  • The victims fall into the phishing trap, visit the phishing pages and enter their credentials
  • The phishing kit processes the credentials and sends them to an external email account
  • Finally, the attacker accesses this email account and harvests the new credentials

Figure 1: Phishing attack flow

The Research from 20,000 Feet

Our research had four phases (Figure 2):

  • Finding sources for phishing sites and their kits
  • Obtaining phishing kits
  • Retrieval and normalization of features from the phishing kits
  • Statistical analysis and clustering of the extracted features

Figure 2: Research phases

Phishing Sites Sources

We used two different sources to locate and obtain phishing kits:

  •, which publishes a collection of URLs for phishing kits gathered throughout 2016
  • Open Phish feed, which offers URLs of zero day phishing sites

Obtaining Phishing Kits

From the first source,, we downloaded long-life phishing kits. From the second source, Open Phish, we obtained phishing kits by crawling live phishing sites. We developed a tool which gets a list of phishing URLs and retrieves the phishing kit from the backend of the phishing server.

This was possible because phishers’ common practice is to deploy a phishing site by uploading a kit to a web server. After deploying a kit, attackers often forget to remove it, and when a server is vulnerable to directory traversal it is possible to locate and download the kit.

Extracting Features

Before the comparison analysis we performed several preprocessing steps: we extracted features that characterize phishing kits, cleaned up redundant white space and normalized feature values.

Analyzing Phishing Kits

We created a statistical analysis of extracted features to understand the importance and incidence of each one. Then we performed hierarchical clustering on the extracted features (more details in the “Research Method” section below).


From both sources we collected 1,019 phishing kits in total. We obtained 428 phishing kits from pastes, which represent 9.6% of the checked URLs. From the Open Phish feed we obtained 591 kits, which represent 7% of the checked URLs. From the above, we can see a bias in coverage toward inexperienced attackers who leave their kits on the compromised servers.

Phishing Kit Anatomy

Phishing kits contain two types of files: 1) resource files which are needed to display a copy of the targeted web site and 2) processing scripts which are used to save the stolen information and send it to attackers.

Based on analysis of our collection of phishing kits, we noticed that the majority of phishing kits contain all the resources required to copy the targeted web site, including images, HTML pages and CSS files. This reduces the number of requests the kit issues to the target site, and hence the chances of being detected if the original site analyzes incoming requests. However, we observed several kits with phishing pages containing links to the original targeted sites.

Figure 3: Google Docs phishing kit

Figure 3 is an example of a common Google Docs phishing kit, which accounts for about 15 percent of our collection. The kit’s resource files contain Google images and CSS and password-validation files, while the PHP files are the processing code that stores the stolen information and sends it to the attacker.

Figure 4: Processing code of a Google Docs phishing kit

Figure 4 shows the processing code of the Google Docs kit. The first part of the code checks which email provider the victim selected. Then it retrieves the victim’s details such as browser, IP address and geolocation. If the victim’s email provider is Gmail, the victim is redirected to the next page, ‘verification.php’, which lures them into re-entering their recovery email or phone number, since Google requires this for authentication from an unrecognized device.

The second part of the code builds the phishing-result email message. In our example, the processing code is signed with the signature ‘CANADA’. The phishing-result message contains the email provider, the email and password, and the IP address and geolocation of the victim. The resulting message is sent to the attacker’s email address, which we assume belongs to the buyer of the kit.

The last part of the code redirects the victim to a legitimate Google Drive landing page to avoid arousing suspicion.

The features marked in Figure 4 are those we used in our statistical analysis and clustering.

Phishing Kit Capabilities

Exfiltration Mechanisms of Phishing Kits

One of the main functions of a phishing kit is to automatically send stolen information to the attackers. The vast majority of kits (98%) used email to exfiltrate stolen data to attackers. Only two percent of kits stored collected information in a file on the compromised server.

From our automated analysis of the 1,019 phishing kits, we extracted 843 unique email addresses. They were registered at 53 different domains: is the most frequently used (79%), followed by (5%), (4%), Hotmail and Outlook (3%).

But What Happens When You Buy from a Thief?

About 25 percent of the kits contained hidden recipients that receive the phishing-result emails in addition to the kit buyers who were meant to receive them. We assume that the hidden addresses belong to the kits’ authors, who are effectively stealing from the inexperienced phishers who deploy these kits. This is likely the main reason that phishing kits are distributed for free in underground circles.

We saw multiple techniques used to hide the author’s email address, but the most popular were address obfuscation (Figure 5) and repeated mail statements (Figure 6) that leverage the fact that PHP variable names are case-sensitive. Thus, the apparently repeated mail statements actually have two different recipients.

Figure 5: Address obfuscation technique to hide phishing kit author’s email address

Figure 6: Repeated mail statements technique to hide phishing kit author’s email address

We also observed that many kits contain the comment “Don’t need to change anything here” at the top of one of the scripts. This comment aims to deter kit operators from examining the script that contains the hidden field with the email address of the kit author.

Extending the Lifespan

With so many prying eyes of security vendors, researchers and index services, phishing campaign operators are trying to find ways to extend the life expectancy of their pages and servers.

Block Unwanted Access

One of the common methods we found in the kits (in 17% of them) was a mechanism for blocking unwanted visitors, thus creating the façade that the site is already down, and therefore extending its life expectancy and increasing the owner’s ROI.

The following are common techniques to hide phishing kits:

  • .htaccess files — contain a list of blocked IP addresses belonging to search engine and security company bots
  • robots.txt files — used to prevent bots from accessing specific directories
  • PHP scripts — dynamically check whether the remote IP address is allowed to access the phishing pages

Figure 7: Block unwanted access techniques

Blacklist Evasion

13% of phishing kits contain blacklist evasion techniques, which redirect each new victim to a newly generated random location. The kit essentially randomizes the URL per visitor with the following steps:

  • Creates a random phishing kit subdirectory
  • Copies the content of the entire kit inside it
  • Redirects the visitor to the newly generated random location

The following PHP code presents an example of such behavior:

Figure 8: Blacklist evasion techniques

This approach allows phishers to hide the real link to the phishing kit from being blacklisted, and thus extend the lifespan of phishing pages and servers.
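
One way a responder can spot this behaviour on a compromised host, as an added example that is not from the original research: fingerprint every directory under the web root and report the ones that are byte-for-byte copies of each other. The sample web root is constructed in a temporary directory; the kit file names and the random-looking directory names are invented.

```python
"""Post-compromise check for the blacklist-evasion pattern described above: a kit
that copies itself into a fresh random subdirectory for every visitor leaves many
sibling directories with byte-for-byte identical file trees under the web root."""
import hashlib
import os
import tempfile
from collections import defaultdict


def tree_fingerprint(root):
    """SHA-256 over every (relative path, content) pair, walked in sorted order,
    so two identical copies of a kit produce the same fingerprint."""
    h = hashlib.sha256()
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()                       # make os.walk order deterministic
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h.update(rel.encode() + b"\0")
            with open(full, "rb") as f:
                h.update(f.read())
            h.update(b"\0")
    return h.hexdigest()


def find_cloned_kits(webroot, min_copies=3):
    """Group the immediate subdirectories of webroot by fingerprint and return the
    groups with at least min_copies identical members, largest group first."""
    groups = defaultdict(list)
    with os.scandir(webroot) as entries:
        for entry in sorted(entries, key=lambda e: e.name):
            if entry.is_dir(follow_symlinks=False):
                groups[tree_fingerprint(entry.path)].append(entry.name)
    hits = [names for names in groups.values() if len(names) >= min_copies]
    return sorted(hits, key=len, reverse=True)


def write_tree(base, files):
    """Materialise {relative path: bytes} under base (fixture helper)."""
    for rel, content in files.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(content)


def build_sample_webroot():
    """Constructed fixture, not a real kit: one legitimate site directory, one
    stale near-copy, and four identical clones under random-looking names."""
    root = tempfile.mkdtemp(prefix="webroot-")
    kit = {"index.php": b"<?php /* landing page */ ?>",
           "login.php": b"<form>...</form>",
           "css/style.css": b"body { margin: 0 }"}
    write_tree(os.path.join(root, "blog"), {"index.php": b"<?php /* blog */ ?>"})
    write_tree(os.path.join(root, "oldkit"), {**kit, "login.php": b"<form>v1</form>"})
    for name in ("a1b2c3", "f9e8d7", "q1w2e3", "zz9yy8"):
        write_tree(os.path.join(root, name), kit)
    return root
```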

Research Method

We developed an automated tool that extracts features from phishing kits.  The following features were extracted from metadata of the phishing kits:

  • Name of the kit
  • A list of file names contained in a kit. To clear noise from data we excluded images and CSS files.
  • Size of the phishing kit

The features below were extracted using regular expressions from the processing code which builds the phishing results email:

  • Author’s signature – extracted from the processing code
  • Recipient – which we assume is the buyer of the kit
  • Sender – extracted from the From field of the processing code
  • Subject – of the results email

Afterwards, we performed a statistical analysis on the extracted features. The features we chose were:

  • The list of files contained in the phishing kit
  • Author’s signature from the processing code
  • Subject and sender of phishing results email

Statistical Analysis

Authors’ Signature

We started our statistical analysis with the authors’ signatures feature. We extracted 271 authors’ signatures from our collection of kits. About a third of the kits didn’t contain any signature, while half of the kits had a non-unique signature. This could imply that at least half of the kits on the underground market are created by a restricted number of authors.

Figure 9: Phishing kit authors’ signature distribution

The most popular author was “NoBODY” which appeared in about 7% of the kits in our collection. The second most popular author was “me’” and the third “FUD TOOL DOT COM”, which appeared in 2% of kits.

The figures below show three examples of processing code which contains popular authors’ signatures:

Figure 10: Examples of popular authors’ signatures

The below table summarizes the top 10 authors’ signatures found in the phishing kits:

Figure 11: Top 10 author signatures in phishing kits

We searched for one of the most popular signatures, “FUD TOOL DOT COM” and found a few interesting sites. This author publishes different tools, hosting services and phishing pages for free and for profit (see Figures 12a and 12b).

Figure 12a: “Chase new page 2015” advertising by FUD TOOL DOT COM found on Facebook


Figure 12b: Ad landing page, “Fresh Spam Tools” page by FUD TOOL DOT COM

A Shopping Cart of Kits’ Buyers

The next feature we analyzed was the email recipient (the kit buyers). From all analyzed kits we extracted 716 buyers.

Figure 13: Distribution of phishing kit buyers according to the quantity of kits purchased

We noticed that about a quarter (24%) of attackers used several phishing kits (which represented 56% of the examined kits), most likely to maximize their potential profit.

Figure 14: Distribution of kits according to the quantity of kits purchased

Subject Feature

Most of the kits have non-unique subjects. This strengthens the claim that phishing kits come from a restricted number of sources.

Figure 15: Phishing kits – email subject distribution

Clustering Method

We performed clustering on the extracted features in three steps. First, we chose features that characterized the phishing kits and were applicable for comparison between kits:

  • The list of files contained in the phishing kit
  • Author’s signature from the processing file
  • Subject of phishing results email
  • Sender of phishing results email

Afterwards, we performed clustering on the first feature, the list of files contained in the phishing kits, where the distance between any two kits was defined by the formula shown in the original figure (not reproduced here).

Finally, we performed clustering on the results of the previous step together with the other features mentioned above. In our clustering, every cluster of kits had at least one of the features in common. To streamline the analysis, we used a naive distance function that set the distance to 0 if two kits had at least one common feature, and 1 otherwise.
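
The second clustering step, written out as an added example (not the authors’ code): with the 0/1 distance, the clusters are exactly the connected components over shared feature values. The kit records are constructed; the file-list cluster from the first step is assumed to arrive as a precomputed label, since that distance formula is not reproduced here.

```python
"""Second clustering step from the post: with the naive 0/1 distance (0 when two
kits share at least one feature value, 1 otherwise), single-linkage clusters are
the connected components of the 'shares a feature' graph."""
from collections import defaultdict

# Features compared in that step. The first-step result (file-list cluster) is
# carried along as one more feature; its distance formula is not reproduced in
# the post, so here it is simply a precomputed label (assumption).
FEATURES = ("file_cluster", "signature", "subject", "sender")


def cluster_kits(kits):
    """kits: {kit_name: {feature: value}} -> list of clusters (sorted name lists),
    largest first. Empty or missing values never link two kits."""
    parent = {name: name for name in kits}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]    # path halving
            x = parent[x]
        return x

    index = defaultdict(list)                # (feature, normalised value) -> kits
    for name, feats in kits.items():
        for f in FEATURES:
            value = feats.get(f)
            if value:
                index[(f, value.strip().lower())].append(name)
    for members in index.values():           # distance 0 between all of them
        for other in members[1:]:
            parent[find(other)] = find(members[0])
    groups = defaultdict(list)
    for name in kits:
        groups[find(name)].append(name)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g[0]))


def kits_in_clusters_of_at_least(clusters, *sizes):
    """Number of kits sitting in clusters of size >= each threshold (the post's
    'size >= 10' and 'size >= 5' figures are computed this way)."""
    return {s: sum(len(c) for c in clusters if len(c) >= s) for s in sizes}


# Constructed sample: signatures borrowed from the post's top list, everything
# else invented. k1..k4 chain together through three different features.
SAMPLE_KITS = {
    "k1": {"file_cluster": "F1", "signature": "NoBODY", "subject": "Result", "sender": "a@example.invalid"},
    "k2": {"file_cluster": "F2", "signature": "nobody", "subject": "Login", "sender": "b@example.invalid"},
    "k3": {"file_cluster": "F3", "signature": "", "subject": "login", "sender": "c@example.invalid"},
    "k4": {"file_cluster": "F3", "signature": "FUD TOOL DOT COM", "subject": "Spam", "sender": "d@example.invalid"},
    "k5": {"file_cluster": "F5", "signature": "me", "subject": "Hits", "sender": "e@example.invalid"},
    "k6": {"file_cluster": "F6", "signature": "", "subject": "Cards", "sender": "E@example.invalid"},
    "k7": {"file_cluster": "F7", "signature": "", "subject": "", "sender": ""},
}
```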

Clustering Results

We identified 230 clusters, with more than half of the kits grouped in nineteen big clusters of size greater than or equal to 10. Furthermore, 72% of kits belonged to medium-sized clusters of size greater than or equal to five.

The following graph demonstrates the clustering of deployment kits. The blue dots are phishing kits, while the purple triangles are cluster identifiers. The largest cluster contains 153 kits, the second largest cluster contains about 78 kits, and the third 66 kits.

Figure 16: Clustering of phishing kits

Based on the clustering results we can conclude that about half of the kits were created by a small group of experienced phishers. Almost a third of the kits belong to three large clusters, which indicates that the phishing kits came from a restricted number of sources.

We also noticed that more than a third of the kits that belonged to the large clusters contained implicit recipients which are probably the kits’ authors. This might explain the phishers’ motivation to distribute free phishing kits in the underground community.

Role-based Ecosystem

Phishing activity has rapidly changed in recent years. It emerged from a small-scale practice into an industrialized automated operation involving multiple actors with well-defined roles. The underground circles have shifted from a reputation-based society into a profit-driven economy, resembling legitimate economic ecosystems, but also one in which experts resort to treachery against newcomers. This shows that criminals not only target gullible users, but are also taking advantage of inexperienced (or competing) criminals.

Figure 17: Phishing role-based ecosystem

The veteran players try to minimize their effort and operational costs and maximize their return on investment by harvesting the work of newcomers.  It takes place in three steps:

  • Experts advertise and distribute phishing kits to newcomers
  • Newcomers deploy them and steal valuable information from victims
  • Experts steal from newcomers using hidden exfiltration mechanisms (hidden recipient emails)

Summary and Conclusion

Do-it-yourself phishing kits are effective tools available to phishers and one of the significant factors in reducing the price and time to set up a phishing scam.

In this research, we analyzed a large collection of phishing kits obtained from a variety of sources and discussed the kits’ technical characteristics.

In summary, here are the insights we gained on the phishing kits’ main capabilities, their origin and their effect on the phishing market:

  • Phishing campaign operators are trying to find ways to extend the life expectancy of their pages and servers and increase their ROI. 17% of kits contained a mechanism for blocking unwanted visitors, thus creating the façade that the site is already down. Furthermore, 13% of phishing kits contain blacklist evasion techniques, which redirect each new victim to a newly-generated random location.
  • The “business model” of phishing has emerged. Initially, criminals started to create phishing kits and offer them for sale. As various features have been introduced to make phishing sites more efficient and to extend the life expectancy of their pages, phishing kits have become actively promoted and distributed at no charge on underground sites. However, the “free cheese” is a trap. Free phishing kits often hide implicit recipients (probably the original kits’ authors), who receive newly phished information in addition to the kit buyer. Therefore free phishing kits respond to rational economic motivations: attackers can decrease their effort and risk, and increase their ROI, by harvesting the work of inexperienced criminals who deploy their kits. At least a quarter of phishing kits contained hidden recipients that transmitted the stolen information to third parties (likely the original kits’ authors).
  • About half of the kits were created by a small group of experienced phishers, while almost a third of the kits belonged to three large clusters. This shows that phishing kits come from a restricted number of sources.

Doxxing Can Ruin Your life. Here’s How (You Can Avoid It)

What is doxxing?

Doxxing is a cyber attack that involves discovering the real identity of an Internet user. The attacker then reveals that person’s details so others can target them with malicious attacks. Doxxing is analyzing information posted online by the victim in order to identify and later harass that person.

What is doxxing – a definition

The term “doxxing” comes from the expression “dropping dox”, which was a revenge tactic used by hackers where they dropped malicious information on a rival.

Nowadays, doxxing is used to shame or punish people who would rather stay anonymous, because of their controversial beliefs or other types of non-mainstream activity.

Think of it like Hansel and Gretel, only it’s a much scarier story when it happens to you.

The original story says that, a few hundred years ago, Hansel and Gretel were living in a German land struck by famine.

Their stepmother despised the two children, and used the famine to manipulate their father to abandon them in the woods, claiming there were too many mouths to feed.

Hansel learned of her plan, and used breadcrumbs to leave a trail on the road. After they were abandoned in the wood, Hansel and Gretel simply needed to follow the breadcrumb trail to find their way back home.


This is a children’s story of course, but using breadcrumbs to find your way back to a destination has stuck in the popular imagination. Using breadcrumbs like these is a tactic used by many malicious people when trying to hack someone.

So why do we write about a children’s story on a cybersecurity blog?

Because most of us are careless with the information we share on the Internet. We leave behind a trail of breadcrumbs a cybercriminal can use to find out our real identity, then deploy a string of malicious attacks.

This is called doxxing, and has messed up the life of more than one person.

How a troll gets doxxed – violentacrez, an example of doxxing

Michael Brutsch created an online persona named violentacrez for the Internet messaging board Reddit.

Over the years, he created a reputation as a troll because of his posts on the website. For instance, he created subreddits (subforums) around misogyny or sexualized photos of underaged women.

For a long while, Michael Brutsch succeeded in keeping his online identity, violentacrez, a secret.

But Gawker journalist Adrian Chen managed to connect Michael Brutsch to violentacrez, and then went public with the information. In other words, Michael Brutsch was doxxed.

Chen was able to do the doxxing because Michael Brutsch took risks with his identity. For one, he actually met Reddit users in real life, in meetups and parties. In photo shoots, he asked for his face to be blurred. Not only that, but he also hosted a podcast, which Chen used in a phone call with Michael Brutsch to see if the voices matched.

After he was doxxed, Brutsch ended up losing his job and enduring a very public shaming, which was made even worse by his decision to do a CNN interview. After this episode, there is little information to go around as to what happened next to Michael Brutsch. But his life as a notorious Reddit troll is just one search away.

How a Nazi gets doxxed – did he deserve it?

With the current political landscape being what it is, a large number of people are fighting against Nazi and Neonazi organizations rising to attention both online and offline. In the pursuit of trying to silence dangerous agendas, the number of online vigilantes has risen alarmingly. In the past few months we’ve seen a lot of cases of Neonazi forum users being doxxed, harassed online and even getting fired because of their opinions, as reported in this New York Times piece.

While the cause might seem worthy, doxxing is and remains online vigilantism and this is never good.

Kyle Quinn, a professor from Arkansas, was wrongly accused of participating in the neo-Nazi march in Charlottesville. Overnight, Mr Quinn found his image being shared by thousands of people across social media and he was bombarded by messages on Twitter and Instagram. Even worse, his employers were contacted by doxxers demanding Mr Quinn’s firing.

Doxxing victims – how doxxing and swatting lead to tragedy

A practice related to doxxing is swatting. Swatting means prank-calling the police or SWAT units to another person’s address. Online, a victim getting doxxed can also lead to swatting: malicious hackers find someone’s address and report fake bomb threats or other serious incidents, and then the police show up at the unsuspecting victim’s home.

In December 2017, such an incident led to the death of Andrew Finch from Kansas. Finch was fatally shot by an officer responding to a false domestic violence dispute.

28-year-old Finch had previously played a Call of Duty game online and started fighting with 25-year-old Tyler Barris. Another player, going under the username “Miruhcle”, escalated the conflict to dramatic proportions. He provided Barris with Finch’s home address and dared him to do a swatting.

Barris had two prior swatting incidents, making calls to the police about fake bomb threats. This time, the doxxing and swatting took a turn for tragedy. Barris sent police at Finch’s house by falsely reporting a murder and hostage situation. Police arrived at Finch’s house and, when he opened the door, shot him dead.

As if it wasn’t enough, before Tyler Barris was arrested, he was bragging on Twitter about his “achievement”.



Doxxing victims – leaked photos

This user’s life was turned upside down after naked photos of her were posted on the infamous website 4chan. By the time she wrote her story, 24,000 men had seen her photos. Her Facebook inbox was filled with soliciting messages from men she never knew. Some of them physically went to see her at the address posted by the 4chan doxxer.

In her words, she became an Internet commodity.

Doxxing turned her body into an internet commodity.


Doxxing victims – targeted by Instagram influencers

What happens if you take a stand against a popular Instagram page that posts sexist content?  Quite a lot, as this journalist would find out.

Stef wrote a series of critical comments on the photos from a famous Instagram account. Her comments touched a nerve, so the admins retaliated by publicly revealing her name, her partner’s name, her telephone number and address, with an explicit instruction to harass Stef.

The fans duly followed the instructions and insulted Stef with racist comments, unearthed some of her business ventures, and threatened to reveal her Social Security Number.

The harassment eventually died out, but only after Stef went through complicated legal hoops and issued DMCA takedown notices.

How you can get doxxed and how to avoid getting doxxed

Cybercriminals and trolls can be very resourceful in how they doxx you. They can use a single clue, and then follow it up until they slowly unravel your online persona and reveal your identity.

Here’s what you should look out for if you want to stay anonymous on the web.

Revealing your identity through the information you post

The more you write on forums and message boards, the higher your chances become of accidentally revealing personal information about you. If you use social media, it’s even more dangerous.

You don’t even have to outright say where you live. Instead, it’s possible to roughly pinpoint your location by way of elimination.

For instance, you make a post saying you don’t live in the Americas. In another you said you wanted to visit a different continent, so you chose Asia.

With only two posts, the cybercriminal made an educated guess you most likely lived in Europe.

In another post, you said Walmart isn’t present in your country, but that Carrefour is the dominant retail chain.

By now, your possible location has been narrowed down to 3-4 countries.

As the doxxer keeps sifting through your information, he slowly figures out what country you live in, and even your current city.

A doxxer can use what you post on forums to reveal your identity


Packet sniffing

Packet sniffing is a hacking method where the doxxer intercepts your Internet data, looking for valuable information about you, such as emails, passwords, credit card data and so on.

Basically, the doxxer connects to a network, such as a Wi-Fi network, breaks its security measures and then intercepts all of the data coming in and out of it.

What’s more, the malicious hacker has access to this data in real time, so everything you type in a form will simultaneously show up on his screen.

Here’s a more thorough guide on how you can protect yourself from wireless sniffing.

Matching information between online persona and social media profile

Ross Ulbricht was the founder of infamous dark net website Silk Road, which traded drugs, guns and so on.

To hide his identity, he used the nickname “Dread Pirate Roberts”.

The police were able to connect Ross Ulbricht and Dread Pirate Roberts partly because both of these “personas” said they were a) libertarians, b) followers of the Mises Institute, and c) wanted to create “an economic simulation of what it would be like to live in a world without systemic use of force”.

During the trial, Ross Ulbricht built his defense claiming he gave away the Dread Pirate Roberts account, and someone else made Silk Road the Internet’s hot spot for illicit trade.

As far as coincidences go, this was a bit too much to believe. The judge threw out the defense and sentenced Ross Ulbricht to a long time in jail.

I bet you never really expected Clark Kent to actually be Superman, did you?

Doxxers analyze file metadata

Microsoft Office files such as Word or Excel documents have something called “metadata”.

This is information about the document, which you can find by right-clicking a Microsoft Office file -> Properties -> Details.

This section contains data about who made the file, when, from what computer, the company who made it and even total editing time.

Simply by glancing over this metadata, a doxxer can learn a great deal about you. Here’s a guide by Microsoft on how to limit the amount of metadata you share with a document.

But Microsoft Office files aren’t the only ones that carry metadata: photos have something similar, called EXIF data. This contains data regarding the camera or smartphone model, resolution, location (if you enabled GPS) and the time when the photo was taken.
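
As an added example that is not part of the article, a small check that lists and strips the metadata segments of a JPEG before it is shared; the sample file is a constructed container skeleton, not a real photograph.

```python
"""Find and strip the metadata a doxxer mines from a JPEG: APP1 segments carry
Exif (camera model, GPS position, timestamps) and XMP, APP13 carries IPTC/Photoshop
data (author, captions). The compressed image data itself is never touched."""
import struct

METADATA_MARKERS = {0xE1: "APP1 (Exif/XMP)", 0xED: "APP13 (IPTC)"}


def iter_segments(data):
    """Yield (marker, raw segment bytes) for each marker segment of a JPEG.

    Everything from the SOS (or EOI) marker to the end of the file is yielded once
    as a single item, because entropy-coded scan data has no length field."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    yield 0xD8, data[:2]
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker in (0xDA, 0xD9):                  # SOS or EOI: stop parsing
            yield marker, data[pos:]
            return
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])  # includes itself
        yield marker, data[pos:pos + 2 + length]
        pos += 2 + length


def list_metadata(data):
    """[(segment name, payload without the 4-byte marker/length header)]."""
    return [(METADATA_MARKERS[m], seg[4:]) for m, seg in iter_segments(data)
            if m in METADATA_MARKERS]


def strip_metadata(data):
    """Rebuild the file without its APP1/APP13 segments."""
    return b"".join(seg for m, seg in iter_segments(data) if m not in METADATA_MARKERS)


def _segment(marker, payload):
    """Encode one marker segment (fixture helper)."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample: the container skeleton of a JPEG with a fake Exif block,
# not a real photograph (the scan data is three arbitrary bytes).
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(0xE1, b"Exif\x00\x00MM\x00*\x00\x00\x00\x08" + b"\x00" * 16)
    + _segment(0xDB, b"\x00" + bytes(range(64)))       # quantisation table
    + _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34\x56"
    + b"\xff\xd9"
)
```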

Doxxing through IP logging

IP loggers are tools used on the Internet to sniff out a person’s IP address. In a nutshell, these loggers attach an invisible code to a message or email, and once the receiver opens the message, the code tracks his IP address and secretly sends it back to the IP logger.

Doxxing prevention

Protect your IP address with a VPN/Proxy

VPN is short for Virtual Private Network, and acts as a filter for Internet traffic. Basically, the traffic from your PC or other device goes into the VPN and acquires its identifying properties, meaning its IP address, location and any other similar data. It even encrypts your data and makes it so that even your ISP isn’t able to figure out your IP address.

An IP logger, for instance, wouldn’t reveal your real personal IP, but the IP of the VPN.

A proxy server is a bit different than a VPN, even though it works on roughly the same principles. For one, a proxy server doesn’t encrypt your data like a VPN does, so an ISP knows your real IP address at all times. Since your Internet traffic isn’t encrypted, it’s also more vulnerable to hacking and other interception methods.

Don’t use the Login with Facebook/Google buttons

Most apps and websites that require you to register now use the “Login with Facebook” or “Login with Google” buttons.

These login methods register you on the website by using the email you used to create your Facebook or Google account.

But on top of that, you will automatically give the website information attached to your Facebook/Google account, such as current city, job, phone number, your native language, family info and more.

Sure, it’s not as convenient, but by introducing your data manually, you can control the type of information the website has about you.

It’s especially critical to follow Facebook security best practices, secure all of your social media accounts, including Instagram, and know how cybercriminals hack Facebook, Instagram and Snapchat passwords.

Don’t use your personal email to register on forums or other similar websites.

Chances are your main email goes something like this: [firstname][lastname]

It’s a simple, professional looking combination. However, it immediately gives away your identity if someone learns it.

In most cases, forums have weak security measures so malicious hackers can break into them and then leak the emails used to register the accounts.

But if the website publicly displays user emails, then all an attacker needs to do is to simply check out your user profile.

So as a takeaway advice, use a different email than your main one when registering on forums or message boards.

Hide your personal data from a website’s WHOIS.

Owning a blog or website requires that you register the Internet domain with some personal information. This information is then stored into a database called WHOIS.

The problem is that this database is public, meaning everyone can see the information used to register a website, including addresses, phone numbers and so on. Below you can find the WHOIS information for

However, by paying a small fee, you can hide some of your personal information from the public search.

To edit your information, simply go to your domain registrar and see what options they provide for you to make your WHOIS information private.

Remove yourself from data broker websites

Some websites function as a sort of Yellow Pages. They mine the Internet for data and gather it all in one place. This can include an address, social media profile, photos, phone number, email.

If you find this hard to believe, then simply check out or We warn you though, the amount of information stored in this sort of databases can be downright creepy.

Fortunately, most of these companies offer a way for you to opt out and remove any information they have about you. Unfortunately, this is bad for business, so they make it as difficult and time-consuming as possible.

The service we previously recommended, DeleteMe, cleans up all this information for you, so you don’t have to. As soon as the European General Data Protection Regulation kicks in, companies will be forced to make it easier for you to delete your information. Until that happens, you have to rely on this guide to avoid getting doxxed.

Make sure Google doesn’t have any personal information about you

This can be a pretty tough undertaking, since you would have to go up against one of the world’s biggest corporations.

Simply google your name, and see if you’ve revealed who you are on internet forums, Reddit, niche social networks, messaging boards or any other similar websites.

Delete any information you find, including the accounts if they aren’t valuable to you anymore. If you don’t have access, ask the web administrator to do it for you.

Just how much info does Google have on you? Check out your Google History by typing in your browser when logged in to a Google account. Google knows your location as well – you can find your personal Google map with all the places you visited at the URL.

Moreover, secure any account you have with Google by following the rules outlined in the ultimate cybersecurity guide. Make sure you follow the password security best practices. Lastly, don’t reveal too much about yourself when using your smartphone. You need to check your app permissions and follow the smartphone security guide closely.

You can also check out DeleteMe, a service that removes your personal data from the Internet.

Know your rights, and use the law whenever possible

If you live within the EU or Argentina, then you benefit from a so-called “right to be forgotten”. This allows you to petition a search engine to remove search results concerning you.

The legal options available in the United States are more limited, but Google for one does offer an option for you to remove content about you.


Reading this, you might say you’re safe from doxxing because you don’t have anything to hide. Is that really true?

We’re not implying that you might do anything immoral or illegal. We’re saying everyone has some aspects of their lives that they would rather keep private. Those aspects may be harmless, but they should remain private. They can range from hiding a surprise or a possibly insensitive comment from your spouse, to keeping a political opinion from your coworkers, and so on. Everyone has something they want to keep for themselves or share only with a specific community.

Moreover, there are a lot of angry people on the internet who rely on doxxing to “win” an argument. Any seemingly innocuous comment of yours has the potential to draw the anger of an internet mob.

Avoid getting doxxed. Follow the steps outlined in this anti-doxxing guide to stay safe and anonymous. For an added layer of security, here’s a guide to online privacy you can implement in under 1 hour.

Have you ever had to deal with a fake social media profile? If yes, tell us your story in the comments and also what you’ve learned from the whole thing.

This article was initally published on February 2, 2017 by Paul Cucu and was updated on January 3, 2018 by Ana Dascalescu.


Cyber Security Roundup for December 2017

UK supermarket giant Morrisons lost a landmark data breach court case in December. After a disgruntled Morrisons employee had stolen and posted the personal records of 100,000 co-workers online, the supermarket chain was held liable for the data breach by the UK High Court. The High Court ruling now allows those affected to claim compensation for the "upset and distress" caused. Morrisons said it believed it should not have been held responsible and would be appealing against the decision. If the appeal is lost it could open up the possibility of further class action lawsuits by individuals. Pending the GDPR becoming law in May 2018, such a court ruling sets a legal precedent for individuals to claim damages through the courts after personal data losses by companies. After May 2018, the GDPR grants individuals the right to sue companies for damages following personal data breaches. So we can expect 'ambulance chaser' lawyers to pick up on this aspect of the GDPR, with class action lawsuits following data breaches; it could well become the new "P.P.I. industry".

Any businesses or individuals using Kaspersky should be aware that the UK National Cyber Security Centre has warned government agencies against using the Russian supplier’s products and services, which follows a ban by US government departments in November. Barclays responded to the warning by stopping its free offering of Kaspersky anti-virus products to its customers. 2017 saw cyber security become a political football, so it is no real surprise that the UK and US once again blamed North Korea for the devastating WannaCry attacks earlier in the year; personally, I blame poor patch management and hackers, not the North Korean cyber army!

Nadine Dorries MP got herself in hot water after trying to defend now former political colleague Damian Green, following claims that Mr. Green accessed porn on his Parliament computer. This activity was reported by a retired police officer, which was said to be a breach of the Data Protection Act. Nadine tweeted "my staff log onto my computer on my desk with my login everyday" to suggest anyone could have used Damian Green's PC to access the illicit websites. This led to widespread condemnation and a warning by the ICO to MPs on password sharing.

The fact that illicit websites were not blocked by Parliament systems is one concerning security issue, but the flagrant disregard for basic cybersecurity by government MPs is gobsmacking, especially when you consider they are supposed to understand the risk and set laws to protect UK citizens from cyber attacks and data breaches. It's another "slap palm on head" moment after the last UK Prime Minister announced he wanted to ban encryption.

2017 has seen huge rises in cryptocurrency values, which has placed cryptocurrency brokers and users' crypto coin wallets in the sights of cybercriminals. This month mining platform NiceHash was breached by hackers, who stole £51 million worth of Bitcoin, and Bitcoin exchange Youbit, which lets people buy and sell Bitcoins and other virtual currencies, shut down and filed for bankruptcy after losing 17% of its assets in cyber-attacks. I think we can expect further cryptocurrency attacks in 2018 given the cryptocurrency bubble is yet to burst.

Faked LinkedIn profiles are nothing new; however, the German Intelligence Agency (BfV) said it had spotted China using faked LinkedIn profiles to connect with and gather information on German officials and politicians, which is an interesting development.

Finally, hackers were reported as taking advantage of poorly secured systems at UK private schools, and it was claimed hackers could turn off heating systems at UK schools and military bases.


Be Unhackable: Here’s Your Post-Holiday Gift Safety Checklist

‘Twas the night after Christmas, when all through the house
All the smart toys were buzzing and beeping about,
The chargers were plugged near the chimney with care,
Without a clue that the hackers soon would be there.

With the height of the season now behind us, you may be experiencing a bit of a holiday hangover. But as you wade through the holiday fallout of wrapping paper, instruction manuals, batteries packs, and downloads, don’t forget that the most important step to your family enjoying its cache of digital gifts is protecting them.

McAfee’s Most Hackable Toys 2017 survey revealed our shared habit of connectivity minus solid safeguards. What we know: While most of us realize the importance of protecting our internet-connected devices, we aren’t too concerned with making device security a priority.

So, now that you’ve purchased that new smartphone, drone, smart toy, or appliance, take that next simple step to secure your expanding digital home. Here’s a short, post-holiday checklist to help get you started.

Smart Gift Checklist

Settings, passwords, software. Once you’ve powered up your new device: 1) Make sure it’s password protected with two-step authentication. 2) Set a PIN or passcode to lock your device. 3) Install the latest software versions as soon as possible and update them regularly. 4) Protect your new devices with additional security software if possible. 5) Avoid downloading suspicious apps and never click on strange links that arrive via email, messenger, or text. 6) And here’s a biggie: If you are selling, donating, or recycling your old devices, make sure you wipe them clean.

Research the risks. According to the same McAfee study, some of the most popular digital gifts of 2017 include tablets, smartphones, drones, digital assistants, and connected toys and appliances — all of which come with inherent security risks. With the growing list of smart devices, hackers have a million new entryways into our homes. Google the name and model of your new gift and read about possible security holes. Another valuable resource is online reviews posted by people who have encountered security issues.

‘Take Five’ before having fun. Securing a new gift often takes five minutes, but it’s a must in today’s wired world. Go into your new product’s privacy settings and change manufacturer settings and set a new password. Keep the process simple and allow your kids to do it alongside you so that device security is more likely to become a habit.

Don’t be duped by cute. From fuzzy talking puppies to adorable dolls, toys can also carry massive security risks. It’s important to research if there have been any reported security vulnerabilities with toys you’ve purchased or have been gifted, so you know how to secure them. Don’t let a toy’s appearance lull you into a false sense of security. Remember: It may look like a kitty cat, but if it connects to the world wide web, then it’s a computer that could be transmitting data to a remote server. When using connected toys: 1) Use toys in places with trusted and secured wi-fi. 2) Monitor your child’s activity with the toys (such as conversations and voice recordings) through the toy’s partner parent application, if available. 3) Take time to read the toy’s disclosures and privacy policies.

Refresh passwords on your home network. Secure all of your connected devices and your home internet at its source — the network. Avoid routers that come with your ISP (Internet Service Provider) since they are often less secure. And, make it a point to change your passwords regularly.

It’s impossible to protect against all risks, but you can frustrate a hacker’s plans by putting up some security obstacles. Even though security and privacy risks come with our new gifts, it’s clear that the demand for faster, better, more impressive digital products is here to stay. Taking the time to boost your family’s security will help make sure this holiday remains a happy one into the New Year and beyond.

The post Be Unhackable: Here’s Your Post-Holiday Gift Safety Checklist appeared first on McAfee Blogs.

What To Do If Your Email Is Hacked

I think I could count on my hand the people I know who have NOT had their email hacked. Maybe they found a four-leaf clover when they were kids!

Email hacking is one of the very unfortunate downsides to living in our connected, digital world. And it’s often a situation that even the savviest tech experts find themselves in. In August this year, over 700 million email addresses (and a large number of passwords) were leaked publicly courtesy of a misconfigured spambot (a program designed to collect email addresses). Many savvy tech types were caught up in the hack, including Troy Hunt, a leading Australian computer security expert and creator of Have I Been Pwned?.

Just this month it was confirmed that every single Yahoo email account was compromised in the 2013 data breach. A whopping 3 billion accounts with stolen data including names, email addresses, phone numbers and birth dates. And recent reports have confirmed that thousands of Australian Government Officials including high-profile politicians, Defence Officials, judges and members of the Australian Federal Police were among the victims.

So, in short – it can happen to anyone…

But Why Should I Worry? I Have Nothing Valuable in My Email

If you have an identity and email address you are very valuable to a hacker – no exceptions! Even if you don’t consider yourself to have Kim Kardashian’s celebrity status or the CEO power of  James Packer, a hacker is still very keen to collect every piece of information they can about you.

Remember, hackers want to get their hands on your data. Why – I hear you ask? So, they can cash in! Some will keep the juicy stuff for themselves – passwords or logins to government departments or large companies they may want to ’target’. But the more sophisticated ones will sell your details including name, telephone, email address and credit card details and cash in on The Dark Web. They often do this in batches. Some experts believe they can get as much as AU$140 for a full set of details including credit cards.

So, you can see why they’d be interested in you!

How Big Is the Problem?

There is a plethora of statistics on just how big this issue is – all of them concerning!

According to IDCARE – a support service for Australian and New Zealand victims of identity fraud – about 1 million Australians have their identity stolen each year at a cost of about $1 billion.

The Australian Competition and Consumer Commission (ACCC) recently revealed that hacking scams cost Australian businesses close to $3 million during 2016 with the number of people reporting scams activity at record levels.

The Australian Cyber Security Centre nominates $20 million as the fallout from ‘phony emails’ aka phishing in 2016/7.

Regardless of which statistic you choose to focus on, we have a big issue on our hands!

So, What Do I Do If My Email Is Hacked?

If you find yourself a victim of email hacking there are a few very important steps you need to take. But the key here is to act FAST!!

1. Change Your Password

This is the very first thing you must do to ensure the hacker can’t get back into your account. It is essential that your new password is complex and totally unrelated to previous passwords. Always use at least 8-10 characters with a variety of upper and lower case and throw in some symbols and numbers. I really like the idea of a crazy, nonsensical sentence – easier to remember and harder to crack!

If you find the hacker has locked you out of your account by changing your password, you will need to reset the password by clicking on the Forgot My Password link.

2. Let Your Email Contacts Know

A big part of the hacker’s strategy is to ‘get their claws’ into your address book with the aim of hooking others as well. Send a message to all your email contacts as soon as possible so they know to avoid opening any emails (most likely loaded with malware) that have come from you.

3. Change Your Security Question

If you have a security question associated with your email account, please change this too, and make it unpredictable and niche! It is possible that this was how the hackers broke into your account in the first place. When Yahoo had 500 million accounts hacked in 2014, not only were the passwords stolen but the security questions too. So make up a response that makes no sense. This is the perfect opportunity to tell a lie!

4. Commit to Multi Factor Authentication

Yes, multi-factor authentication adds another step to your login but it also adds another layer of protection. Enabling this will mean that in addition to your password, you will need a special one-time use code to login. This is usually sent to your mobile phone. So worthwhile!

5. Check Your Email Settings

It is not uncommon for hackers to modify your email settings so that a copy of every email you receive is automatically forwarded to them. Not only can they monitor your logins for other sites but they’ll keep a watchful eye over any particularly juicy personal information! So, check your mail forwarding settings to ensure no unexpected email addresses have been added.

Don’t forget to check your email signature to ensure nothing spammy has been added. And also ensure your ‘reply to’ email address is actually yours! Hackers have been known to create an email address here that looks similar to yours – when someone replies, it goes straight to their account, not yours!
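The three settings checks above (unexpected forwarding, a tampered signature and a look-alike reply-to address) can be scripted against whatever settings export your mail provider offers. The following is an added example, not code from the original post or from McAfee; the JSON layout, the owner address alex@example.com and every address in the sample export are constructed placeholders, so adapt the field names to your own provider's export.

```python
"""Audit an exported mailbox configuration for signs of post-compromise tampering.

Added example, not from the original post. The JSON structure and all
addresses below are constructed; adapt the keys to your provider's export.
"""
import json
import re

OWNER = "alex@example.com"  # constructed sample owner address

# Constructed sample export: one legitimate filter plus the three classic
# post-compromise changes (external auto-forward, look-alike reply-to address,
# link injected into the signature).
SAMPLE_EXPORT = json.dumps({
    "forwarding": ["alex@example.com", "alex.backup@mailbox-cloud.example"],
    "filters": [
        {"name": "newsletters", "match": "from:news@shop.example",
         "actions": {"label": "Shopping"}},
        {"name": "invoices", "match": "subject:invoice",
         "actions": {"forward_to": "acct-copy@drop.example", "delete": True}},
    ],
    "reply_to": "a1ex@example.com",
    "signature": "Cheers, Alex <a href='http://short.example/x'>unsubscribe</a>",
})

LINK_RE = re.compile(r"https?://[^\s'\"<>]+")


def _domain(address):
    """Return the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower()


def _looks_alike(candidate, owner):
    """True when the local parts differ by at most two characters (a1ex vs alex)."""
    if candidate.lower() == owner.lower():
        return False
    a, b = candidate.split("@")[0].lower(), owner.split("@")[0].lower()
    return len(a) == len(b) and sum(x != y for x, y in zip(a, b)) <= 2


def audit_mail_settings(export_json, owner=OWNER):
    """Return a list of (severity, finding) tuples; an empty list means clean."""
    cfg = json.loads(export_json)
    own_domain = _domain(owner)
    findings = []

    # 1. Account-level forwarding to any address outside the owner's domain.
    for addr in cfg.get("forwarding", []):
        if _domain(addr) != own_domain:
            findings.append(("high", f"mail forwarded to external address {addr}"))

    # 2. Filters that forward (and especially forward-then-delete, which hides
    #    the copy from the legitimate user).
    for flt in cfg.get("filters", []):
        acts = flt.get("actions", {})
        target = acts.get("forward_to")
        if target and _domain(target) != own_domain:
            findings.append(("high", f"filter '{flt['name']}' forwards to {target}"))
        if target and acts.get("delete"):
            findings.append(("high", f"filter '{flt['name']}' forwards and then deletes"))

    # 3. Reply-to that is not the owner; a near-identical address is the worst case.
    reply_to = cfg.get("reply_to")
    if reply_to and reply_to.lower() != owner.lower():
        severity = "high" if _looks_alike(reply_to, owner) else "medium"
        findings.append((severity, f"reply-to is {reply_to}, not {owner}"))

    # 4. Links injected into the signature.
    for url in LINK_RE.findall(cfg.get("signature", "")):
        findings.append(("medium", f"signature contains link {url}"))

    return findings


if __name__ == "__main__":
    for severity, finding in audit_mail_settings(SAMPLE_EXPORT):
        print(f"[{severity}] {finding}")
```

Run it after step 1 (the password change), and again after step 6: an attacker who still has a session, or malware on the machine, can simply re-add the forwarding rule once you remove it.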

6. Scan Your Computer for Malware and Viruses

This is essential also. If you find anything, please ensure it is addressed and then change your email password again. And if you don’t have it – please invest. Comprehensive security software will provide you with a digital shield for your online life. McAfee Total Protection lets you protect all your devices – including your smartphone – from viruses and malware. It also contains a password manager to help you remember and generate unique passwords for all your accounts.

7. Change Any Other Accounts with the Same Password

Time consuming but very worthwhile! Ensure you change any other accounts that use the same username and password as your compromised email. Hackers love the fact that many of us use the same logins for multiple accounts, so it is guaranteed they will try your info in other email applications and sites such as PayPal, Amazon, Netflix – you name it!

8. Consider Creating a New Email Address

If you have been hacked several times and your email provider isn’t mitigating the amount of spam you are receiving, then consider starting afresh but don’t delete your email address! Many experts do warn against deleting email accounts as most email providers will recycle your old email address. This could mean a hacker could spam every site they can find with ‘forgot my password’ request and try to impersonate you – identity theft!

Your email is an important part of your online identity, so being vigilant and addressing any fallout from hacking is essential for your digital reputation. And even though it may feel that ‘getting hacked’ is inevitable, you can definitely reduce your risk by installing some good quality security software on all your devices. Comprehensive security software such as McAfee Total Protection will alert you when visiting risky websites, warn you when a download looks ‘dodgy’ and will block annoying and dangerous emails with anti-spam technology.

It makes sense really – if you don’t receive the ‘dodgy’ phishing email, you can’t click on it! Smart!

And finally, don’t forget that hackers love social media – particularly those of us who overshare on it. So, before you post details of your adorable new kitten, remember it may just provide the perfect clue for a hacker trying to guess your email password!


Alex x

The post What To Do If Your Email Is Hacked appeared first on McAfee Blogs.

Botnets, Breaches, and the End of Defense in Depth: Our 2017 Cybersecurity Predictions in Review

As 2016 closed out, Imperva once again peered into its crystal ball. As usual, there was much to foretell regarding the ever-changing cybersecurity realm in 2017.

We’ll be doing the same soon as we look ahead into 2018. But before we do, we like to assess how accurate we were against the predictions we made last year. Here’s how we scored ourselves against our 2017 predictions.

1. Botnet of Things (BoT)

We expected to see two distinct trends in this area in 2017: a surge in botnet numbers and sizes, and even more botnet-for-hire activity.

Nailed it: We were right on both counts. Mirai was the big IoT botnet news last year. Starting in February, the IEEE reported that one variant ran a DDoS assault against a US college over two-and-a-half days. Also sharing Mirai’s code base, Persirai is an IoT botnet that launched this past April. And that same month researchers discovered yet another Mirai-like botnet, BrickerBot.

Also in April, Imperva researchers intercepted encoded communications from a botnet consisting of 80,000 compromised devices. Their investigation revealed the botnet was used for an innovative spam campaign built to circumvent security countermeasures.

The IEEE says developers have become increasingly more sophisticated in making their botnets more powerful, as well as in cloaking their activity. This past October The Hacker News reported about IoT_reaper (a.k.a., IoTroop), a malware that takes advantage of vulnerabilities in disparate IoT devices, subjugating them into a botnet network. Two million devices ranging from routers to cameras and network video recorders may have been affected. Security journalist Brian Krebs reports that while IoTroop isn’t yet at full attack strength, it takes advantage of nine or more acknowledged vulnerabilities spread across a dozen device manufacturers.

The intentions of another growing botnet discovered this year, Hajime, remain unknown. Ostensibly it’s run by a white hat hacker looking to secure vulnerable IoT devices on our behalf. But researchers are wary: it remains very active, and its real purpose may not yet be known.

As we predicted, botnets for hire remain readily available (at the end of 2016 we were already seeing declining costs of DDoS-for-hire services). An amateur with no prior knowledge can run a short attack for a few hundred dollars. A few thousand lets anyone play “Master of the Universe.” There is also significant ’net chatter regarding free tips and help in creating an IoT botnet.

2. Ghosts from the Past

We predicted ghost hacks from prior years would continue to haunt us in 2017.

Solid A: Yahoo was perhaps the biggest of the bad ghosts. We learned this year that every single Yahoo account was hacked, not just those previously reported from the August 2013 theft – three billion in all.

While “ghosts from the past” more specifically referred to hacks that went undetected for years, a related category is the breaches that simply happened in the past but weren’t made known publicly until this year. Take the Uber breach. Hackers stole the personal data of 57 million customers and drivers, and Uber concealed it for more than a year (and even paid the hackers to delete the data).

While smaller in scale, there’s also the recently reported data breach at Stanford University. Student financial aid information and the personal information of 10,000 employees were hacked back in June 2016, but the school wasn’t aware of the breach until February 2017 when a business student found sensitive data on a public server and reported it. Disclosure of the breach occurred just now—December. And not coincidentally, the university’s chief digital officer is now out of a job. Adding insult to injury, the student who identified the breach also wrote a 378-page paper exposing the university’s misleading financial aid practices he was able to glean from the data.

The issue here is that, Uber being an exception, most “ghosts from the past” become public because corporate identifiable data is found by third parties and brought to people’s attention. It’s (sadly) fairly rare that companies identify their own breaches. The problem of ghosts will continue to occur as long as companies aren’t watching their data (hopefully GDPR will help here!). Unless they’re watching, how would they know for sure when someone took data they shouldn’t have? Almost never. Data security solutions have been available since the beginning of the last decade, and while we do see more and more companies adopting a data security strategy, many still don’t or have too late, so these ghosts may still come back to haunt them later.

3. The End of Defense in Depth

Too Early to Tell: In 2016 we found many organizations were buying trends rather than mitigating risks, and continuing to use outdated solutions (antivirus, for example) out of a commitment to a defense-in-depth strategy that no longer served them. We predicted enterprises would try to improve usage of their existing security arsenal in 2017 and that smarter organizations would rethink their strategy in general.

In 2017, discussions about data security became more frequent and were elevated broadly across many industries, such that security experts are now often required to answer questions from senior management about how corporate data won’t be stolen or extorted. The dialogue is critical to begin the process of change within a traditional defense-in-depth security framework. Many of the organizations we spoke to throughout the year were ready to rethink their strategy, but it remained unclear which (outdated) solutions they might drop that are no longer serving them.

The good thing about the upcoming GDPR regulation (and the tightening and growth of regulatory controls in general) coming forth is that it’s helped create board level discussions with CIOs and CISOs about how they could avoid having the same problems as Yahoo, Uber and others. This has allowed for both budget allocation and a rethinking within the CISO team around how would they answer questions about where their organization’s personal data resides, who accesses that data and why. Thinking through those answers will help frame a security strategy—or possibly reframe an existing one.

And lastly, in 2017, the results of data breaches saw the ousting of some senior level security management professionals, further emphasizing the priority organizations are beginning to place on the responsibilities of data security professionals and the seriousness with which security is being taken in general.

There are as many possible solutions in the data security space as there are in the network security space, so the “solution” for each customer will be a bit different. Time will tell which technologies and practices work best to detect, if not prevent, breaches in the data core of an environment with more than the traditional layered network and endpoint security solutions used in defense in depth.

How Flash Vulnerabilities Expose You To Attacks

Adobe Flash is the technology that both made the Internet into something you love and exposed you to getting hacked via Flash vulnerabilities. It will also die in 2020, when its makers pull support for it.

Until then, make sure you know what Adobe Flash is, what Flash vulnerabilities are and how you can avoid getting your data compromised.


First of all, here is how to disable Flash Player in your operating system:

  1. On Windows, open the Start menu, type “Programs and Features” or “Apps and Features” for Windows 10 into the search bar, and hit Enter. Find “Adobe Flash Player” in the program list, and double-click to open the uninstall dialog.
  2. On MacOS, download the Adobe Flash Player Uninstaller, find your Mac OS version by clicking the Apple icon and choose About This Mac. Input that information in Adobe Flash Uninstaller and remove Adobe Flash from your system.

For popular browsers, this is how you disable Adobe Flash Player:

  1. In Chrome: go to chrome://settings/content, click Advanced Settings, click Flash and select Ask First, so you will be warned if a website you visit uses Flash.
  2. In Chromium: Type about:plugins in the address bar of the browser window, click Details in the right upper corner, find Adobe Flash or Shockwave Flash and click the Disable button.
  3. In Edge: go to the top-right corner and click the three dots. Scroll and go to View advanced settings, then deselect Use Adobe Flash Player
  4. In Firefox: click the menu button in the top right corner and choose Add-ons. It will open the Add-ons Manager. Then select the Plugins panel, find Adobe Flash Player and select Never Activate.

Here is why we recommend this.

You, me and millions of other people in the world use Flash Player. To most of us, it’s a necessity and we don’t pay much attention to it because it’s that thing that runs in the background that some apps need in order to work.

But here’s why you should care:

Adobe Flash is one of the preferred methods that cybercriminals use to attack users worldwide!



You might wonder why, so I’m going to take you on a short and informative ride through its troubled history, showing how all this affects you specifically.

Here are some numbers to start you off with:

According to Adobe:

  • more than 1 billion devices are addressable today with Flash technology
  • more than 20,000 apps in mobile markets, like the Apple App Store and Google Play, are built using Flash technology.
  • 24 of the top 25 Facebook games were built using Flash technology. The top 9 Flash technology-enabled games in China generated over US$70 million a month.
  • More than 3 million developers used the Adobe Flash technology to create engaging interactive and animated web content.

But here’s the worrying statistic of the set that Adobe provides on the official page:

  • More than 400 million connected desktops update to the new version of Flash Player within six weeks of release.

Six weeks is a very long time when it comes to cybersecurity. In six weeks, millions of Flash users can be compromised. And the worse news is that they usually do become victims of cyber attacks.

Do you know how many Adobe Flash vulnerabilities were identified this year alone?


And out of those 63 security vulnerabilities, 57 were critical: they allowed information exposure, allowed attackers to bypass intended access restrictions and obtain sensitive information via unspecified vectors, or allowed them to execute arbitrary code.

Translation: vulnerabilities in the code provide cyber-criminals with the opportunity to infiltrate their own code into the victims’ computers. From there, they can do pretty much what they want, including collecting your login data, your credit card information or encrypting your computer and asking a hefty ransom.

More than 63 security vulnerabilities affected Adobe Flash users this year!

But what does Flash actually do and why do we need it?

Adobe created Flash (formerly called Macromedia Flash and Shockwave Flash) as a platform that allows developers to create vector graphics, animation, browser games, rich Internet applications, desktop applications, mobile applications and mobile games.

Here’s what Flash can do:

  • Display text and graphics to provide animations, video games, and applications
  • Allows audio and video streaming
  • Can capture mouse, keyboard, microphone, and camera input.

It can do lots of other things as well, but you probably already got the idea:

Flash is ingrained in your web browser, your applications, and the websites you use every day.

Fortunately, better technologies appeared and Adobe Flash is approaching the natural end of its life cycle, so support is being discontinued.

[Statista chart: share of websites using Flash, by year]

Statista shows a good trend, but the real numbers behind those percentages are huge. 

(And you should protect yourself, not wait for Flash to die its natural death).


  • Flash Player is used on 5.6% of all the websites in the world. This means more than 65 million websites.
  • Adobe AIR, also built on Flash, is the base for thousands of popular apps, from banking tools to Disney content, as stated by Adobe itself.
  • Adobe Reader is used for opening 200 billion PDFs every year and over 6 billion electronic and digital signature transactions are processed through Adobe Document Cloud every year.

Again, these numbers come from the horse’s mouth.

And they spell trouble when it comes to cybersecurity.

These apps and technologies are constantly exposed to vulnerabilities which turn into cyber threats which, more often than not, turn into fully-blown cyber attacks. Particularly concerning is the fact that PDFs are prime malware infection sources.

[Infographic: types of Flash vulnerabilities]


And these types of threats can sometimes be combined to incur even more damage.

Can’t software developers use other, more secure platforms?

For a long time, Flash has been the platform of choice. Developers have now moved on to other technologies, but Flash still has a strong market share and Flash vulnerabilities abound.

In hindsight, Steve Jobs’s decision to give up Flash was very appropriate, although it may not have seemed so to many at the time.

Realistically speaking, chances are that as another platform becomes the go-to solution for developers, it will suffer the same fate as Flash.

But let’s see how things actually work:

So how do cybercriminals use Flash vulnerabilities against you?

The more complex software gets, the more security holes it has. It’s as simple as that.

This is a simple version of how things happen in real life:

One or more vulnerabilities are discovered.

The software makers, in this case, Adobe engineers, work on an update to fix the Flash vulnerabilities.

They release the update – sometimes relatively fast, because users are sure targets for cyber attacks – and more bugs appear.

And this loop NEVER ends.


Here’s how cyber-criminals use vulnerabilities in Flash or other software to penetrate your system:

[Infographic: how an exploit works]

That’s why we insist that unpatched software is a huge security threat. By ignoring cyber threats and allowing vulnerabilities to exist, we’re fueling the malware economy, which is impacting all of us.

Do you know how cybercriminals can penetrate your system via a Flash security hole?

Cybercriminals have a number of approaches they use when targeting their victims:

  • They infiltrate advertising networks that deliver banners and infect those banners (which sometimes are displayed on healthy, normal websites)
  • They infect browser games
  • They share PDF documents that exploit vulnerabilities in readers, such as Adobe Reader, to drop ransomware or other types of malware
  • They penetrate desktop applications and many more.

To put it bluntly: they can be anywhere and they also change tactics during their attacks.

Why exploit kits target Flash and go undetected until it’s too late

One of the most common methods of infection that cybercriminals use is exploit kits.

An exploit kit is a toolkit that automates the exploitation of client-side vulnerabilities. It targets browsers and programs that a website can invoke through the browser.

Here’s what Trustwave had to say about this in their 2017 Global Security report:

Trustwave conducted an experiment in 2016 running online ads that tested for vulnerable versions of Flash to gauge the cost of spreading exploits through malvertising. Researchers estimate an attacker could reach approximately 1,000 computers with exploitable vulnerabilities for about $5 — less than $.01 per vulnerable machine.

So it’s dirt cheap for malicious hackers to target you. Aaand incredibly profitable for them!

Cybersecurity specialist Lenny Zeltser explains why:

A key characteristic of an exploit kit is the ease with which it can be used even by attackers who are not IT or security experts. The attacker doesn’t need to know how to create exploits to benefit from infecting systems. Further, an exploit pack typically provides a user-friendly web interface that helps the attacker track the infection campaign.

Some exploit kits offer capabilities for remotely controlling the exploited system, allowing the attacker to create an Internet crimeware platform for further malicious activities.

We also examined exploit kits’ history in one of our security alerts. It seems they’ve come a long way since 2006!

Furthermore, exploit kits pose a serious challenge to traditional cyber security products, such as antivirus.

Antivirus can’t protect you from advanced exploit kits. Find out what can!


Highly advanced exploit kits sometimes don’t even need to place a single file on your system, so antivirus is useless against them. Since antivirus employs a file-detection system to identify a threat or an infection, it won’t be able to block an exploit kit such as Angler.

There are, of course, next generation anti-hacking tools that can help you enhance your protection against sophisticated threats, so I recommend you test them to see what fits your needs best. We explored here the anti-virus vs anti-malware dilemma and what the best protection is.

Hot topic: the Zero Day Flash vulnerabilities problem

Exploit kits are especially dangerous when they go after Zero Day vulnerabilities. A Zero Day vulnerability is a security hole in the software that is unknown to the software vendor. That means that cybercriminals can exploit that hole before any update that can fix it is released.

Here’s the Zero Day scenario, as depicted in the 2015 Trustwave Global Security Report:

[Diagram: the Zero Day vulnerability timeline, from the 2015 Trustwave Global Security Report]

And here’s a headline from October 2017, as seen on Wired:


It’s about an Adobe Flash vulnerability that allowed malicious hackers to compromise Microsoft Word documents with FinSpy malware. How did it spread? Those malicious actors posed as refugees and sent journalists harrowing “personal” tales from the migrant crisis, knowing they would definitely open those documents.

So it’s not easy-as-pie to avoid Zero Day exploits and exploit kits in general. It’s not impossible though! You just have to do a bit of research on your part to make sure malicious websites don’t affect you.

I recommend a mix of security products that include:

  • an antivirus solution
  • a product that ensures anti-exploit protection
  • a security product that filters your Internet traffic for threats and blocks them before reaching your system
  • and a patching tool that delivers software updates as soon as they’re available

Some of these products can be found standalone, and some of them include these features bundled. Do take some time to do a little research, it will save you a lot of trouble (and money) in the future!

When it comes to Adobe, its history of Zero Day Flash vulnerabilities is not something to ignore.

So how do you protect yourself from cyber threats targeting Adobe Flash?

If you’ve read this blog before, you must’ve heard this plenty of times. Still, here it goes again:

Keep your software updated at all times!

Now there are 2 ways you can do this:

  1. Manually
  2. Automatically

If you choose to update your software manually, you should never ignore an update prompt!

But what if you’re somewhere where you have limited Internet access?

Or click away from the update window?

Or turn off your computer by mistake, run out of battery, etc., etc.?

Then you should choose option number 2.

Flash can deliver automatic updates by itself or through various applications that have Flash built-in, such as Google Chrome.

The easiest way, however, is to use a patching application. It will update not only Flash but also other vulnerable software on your system, such as browsers. Install it, forget it, benefit from protection!
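The "six weeks" statistic quoted earlier and the manual-versus-automatic choice above both come down to one measurable number: how many days each machine sits behind the newest release, and whether any release it is missing fixed a critical bug. The following is an added example, not code from the original post or from Heimdal; the version numbers, release dates and host names are constructed placeholders (they are not real Flash releases), and the inventory would in practice be fed from your own asset list.

```python
"""Patch-latency check: how far behind the newest release is each host?

Added example, not from the original post. RELEASES and INVENTORY are
constructed placeholder data, not real Flash Player versions or dates.
"""
from datetime import date

WINDOW_DAYS = 42  # the six-week update lag the post quotes from Adobe

# Constructed release history: version -> (release date, fixes a critical bug?)
RELEASES = {
    "27.0.0.1": (date(2017, 9, 12), False),
    "27.0.0.2": (date(2017, 10, 16), True),   # placeholder out-of-band critical fix
    "27.0.0.3": (date(2017, 11, 14), False),
}

# Constructed inventory: hostname -> installed version ("" means not installed)
INVENTORY = {
    "ws-01": "27.0.0.3",
    "ws-02": "27.0.0.1",
    "ws-03": "27.0.0.2",
    "ws-04": "",
}


def parse_version(version):
    """'27.0.0.2' -> (27, 0, 0, 2) so versions compare numerically, not as text."""
    return tuple(int(part) for part in version.split("."))


def latest_version():
    return max(RELEASES, key=parse_version)


def _newer_releases(installed):
    """Releases strictly newer than the installed version."""
    return [(v, d, crit) for v, (d, crit) in RELEASES.items()
            if parse_version(v) > parse_version(installed)]


def days_behind(installed, today):
    """Days since the first release the host is missing (0 when current)."""
    newer = _newer_releases(installed)
    return (today - min(d for _, d, _ in newer)).days if newer else 0


def missing_critical(installed):
    """True if any release the host lacks carried a critical fix."""
    return any(crit for _, _, crit in _newer_releases(installed))


def assess(inventory, today, window=WINDOW_DAYS):
    """Classify each host as absent, current, lagging or overdue.

    Returns {host: (status, days_behind, missing_critical)}. A host is
    'overdue' when it is past the window OR is missing a critical fix;
    the window is a grace period for routine releases only.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    report = {}
    for host, installed in inventory.items():
        if not installed:
            report[host] = ("absent", 0, False)  # removed entirely: the safest state
            continue
        behind = days_behind(installed, today)
        crit = missing_critical(installed)
        if behind == 0:
            status = "current"
        elif behind > window or crit:
            status = "overdue"
        else:
            status = "lagging"
        report[host] = (status, behind, crit)
    return report


if __name__ == "__main__":
    for host, (status, behind, crit) in assess(INVENTORY, "2017-12-01").items():
        print(f"{host}: {status:8} {behind:3d} days behind, critical fix missing={crit}")
```

Note that the grace period only applies to routine releases: a host missing a critical fix is reported as overdue on day one, which is the behaviour you want when a patching tool is supposed to be handling updates for you.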

Then focus on the other important aspect! Exploits use your browser most of the time, so make sure you secure it properly. We put together the definitive list of steps to enhance your browser’s protection.

The question is….

Can you live without Flash?

Yes, you can, but you might find it annoying if you’re used to having everything ready to go.

Security specialist Brian Krebs did an experiment earlier in 2015 and tried to go without Flash Player for a month. Of course, it’s been a while, so nowadays living without Flash is pretty easy. There’s no reason why you should still have it on, at least not without serious protective measures.

In almost 30 days, I only ran into just two instances where I encountered a site hosting a video that I absolutely needed to watch and that required Flash (an instructional video for a home gym that I could find nowhere else, and a live-streamed legislative hearing).

We already stressed enough that you should not allow Flash content. Browsers already warn you so, the next time you see a message like this, please think twice about clicking Allow.


The risks of Flash far outweigh the benefits. This is the usual trade-off with free software: it may cost you your privacy, your security, or both. Don’t let that be the case; avoid Flash vulnerabilities by simply not using this antiquated tech.

Keep your software up to date, use the appropriate cybersecurity tools and keep an eye out for trouble. That’s what you need to enjoy everything that the web has to offer!


Kids, Travel and Wi-Fi

If your brood of kids is anything like mine, holiday travel is all about devices and Wi-Fi. Sure, we’ll focus on sights and activities when we get to our destination, but the journey is made all the sweeter with a huge dose of technology!

And as all my boys have pretty basic mobile phone plans (I’m paying!), a technology binge means Wi-Fi! Whether it’s connecting at the airport, on the plane – yes this is a thing now, in trains or in hotels – finding Wi-Fi is possibly more important to my boys than finding the next snack bar.

But unfortunately, Wi-Fi is not the great nirvana. There can be some serious risks associated with connecting to random Wi-Fi outlets, as I continuously tell my offspring. The recent KRACK Wi-Fi saga, which potentially affected iOS and Android users worldwide, gave us all a big scare and reminded us yet again that modern Wi-Fi is not risk-free. Discovered by a Belgian researcher, the KRACK vulnerability meant a hacker could access your device even through a password-protected Wi-Fi network. It was such a big deal that even the US Department of Homeland Security issued a warning!

‘It Won’t Happen To Me’

Regardless of the warnings, there are still many amongst us that are not convinced Wi-Fi poses genuine risks, particularly when we travel. Many of my friends and family members still believe horror stories only happen to ‘other people’.

And research conducted by McAfee confirms this very opinion, with the majority of Aussies surveyed not worried about the risks associated with Wi-Fi. In fact, 62% of people on holiday either don’t care or don’t bother ensuring they have a secure Wi-Fi connection. And 41% believe our personal information is as secure when we connect to public Wi-Fi on holiday as when we are home or at work. Eeek!!!

Why Do We Need To Worry?

In short, accessing dodgy Wi-Fi means you are more likely to get hacked which can cause you a world of pain! If you have connected to a Wi-Fi hotspot that has either been set up by a hacker or a hacker has broken in to, anything you send or share online – you are also sharing with the hacker: banking details, online shopping logins, social media passwords… the list goes on. And once the hacker has that information, he/she can access your accounts as if they were you.

In addition to potentially stealing your private information, hackers can also use public Wi-Fi to distribute malware, aka malicious software. Some hackers have been known to hack the Wi-Fi connection point itself to try and trick Wi-Fi users into downloading malicious software. Attractive, believable pop-ups appear on users’ screens offering a free upgrade to commonly used software. However, clicking the link in the pop-up ad downloads the malicious software!

What Should We Do To Stay Safe?

Well, let me tell you I’m not staying home… holidays keep me going! So, what we need to do is spend just a little time implementing a few strategies so we can securely manage our kids and their online lives when we travel. Not only will this minimise the risk but just as importantly, the stress!

Here is how I’ll be managing my boys and their Wi-Fi connections when we set off on our annual family vacation this year:

1. Ban Free Wi-Fi

If your kids just have to connect to Wi-Fi, ensure it is a password-protected option, NOT a random free Wi-Fi. While this does not provide any guarantee of security, it is another layer of protection. However, no banking, financial or shopping transactions are to be undertaken on this Wi-Fi – no exceptions!

2. Invest in a VPN

A Virtual Private Network (VPN) is one of the best services you can sign up to. In simple terms, it creates a secure encrypted connection which means that anything you send or receive is safe. McAfee’s VPN, SafeConnect, provides bank-grade Wi-Fi encryption which means your personal data and online activities are kept private even when you are connected to public Wi-Fi.

3. Update ALL Your Devices Before You Leave Home

I know it is a pain but if the software and apps on your devices are not up to date, you’re essentially leaving a ‘back door’ open for a hacker. App creators and hardware vendors will release patches or updates when they become aware of a security vulnerability – so it is essential you have the latest and greatest installed before you walk out of your door!

4. Turn Off Bluetooth When Not Using It

This needs to become a family rule – just like turning off the lights before you leave the house! When your Bluetooth is active, hackers can see which networks you have connected previously. It then takes very little effort for them to copy these networks and fool your device into connecting with their Bluetooth devices. Within minutes, the hacker can steal your data, download malware and create a world of pain!

5. Download Security Software for All Your Devices including Smartphones!

Ensuring your devices are protected with comprehensive security software is the same as locking the backdoor and turning on the house alarm – common sense. McAfee’s Total Protection software provides protection for your entire fleet of devices and includes anti-virus and anti-malware software, a firewall, anti-spam functions, parental controls and a password management tool.

So, don’t cancel your holiday. Managing Wi-Fi safely when you travel with kids is absolutely possible with just a little planning. And if Nana and Pop are joining you on vacation, please ensure they are up to speed with the family Wi-Fi rules too! With 85% of older Australians accessing the internet every day, they will very likely have their eye on the Wi-Fi too!

Happy Christmas and Safe Travels!

Alex xx

The post Kids, Travel and Wi-Fi appeared first on McAfee Blogs.

How To Avoid Christmas Scams? Here’s 10+ Valuable Expert Advice

Christmas scams and winter holidays go together like horse and carriage. This I tell you, brother: you can’t have one without the other.

Unfortunately, this is the jingle of online scammers, who take advantage of the buzz around the holidays to find new and creative ways of relieving you of your money, your data or both.

However, you don’t have to be a cybersecurity expert to avoid their grip, as we will outline in this run-down. We also include valuable advice from experts, so you can better protect yourself against any and all online Christmas scams.

We’d love to hear from you with your experience: were you ever tricked or almost tricked into a Christmas scam? Let us know how you handled it in the comments below.

Now let’s see what Christmas scams look like online and how they target not just online shoppers, but gamers, job seekers, and other demographics.

Quick links here:

1. How to avoid online shopping Christmas scams
2. How to stay away from gift card scams
3. How charity scams work and how to detect them
4. How to see Christmas e-card scams for what they are
5. How to be safe from catfishing and other romance scams
6. How to stay clear of games giveaways and lotteries scams
7. How to identify winter holidays travel scams
8. How to avoid Christmas screensavers bundle malware
9. How to identify shipping notification Christmas scams
10. How to spot fake jobs, financial opportunities, and Christmas scams for loans


Now let’s see what you need to avoid this season!

1. How to avoid all online shopping Christmas scams

In 2016, City of London police officers estimated losses of about £10 million to these kinds of scams. One victim lost £86,000 when they tried to purchase a boat from a fraudster on eBay, police said. That’s just a very tiny tip of a very big iceberg.

In Australia alone, a Commonwealth Bank report revealed that Aussie shoppers will spend $11 billion during the 2017 holiday season.


Up to 13.3 million Australian citizens will also shop online. It stands to reason that the numbers are similar across developed nations, so protection against online shopping scams is essential.

We surf online looking for the perfect gift, with so many options in front of us that we don’t know what to choose. But are they real? Online scammers and IT criminals post fake ads and run websites they control in order to retrieve our online banking credentials and get access to our sensitive data.

To stay safe from this type of scam look for a few clues:

  • Is the advertised price too low to be true? Check the price for the item on other websites and see where it should be.
  • Avoid any unusual payment system for an online item, like a money order or wire transfer.
  • If you choose to pay from the website’s payment system, look for details that could indicate you are on a hacker-controlled website. There are cases when the scammers direct you to a fake payment site, so look at the URL of the page.

Expert advice #1: 

  • Verify the Web address of the shopping sites you visit. There are many copycat websites of large retailers, especially this time of year.
  • Beware of Websites with steep discounts on brand name or highly sought-after products. If you’re visiting a Website you’re not familiar with and the prices seem too good to be true, they probably are. Cybercriminals will purchase these products with stolen credit cards and quickly create a site to sell them at steep discounts. Or, you might place an order and never get anything. In both cases, the thieves obtain your credit card details when you place an order. Check domain registration sites like to find out when a Website was created and where it is registered. If the Website was created in the last few months, proceed with caution.
  • Use caution when making purchases through advertisements on social media. Cybercriminals often place ads to phish for credit card information or to infect your computer or phone with malware. Use a search engine to verify the company name is legitimate, search for the company’s name + “reviews” and/or look in the comments of an ad or post, as many times other consumers will comment if the ad is a scam.
  • Only purchase gift cards from reputable businesses. Credit-card thieves love purchasing gift cards with stolen credit cards because many hold their value well and there is a thriving secondary market.

Via Cardnotpresent
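As an added example (not code from the original article or from the quoted expert), here is a small Python checker that applies the “verify the Web address” advice above: it flags a known brand name appearing in a hostname whose registrable domain is not the brand’s, look-alike spellings, one-typo domains, credentials hidden before an “@”, and plain HTTP. The brand list and sample URLs are constructed for the demo, and the two-label registrable-domain rule is a simplification that ignores suffixes such as co.uk.

```python
from urllib.parse import urlsplit

# Constructed brand list for the demo: brand keyword -> the only registrable
# domain we treat as genuine for that brand.
TRUSTED_BRANDS = {
    "amazon": "amazon.com",
    "ebay": "ebay.com",
    "paypal": "paypal.com",
}

# Look-alike substitutions commonly seen in copycat domain names. Multi-character
# entries come first so "rn" is folded to "m" before single characters are touched.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s", "7": "t"}


def normalise(label: str) -> str:
    """Fold common look-alike characters so 'paypa1' compares equal to 'paypal'."""
    out = label.lower()
    for fake, real in HOMOGLYPHS.items():
        out = out.replace(fake, real)
    return out


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; labels are short, so O(len(a) * len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of the hostname (simplification: ignores suffixes like co.uk)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def check_url(url: str) -> list:
    """Return the reasons a shopping/payment URL looks like a copycat (empty list = none)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")  # urlsplit already lower-cases it
    if not host:
        return ["no hostname in URL"]
    findings = []
    if parts.scheme != "https":
        findings.append("not served over HTTPS")
    if parts.username or parts.password:
        # "https://www.amazon.com@evil.example/" really connects to evil.example
        findings.append("credentials embedded before '@': the real host is " + host)
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("internationalised (punycode) label; check for look-alike letters")
    reg = registrable_domain(host)
    if reg in TRUSTED_BRANDS.values():
        return findings  # genuine registrable domain of a known brand
    label = reg.split(".")[0]
    for brand, legit in TRUSTED_BRANDS.items():
        if brand in host:
            # e.g. amazon.com-secure-checkout.example or ebay.com.deals.example
            findings.append(f"'{brand}' appears in hostname but the site is really {reg}, not {legit}")
        elif normalise(label) == brand:
            findings.append(f"'{label}' is a homoglyph look-alike of {legit}")
        elif levenshtein(label, brand) == 1:
            findings.append(f"'{label}' is one typo away from {legit}")
    return findings


if __name__ == "__main__":
    # Constructed sample URLs, none of them real shopping sites.
    for sample in [
        "https://www.amazon.com/gp/cart",
        "http://amazon.com-secure-checkout.example/pay",
        "https://www.arnazon.com/",
        "https://paypa1.com/login",
        "https://www.amazon.com@evil.example/",
        "https://www.bookshop.example/",
    ]:
        print(sample, "->", check_url(sample) or "no findings")
```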

2. How to stay away from gift card scams

Fake holiday gift cards are usually promoted via social media networks such as Facebook or Twitter, and claim to offer exclusive or hidden deals.

The problem is that the gift card is fake and just an excuse to ask the victim for their personal details or credit card numbers. In the 2016 holiday season, Amazon shoppers were tricked in droves by third-party sellers who used phishing and spoofed emails.



These malicious sellers lured consumers to leave the Amazon site at the time of payment via very convincing confirmation emails or gift card offers. Amazon itself stayed silent on this topic.

This year we will probably see even more ways of tricking consumers out of their hard-earned cash.

To avoid being fooled into buying a fake gift card, make sure you:

  • Don’t click suspicious links on social media sites, even when the “special offer” comes from a friend.
  • Don’t fill online surveys that ask for your personal information.
  • Check the offer online if it’s just too good to be true. You can contact the producer’s official website directly, or look the offer up on a search engine and see what results appear. Scammers usually target a large number of people, so if it is a real scam, reports from other victims should already show up.
  • Pay special attention when buying small animals, mobile devices, cars or motorbikes, since they are among the items most commonly used in scams.
  • Don’t use Amazon gift card generator tools, websites or apps, they’re all scams.

Expert advice #2: Never use Gift Cards for payment outside of Amazon.

Via Amazon itself.

3. How charity scams work and how to detect them

Christmas time is a good reason to be kind and generous to the less fortunate people around us. That is why we find so many legitimate charity organizations appealing for money or food donations. At the same time, it is a good cover for scammers and online crooks to steal your money.

We also want to highlight sites that sell cheap trinkets while pretending to be a charity.

You probably saw something like it in the last week, when it appeared on your newsfeed promising a free octopus ring or a free glowing necklace. We highlighted many types of scams on Facebook here. Another example is Save Our Oceans NOW, which has a 1-star rating on TrustPilot but still continues to fool consumers.



Here’s how it works:

  • They claim to be an online store that donates to a charity or a charity selling wares to support itself
  • They offer a guaranteed freebie, you just have to pay shipping fees
  • You willingly give out all your sensitive personal info and pay a modest sum (5-10 dollars) for the product
  • If lucky, you receive the product
  • If you receive the product, you’re happy and advertise their scam to more friends

In the best case scenario, you got yourself a “free octopus ring”, after only paying 8 dollars in shipping fees.

Meanwhile, that ring costs around 50 cents in China and is delivered to you through a tactic called ‘dropshipping’. That means the store you make your purchase at doesn’t actually have the products available, it just places an order on your behalf to a Chinese factory.

This factory processes your order and requires absolutely no shipping fee. The original store in which you placed your order has absolutely nothing to do with the product in question, it just gets your money and your data, then makes the manufacturer send you that product.



Dropshipping is a popular and respected e-commerce practice, but it also leaves room for shadiness like these scams.

Back to the Save Our Oceans one.

So you just paid for shipping, but your money goes neither to shipping the ring (because that’s free) nor to a charitable cause (because that’s the scam). Your money goes to the website owners themselves.

In the process, if you haven’t paid by PayPal, you also willingly gave out your name, address, phone number and credit card info to the scammers.

They will use this data to target you with other scams as well, then sell their “customer” database to any takers (most of them with bad intentions).

To send your money in the right direction, take the following measures:

  • Check if the website is genuine before sending your money. The site may use official logos and appear as real. This doesn’t mean it is.
  • Contact the real charity groups directly to make your donation. Do not donate anything to intermediary people or suspicious sites.
  • If you are approached by a charity group or person and you are in doubt, check online for the organization’s name or the person’s name who requested the money.
  • Never pay shipping for a “freebie” like this. Just use the money and buy the freebie directly from a reputable seller, it’s often much cheaper and safer for your personal information.

Expert advice #3: Do your research first to make sure your contributions go to actual causes and not scammers’ pockets.


4. How to see Christmas e-card scams for what they are

Christmas is that time of the year when we give presents to friends and family members. But we also send Christmas e-cards to people we appreciate. And of course, we receive Christmas e-cards too, which is a good thing, unless we are dealing with an online scam.



In these unfortunate cases, the Christmas e-cards we receive could contain hidden malicious software or a link to a hacker-controlled website.

For this reason, we need to pay attention to the animations, pictures, videos or links in the e-card that could download malware or send us to a site that contains malicious content.

In the end, it is the malicious content that should worry us, because it may be used to steal sensitive data or other valuable information from our computers.

To stay safe from compromised holiday e-cards, follow these general guidelines:

  • Pay attention to spam campaigns that try to push these phishing attempts to you.
  • If you receive a suspicious e-mail, do not open it, do not click any link or download any attachment.
  • Make sure you have not only antivirus protection, but also a good anti-spyware program.
  • Even if you receive such an e-mail from a friend, it doesn’t mean that he or she actually sent that e-mail.

According to the Kount Merchant Holiday Retail Guide, Cyber Monday 2017 saw the biggest increase in fraud attacks, at 134%.

Expert advice #4: Not sure if the eCard you received is a scam? One simple thing you can do before opening an eCard is to contact the sender and ask them if they really sent you the card.

If they did indeed send the eCard, you’ll get peace of mind before opening it and the opportunity to thank them properly!

Via IdentityForce

5. How to be safe from catfishing and other romance scams

This is an old one and we have all seen it in one form or another. In 2016 there was a 20% increase in this type of scam, with an estimated $230 million in losses. However, the FBI says that only about 15% of romance scams are reported, so the true number can be much higher.

A classic romance scam usually starts with a conversation on a social media account or by exchanging a few e-mails.

Since we are dealing with an old scam, this one involves a lot of experience from the scammers and a little knowledge of human psychology. All of us want company and affection, especially in winter time, and all of us spend even more time connected to the Internet.

Just to name a few practices from what we mentioned in this article, online crooks use fake profiles on apparently legitimate sites in the famous practice called catfishing, run Tinder, Viber or Kik bots in phishing attempts to obtain your data and even inject malware into your computer or smartphone.



To avoid a romantic disappointment and protect yourself:

  • Do not trust anyone you meet online or someone who asks for money or your credit card information.
  • Beware of sharing your most intimate information on social media or dating sites. Even if you receive similar information from the other person, you cannot verify the truth of this info.
  • Take advantage of these security guides and be proactive with what you care most about
  • If targeted by spammers, warn others of their methods

Expert advice #5: Getting the information out there is the number one way to disrupt spammers. Put all that stuff out there so other people can be warned.

Via Wayne May, Scam Survivors founder

6. How to stay clear of games giveaways and lotteries scams

There ain’t no such thing as a free lunch. This old adage applies to both giveaway and lottery scams. There is no Microsoft Email Lottery, no Uber Online Lottery with free rides and no LinkedIn Online Lottery, just to name a few common ones.

The lottery scam will never truly go away because people will always hope to win something.


It starts with a message being sent to the victim and letting the person know a ridiculously huge amount of money or benefits have been won. All the victim needs to do is “just” pay for the small processing fees or complete some forms.

To stay safe from this online scheme:

  • Do not trust such an e-mail or offer. Google it beforehand.
  • Do not even open such an e-mail, least of all click anything in it.
  • Do not complete forms in a giveaway

A similar lottery scam, a much harder one to detect, is targeting gamers around the world. It’s harder to detect because many game companies or influencers do host giveaways offering free games.



In general, with games you should do this:

  • Do not click links sent via private messages in the game client (League of Legends, Steam, Battle.net etc.) or on streaming platforms like Twitch
  • Don’t sign up for quizzes promising that the winner will get a free game
  • Don’t sign up for contests requiring more than a simple comment on Reddit or a forum, one which does not ask for your personal information
  • Go to the official webpage of the supposed giveaway provider and check if they mention the contest. If League of Legends hasn’t announced a giveaway, then there is none.

Expert advice #6: The primary advice I would offer is to choose a secure password that is not used on any other sites (definitely not your email account password).

A long, non-recycled password is a great way to protect your account in combination with email verification
We also have a very fun account security video that the Riot team worked on 🙂

Via Christopher Hymes, Director of Information Security at Riot Games

7. How to identify winter holidays travel scams

We wrote one of the most comprehensive guides on protecting yourself against airline scams. Since the holidays are approaching, we really need to underline the fact that airline scams are just a tiny part of a booming industry: online travel scams.



The worst scams of this type simply take your money and don’t send you anywhere, maybe just to the police to file a report.

This is what happened here when a couple was just one of the many to lose thousands of pounds on fake Airbnb listings.

The “happy” cases of Christmas scams based on holiday bookings hide the real costs of your trip. You will end up paying more than initially thought.

These hidden costs could be necessary to pay when you get there to access a local attraction, pay for transport costs or other hidden fees.

To make sure you are not the victim of travel scams:

  • Always buy airline tickets or book a travel offer from official travel websites.
  • If the price for the trip or for the flight seems too low to be true, it may actually be some sort of scam.
  • Here are another 3 useful tips to avoid airline scams online

Expert advice #7: It’s really simple; don’t click anything in any unsolicited email you receive, even if it’s addressed to you.

If it’s a bona fide deal, open a new browser window and go to the agent’s or retailer’s website, and you’ll find it. Better still, use Gmail and Google’s excellent spam filter will put everything suspicious in a junk folder, and prompt you not to reply or click, even if you get tempted.
However, even official airline websites don’t exactly help foster consumer trust. Just yesterday after I entered my credit card number to buy a flight I was told that the price had risen since I started the booking process. That’s dishonest and unhelpful, to say nothing of airline booking websites that pre-select travel insurance and confirmed seat fees.

Via Jamie Carter, travel journalist

8. How to avoid Christmas screensavers bundle malware

Sites hosting screensavers have long been plagued by malware and trojans, and downloads bundled with unwanted extras remain the biggest infection vector of all.

As Emsisoft also highlights, holiday search terms lead to downloads loaded with extras such as potentially unwanted programs (PUPs). In essence, they’re the gift that keeps on giving: not joy or beautiful Christmassy landscapes, but pop-ups and dangerous types of malware and ransomware.


So, before decorating your PC with snow-laden houses, do make sure you’re visiting safe websites and not downloading anything malicious. You can do this by using traffic-filtering software that blocks malicious websites and, of course, by having an antivirus installed.

We also found a great list of screensaver suggestions and safe sources on Digital Citizen.

Expert advice #8: Be mindful of unsolicited download prompts, unusual friend requests and fake bank emails.

Via Emsisoft

9. How to identify shipping notification Christmas scams

This time of the year marks a big increase in the number of items purchased online and, at the same time, in the number of confirmation emails and shipping notifications we receive.

But are all these notifications real? As we previously highlighted, some of them may be fake and dangerous! An email requesting an update on your shipment could be a disguised attempt to retrieve valuable information from your online banking account.


This email might or might not have an attachment that you are requested to download. You could be dealing with a phishing e-mail, an e-mail designed to spread ransomware or any other combination, so take precautions!

Expert advice #9: Should you receive any of these emails, do not follow any links provided or click on any attachments. Instead, simply delete the email. If you’ve accidentally selected a link, you should run a virus scan immediately.

Via Webroot

10. How to spot fake jobs, financial opportunities, and Christmas scams for loans

One of the busiest periods in recruitment is the holiday season. Job seekers around the world flock to job sites in order to boost their careers. Malicious hackers get a present as well: the personal details of those job seekers.

A popular method of gathering sensitive information is phishing via fake job sites. Unsuspecting victims simply give out their name, address, phone number and even SSN, thinking they’re applying for a job through an established career portal.

Another one is good old-fashioned emails from “recruiters” or “staffing agencies” – click the link and at best you give out your personal information, at worst you find yourself with a malware infection.  

Expert advice #10: Be aware of forms asking for your personal information like bank account and passport numbers.

Be rational. Unless you’ve been actively applying for jobs, it’s unlikely someone is going to find you in the “internet resources” and offer you an amazing job.

Via Spamfighter

The holidays are a time for presents, not falling prey to Christmas scams, so use this guide to stay safe and spread the cheer (and valuable info!) to your loved ones.
Here’s a handy infographic to warn your friends about the Holiday scams and what threats they pose for individuals.

Online Christmas scams in 2017 Infographic


What Leakbase Going Dark Means for the Data Breach Lifecycle

“Big Company Hit with Data Breach, Millions of Users Impacted.” An all too familiar news title, for an all too familiar issue. It almost seems that each week we read about a new data breach in the news. We learn how it happened, what the hackers went after, and the ramifications. Those affected scan their credit, potentially chopping up compromised cards. But what happens after that?

A data breach is just that – data that has been breached. After they’ve attacked an organization, hackers have barrels of stolen information just sitting in their laptops. So, the next question for black hats is often – what do we do with this stolen data? Answer: turn it into profit.

That’s where sites like Leakbase come into play. Crooks could hand their stolen data over to Leakbase, a website that indexed and sold access to billions of usernames and passwords swiped in some of the world’s largest data breaches. Leakbase began its operations in late 2016, advertising access to crucial data stolen in data breaches involving LinkedIn, Myspace, and Dropbox. That is, until this week, when the site suddenly went dark, discontinuing its service entirely. In fact, after being discontinued, the domain was redirected to Troy Hunt’s site, which allows anyone to check whether specific email addresses have been involved in a data breach. There’s speculation that Dutch law enforcement has been involved in this shutdown, but as of now it remains only that – speculation.

So, even though Leakbase is gone, the existence of the site and others like it serves as an important reminder that the impact of data breaches reverberates louder and longer than we may imagine. “Warehouses of stolen data extend the risk of breaches,” says Christiaan Beek, lead scientist and principal engineer at McAfee, who helped identify this trend in cybercrime in a 2017 Threats Predictions report.

Beek says the same thing goes for cloud data services, which can be mined for valuable information while also allowing criminals to change and hide their own identities. “The same cloud capabilities that help businesses can also house stolen data and help bad guys constantly cycle through their own information, making them harder to track.” Beek says this brings home the need for evolving security operations centers connected to a community. “If it’s you vs. them, it’s very hard. If it’s all of us vs. them, we have much better odds.”

To learn more about Leakbase and the ramifications of data breaches, be sure to follow us at @McAfee and @McAfee_Labs.

The post What Leakbase Going Dark Means for the Data Breach Lifecycle appeared first on McAfee Blogs.

How to Keep Your Data & Devices Safe While Traveling

Whether you are traveling for the holidays, summer break, or for business, there are steps you can take to make sure that your devices are travel-ready. Whether you realize it or not, you can face new dangers while you’re on the road and away from your secure home network. Not only are devices more likely to be lost or stolen, you also run a greater risk of connecting to an unsecured network, or leaking your location and private information to potential crooks or scammers. That’s why it’s important to take the following precautions before you travel with your technology.

Know Your Networks—If you plan to stay connected while you’re away, be very careful about which networks you use, and avoid free Wi-Fi, like that offered in many airports, cafes and hotels, which may or may not be secure. It’s very easy for a hacker to access the private information stored on your device over an unsecured network. They simply use a piece of software to scan the network and look for any services you may have left open. Or, they can set up their own free Wi-Fi network in a public place, giving them access to any device that connects to it. That’s why you should make sure that you only use password-protected networks, at the least.

If you are on your mobile device, consider turning off Wi-Fi altogether and connecting through your network provider. They use encryption to scramble your data so third parties cannot read it.

Consider investing in a virtual private network (VPN), which is a piece of software that allows you to connect to a secure network over the Internet.

Turn Off Location Information—Many apps and online services track your location in order to map or tag you to certain spots, but unless you need navigation help while on the road you should turn this option off.

Sharing your location while you’re away can be dangerous since it alerts potential thieves when your home is empty. You should also avoid posting social media updates and photos while on vacation, for the same reason. Wait until you return home to tell people about your trip.

It’s also a smart idea to check to see if services you use access your location even though they don’t need this information to work properly. If so, turn off the location sharing option if you can, or consider deleting nosy apps to protect your privacy.

Use Mobile Security—Locking your devices with a PIN code so strangers cannot access your data is a great first step, but you should also consider comprehensive mobile security. This can help safeguard you from malware, risky links sent in email or via text, and even provide anti-theft protection. For instance, McAfee Mobile Security allows you to track a lost or stolen device, and even sound an alarm and take a picture of the culprit. It also allows you to lock down your sensitive apps, for banking or shopping, for instance, so they cannot be accessed even if your device falls into the wrong hands.

Don’t Leave Your Devices Unattended—Considering that we now carry our whole lives on our devices, including identity information, contacts, banking logins, and more, it’s essential that you do not leave your devices unattended in public. Make sure to keep them tucked away, with both screen locks and mobile security activated. Also, avoid loaning your devices to strangers to make a phone call or look something up, for instance, since this could be a scam.

Travel Data Light—Consider using a pared down phone while on the road that only has the apps you need, such as mapping, and allows you to make calls. That way, you’re not putting all of your critical data at risk if your device is lost or stolen. If you are traveling abroad, picking up a cheap phone to use while out of the country also gives you the advantage of being able to call and text at local rates.

Back Up All Your Data—Do this before you go, just in case you lose your device. That way you still have all your data, no matter what happens.

Looking for more mobile security tips and trends? Be sure to follow @McAfee_Home on Twitter, and like us on Facebook.

The post How to Keep Your Data & Devices Safe While Traveling appeared first on McAfee Blogs.

Cyber Security Roundup for November 2017

One of the most notable data breaches disclosed this month was by Uber, given the company attempted to cover up the breach by paying off hackers. Over a year ago the transport tech firm was said to have paid £75,000 to two hackers to delete 57 million Uber account records which they had stolen. Uber revealed around 2.7 million of the stolen records were British riders and drivers. As a UK Uber rider this could mean me; I haven't received any notification of the data breach from Uber as yet. The stolen information included names, email addresses, and phone numbers. Uber can expect enforcement action from regulators on both sides of the pond; the UK Information Commissioner's Office (ICO) said it had "huge concerns" about the breach and was investigating.

Jewson, Cash Converters, and Imgur all reported losing data due to hacks this month, while Equifax has reported suffering significant negative financial losses following their high profile hack of personal customer data. Equifax reported their net income had dropped by £20 million due to the hack, and their breach bill was coming in at a whopping £67 million.

November was a very busy month for security patch releases, with Microsoft, Apple, Adobe, Oracle, Cisco and Intel releasing a raft of patches to fix critical vulnerabilities. Apple even had to rush out an emergency patch at the end of November to fix a root access flaw in macOS High Sierra version 10.13.1, which let a user at the login prompt authenticate as root with a blank password. So just keep patching everything in your IT estate to ensure you and your business stay ahead of enterprising cybercriminals; the Equifax breach is a prime example of what can go wrong when system patching is neglected.

November also saw the Open Web Application Security Project (OWASP) finally release an updated version of its Top Ten application vulnerabilities list, which is a ‘must know’ secure coding best practice for all software developers and security testers, especially considering that Akamai reported web application attacks had increased by 69% in the third quarter of 2017. Look out for an updated OWASP Top Ten IBM DeveloperWorks Guidance from me in December to reflect the updated list.


Don’t fear GDPR – it’s the Key to Creating a Culture of Secure IT

With just a few months to go, reports and surveys frequently indicate that CIOs and business owners are concerned about and unprepared for GDPR. And the race is on, with a Veritas study indicating that more than half of organisations are yet to start work on meeting the minimum requirements set by GDPR.

Many organisations are looking to bring their cyber procedures and capabilities up to scratch before the regulation becomes enforceable on 25 May 2018. But with an evolving IT threat landscape, new technologies introducing new risk, and a cyber-skills deficit, it’s important that CIOs and IT directors not only focus on this critical deadline but also look beyond it.

The GDPR presents CIOs and IT directors with a once-in-a-professional-lifetime opportunity to transform both their company’s IT procedures and its security capabilities, and to future-proof the way it approaches cyber risk and provides services.

A British Approach to GDPR

While many organisations have been slow to prepare, GDPR will dramatically change the way companies globally deal with EU citizens’ data. The new European legal framework provides rules that affect the full data lifecycle, from collection through processing, storage and use to destruction.

While not prescriptive in the controls, the regulation requires organisations to implement appropriate measures to protect personal data. And failing to take the right measures could result in a heavy fine for unlawful processing, data breaches, or not reporting data breaches.

The UK government has vocally backed GDPR, and hopes to use it to improve cyber risk management in the wider economy. In the Cyber Security Regulation and Incentives Review, launched in late 2016, the government pointed to how the breach reporting requirements and fines that can be issued under GDPR present a significant call to action for industry.

Once-in-a-Generation Opportunity

From large enterprises to SMEs, many organisations are shifting their traditional business model away from physical assets in favour of a data-driven business model. Cloud, mobility and the advent of Internet of Things are driving this digital transformation, introducing new challenges that organisations must navigate to ensure citizens’ and employees’ data is protected.

While the combination of new technologies and the new regulation may seem an insurmountable task to manage over the next 12 months, CIOs and IT directors should look at GDPR as an opportunity. Rather than approaching it separately and in isolation, the new regulation has put a price on cybersecurity and secure data management – bringing it to the attention of the C-Suite.

CIOs and CISOs should harness this opportunity to get the budget and procedures in place that will enable them to transform their organisations’ approaches to cybersecurity, and reposition IT as a function that enables business transformation and growth.

Creating a Culture of Secure IT

With the fear of hefty fines and concepts such as ‘privacy by design’, CIOs and CISOs are likely to find themselves with full-company backing to create a culture of secure IT within the organisation, with a focus on protecting personal data – perhaps for the first time in a while.

This will have a dramatic impact on a number of current security challenges many IT teams are facing, such as the massive growth in Shadow IT. Due to the ease of procurement, the McAfee Labs Report found that almost 40 percent of cloud services are now commissioned without the involvement of IT, and unfortunately, visibility of these Shadow IT services has dropped year on year.

Sixty-five percent of IT professionals think this phenomenon is interfering with their ability to keep the cloud safe and secure. This is not surprising given the amount of sensitive data now being stored in the public cloud and more than half (52 percent) of respondents reporting they have definitively tracked malware from a cloud SaaS application.

For the first time, GDPR gives CIOs and IT leaders the authority to clamp down on shadow IT in their company, with the support of rest of the board who fear the ramifications of GDPR.

Embrace the Change

The innumerable opportunities that digitalisation brings are introducing many new security and data management challenges. To mitigate these new threats, CIOs and CISOs must ensure that future processes are planned securely – especially as we embrace the increase in complexity, and the migration to the cloud.

CIOs and IT directors must use the power of GDPR to get and keep board level attention and support in introducing transformational technology and processes that will protect personal data now and in the future.

The post Don’t fear GDPR – it’s the Key to Creating a Culture of Secure IT appeared first on McAfee Blogs.

Don’t Let the Grinch Hack Your Christmas!

What’s on your family’s Christmas list this year? Let me guess – technology! Our desire for shiny, fast, connected devices is almost a biological condition this time of year. However, our single-minded desire to get these devices in our hands at all costs, often means we forget about the risks…

To try and understand how us Aussies are planning on managing the risks associated with this season’s must-have Christmas gifts, McAfee Australia interviewed over 1000 Aussies aged 18-55. Participants were asked whether they were planning on buying internet-connected gifts this Christmas, how they plan to buy them and what they know about how to secure their new devices. And the findings were very interesting…

  • Online shopping is Booming But We Are Taking Risks!

76% of us are likely to purchase gifts online this coming holiday season – an increase of 2% from last year. And while most of us will purchase from the online stores of well-known retailers, some of us (18%) will choose stores that we find randomly through online shopping searches.

  • There Is Still Confusion About Protecting Our Devices

90% of us feel it is important that our online identity and connected devices are safe and secure but alarmingly, only 14% of us feel that it is necessary to protect devices with security software – down from 15% in 2016.

  • Our Devices are Collecting Our Information But Most of Us Are OK with It

Many consumers (76%) believe their devices are collecting their personal information.

  • Some of Us ‘Need’ The Latest Devices At All Costs

Despite acknowledging that our chosen device may be susceptible to security breaches, 22% of us still commit to buying it!

There is no doubt we value our digital assets with 61% of us believing their digital assets (our online files and media) are worth more than $1000 and 34% worth more than a whopping $5000!!

So, What Does This All Mean?

There is no doubt that we love our technology! In fact, in recent research from Telefonica, we are ranked 3rd worldwide when it comes to embracing technology. We even beat the Japanese!

However, the way we shop online, protect (or not) our devices and share our information plays a major role in how easy (or not) it is for cybercriminals to hack us, putting our much-loved digital assets at risk. And add a dose of Christmas cheer (and chaos) into the mix – and you can see how the risk increases!

Which Are The Most Hackable Devices?

To minimise the chance of the Grinch (aka cybercrims) ruining our Christmas this year, McAfee Australia has compiled a list of the devices most Australians have nominated as top of their Christmas lists. Each of the device’s security vulnerabilities has then been highlighted so you can take the required steps to ensure you are not hacked!! Here’s the lowdown:

1. Laptops, Smartphones and Tablets

According to our McAfee experts, laptops, smartphones and tablets take out first place for being the ‘Most Hackable’ gifts for Christmas 2017! As soon as those Christmas decorations come out, so do the sexiest models about. Slim, powerful yet light PCs, laptops and smartphones packed with the latest features and apps fill the stores… and we go into a frenzy!

Risks: Malware, especially ransomware, continues to dominate the headlines and has grown to more than 10 million samples worldwide. Just like laptops and PCs, tablets and smartphones are vulnerable to ransomware and can be compromised.

Tips: Slow down and think before clicking. One of the easiest ways for cybercriminals to infect your PC or smartphone is through malicious links. Be sceptical if you receive a link you are not expecting, use comprehensive security software that is kept updated, and install parental controls on all your children’s devices.

2. Drones

Drones won second place this year in the ‘Most Hackable’ stakes and it seems we can’t get enough of them. US drone sales are expected to top US$1 billion (A$1.3 billion) in 2017, up from US$799 million (A$1.04 billion) in 2016. And what a terrific gift – perfect for the amateur flight enthusiast through to the professional photographer looking to get that unique angle from up high!

Risks: Drones can be vulnerable in multiple ways. They can be hacked in flight over the link used to control them, and a drone can also be used to broadcast a rogue Wi-Fi network designed to capture personal information from devices that connect to it.

Tips: Always keep the software updated on your drone, and apply software patches when they are made available from the manufacturer.  Be careful about connecting to unsecured Wi-Fi networks. If you must connect, do so with a Virtual Private Network (VPN) like McAfee Safe Connect.

3. Digital Assistants

The must-have tech gadget of 2017, the Digital Assistant comes in at 3rd place on the ‘Most Hackable’ honours list. Digital Assistants are without doubt the perfect gift for anyone. However, like any connected device digital assistants can also be the target of cybercriminals. As new technology comes to market the cybercriminals are always trying to stay a step ahead – Digital Assistants are no exception!

Risks: Built-in microphones that are always listening for a wake-up command and, in some cases, cameras, can be compromised and turned into listening devices.

Tips: Just like your smartphone or PC, be sure to keep your device’s software up-to-date, and never allow physical access to anyone you do not trust.

4. Connected Toys

Coming in at 4th place, Connected Toys seem to be featured on every mini digital native’s Christmas list this year. Many of the must-have connected toys come equipped with GPS chips, cameras and an interactive conversation ability making them super attractive!

Risks: Be aware of the privacy and security risks that could affect connected toys. Manufacturers may not treat the device’s security as a top priority, which could leave it vulnerable to leaking personal information or location, or even allow an attacker to hijack the camera or microphone.

Tips: Research before you buy to make sure the toy you plan to purchase has not had any reported security issues. If the toy comes with a default password, ensure you change it to something more secure. Finally, monitor children when they are playing with connected devices and turn the toy off when it’s not in use to ensure that their privacy is being protected.

5. Connected Appliances

Vacuums, refrigerators, bathroom scales and cameras that connect to the internet aka ‘connected appliances’ are also on hackers’ lists this year. I’m very partial to some of these devices – they just make modern life so much easier!

Risks: While an attack on your refrigerator is unlikely, it’s not unheard of for connected home appliances to be hijacked and used as a pawn in a distributed denial of service attack (DDoS). A connected appliance could also leak personal information or provide details about your home, like its size and dimensions, making you a bigger target for cybercriminals.

Tips: Do not expose connected appliances directly to the internet; keep them behind your router’s firewall, ideally on a separate guest or IoT network so that a compromised appliance cannot reach your laptops and phones. Always change your connected devices’ default manufacturer passwords to something strong and unique. Read the privacy policies provided by manufacturers so you know exactly what information your device is collecting.

Before you start wrapping up your shiny tech Christmas gifts, please make sure you have a plan in place to protect the device from a Christmas hack. Why not share a few of the above tips with the lucky recipients in their Christmas card? Or better still, why not spend a little time on Christmas Day working through them together? A great Christmas bonding exercise!

Happy Christmas!

Alex x

The post Don’t Let the Grinch Hack Your Christmas! appeared first on McAfee Blogs.

How Cybercriminals Are Shopping for Personal Data This Black Friday

Thanksgiving is here, which means it’s time to stuff our bellies and prep our bank accounts for lots of bargain shopping. Black Friday and Cyber Monday have practically become holidays themselves, as each year they immediately shift our attention from stuffing and turkey toward holiday shopping. They also get quite a bit of attention from cybercriminals, so it’s unsurprising that a new Black Friday scam has emerged this holiday season, involving more than 32,000 malicious Black Friday-themed apps spoofing the branding of top U.S. online retailers.

According to a recent report, one in 25 Black Friday apps are fake, with at least 15 malicious Black Friday apps for each of the top five U.S. e-commerce brands. These apps are said to scam users in a multitude of ways, either tricking shoppers into entering credit card information, giving up Facebook and Gmail log-in details, or even downloading malware and ransomware. Plus, they’re available on legitimate app stores such as the Apple App Store or Google Play.

But the threats don’t stop there. As our Most Hackable Gifts survey highlighted, both online holiday shopping and the gifts being bought make personal data more vulnerable than ever. Laptops, smartphones, tablets, IoT toys, digital assistants – the gifts that fill our wish lists make cybercriminals feel like kids on Christmas morning. Beyond these vulnerable gifts, there’s also the potential for scammers to create fake retailer microsites, invent targeted phishing scams for fake deals, create malvertisements, or deploy malware that scrapes payment card data from physical point-of-sale systems. Therefore, it’s more important than ever that consumers understand how to secure their information. To do just that, follow these tips:

  • Go to the source. One easy way to avoid counterfeit Black Friday apps is to go to the retailer’s website on your mobile browser and look for a link to the app from their website. With Safari on iOS, if a website already has an app, you will get a box at the top asking if you want to open the page in the app or download the app if it isn’t already installed.
  • Avoid “too good to be true” deals. With Black Friday and Cyber Monday, we’re all trying to save as much money as we can. But here’s the reality: if a deal seems too good to be true, it often is. These deals are usually a cybercriminal attempting to lure you in via phishing so that you cough up your personal data. Trust deals that are advertised directly from the vendor, and if you’re unsure about their legitimacy, scan their site or call their support line for reassurance.
  • Pay with a credit card. Credit cards offer better protection against financial fraud than debit cards: your liability for fraudulent charges is limited, disputed charges are reversed while they are investigated, and thieves who get hold of the number cannot drain your bank account the way they can with a debit card. Card issuers also watch for abnormal use and are likely to flag or decline it, but don’t rely on that alone; check your statements.
  • Use a mobile security solution. As fake or malicious Black Friday apps work to infect mobile devices, be sure to cover these devices with a mobile security solution, such as McAfee Mobile Security.

And, of course, stay on top of the latest consumer and mobile security threats by following me and @McAfee_Home on Twitter, and ‘Like’ us on Facebook.

The post How Cybercriminals Are Shopping for Personal Data This Black Friday appeared first on McAfee Blogs.

GDPR: Data-Protection Soul-Searching, Not Just Compliance

The General Data Protection Regulation requires companies to review how they handle data of European Union residents. Thirty-one of its 88 pages are non-binding recitals, statements that help define some of the specific requirements in the articles, and a good number more pages are about the departments and organizations that will enforce the law.  There are specific requirements in the Regulation — reporting breaches, reviewing processing in advance, making sure vendor contracts have particular language. But GDPR makes a larger and more fundamental ask: That each company look carefully and studiously at its environment, evaluate the data it holds, and “implement … measures to ensure a level of security appropriate to the risk.” It’s a sort of data protection soul-searching designed to protect people and their data from harm. And this perspective challenges organizations to embrace the spirit of the law and be accountable for it, not just to tick a box.

“Appropriate” and “adequate” – tough words in a security context – are found repeatedly in the GDPR.  The regulation suggests that “(i)n assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.” That sounds like a basic risk assessment.  At McAfee we are aligning our processes, products and services to be compliant with GDPR and looking at ways of going beyond basic compliance to allow for maximum protection of our customers’ data.

But what should you consider in this high-stakes risk assessment, and how do you get to where you can say you have appropriate security? Remember: This isn’t legal advice – each company has to decide for itself what it needs to do to comply with GDPR. Consider these steps as ways to get started on the journey:

  1. Scope. Know what you have.  We can’t protect what we don’t know we have.  This is a good time for companies to figure out how and where they hold personal data – and not just of EU residents, and not just for its EU affiliates.
  2. Protect.  Know how you are protecting those assets.  Are you doing the basics?  Could you do more?  Are your peers doing more? Are you following your data classification policy in automated ways or just expecting employees to know it? Do you delete unnecessary data?
  3. Monitor and detect.  Do you have technologies in place (such as encryption, data-loss prevention or anti-virus software) to protect those assets from malicious actors, loss, unwanted leaks?  And do you know what to do if something goes wrong?
  4. Review.  Do you have a process to make sure that all new applications or cloud services are reviewed and that you know how you are using them?  Are you implementing data protection by design by thinking of privacy and security at the very beginning of any project?
  5. Then repeat.  The regulation requires “a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.”
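The “Scope” step is the one most often done by interview rather than by looking at the data. The following Python script is an added illustration of how an automated first pass can work; it is not McAfee’s tooling and not anything the regulation prescribes. It walks a directory, looks for e-mail addresses, payment card numbers and IBANs, and validates the latter two with their checksums so that arbitrary digit strings are not flagged. The sample files, names and records are all constructed; the card number is the common Luhn-valid test number and the IBAN is the published German example IBAN.

```python
"""Inventory personal data in a directory tree: the 'Scope' step in code.

Added illustration, not McAfee's tooling: a minimal discovery scan that walks
a folder, looks for e-mail addresses, payment card numbers and IBANs, and
reports per-file counts. Card numbers are checked with the Luhn digit and
IBANs with the ISO 7064 mod-97 rule so that random digit strings are not
reported. Every file name and record below is constructed.
"""
import os
import re
import tempfile
from collections import Counter

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# 13-19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Country code, two check digits, then 11-30 alphanumerics.
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")


def luhn_valid(digits):
    """Luhn checksum (ISO/IEC 7812-1) over a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def iban_valid(iban):
    """ISO 7064 mod-97: move the first four chars to the end, letters -> 10..35."""
    rearranged = iban[4:] + iban[:4]
    numeric = "".join(str(int(c, 36)) for c in rearranged)
    return int(numeric) % 97 == 1


def classify_text(text):
    """Return a Counter of {'email': n, 'card': n, 'iban': n} for one text blob.

    Only real hits are counted, so a blob with nothing personal yields an
    empty Counter.
    """
    found = Counter()
    for _ in EMAIL_RE.findall(text):
        found["email"] += 1
    for match in CARD_RE.findall(text):
        if luhn_valid(re.sub(r"[ -]", "", match)):
            found["card"] += 1
    for match in IBAN_RE.findall(text):
        if iban_valid(match):
            found["iban"] += 1
    return found


def scan_tree(root):
    """Walk root and return {relative_path: Counter} for files with any hit."""
    report = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    found = classify_text(fh.read())
            except OSError:
                continue
            if found:
                report[os.path.relpath(path, root)] = found
    return report


# Constructed sample corpus. The card number is the well-known Luhn-valid
# test number; the IBAN is the published example IBAN for Germany; the
# ledger line is a digit string that is NOT a valid card number.
SAMPLE_FILES = {
    "hr/staff.csv": "name,email\nAda,ada@example.org\nBob,bob@example.org\n",
    "finance/refunds.txt": "refund to card 4111 1111 1111 1111\nIBAN DE89370400440532013000\n",
    "finance/ledger.txt": "invoice 1234 5678 9012 3456 is a reference, not a card\n",
    "notes/readme.md": "nothing personal here\n",
}


def build_sample_tree():
    """Write SAMPLE_FILES into a fresh temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="pii-scan-")
    for rel, body in SAMPLE_FILES.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for path, found in sorted(scan_tree(build_sample_tree()).items()):
        print(path, dict(found))
```

The output of such a scan is a starting inventory, not a classification: every flagged file still has to be matched to a purpose, an owner and a retention period, which is the work steps 2 to 5 then build on.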

Some of the specifics of what the regulation requires will take years to truly understand as regulators and courts issue rulings on what comes in front of them, and companies will have different paths to compliance with GDPR.  But at the core of the regulation is knowing what you do with the personal data of your employees and customers, and making sure you have stopped to consider the risks inherent to personal data in your business. Thinking of GDPR as an opportunity to review the robustness of your data protection program and to make reforms that are good security, good business, and the right thing to do turns GDPR from a many-headed monster into healthy data-centric reform. After all, the GDPR tells us that “(t)he processing of personal data should be designed to serve mankind.”

For more information on the upcoming GDPR, join us at our live webcast on November 15th.

The post GDPR: Data-Protection Soul-Searching, Not Just Compliance appeared first on McAfee Blogs.

Massive Malaysian Data Breach Compromises Over 46 Million Phone Numbers

There are data breaches that impact an entire customer group, or even a certain state. And then there are data breaches that impact practically everyone in a nation. This actually happened this week, as practically every citizen of Malaysia, a country that boasts a population of some 31.2 million, was impacted by a cyberattack. A complex data breach compromised over 46.2 million mobile numbers, which could mean multiple numbers for one person, as well as exposed details such as home addresses and SIM card information.

This attack first came to light last month, when a local technology news website reported receiving a tip-off that someone was attempting to sell huge databases of personal data. From there, the Malaysian Communications and Multimedia Commission (MCMC) began looking into the matter with the police.

The police have since claimed to have identified multiple potential sources of the leak, but have yet to name them. However, one researcher speculated about the strategy behind these attacks, telling ZDNet that “’low and slow’ attacks could lay stealthily in networks for years without anyone noticing.” In other words, this attack may have been conducted slowly over the course of several years.

So, what’s the damage? This breach impacted both postpaid and prepaid numbers, and subscribers of all the major mobile carriers in the country, including Maxis, Altel, Digi, and Celcom. What’s more, in addition to customer data from local telecommunications providers, data was also leaked from various websites holding sensitive information, among them the Malaysian Medical Association and Malaysian Housing Loan Applications. Leaked data from one of these sites, for instance, contained the candidate’s login name, nationality, and hashed password.

This means that the impact of this breach goes beyond simply having phone numbers out in the open — this entire set of data is comprehensive enough for cybercriminals to create fraudulent identities to make online purchases.

So, with this massive breach putting private data as well as personal identities at risk, it’s important all those impacted act now to protect themselves. They can start by following these security tips:

  • Set up an alert. If you know there’s a chance your personal data has been compromised, place a fraud alert with your credit bureau so that any new or recent credit requests undergo scrutiny. This also entitles you to extra copies of your credit report so you can check for anything suspicious. If you find an account you did not open, report it to the police and to the creditor involved so you can close the fraudulent account (US readers can also report it to the Federal Trade Commission).
  • Freeze your credit. Where your country’s credit bureaus offer it, a credit freeze seals your credit reports so that no one else can take out new accounts or loans in your name. You can do this without impacting your existing lines of credit, such as credit cards. If you want to apply for services or open new accounts, you can temporarily “unfreeze” your credit using a personal identification code only you have.
  • Make passwords a priority. First, immediately change your password on any of the sites impacted by this breach. Remember that a hashed password is not a safe password: if it was short or common, it can be cracked offline and then tried against your other accounts, so use a long, unique password for every account. A password manager such as the True Key app can create strong passwords for you, remove the hassle of remembering them, and log you into your favorite websites automatically using multi-factor authentication.

And, of course, stay on top of the latest consumer and mobile security threats by following me and @McAfee_Home on Twitter, and ‘Like’ us on Facebook.

The post Massive Malaysian Data Breach Compromises Over 46 Million Phone Numbers appeared first on McAfee Blogs.

What To Do If Your Data Is Stolen

If you’re like most people, you share your personal information with a number of companies and service providers, from banks to social media sites. And even if you’re careful, what happens if there is a weak link and your personal data is either stolen or leaked? That’s when you need to know how to minimize the damage.

The recent high-profile breach of credit reporting agency Equifax, in which data on over 145 million customers was potentially revealed, served as a wakeup call to many people who suddenly had to scramble to keep their data safe. After all, much of their sensitive information, such as Social Security numbers, birth dates and addresses were potentially exposed to scammers and identity thieves.

If you get caught in a situation like this, simply lose your wallet, or just want to take preventative measures, here is what to do next:

1) Place a Fraud Alert—If you know your data has been compromised, place a fraud alert on your credit so that any new or recent requests undergo scrutiny. This also entitles you to extra copies of your credit report so you can check for anything suspicious. If you find an account you did not open, report it to the police or Federal Trade Commission, as well as the creditor involved so you can close the fraudulent account. Then, make sure you correct your credit report by filing a dispute with each of the three credit bureaus.

2) Freeze Your Credit—This allows you to seal your credit reports so no one else can take out new accounts or loans in your name. You can do this without impacting your existing lines of credit, such as credit cards. If you want to apply for services or open new accounts, you can temporarily “unfreeze” your credit using a personal identification code only you have.

For this to be truly effective, however, you need to freeze your credit at each of the three major credit-reporting agencies (Equifax, TransUnion & Experian). They usually charge a small fee both to freeze and unfreeze your credit.

3) Set Up Alerts & Stay Vigilant—Many banks and credit card companies now offer free alerts to notify you via text message or email when new purchases are made, when there is an unusual charge, or when your account balance drops to a certain level, for example. Make sure you take advantage of these services to keep a close eye on your accounts. You’ll also want to review your statements regularly for any suspicious activity.

4) Consider Identity Theft Protection—An identity theft protection service can monitor your accounts, alert you of potential problems, insure you against ID theft, and even help you regain your money and credit if something goes wrong.

5) Lock Down Your Information—While there’s not a lot you can do to prevent data leaks that may occur with companies that have access to your information, you can take steps to ensure you are doing everything you can to keep your information safe.

Make sure the privacy settings on your social media accounts and mobile apps are as strong as possible, and commit to multi-factor authentication on your critical accounts, such as online banking. This means you have to take multiple steps to verify your identity before logging into an account, such as entering a passcode and then responding to a text message sent to your phone. Where an account offers it, prefer an authenticator app or a hardware security key over text messages: SMS codes can be intercepted or redirected by someone who has hijacked your phone number through your carrier (a SIM swap), whereas app and hardware codes never leave your device.

Pick strong, unique passwords for each of your sensitive accounts so even if a password is leaked not all of your accounts are vulnerable. Or, employ a password manager to help you.

Be careful about how much personal information you share online and never respond to emails or text messages requesting sensitive data, unless you know and trust the source.

Always use comprehensive security software, and keep all your software up-to-date to help protect you from the latest threats.

Looking for more mobile security tips and trends? Be sure to follow @McAfee Home on Twitter, and like us on Facebook.

The post What To Do If Your Data Is Stolen appeared first on McAfee Blogs.

The GDPR Basics: What Consumers Need to Know

What companies do with consumer data has always been a hot topic – and becomes hotter after every security breach, when consumers learn more about what can go wrong with their data and worry about the implications of their personal information being in the wrong people’s hands. In the United States, most states and several cities now have laws about data breaches, and many have laws regarding some form of consumer data protection. Europe has had a data protection law covering its residents for more than twenty years.

But the past twenty years have seen lots of changes in technology and in the way data can help consumers, so the European Union has refreshed the former law – the Data Protection Directive – with a more robust law, the General Data Protection Regulation (GDPR). But what exactly does GDPR entail for consumers? Let’s take a look. 

What is GDPR?

The General Data Protection Regulation (GDPR) updates EU law to consider the internet, e-commerce, online advertising, and the increase in data-driven marketing. Many of the provisions of the prior law are restated in the GDPR, but now companies face tougher fines for non-compliance. The new Regulation also requires companies to report breaches to their regulators and often to consumers, and allows people to ask what the companies they work for and do business with do with their data. Replacing the Data Protection Directive, GDPR is more of an evolution of existing rules than a revolution, but it brings in important changes and reduces the number of country-specific laws that will be allowed. These changes have been introduced due to the changing nature of the world we live in, the volume and prevalence of data, and the value of personal data in an increasingly connected world.

Who Does It Affect?

With enforcement of the Regulation starting on May 25th, 2018, it’s important to know what this legislation specifically impacts. The scope of “personal data” is broad, ranging from online identifiers such as IP addresses to social identities, in addition to the usual names and contact information (both personal and work in the EU), but basically GDPR will cover anything that can be traced back to you as a specific individual, aiming to better enforce the protection of personal data as a basic human right. It protects the data of EU residents – in fact, it is irrelevant where in the world a company collecting data is based, as long as it has EU customers. GDPR places a requirement on companies to “implement appropriate technical and organizational” measures to ensure the security of the personal data.

The Regulation requires companies to look at how they collect and store consumer data, keep records of certain kinds of consent, and be transparent about how they use personal data. The Regulation allows EU residents to ask companies questions about how their data was obtained, to opt out of marketing, and – in some cases – to ask that their data be deleted.

How to Prepare for It

With GDPR enforcement fast approaching, the most important thing both companies and European Union consumers can do is be educated and prepared. Companies have to review their practices and make sure they are complying with the Regulation. Consumers need to know their rights and how GDPR will enable them to ask questions about what happens to their personal data. They’ll likely see more “consent” requests attached to any data collection – and notices about data breaches. But like any new law, the true meaning of the GDPR regarding consumer data may take years of court cases to truly unravel.

Stay on top of the latest consumer and security news by following me and @McAfee_Home on Twitter, and ‘Like’ us on Facebook.

The post The GDPR Basics: What Consumers Need to Know appeared first on McAfee Blogs.

Science of CyberSecurity: Latest Cyber Security Threats

As part of a profile interview for Science of Cybersecurity I was asked five questions on cyber security last week, here's question 5 of 5.

Q. What keeps you up at night in the context of the cyber environment that the world finds itself in?
The growing dependence on and integration of connected computers within our daily lives mean we are embarking on an era where cyber attacks will endanger our lives. Networked and complex IT systems are inherently insecure, meaning it is open season for nation-states, cyber terrorists and the curious to attack these life-integrated emerging technologies, from driverless cars to countless new home IoT devices. I fear it will only be a matter of time before a cyber attack causes human harm or even loss of life. The impact of the recent NHS ransomware attack serves as a warning; this cyber attack directly caused the closure of accident and emergency departments and the cancellation of operations. The future threats posed by artificial intelligence and quantum computing are also growing concerns for cyber security, and well worth keeping an eye on as these technologies continue to progress.

Cyber Security Roundup for August 2017

TalkTalk yet again made all the wrong cyber security headlines in the UK this month, after it was handed a £100,000 fine by the Information Commissioner's Office (ICO) for not adequately protecting customer records from misuse by its staff. The ICO investigated the Internet Service Provider after receiving complaints from customers, who said they received cold calls from scammers who knew their TalkTalk account information.

Second-hand goods firm CeX disclosed a compromise of up to 2 million online customer accounts due to a hack; however, CeX has yet to disclose any details about the cyber attack. My blog post and advice about this are here

Hackers had a field day taking over social media accounts, from Real Madrid and FC Barcelona to Game of Thrones. Much embarrassment could have been avoided if multi-factor authentication had been adopted on the accounts, aside from the spate of Instagram hacks, which were caused by the exploitation of a software vulnerability within Instagram's API.

In what looks like a follow-on from the brute-force attack on UK Parliament email accounts in June, the Scottish Parliament was hit by a very similar cyber attack. It was reported that, as in the Westminster attack, many MSPs were found to be using weak passwords. Let's hope the Welsh Assembly has taken note and learned the password security lessons.

A massive 'spambot' holding 711 million email addresses was found to be spreading malware by a security researcher. It was said to have been put together using stolen data from previous LinkedIn and Badoo data breaches. Using legitimate email addresses helps the spam evade anti-phishing and spam filters.

On the ransomware front, LG reported WannaCry caused a two-day shutdown of its business in South Korea. TNT customers were said to be furious after NotPetya badly affected its ability to deliver hundreds of thousands of items, particularly in Ukraine. And Digital Shadows reported a trend of cyber criminals dropping exploit kits for ransomware, as there is simply a lot more money to be made from ransomware attacks.

On the critical security patching front, Microsoft released 25 patches, Adobe released 43, and Drupal patched a critical bug. And there was an interesting article posted by Microsoft on cyber resilience worth reading.


Cyber Security Roundup for July 2017

Apologies for the delay in this month's Cyber Security Roundup release; I've been away on holiday and taking a break from monitor screens and keyboards for a couple of weeks.

The insider threat danger manifested at Bupa, where an employee stole and shared 108,000 customer health insurance records. Bupa dismissed the employee and is planning to take legal action. The Bupa data breach was reported both to the FCA and the ICO; it remains to be seen if the UK government bodies will apportion any blame onto Bupa for the data loss.

The AA was heavily criticised after it attempted to downplay a data compromise of over 13 gigabytes of its data, which included 117,000 customer records. The AA’s huge data cache was incorrectly made available online after an AA online shop server was “misconfigured” to share confidential data backup files.

A customer data breach at World Wrestling Entertainment (WWE) should serve as a stark warning for businesses to adequately assure third parties and to secure hosted cloud systems. Three million WWE fan records were compromised after a third party misconfigured a cloud-hosted Amazon server used by the WWE online shop.

The aftershock of Petya / NotPetya rumbles on, with the malware still reported as disrupting firms weeks after the attack. There are claims the mass media coverage of the attack has improved overall staff cyber security awareness.

It was found that over 1.6 million NHS patient records were illegally provided to Google's artificial intelligence arm, DeepMind, without patient consent, meaning the NHS and Google have breached the Data Protection Act.

A 29-year-old British hacker named as Daniel K, but better known by his hacker handle "BestBuy" or "Popopret", admitted to hijacking 900,000 Deutsche Telekom routers in Germany after he was arrested at Luton airport in February. He said he made "the worst mistake of my life" when he carried out a failed attack in November for a Liberian client who paid him 8,500 Euros to attack the Liberian's business competitors. BestBuy used a variant of the Mirai malware to take advantage of a security vulnerability in Zyxel and Speedport model routers used by the German Internet service provider, intending to grow his botnet and so the scale of DDoS attacks he could perform on behalf of clients.

A document from the National Cyber Security Centre (NCSC) was obtained by Motherboard and was verified by the BBC with the NCSC as being legitimate. The document, reportedly produced by the British spy agency GCHQ, states that some industrial software companies in the UK are "likely to have been compromised" by hackers. The NCSC report discusses the threat to the energy and manufacturing sectors. It also cites connections from multiple UK internet addresses to systems associated with "advanced state-sponsored hostile threat actors" as evidence of hackers targeting energy and manufacturing organisations.

UniCredit Bank had over 400,000 customer loan accounts accessed through a third party. This is the second security breach at the Italian bank in a year.

Finally, this blog was named one of the Best Technology Blogs of 2017 by Market Inspector and by Feedspot this month.


What is Data Privacy and why is it an important issue?

The question of whether privacy is a fundamental right is being argued before the honorable Supreme Court of India. It is a topic to which a young India is waking up. Privacy is often equated with liberty, and young Indians want adequate protection to express themselves.

Privacy according to Wikipedia is the ability of an individual or group to seclude themselves, or information about themselves, and thereby express themselves selectively. There is little contention over the fact that privacy is an essential element of Liberty and the voluntary disclosure of private information is both part of human relationships and a digitized economy.

Data privacy is debated because of the inherent potential for surveillance and disclosure of electronic records that constitute private information, such as sexual orientation, medical records, credit card information, and email.

Disclosure could take place due to wrongful use and distribution of the data, such as for marketing, surveillance by governments, or outright data theft by cyber criminals. In each case, a cybercitizen's right to disclose specific information to specific companies or people, for a specific purpose, is violated.

Citizens in western countries are legally protected through data protection regulation. There are eight principles designed to prevent unauthorized use of personal data by government, organizations and individuals:

Lawfulness, Fairness & Transparency
Personal data need to be processed based on the consent given by data subjects. Companies have an obligation to tell data subjects what their personal data will be used for. Data acquired cannot be sold to other entities, such as marketers.
Purpose limitation
Personal data collected for one purpose should not be used for a different purpose. If data was collected to deliver an insurance service, it cannot be used to market a different product.
Data minimization
Organizations should restrict collection of personal data to only those attributes needed to achieve the purpose for which consent from the data subject has been received.
Accuracy
Data has to be collected, processed and used in a manner which ensures that it is accurate. A data subject has the right to inspect and even alter the data.
Storage limitation
Personal data should be collected for a specific purpose and not be retained for longer than necessary in relation to that purpose.
Integrity and confidentiality
Organizations that collect this data are responsible for its security against data theft and against data entry/processing errors that may alter the integrity of the data.
Accountability
Organizations are accountable for the data in their possession.
Cross-border personal information
Personal information must be processed and stored in a secure environment, and this must be ensured even if the data is processed outside the borders of the country.

It is important for cybercitizens to understand their privacy rights particularly in context of information that can be misused for financial gain or to cause reputational damage.

Simple GDPR Information Security Guidance: Don’t believe the Hype

PDF version of this blog post is available here - ITSE-GDPR-InfoSec-Guide-Jun17.pdf

There are plenty of Cyber Security Sales and Marketing teams jumping on the General Data Protection Regulation (GDPR) bandwagon at the moment, often peddling fear of massive fines and in far too many cases spouting nonsense and unnecessary guesswork about the GDPR's information security requirements.

You do not need to be a lawyer or a fancy pants security consultant to understand the GDPR's information security requirements; they are freely provided by the European Union. It is just a matter of taking the time to actually read and digest each of the GDPR's requirements and then interpreting how your organisation will comply, albeit some requirements result in full-blown project plans. I recommend reading the bite-sized, section-headed version of the GDPR on rather than the EU-released GDPR paper.

Nothing in this blog post is official legal advice; it is an interpretation and personal opinion on meeting the GDPR’s requirements. Further official and detailed GDPR information security guidance is expected to be released.

The United Kingdom’s exit from the European Union will not occur before GDPR comes into UK law on 25th May 2018. Therefore all UK organisations storing or processing any personal data records will have to comply with the GDPR from May 2018. It is highly likely GDPR compliance will continue to be a UK personal data legal requirement post-Brexit. The GDPR applies to any non-EU country processing EU citizen personal data, and it is unlikely that the UK will adopt a tiered data protection legal system where UK nationals have fewer privacy rights than EU nationals.

Only 3 of the 99 GDPR Requirements are directly Information (Data) Security Related
That's right, there are just three information (data) security requirements in the GDPR, Articles 32, 33 and 34; the other 96 Articles relate to data subject rights, data controller responsibilities, sending personal data outside the EU and general administration. There is a hidden information security requirement in GDPR Recital 63, but aside from that there is not a lot for information security professionals to worry about, unless you have been tasked to prepare an organisation to meet all of the GDPR's requirements, in which case you need to be data privacy qualified.

Information Security Vs Data Privacy
Some companies like to lump data privacy within information security management, but to properly understand and manage modern data privacy rights in medium to large organisations requires individual(s) with the appropriate qualifications and background in privacy law. Data privacy is a completely separate discipline; applying the intricacies of privacy rights within business processes can be completely alien to the average information security professional. We still live in an age where the information security function is incorrectly placed as a subset of IT in some organisations, but nevertheless, even though privacy and security are linked, they should be regarded as separate business functions and as separate professions, a notion included as a requirement in the GDPR under Article 37.

Article 37 “Designation of a Data Protection Officer”
"the data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39."
Article 37 and Article 38 require the designation of a Data Protection Officer (DPO).

Article 39 “Tasks of a Data Protection Officer” outlines a number of privacy officer duties, including monitoring compliance with the GDPR.

GDPR's Information Security Requirements (Recitals & Articles)
GDPR has 173 Recitals and 99 Articles. Recitals set out the reasons behind the regulation and what it is trying to achieve, while Articles are the regulatory requirements, the GDPR rules.

Article 32 Apply an Appropriate level of Information Security (Risk Assess)
This is best practice information security management; there is nothing specific or new here, it should all already be being done. Take a risk-assessed approach, information security 101: confidentiality, integrity and availability of all personal data within the organisation. Don't forget availability: unlike PCI DSS, the GDPR regards the availability of personal data as a security requirement. Article 32 requires information security to be of an industry best practice standard, appropriate to the size and nature of the organisation; this means information security does not need to achieve a 'state of the art' level, but a level that is generally considered adequate for the nature and type of organisation. So if your organisation already has a strong security posture, to the standard of ISO27001:2013, you are in an excellent position to meet the GDPR's information security requirements.

Article 33 Notification of Breaches to the ICO
The ability to report data breaches to the ICO within 72 hours. As part of incident management and response policy and planning, include a process to inform the company's designated Data Protection Officer (DPO) about any detected personal data breaches, allowing the DPO to report them to the ICO.

Article 34 Notification of Breach to Data Subjects
As with Article 33, ensure DPO notification is included as part of your incident management/response process, to allow your DPO to inform data subjects should their personal data be at risk due to a security incident.

Article 35 Data Protection Impact Assessment
“7. The assessment shall contain at least: (7d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned.”
Article 35’s 11 requirements are a Data Privacy Officer responsibility in my view, so it is not counted as one of the 3. However, paragraph 7(d) effectively repeats Article 32: a risk-assessed approach to applying information security controls appropriate to protecting personal data.

Documentation and assessments evidence is required to demonstrate compliance, again such documentation and security assessments should already be in place if your organisation operates a best practice level information security management.

Article 30 – Records of Processing Activities
“1. Each controller and, where applicable, the controller's representative, shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information: (g) where possible, a general description of the technical and organisational security measures referred to in Article 32(1).”

“2. Each processor and, where applicable, the processor's representative shall maintain a record of all categories of processing activities carried out on behalf of a controller, containing: (d) where possible, a general description of the technical and organisational security measures referred to in Article 32(1).”

Another set of Data Privacy Officer requirements, but Article 30 references the information security Article 32. In other words, make sure the records of processing activities are in scope of the information security policy/programme, and that the security controls are documented, which they already should be.

Data Subject Access Rights Portal
Recital 63 refers to organisations providing a Data Subject Access Rights Portal.
"Where possible, the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data."
Providing a portal is “possible” for most organisations; for many it could mean adding functionality to existing staff- and customer-facing websites/portals.
Bear in mind that even though Recital 63 reads like a GDPR requirement, it is the Articles that are the legal requirement to meet, not the Recitals. Then there is Article 12, which states:
"Where the data subject makes the request by electronic form means, the information shall be provided by electronic means".

The provision or expansion of an internet-connected portal to handle GDPR's data privacy rights could fulfil this requirement. Obviously, the privacy portal needs to be secure. As such it will be an information security responsibility and GDPR requirement to secure it.

GDPR Privacy Data Subject Rights (via an Internet Portal)
The GDPR requires the following data subject privacy rights to be fulfilled within one month and without any charge, so given Recital 63 and Article 12 the best way to achieve this, especially where there are thousands of personal data records in the care of the organisation, is an internet-facing portal that provides each data subject with the ability to exercise their new GDPR privacy rights.
  • Article 13 - explain how personal data is processed
  • Article 15 - provide a copy of personal data (Data Subject Access Request)
  • Article 16 - correct any incorrect personal data
  • Article 17 - personal data erasure
  • Article 18 - restrict the processing of personal data
  • Article 20 - personal data portability, provide personal data to another data controller
  • Article 21 - object at any time to the processing of personal data
  • Article 22 - not be subject to automated data processing and profiling
Not complying with the above articles means a data subject can seek compensation by engaging a solicitor and complaining to a court (Article 79 & Article 80), or through a complaint to the ICO (Article 77), which has the infamous fine potential of up to 20M Euro or 4% of global turnover.

It should go without saying that the security of any Internet-facing portal hosting personal data en masse needs to be highly robust and security tested via penetration testing at least annually and after any significant change.
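As an added illustration of the kind of portal the post describes (this is not code from the original post or from any real portal), the Python sketch below models a request handler for four of the rights listed above: access (Article 15), rectification (Article 16), erasure (Article 17) and portability (Article 20), plus the one-month response window of Article 12. The record store, subject identifiers, field names and log format are constructed sample data. The security point it makes is the one the post leaves implicit: every request is bound to the authenticated data subject, so a request that names a different subject is refused and written to the audit trail rather than served, which is the failure a penetration test of such a portal would look for first.

```python
"""Sketch of a data-subject-rights request handler (added example; constructed data)."""
import calendar
import datetime as dt
import json

# Constructed sample record store: subject id -> personal data record.
RECORDS = {
    "subj-001": {"name": "A. Example", "email": "a@example.invalid"},
    "subj-002": {"name": "B. Example", "email": "b@example.invalid"},
}

# Every request, allowed or refused, leaves an audit entry; erased records keep their entries.
AUDIT_LOG = []


def response_deadline(received_iso: str) -> str:
    """Article 12: respond within one calendar month of receipt (day clamped to month length)."""
    received = dt.date.fromisoformat(received_iso)
    year = received.year + received.month // 12
    month = received.month % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return dt.date(year, month, min(received.day, last_day)).isoformat()


def _authorize(authenticated_subject: str, target_subject: str, action: str) -> None:
    """Bind the request to the logged-in subject: a subject may only act on their own record."""
    allowed = authenticated_subject == target_subject
    AUDIT_LOG.append({"who": authenticated_subject, "target": target_subject,
                      "action": action, "allowed": allowed})
    if not allowed:
        raise PermissionError("request must concern the authenticated data subject")
    if target_subject not in RECORDS:
        raise KeyError(f"no record for {target_subject}")


def denied_requests() -> int:
    """Number of refused requests in the audit trail; a spike here is worth alerting on."""
    return sum(1 for entry in AUDIT_LOG if not entry["allowed"])


def access_request(authenticated_subject: str, target_subject: str) -> dict:
    """Article 15: return a copy of the subject's personal data."""
    _authorize(authenticated_subject, target_subject, "access")
    return dict(RECORDS[target_subject])


def rectify(authenticated_subject: str, target_subject: str, updates: dict) -> dict:
    """Article 16: correct existing fields only; unknown fields are rejected."""
    _authorize(authenticated_subject, target_subject, "rectify")
    record = RECORDS[target_subject]
    unknown = set(updates) - set(record)
    if unknown:
        raise ValueError(f"unknown fields: {sorted(unknown)}")
    record.update(updates)
    return dict(record)


def export_portable(authenticated_subject: str, target_subject: str) -> str:
    """Article 20: machine-readable copy (JSON) for transfer to another controller."""
    _authorize(authenticated_subject, target_subject, "export")
    return json.dumps(RECORDS[target_subject], sort_keys=True)


def erase(authenticated_subject: str, target_subject: str) -> bool:
    """Article 17: delete the record. The audit entry is retained; the personal data is not."""
    _authorize(authenticated_subject, target_subject, "erase")
    del RECORDS[target_subject]
    return target_subject not in RECORDS


if __name__ == "__main__":
    print(response_deadline("2018-01-31"))          # 2018-02-28
    print(access_request("subj-001", "subj-001"))
    try:
        access_request("subj-001", "subj-002")      # refused and logged
    except PermissionError as exc:
        print("refused:", exc)
    print("denied so far:", denied_requests())
```

In a real deployment the authenticated subject id would come from the session established by the portal's login (with multi-factor authentication, as the post recommends elsewhere), never from the request body, and the audit trail would be shipped to the security monitoring platform so that refused cross-subject requests are visible to the incident response process that Articles 33 and 34 rely on.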

The Information Security Breach GDPR Fines Truth
A breach of information security means a fine of up to 10 Million Euro (not 20 Million Euro) or up to 2% of global turnover (not 4%).
Article 83 states "be subject to administrative fines up to 10,000,000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:  - (a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39 and 42 and 43" - Articles 32, 33, & 34 are the information security requirements, the higher level penalty rates are for privacy breaches.

The GDPR Right to Data Protection (not that clear-cut as you might think) 
Recital 1 is titled "Data Protection as a fundamental right",
but Recital 4 states "The right to the protection of data is not an absolute right" and goes on to state "it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality".

So the GDPR is rights-based and respects all other EU 'rights', which must include the right of 'the freedom to conduct business' as stipulated in various EU Charters and Treaties; remember the EU is founded upon a free-trading bloc of countries, not as a nation state. I am not a lawyer so I am not making a conclusion, but pointing out what might be an area of interest to lawyers fighting GDPR enforcement penalties.

Cyber Security Roundup for May 2017

The WannaCry ransomware outbreak within the NHS dominated the national media headlines earlier this month. Impacting 45 NHS sites in England and Scotland, the massive cyber attack led to cancelled operations and diversions of emergency medical services. The WannaCry outbreak was not just limited to the NHS, as thousands of computers were shut down at companies in almost 100 countries. After an initial infection via a phishing email and file encryption, the ransomware has the added ability to rapidly self-replicate, infecting other networked Windows computers without Microsoft’s March 2017 critical update (MS17-010) installed; this drove the swift spread of the malware within large organisations and across the world.
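The self-replication step described above is the part a defender can see on the network: one host suddenly opening SMB connections to many peers. MS17-010 is Microsoft's update for the SMB flaws the worm component exploited, which is why TCP port 445 is the port watched here. As an added example (not from the original roundup), the Python below parses constructed flow-log lines and flags any source that reaches an unusually large number of distinct hosts on port 445 within a sliding window. The log format, addresses, window length and threshold are all assumptions chosen for illustration and would be tuned to a real network's baseline.

```python
"""Detect SMB fan-out: one host contacting many peers on TCP/445 in a short window.
Added example with constructed log data; not from the original post."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow-log lines, format: "<ISO timestamp> <src ip> -> <dst ip>:<dst port>".
# 10.0.1.15 sweeps six hosts in six seconds; 10.0.1.20 makes two normal connections.
SAMPLE_LOG = """\
2017-05-12T09:00:01 10.0.1.15 -> 10.0.1.1:53
2017-05-12T09:00:05 10.0.1.20 -> 10.0.3.7:445
2017-05-12T09:00:10 10.0.1.15 -> 10.0.2.10:445
2017-05-12T09:00:11 10.0.1.15 -> 10.0.2.11:445
2017-05-12T09:00:12 10.0.1.15 -> 10.0.2.12:445
2017-05-12T09:00:13 10.0.1.15 -> 10.0.2.13:445
2017-05-12T09:00:14 10.0.1.15 -> 10.0.2.14:445
2017-05-12T09:00:15 10.0.1.15 -> 10.0.2.15:445
2017-05-12T09:05:00 10.0.1.20 -> 10.0.3.8:445
"""


def parse_flows(text):
    """Turn log text into (timestamp, src, dst, port) tuples; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, rest = line.split(" ", 1)
        src, dst_port = rest.split(" -> ")
        dst, port = dst_port.rsplit(":", 1)
        events.append((datetime.fromisoformat(stamp), src.strip(), dst, int(port)))
    return events


def fanout_alerts(events, port=445, window_seconds=60, threshold=5):
    """Return {src: peak distinct destinations} for every source whose peak number of
    distinct peers on `port` within any window of `window_seconds` reaches `threshold`.
    Only connections to `port` are counted, so DNS or web traffic from the same host
    does not inflate the count."""
    window = timedelta(seconds=window_seconds)
    by_src = defaultdict(list)
    for stamp, src, dst, p in events:
        if p == port:
            by_src[src].append((stamp, dst))
    alerts = {}
    for src, conns in by_src.items():
        conns.sort()
        peak = 0
        for i, (end, _) in enumerate(conns):
            # Distinct peers contacted in the window that ends at this connection.
            start = end - window
            seen = {dst for stamp, dst in conns[: i + 1] if stamp >= start}
            peak = max(peak, len(seen))
        if peak >= threshold:
            alerts[src] = peak
    return alerts


if __name__ == "__main__":
    for src, count in fanout_alerts(parse_flows(SAMPLE_LOG)).items():
        print(f"ALERT {src}: {count} distinct SMB peers within 60s")
```

Run as-is it reports only 10.0.1.15. The threshold has to sit above the legitimate fan-out of hosts such as backup servers and vulnerability scanners, which is why the window and threshold are parameters rather than constants; the check complements patching, it does not replace applying MS17-010.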

Debenhams had 26,000 customers' personal details stolen through its flowers service website, which was operated on Debenhams' behalf by a third party company. The data breach has been reported to the ICO.

With a year to go until the General Data Protection Regulation (GDPR) goes into law, there were several news reports stating UK businesses need to do more to prepare and highlighting the new data breach fines, which could run into billions for FTSE 100 companies.

If you live in Manchester, your computer is 4 times more likely to be infected with malware than elsewhere in the world, according to statistics by Enigma Software Group.

Over in the United States, Brooks Brothers disclosed a major payment card breach, after an individual installed malicious software which captured credit card information within payment systems at locations across the USA and Puerto Rico for 11 months, a reminder of the importance of PCI DSS compliance where businesses store, process and/or transmit credit/debit card data (cardholder data).

Hackers stole a copy of Disney's forthcoming Pirates of the Caribbean film and tried to hold Disney to ransom; Disney didn't pay.

Interesting blog post by MacKeeper Security, on how cyber criminals are linking various stolen credential datasets to leverage access to systems.

And finally, it was another busy month of security update releases by Microsoft and Adobe; the WannaCry impact on the NHS is a stark warning to ensure all newly issued critical security updates are quickly applied.