Category Archives: GDPR

This Week in Security News: Malware and Machine Learning

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about an infectious miner-malware and how malware can hide from AV solutions. Also, understand how to use machine learning to detect malware outbreaks with limited samples.

Read on:

Trend Micro Antivirus for Mac 2019 is Certified by AV-TEST with Top Scores for Protection, Performance, and Usability

Current and potential users of the latest edition of Trend Micro Antivirus for Mac will be pleased to know that it achieved macOS certification and top scores in all three categories in the recent report.

UK Lawmakers: Facebook ‘Intentionally and Knowingly’ Violated Data Privacy Laws

UK lawmakers have accused Facebook of violating data privacy and competition laws in a report on social media disinformation that also says CEO Mark Zuckerberg showed “contempt” toward parliament by not appearing before them. 

Monero Miner-Malware Uses RADMIN, MIMIKATZ to Infect, Propagate via Vulnerability

The combination is a concern for data exfiltration of enterprise assets and information because the randomly named components and seemingly valid Windows functions it uses may go undetected.

Scott Morrison Reveals Foreign Government Hackers Targeted Liberal, Labor and National Parties in Attack on Parliament’s Servers

Australia’s major political parties have been targeted during a cyberattack by a foreign government on the Australian Parliament’s servers, but Prime Minister Scott Morrison said investigations into the recent hack have yet to find any evidence of electoral interference.

Proof of Concept Shows How Malware Can Hide From AV Solutions via Intel’s SGX Enclaves

Malware can hide from antivirus (AV) software by abusing features in Intel Software Guard Extensions (SGX), recently demonstrated by researchers at Graz University of Technology.

GAO Gives Congress Go-Ahead for a GDPR-Like Privacy Legislation

An independent report authored by the US Government Accountability Office (GAO) auditing agency has recommended that Congress develop internet data privacy legislation to enhance consumer protections, similar to the EU’s General Data Protection Regulation (GDPR), with the Federal Trade Commission (FTC) in charge of overseeing internet privacy enforcement.

Using Machine Learning to Detect Malware Outbreaks With Limited Samples

Trend Micro and researchers from Federation University Australia conducted a study which showed the effectiveness of machine learning in analyzing a malware outbreak given a small dataset.

Wendy’s to Pay $50M in Data Breach Settlement

Wendy’s has agreed to pay $50 million to settle negligence claims following its 2015-2016 data breach that affected more than 1,000 of the burger chain’s locations.

Are you surprised that you can use machine learning to detect a malware outbreak with a small dataset? Why or why not? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: Malware and Machine Learning appeared first on .

To stop phishing in play, rely on human intuition over technology

Playing to your strengths could be the key to keeping your business safe. Due to obvious financial motivations, banks have always been a primary target for cyber-criminals. But, as much as

The post To stop phishing in play, rely on human intuition over technology appeared first on The Cyber Security Place.

Does Compliance Equal Security in the Age of Data Privacy?

May 25th, 2018 is a date that will forever be etched in history as the day when the European General Data Protection Regulation (GDPR) was finally implemented. Many assumed it would

The post Does Compliance Equal Security in the Age of Data Privacy? appeared first on The Cyber Security Place.

GDPR: Not Heavy Handed Yet, But Driving Data Breaches Into The Open

With the European Union’s landmark General Data Protection Regulation (GDPR) now in place a bit more than eight months, it seems that at least one of its messages has had

The post GDPR: Not Heavy Handed Yet, But Driving Data Breaches Into The Open appeared first on The Cyber Security Place.

Security roundup: February 2019

We round up interesting research and reporting about security and privacy from around the web. This month: security as a global business risk, insured vs protected, a 12-step programme, subject access requests made real, French fine for Google, and an imperfect getaway.

Risks getting riskier

Some top ten lists are not the kind you want to appear on. Data theft and cyber attacks both featured in the World Economic Forum’s Global Risks Report 2019. Only threats relating to extreme weather, climate change and natural disasters ranked above both security risks.

The report is based on a survey which asked 1,000 decision makers to rate global risks by likelihood over a 10-year horizon. As ZDNet reports, 82 per cent of those surveyed believe there’s an increased risk of cyberattacks leading to the theft of money and data. Some 80 per cent believe there’s a greater risk of cyberattacks disrupting operations.

The report also refers to the increased risk of cyberattacks against critical infrastructure, along with concerns about identity theft and decreasing privacy. The WEF’s overview includes a video of a panel discussing the risks, and the report itself is free to download.

Insuring against cyber attacks

Thinking of buying cyber risk insurance in the near future? The legal spat between Mondelez and Zurich might give you pause. The US food company sued its insurer for refusing to pay a $100 million claim for ransomware damages. NotPetya left Mondelez with 1,700 unusable servers and 24,000 permanently broken laptops. Zurich called this “a hostile or warlike action” by a government or foreign power, which therefore excluded it from cover.

As InfoSecurity’s story suggests, Zurich might have been on safer ground by invoking a gross negligence clause instead, since Mondelez got hit not once but twice. And where does this leave victims? “Just because you have car insurance does not mean you won’t have a car crash. Just because you have cyber insurance does not mean you won’t have a breach,” said Brian Honan.

Lesley Carhart of Dragos Security said the case would have implications for cyber insurance sales and where CISOs spend money. “Not only is Zurich’s claim apparently that nation state adversaries can’t be insured against, but it adds the ever tenuous question of attribution to insurance claims,” she wrote.

The 12 steps to better cybersecurity

Somewhat under the radar, but no less welcome for that, Ireland’s National Cyber Security Centre has published guidance on cybersecurity for Irish businesses. It’s a high-level document that takes the form of a 12-step guide. It’s written in non-technical language, clearly intended for a wide audience. The steps include tips like getting senior management support for a cybersecurity strategy. The full report is free to download from here. We’ve taken a deep dive into the contents and you can read our thoughts here.

Fight for your right to part…ake of your data

GDPR obliges companies to cough up the personal data they hold about us on request, but what does that mean in practice? Journalist Jon Porter exercised his right to a subject access request with Apple, Amazon, Facebook, and Google. Just under 138GB of raw data later, he discovered that little of the information was in a format he could easily understand. If some of the world’s biggest tech companies are struggling with this challenge, what does that say for everyone else? It’s a fascinating story, available here.

Google grapples French fine

And speaking of all things GDPR-related, France’s data protection regulator CNIL has hit Google with a €50 million fine for violating the regulation. The CNIL claims Google didn’t make its data collection policies transparent enough and didn’t obtain sufficient, specific consent for personalising ads.

As Brian Honan wrote in the SANS Institute newsletter: “While the €50 million fine is the item grabbing the headlines, the key issue here is the finding by CNIL of the unlawfulness of Google’s approach to gathering people’s personal data. This will have bigger implications for Google, and many other organisations, in how they ensure they legally gather and use people’s personal data in line with the GDPR.”

You can run, but you can’t hide

Here’s a cautionary tale about the dangers of oversharing personal data on smart devices. UK police collared a hitman for an unsolved murder after data from his GPS watch linked him to scouting expeditions of the crime scene. Runners World covered the story and the Liverpool Echo published CCTV footage of an alleged recon trip near the victim’s home.

It’s an extreme example maybe, but the story shows how heavy our digital footprints can be (running shoes or not). Social media sharing can also be a security risk for a company’s remote workers. Trend Micro’s Bob McArdle outlined this very subject in his excellent Irisscon 2018 presentation. Social engineering expert Lisa Forte tweeted that she can gather intel about target companies from what their employees post online.

Things we liked

Protector, puzzle master, moral crusader, change agent: the many faces of a CISO. MORE

And another thing: want to be a good security leader? Learn to tell a good story first. MORE

Making the contentious case that breaches can be a good thing, and aren’t automatically bad for business. MORE

Google Chrome, used by almost two-thirds of web users, has a new extension that warns users when they enter a username/password combination that has been detected in a data breach. MORE

An offer you couldn’t retweet: meeting the godfather of fake news. MORE

The Council to Secure the Digital Economy (CSDE) has published a guide to help protect the Internet from botnets. The International Anti-Botnet Guide will be updated every year. MORE

ENISA has released a study of CSIRTs and incident response capabilities in Europe to 2025. MORE

The post Security roundup: February 2019 appeared first on BH Consulting.

Is 2019 the year national privacy law is established in the US?

Data breaches and privacy violations are now commonplace. Unfortunately, the consequences for US companies involved can be complicated. A company’s obligation to a person affected by a data breach depends in part on the laws of the state where the person resides. A person may be entitled to free credit monitoring for a specified period of time or may have the right to be notified of the breach sooner than somebody living in another state. … More

The post Is 2019 the year national privacy law is established in the US? appeared first on Help Net Security.

Encrypted malware: a threat facilitated by the GDPR?

Encrypted malware

One of the positive consequences of the increased concern for personal and corporate cybersecurity is the fact that Internet users are increasingly vigilant about their data and who they share it with. At the same time, online platforms have intensified their efforts to provide secure, private browsing in order to safeguard their own and their users’ information.

And this trend is on the up. According to the Global Internet Phenomena Report, written by Sandvine, even very conservative estimates suggest that over 50% of Internet traffic is encrypted. And more and more platforms are turning to end-to-end encryption to ensure that their communications are private.

The GDPR encourages even more encryption

There are several factors that have contributed to the growth of encrypted traffic. It is not simply down to the enormous concern shown by users and companies; legal regulations have also had a hand in it. The GDPR states that companies that handle data “should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption,” that “should ensure an appropriate level of security, including confidentiality, taking into account (…) the nature of the personal data to be protected.”

In fact, beyond companies’ own willingness to encrypt their communications, there are two places where the GDPR specifically points to encryption: Article 32, which lists it among the measures for securing processing where the risk warrants it, and Article 6(4), which names it as a safeguard when an organization uses data for a purpose other than the one stated when the data was collected. A lack of encryption can therefore mean that offending companies are infringing the GDPR (and thus facing sanctions of up to €20 million or 4% of the company’s global annual turnover, whichever is higher). But that’s not all; encryption can also help these companies: if they suffer a breach, Article 34 exempts them from notifying the affected individuals when the data was encrypted in a way that leaves it unintelligible to the attacker (the notification to the supervisory authority under Article 33 still applies).

A window for encrypted malware

However, all of this has its downside; encrypted traffic is already becoming one of the largest niches for cybercrime: according to Ixia’s 2018 Security Report, cybercriminals are increasingly delivering attacks inside this kind of traffic. In fact, Gartner states that half of the malware-based cyberattacks carried out in 2019 will use some kind of encryption, and that by 2020 the figure is set to rise to 70%.

There are two particularly worrying things about encrypted malware. The first is that it travels over the same encrypted channels as legitimate traffic; users, believing themselves safe because the connection is encrypted, let their guard down, trust the platform, and thus become more vulnerable. The second is that encryption hides the payload from inspection in transit, so security systems that rely on seeing the content on the wire may not detect it until it is too late.

How to avoid encrypted malware attacks

If a company wants to avoid attacks that use encrypted malware, it needs to follow a series of measures:

1.- Vigilant browsing. When employees are browsing the Internet, they must exercise caution, even when they are on private platforms whose traffic is being encrypted. Although the platform may seem safe to browse, employees need to be as vigilant as they would be in any other circumstances.

2.- Monitoring of processes. Since encrypted malware has the ability to slip past some traditional protection solutions, being able to constantly monitor everything that is happening on the system is more important than ever. Panda Adaptive Defense actively monitors all systems processes in real time, which means that it is able to proactively detect anomalous activity and stop infections before they happen.

3.- Offline backups and online files. More and more companies double up when safeguarding their information: firstly by storing a large part of it in the cloud, so that an infection of their physical devices does not take it down with them; secondly by keeping secure backups offline, so that a later infection cannot reach them.
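The process-monitoring point (measure 2) is the one that lends itself to a concrete check, because the behaviour of a payload on the endpoint is visible regardless of how it was delivered over the network. The following is an added example, not part of the original post and not Panda Adaptive Defense’s logic: a small rule engine run over constructed, Sysmon-style process-creation events (the field names `pid`, `image`, `parent_image` and `command_line` and the rule thresholds are assumptions) that flags an Office application spawning a shell, an encoded PowerShell command line, and an executable launched from a user-writable directory.

```python
"""Process-event anomaly rules (illustrative, stdlib only).

Input: JSON-lines process-creation events with constructed, Sysmon-like
field names. None of this is a vendor's detection logic.
"""
import json
import re
from dataclasses import dataclass

# Parents that should never spawn a shell or scripting host.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob (20+ chars, assumed threshold).
ENCODED_PS = re.compile(r"-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)
# Executables started from user-writable locations (assumed list of directories).
USER_WRITABLE = re.compile(r"\\(temp|appdata\\local\\temp|downloads|public)\\", re.I)


@dataclass
class Alert:
    rule: str
    pid: int
    detail: str


def base(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event: dict) -> list:
    """Return the alerts raised by one process-creation event."""
    alerts = []
    image, parent = base(event["image"]), base(event["parent_image"])
    cmd = event.get("command_line", "")
    if parent in OFFICE_PARENTS and image in SHELLS:
        alerts.append(Alert("office_spawns_shell", event["pid"], f"{parent} -> {image}"))
    if image == "powershell.exe" and ENCODED_PS.search(cmd):
        alerts.append(Alert("encoded_powershell", event["pid"], cmd[:60]))
    if USER_WRITABLE.search(event["image"]):
        alerts.append(Alert("exec_from_user_writable", event["pid"], event["image"]))
    return alerts


def scan(lines) -> list:
    """Parse JSON-lines events and collect alerts across all of them."""
    out = []
    for line in lines:
        line = line.strip()
        if line:
            out.extend(evaluate(json.loads(line)))
    return out


# Constructed sample: one benign logon chain, one Word-to-PowerShell launch with an
# encoded command, and a dropped binary running from %TEMP% under a trusted-looking name.
SAMPLE_EVENTS = r"""
{"pid": 4102, "image": "C:\\Windows\\explorer.exe", "parent_image": "C:\\Windows\\System32\\userinit.exe", "command_line": "explorer.exe"}
{"pid": 5120, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "command_line": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"}
{"pid": 5133, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe", "parent_image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "command_line": "svchost.exe"}
"""


def sample_alert_rules() -> list:
    """Rule names fired by the constructed sample, in event order."""
    return [a.rule for a in scan(SAMPLE_EVENTS.splitlines())]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS.splitlines()):
        print(f"[{alert.rule}] pid={alert.pid} {alert.detail}")
```

None of the three rules needs the network payload: a TLS-wrapped download of the same script would produce identical process events, which is the point of monitoring at the endpoint rather than only on the wire. In production the event source would be an EDR or Sysmon feed rather than an inline string, and the directory and parent lists would be tuned to the environment.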

Encrypted traffic is hugely important in making networks more secure and keeping our information safe, but that does not make it attack-proof. The more sophisticated cybercriminals become, the more proactive companies’ precautions need to be.

The post Encrypted malware: a threat facilitated by the GDPR? appeared first on Panda Security Mediacenter.

This Week in Security News: Consumer Data and Malware

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn what security issues and critical threats will impact consumer data this year. Also, learn about a malicious Adobe app targeting macOS systems.

Read on: 

Keys to Safeguarding Consumer Data in 2019

Trend Micro reports that there are certain security issues which will specifically impact consumer data, including phishing and fraud attacks. 

Linksys Partners with Trend Micro for Network Protection on Velop Wi-Fi Systems

Linksys and Trend Micro have partnered to deliver a security solution for home networks that gives families an added layer of digital protection.

Collaborating with Law Enforcement to Tackle the Scourge of ATM Attacks

Trend Micro contributed to a new Europol report detailing guidelines on logical ATM attacks, in support of ongoing efforts by both law enforcement and the financial industry to stop ATM abuse. 

Report: Over 59,000 GDPR Data Breach Notifications, But Only 91 Fines

Since the European Union’s General Data Protection Regulation (GDPR) came into effect in May last year, EU organizations have reported almost 60,000 data breaches, but so far fewer than 100 fines have been issued by regulators.

MacOS Malware Poses as Adobe Zii, Steals Credit Card Info and Mines Monero Cryptocurrency

Trend Micro found a malicious app posing as Adobe Zii (a tool used to crack Adobe products) targeting macOS systems to mine cryptocurrency and steal credit card information. 

Auto Engineers Warn Your Car Might be Easier to Hack Than You Think

As auto makers roll out more sophisticated features, the upgrades are also making cars more vulnerable to cyberattacks, according to a new report from the Ponemon Institute.

Managing Digital Footprints and Data Privacy

A massive data dump involving more than two billion user credentials was reported earlier this year. The ramifications of this dump are just the beginning for many of those whose data were included.

Just Two Hacker Groups are Behind 60% of Stolen Cryptocurrency

A new report from blockchain investigation company Chainalysis reveals that just two criminal groups are responsible for around 60% of all cryptocurrency stolen from exchanges.

EU Orders Recall of Children’s Smartwatch Over Severe Privacy Concerns

For the first time, EU authorities have announced plans to recall a product from the European market because of a data privacy issue. The product is Safe-KID-One, a children’s smartwatch produced by German electronics vendor ENOX.

Do you agree phishing and fraud attacks will be the main threats impacting consumer data in 2019? Why or why not? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: Consumer Data and Malware appeared first on .

8 months of GDPR: 59,000+ reported breaches, 91 fines

A little over eight months have passed since the EU General Data Protection Regulation (GDPR) became enforceable, but it’s becoming clear that sweeping data breaches under the carpet has become

The post 8 months of GDPR: 59,000+ reported breaches, 91 fines appeared first on The Cyber Security Place.

Four differences between the GDPR and the CCPA

By passing the California Consumer Privacy Act (CCPA), which goes into effect on January 1, 2020, the Golden State is taking a major step in the protection of consumer data. The new law gives consumers insight into and control of their personal information collected online. This follows a growing number of privacy concerns around corporate access to and sales of personal information with leading tech companies like Facebook and Google. The bill was signed by … More

The post Four differences between the GDPR and the CCPA appeared first on Help Net Security.

Houzz data breach: Why informing your customers is the right call

Houzz is an online platform dedicated to home renovation and design. Today (February 1, 2019), they notified their customers about a data breach that reportedly happened in December 2018.

Data breaches unfortunately have become a common event. In fact, we dubbed 2018 the year of the data breach tsunami. Also, Houzz is not a giant corporation with millions of customers. So why are we writing about this, you may ask? Mainly because we feel there are some giant corporations out there that could learn from this event as an example of how to handle a data breach properly.

Turnaround

Discovering a breach that happened less than two months ago and informing your customers about it is a lot better than what we have seen recently. Houzz did not wait until the investigation into how the breach happened was finished: as soon as they knew what was stolen, they decided to inform those concerned. Getting this information into your customers’ hands as soon as possible is imperative. The investigation into the cause is being conducted by a leading forensics firm, and law enforcement has been notified as well.

Informing customers

Houzz informed their customers directly by email, as well as on their website, about the breach. They said:

Houzz recently learned that a file containing some of our user data was obtained by an unauthorized third party.

The mail starts with this disclosure, goes on to explain what happened, and which information was stolen. It also contains a link to their website, where you can find more information.


The information given is concise and precise: not just a general remark that no financial information was stolen (which, thankfully, is indeed the case), but a list of the information that was.

The following types of information could have been impacted by this incident:

  • Certain publicly visible information from a user’s Houzz profile only if the user made this information publicly available (e.g., first name, last name, city, state, country, profile description)
  • Certain internal identifiers and fields that have no discernible meaning to anyone outside of Houzz (e.g. country of site used, whether a user has a profile image)
  • Certain internal account information (e.g., user ID, prior Houzz usernames, one-way encrypted passwords salted uniquely per user, IP address, and city and ZIP code inferred from IP address) and certain publicly available account information (e.g., current Houzz username and if a user logs into Houzz through Facebook, the user’s public Facebook ID)

Importantly, this incident does not involve Social Security numbers or payment card, bank account, or other financial information.

On the website, customers can find detailed information on how to change their password. And, like we have done in the past, they advise their customers to use a unique password for each service, which does not need to be as big a hassle as you might expect.

Improvements

Houzz announced security improvements without going into detail. While customers might find this vague, it makes sense to withhold the specifics while the investigation is ongoing, since they wouldn’t want to make threat actors any wiser. Seeing that they were already storing one-way encrypted passwords salted uniquely per user (that is, hashed with a per-user salt rather than reversibly encrypted) was certainly encouraging.
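To make concrete what “one-way encrypted, salted uniquely per user” buys a breach victim, here is an added example (not Houzz’s code; the record format, the PBKDF2 parameters and the `pbkdf2_sha256` label are assumptions) showing the weak form beside the sound one: an unsalted hash gives every user with the same password the same stored value, while a per-user salt and an iterated one-way function make each record unique and slow to crack, and verification compares in constant time.

```python
"""Salted, iterated one-way password storage versus an unsalted hash (illustrative)."""
import hashlib
import hmac
import secrets

# PBKDF2-HMAC-SHA256 work factor; assumed value for the example.
ITERATIONS = 600_000
ALGO = "pbkdf2_sha256"


def weak_store(password: str) -> str:
    """Unsalted hash: identical passwords give identical records, so one cracked
    hash (or a precomputed table) exposes every user who reused that password."""
    return hashlib.sha256(password.encode()).hexdigest()


def store(password: str, salt: bytes = None) -> str:
    """Per-user random salt plus an iterated one-way function.
    Record format (assumed): algorithm$iterations$salt_hex$digest_hex."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{ALGO}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute from the stored salt and iteration count; constant-time compare."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGO:
        return False
    _, iterations, salt_hex, digest_hex = parts
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Two users choose the same password: the weak scheme leaks that fact, the salted one does not.
    print("unsalted equal:", weak_store("hunter2") == weak_store("hunter2"))
    a, b = store("hunter2"), store("hunter2")
    print("salted equal:  ", a == b)
    print("verify ok:     ", verify("hunter2", a), "| wrong pw:", verify("hunter3", a))
```

Storing the iteration count in the record lets the work factor be raised later without invalidating existing accounts: old records verify with their own parameter and can be re-hashed at next login. A memory-hard function such as scrypt or Argon2 is the stronger choice where available; the structure of salt, stored parameters and constant-time comparison is the same.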

Dealing with data breaches

Data breaches happen all the time. It happens to the best of companies. It’s the way those organizations deal with them that can save face. What other businesses can take away from this example:

  • Inform customers as soon as it makes sense and be precise about the stolen information.
  • Approach your customers directly. Don’t let them read about it in the papers or social media.
  • Engage law enforcement and a firm specialized in forensic investigations.
  • Learn from what went wrong and improve on that.

Stay safe, everyone!

The post Houzz data breach: Why informing your customers is the right call appeared first on Malwarebytes Labs.

Airbus Reveals It Suffered a Digital Security Incident

European aerospace corporation Airbus SE has revealed that a digital security incident recently affected some of its computer systems. In a press release published on 30 January, Airbus confirmed that its “Commercial Aircraft business” information systems suffered a security incident. The corporation said that the event did not affect Airbus’ commercial operations. But it clarified […]… Read More

The post Airbus Reveals It Suffered a Digital Security Incident appeared first on The State of Security.

Most IT Pros Share and Reuse Passwords: Report

Nearly two-thirds (63%) of IT professionals are more concerned about data privacy and security than they were two years ago, but their poor online practices continue to drive cyber-risk, according

The post Most IT Pros Share and Reuse Passwords: Report appeared first on The Cyber Security Place.

Cybersecurity Experts Share Insight For Data Privacy Day 2019

You’ll have to forgive my ignorance—but what is an appropriate gift for Data Privacy Day? Perhaps an encrypted portable drive? That might not be a bad idea, but what I have

The post Cybersecurity Experts Share Insight For Data Privacy Day 2019 appeared first on The Cyber Security Place.

IT Security Expert Blog: 43% of Cybercrimes Target Small Businesses – Are You Next?

Cybercrimes cost UK small companies an average of £894 in the year ending February 2018. Small businesses are an easy target for cybercrooks, so it is little surprise that around 43% of cybercrime is committed against small businesses. According to research conducted by EveryCloud, there is much more at stake than a £900 annual loss, with six out of ten small businesses closing within six months of a data breach.

Damage to a small company’s reputation can be difficult to repair and recover from following a data breach. Since the GDPR data privacy law came into force in May 2018, companies face significant financial sanctions from regulators if found negligent in safeguarding personal information. Add in the potential for civil suits and the costs start mounting up fast, which could even turn into a business killer. A case in point is political consulting and data mining firm Cambridge Analytica, which went under in May 2018 after being implicated in data privacy issues related to its use of personal data held on Facebook. However, most small businesses taken out by cyber attacks don’t have the public profile to make the deadly headlines.

Most big companies have contingency plans and resources to take the hit from a major cyber attack; although major cyber attacks prove highly costly to big business, the vast majority are able to recover and continue trading. Working on a tight budget, small businesses just don’t have the deep pockets of big business. Cyber resilience is not a high priority in most small businesses’ strategies; as you might imagine, business plans are typically very focused on growth.

Cyber resilience within small business need not be difficult, but it does involve going beyond installing antivirus. A great starting point is UK National Cyber Security Centre's Cyber Essentials Scheme, a simple but effective approach to help businesses protect themselves from the most common cyber attacks. You’ll also need to pay attention to staff security awareness training in the workplace.

Every employee must ensure that the company is protected from attacks as much as possible. It’s your responsibility to make sure that everyone understands this and knows what preventative measures to put in place.

It may cost a few bob, but getting an expert in to check for holes in your cybersecurity is a good place to start. They can check for potential risk areas and also educate you and your staff about security awareness.

We all know the basics, but how many times do we let convenience trump good common sense? For example, how many times have you used the same password when registering for different sites?

How strong is the password that you chose? If it’s easy for you to remember, then there’s a good chance that it’s not as secure as you’d like. If you’d like more tips on keeping your information secure, then check out the infographic below.

A week in security (January 21 – 27)

Last week on the Malwarebytes Labs blog, we took a look at Modlishka, the latest hurdle in two-factor authentication (2FA), the potential for abuse of push notifications, a malware-phishing combo by the name of CryTekk ransomware, and why we detect PUPs, but enforce the power of users’ choice.

We also pushed out the 2019 State of Malware report, which you can readily download here.

Other cybersecurity news

  • Fortnite, the hugely popular video game, uses in-game currency. And this, The Independent has found, is fueling money laundering schemes. (Source: PYMNTS.com)
  • Thanks to the new European General Data Protection Regulation (GDPR) privacy law, a French regulator fined Google to the tune of €50 million ($56.8 million) for not getting enough user consent to data collection and targeted advertising. (Source: The Wall Street Journal)
  • A clever piece of mobile malware affecting Android devices is able to elude emulators, the tools security researchers use to study potentially malicious apps, by running only when it detects that the device it is installed on is moving. (Source: Ars Technica)
  • A recently released list of top out-of-date (aka vulnerable) applications installed on computer systems includes a number of Adobe products, Skype, Firefox, and VLC. If you have any of these installed, now is a good time to update them. (Source: Help Net Security)
  • Automatic license plate recognition (ALPR) cameras, known as automatic number plate recognition (ANPR) in the UK, track license plates. Some of them are connected to the Internet, leaking sensitive data and vulnerable to attacks. (Source: TechCrunch)
  • Because of authentication weaknesses in GoDaddy, the world’s largest domain name registrar, disruptive spam, malware, and phishing campaigns taking advantage of dormant web sites owned by trusted brands are possible. (Source: KrebsOnSecurity)
  • Japanese car manufacturer, Mitsubishi, has created its own cybersecurity technology for cars, which is inspired by defenses designed for systems in critical infrastructures. (Source: Security Week)
  • Researchers from the Cyprus University of Technology, the University of Alabama at Birmingham, Telefonica Research, and Boston University authored a paper and created a deep learning classifier that protects children from videos on YouTube by detecting disturbing content. (Source: Bleeping Computer)
  • A new voicemail phishing campaign that uses recorded messages attached to emails is fooling recipients into entering their passwords twice to “confirm” the legitimacy of their credentials. (Source: Bleeping Computer)
  • A convincing new attack abusing the App Engine Google Cloud Platform (GCP) comes to light, which is found to be targeting mostly organizations in the financial sector. The Cobalt Strike group is behind this campaign. (Source: Dark Reading)

Stay safe, everyone!

The post A week in security (January 21 – 27) appeared first on Malwarebytes Labs.

What does ‘consent to tracking’ really mean?

Thanks to Jerome Boursier for contributions.

Post GDPR, many social media platforms will ask end users to consent to some form of tracking as a condition of using the service. It’s easy to make assumptions as to what that means, especially when the actual terms of service or data policy for the service in question is tough to find, full of legal jargon, or just long and boring. Part of the shock of Facebook stories was in discovering just how expansive their consent to tracking really was. Let’s take a look at what can happen after you hit OK on a new site’s Terms of Service.

What we think they’re doing

Most commonly, users think that social media sites limit their tracking to actual interactions with the site while logged in. This includes likes, follows, favorites, and general use of the site as intended. Those interactions are then analyzed to determine a user’s rough interests, and serve them corresponding ads.

We asked some non-technical Malwarebytes staffers what they thought popular companies collected on them and got the following responses:

“Hmm I would assume just my name, birthday, trends in the hashtags I use, and locations I’m at. Nothing else.”

“As far as IG goes, I’m guessing they collect data on the hashtags I follow and what I look at because all the ads are home improvement ads.”

While these are common use cases for tracking, innovations in user surveillance have allowed companies to take much more invasive actions.

What they’re actually doing

The Cambridge Analytica reports were quite shocking, but in theory their data practices were actually a violation of the agreement they had with Facebook. Somewhat more concerning are actions that Facebook and other social media companies take overtly with third parties, or as part of their explicit terms of service.

In June 2018, a New York Times report revealed partnerships between Facebook and mobile device manufacturers allowed data collection on your Facebook friends, irrespective of whether those friends had allowed data sharing with third parties. This data collection varied by device manufacturer, and most were relatively benign. Blackberry, however, seemed to go beyond what most of us expect to be collected when we log in:

Facebook has been known for years to have somewhat creepy partnerships like this. But what about other platforms? Instagram has an interesting paragraph in its terms and conditions:

Does communications include direct messages? How long is this information stored, where, and under what conditions? It could be perfectly secure and anonymized, but it’s difficult to tell because Instagram is a little vague on these points. Companies tell us what they collect consistently but they don’t always tell us why or disclose retention conditions, which makes it difficult for a user to make a proper risk assessment for allowing tracking.

Outside of the Facebook family of products, Pinterest does some data sharing that you might not expect:

Kudos to Pinterest for providing clear opt-out instructions.

A reasonable user might not expect that, when consenting to tracking connected with a Pinterest account, they would also be agreeing to offsite tracking. Pinterest does stand out, however, by presenting well organized and clear information followed by simple opt-out instructions after each section.

What they might be doing

Most platforms that engage in user tracking do so in ways that raise concern, but are not overtly alarming. Abuses we’ve heard about tend to center on the tracking company sharing information with third parties. So what might happen if the wrong third party gains access to this data?

In 2016, a Pro Publica investigation was able to use Facebook ad targeting to create a housing ad that excluded minorities from seeing it. (This probably violates the US Fair Housing Act.) Using user data to discriminate in plausibly deniable ways predates the Internet, but the unprecedented volume of data collected makes schemes by bad actors much more efficient and easy to launch.

A more speculative harm is the use of tracking tags on sensitive websites. In France, a government website providing accurate information on reproductive health services was using a Facebook tracker. A “trusted partner” receiving user metadata, as well as which sections of the site that user clicks on, has the potential to be profoundly invasive. From a risk mitigation perspective, a user with a Facebook account might not have anticipated this sort of tracking when they initially consented to Facebook’s terms of service.

A common counter to complaints regarding user tracking is, “Well, you agreed to their terms, so you should have expected this.” This is arguably applicable to basic metadata collection and targeted ads, but is it reasonable to expect a Facebook user to understand that their off-platform browsing is subject to surveillance as well? User tracking has progressed so far in sophistication that an average user most likely does not have the background necessary to imagine every possible use case for data collection prior to accepting a user agreement.

What you can do about it

If any of the above examples make you uncomfortable, check out how to secure some common social media platforms using internal settings. If you want to implement additional technical solutions, browser extensions like Ghostery and the EFF’s Privacy Badger can prevent trackers from sucking up data you would prefer not to hand over.

Messenger services are a bit harder to transition away from, but not impossible. Signal is a well-regarded messenger app with end-to-end encryption, and a history of respecting user privacy. Alternatively, Wire can provide a more business-oriented alternative, with screen sharing, file sharing, and access role management.

Most important is to stay suspicious when accessing a new platform. No one can mishandle data that you never agree to hand over to begin with. Stay vigilant, stay safe, and enjoy your social media platforms knowing exactly how your data is being used.

The post What does ‘consent to tracking’ really mean? appeared first on Malwarebytes Labs.

No-deal Brexit and GDPR: here’s what you need to know

Business craves certainty and Brexit is currently giving us anything but. At the time of writing, it’s looking increasingly likely that Britain will leave the EU without a withdrawal agreement. This blog rounds up the latest developments on data protection after a no-deal Brexit. (Appropriately, we’re publishing on Data Protection Day, the international campaign to raise public awareness about privacy rights and protecting data.)

Under the General Data Protection Regulation, no deal would mean the UK becomes a ‘third country’ outside of the European Economic Area. Last week, the Minister for Data Protection Pat Breen said a no-deal Brexit would have a “profound effect” on personal data transfers into the UK from the EU. Speaking at the National Data Protection Conference, he pointed out that although Brexit commentary has focused on trade in goods, services activity relies heavily on flows of personal data to and from the UK.

“In the event of a ‘no-deal’ Brexit, the European Commission has clarified that no contingency measures, such as an ‘interim’ adequacy decision, are foreseen,” the minister said.

This means personal data transfers can’t continue as they do today. At 11pm BST on Friday 29 March 2019, the UK will legally leave the European Union. All transfers of data between Ireland and the UK or Northern Ireland will then be considered international transfers.

Keep calm and carry on

Despite the ongoing uncertainty, there are backup measures, as the Minister pointed out. “While Brexit does give rise to concerns, it should not cause alarm. The GDPR explicitly provides for mechanisms to facilitate the transfer of personal data in the event of the United Kingdom becoming a third country in terms of its data protection regime,” he said.

The latest advice from the Data Protection Commissioner is that Irish-based organisations will need to implement legal safeguards to transfer personal data to the UK after a no-deal Brexit. The DPC’s guidance outlined some typical scenarios if the UK becomes a third country.

“For example, if an Irish company currently outsources its payroll to a UK processor, legal safeguards for the personal data transferred to the UK will be required. If an Irish government body uses a cloud provider based in the UK, it will also require similar legal safeguards. The same will apply to a sports organisation with an administrative office in Northern Ireland that administers membership details for all members in Ireland and Northern Ireland,” it said.

Some organisations and bodies in Ireland will already be familiar with the legal transfer mechanisms available for the transfer of personal data to recipients outside of the EU, as they will already be transferring to the USA or India, for example.

Next steps for ‘third country’ status

BH Consulting’s senior data protection consultant Tracy Elliott says that data protection officers should take these steps to prepare for the UK’s ‘third country’ status under a no-deal Brexit.

  • review their organisation’s processing activities
  • identify what data they transfer to the UK
  • check if that includes data about EU citizens

“Consider your options of using a contract or possibly changing that supplier. If your data is hosted on servers in the UK, contact your hosting partner and find out what options are available,” she said.

Larger international companies may already have data sharing frameworks in place, but SMEs that routinely deal with the UK, or that have subsidiaries in the UK, might not have considered this issue yet. All communication between them, even if they’re part of the same group structure, will need to be covered contractually for data sharing. “There are five mechanisms for doing this, but the simplest and quickest way to do this is to roll out model contract clauses, or MCCs. They are a set of guidelines issued by the EU,” Tracy advised.

Sarah Clarke, a specialist in privacy, security, governance, risk and compliance with BH Consulting, points out that using MCCs has its own risks. The clauses are due for an update to bring them into line with GDPR. Meanwhile the EU-US data transfer mechanism known as Privacy Shield is still not finalised, she added.

In the short term, however, MCCs are sufficient both for international transfers between legal entities in one organisation, and for transfers between different organisations. “For intra-group transfers, binding corporate rules are too burdensome to implement ‘just in case’. You can switch if the risk justifies it when there is more certainty,” Sarah Clarke said.

Further reading

The European Commission website has more information on legal mechanisms for transferring personal data to third countries. The UK Information Commissioner’s Office has a recent blog that deals with personal data flows post-Brexit. You can also check the Data Protection Commission site for details about transfer mechanisms and derogations for specific situations. The DPC also advises checking back regularly for updates between now and Brexit day.

The post No-deal Brexit and GDPR: here’s what you need to know appeared first on BH Consulting.

11 Expert Takes On Data Privacy Day 2019 You Need To Read

The Council of Europe agreed that January 28 should be declared European Data Protection Day back in 2007; two years later the U.S. joined in with the Data Privacy Day

The post 11 Expert Takes On Data Privacy Day 2019 You Need To Read appeared first on The Cyber Security Place.

Industry reactions to Data Privacy Day 2019

The purpose of Data Privacy Day is to raise awareness and promote privacy and data protection best practices. Data Privacy Day began in the United States and Canada in January 2008 as an extension of the Data Protection Day celebration in Europe. Data Privacy Day is observed annually on Jan. 28.

Cindy Provin, CEO, nCipher Security

These high profile policy developments are sending a signal that the days of using personal data for commercial advantage … More

The post Industry reactions to Data Privacy Day 2019 appeared first on Help Net Security.

Regulatory Fines, Prison Time Render “Check Box” Security Indefensible

In May 2017, the Equifax data breach compromised critical credit and identity data for 56 percent of American adults, 15 million UK citizens and 20,000 Canadians. The Ponemon Institute estimates that the total cost to Equifax could approach $600M in direct expenses and fines. That doesn’t include the cost of the security upgrades required to […]

The post Regulatory Fines, Prison Time Render “Check Box” Security Indefensible appeared first on The State of Security.

This Week in Security News: Ransomware and Cyber Threats

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about new routines for encryption of JobCrypter ransomware. Also, understand how Emotet has managed to evolve into one of the most notorious cyber threats in existence.

Read on:

Spotted: JobCrypter Ransomware Variant With New Encryption Routines, Captures Desktop Screenshots

A variant of JobCrypter ransomware was observed by Trend Micro using new routines for encryption and features the ability to send a screenshot of the victim’s desktop to an email address. 

For Industrial Robots, Hacking Risks Are On the Rise

In the future, industrial robots may create jobs, boost productivity and spur higher wages. But one thing seems more certain for now: They’re vulnerable to hackers.

Microsoft CEO Satya Nadella made a global call for countries to come together to create new GDPR-style data privacy laws

Microsoft CEO Satya Nadella is a major proponent of the recent European data regulation GDPR, which came into force in May 2018.

Protecting Critical Infrastructure and Roadways: How Smart Cities Create New Risks

While advanced components to support utilities, critical infrastructure, and more can bring numerous benefits, these solutions also open both urban and rural areas to new risks and cyber threats.

DHS Releases Emergency Order to Prevent DNS Hijacking

The Department of Homeland Security has issued a rare “emergency” directive ordering federal civilian agencies to secure the login credentials for their internet domain records out of concern that they could be vulnerable to cyberattacks.

As BYOD Adoption and Mobile Threats Increase, Can Enterprise Data Security Keep Up?

While most security professionals have come to embrace — or, at least, accept — bring-your-own-device (BYOD) policies, leadership still often lacks confidence in the data security of employees’ personal phones, tablets and laptops.

Going In-depth with Emotet: Multilayer Operating Mechanisms

Over a period of just five years, Emotet has managed to evolve into one of the most notorious cyber threats in existence – one that causes incidents costing up to $1 million to rectify.

Online Casino Group Leaks Information on 108 Million Bets, Including User Details

An online casino group has leaked information on over 108 million bets, including details about customers’ personal information, deposits and withdrawals. 

Google Fined €50 Million for GDPR Violation in France

France’s data protection regulator, CNIL, has issued Google a €50 million fine (around $56.8 million USD) for failing to comply with its GDPR obligations. 

Security is the no. 1 IT barrier to cloud and SaaS adoption

More than 70% of tech professionals said security spending has increased in the past year, according to a Ping Identity report.

Millions of Financial Records Leaked at Texas-Based Data Firm

More than a decade’s worth of credit and mortgage records, many linked to some of the country’s largest banks and lenders, was temporarily exposed online.

What do you think are some other risks smart cities will create within the next years? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: Ransomware and Cyber Threats appeared first on .

Implementing ISO 27001 and Avoiding Potential GDPR Consequences

With the increase in cyber-attacks and information security breaches – 72% of large UK firms identified an information security breach in 2018, a rise from 68% in 2017 – the importance of protecting both

The post Implementing ISO 27001 and Avoiding Potential GDPR Consequences appeared first on The Cyber Security Place.

GDPR-ready organizations see lowest incidence of data breaches

Organizations worldwide that invested in maturing their data privacy practices are now realizing tangible business benefits from these investments, according to Cisco’s 2019 Data Privacy Benchmark Study. The study validates the link between good privacy practice and business benefits as respondents report shorter sales delays as well as fewer and less costly data breaches.

Business benefits of privacy investments

The GDPR, which focused on increasing protection for EU residents’ privacy and personal data, became enforceable … More

The post GDPR-ready organizations see lowest incidence of data breaches appeared first on Help Net Security.

Google fined €50 million for infringing the GDPR


Between the massive data breaches in world-famous companies and the plethora of ongoing scandals at Facebook, 2018 was the year that personal data protection began to make headlines – and generate concern – all over the world. And there was one game-changer among all these cases: the GDPR, the new European General Data Protection Regulation, which has been mandatory since May 25 last year.

As well as reputational damage, the GDPR carries with it hefty fines for infringement: up to €20 million or 4% of a company’s annual global turnover. Corporate cybersecurity necessities are shifting from remediation to prevention and protection of stored personal data. It is no longer enough to react once data has been exfiltrated; the only way to avoid the consequences of the GDPR is to comply with it, getting ahead of incidents involving personal data (PII).

And towards the end of 2018, the first sanctions began to appear. The highest (until now) was a €400,000 fine for a Portuguese hospital. However, this week, on January 21, 2019, we witnessed the first multi-million euro fine. And, what’s more, it’s for one of the world’s most valuable companies: Google.

The first economic sanctions under the GDPR

Google and the issue of forced consent

The CNIL (Commission Nationale de l’Informatique et des Libertés), the French data protection agency, has fined Google LLC €50 million for violating GDPR rules about transparency and for not having a valid legal basis for processing personal data for advertising purposes.

This fine is clearly much more than a mere slap on the wrist. However, large though it is, it is much lower than it could have been, given that Alphabet, Google’s parent company, had revenue of €97.5 billion in 2017; the fine, therefore, could have been as much as €3.9 billion.

Another important aspect of the case is the fact that the GDPR stipulates that the investigation of any case must be carried out in the country where the company’s “main establishment” is located. Although Google’s European headquarters is in Ireland, the CNIL does not consider that this HQ has decision making power for the processing of personal data. This means that the complaint is against Google LLC in the USA.

The first complaints about Google came on May 25, minutes after the regulation came into effect, when the non-profit organization noyb.eu presented the first complaints against several companies, including Google. The French digital rights group, Quadrature du Net also lodged a complaint against Google a few days later.

Both complaints are related to forced consent; they claim that the company lacks a sound legal basis to process its users’ personal data, since it forced them to consent to data processing they didn’t understand.

According to the CNIL, when a user creates a Google account on an Android mobile, they receive much of the information required by the GDPR – categories of personal data, purposes of data processing etc. – but the regulator states that this information is “excessively disseminated across several documents, with buttons and links on which it is required to click to access complementary information.”

“The relevant information is accessible after several steps only, implying sometimes up to 5 or 6 actions,” says the CNIL. It also claims that the information offered by Google is very vague and generic when it comes to explaining to its users how their data will be used, and that there is a lack of information about how long their data will be stored.

Another issue was the “I agree with Google’s terms of service” tick-box, instead of boxes with more detailed options.

The CNIL concludes that Google lacks valid permission from its users, since consent was neither “specific” nor “unambiguous” as stipulated by the GDPR.

How to avoid the million euro fines

One of the first steps towards complying with the GDPR to the letter is to provide appropriate protection for the personal data that your company stores and processes. A good start is to know exactly where this personal data is stored and who has access to it.

Panda Data Control, the data protection module of Panda Adaptive Defense, does exactly this. Panda Data Control identifies all the files that contain personal data (PII) and records any kind of access to them, providing real time alerts about leaks, use, and suspicious or unauthorized traffic.

Panda Data Control helps your company to comply with several specific articles of the GDPR, including the right to erasure; notification of a personal data breach to the supervisory authority; and data protection impact assessment.

This fine for Google is the first million euro fine within the framework of the GDPR, but it won’t be the last: we are still waiting to see what happens in the cases of British Airways and Marriott, and the multiple Facebook cases.

If you don’t know how to protect the personal data stored on your corporate network, and want to save your company’s image and keep it from being fined astronomical amounts, don’t miss out on this opportunity to find out about the advantages of Panda Data Control.


The post Google fined €50 million for infringing the GDPR appeared first on Panda Security Mediacenter.

National Data Privacy Day Is Wishful Thinking

You have to have a supreme sense of irony, or be in major denial, to call Monday, Jan. 28, Data Privacy Day. Given the current state of big data collection

The post National Data Privacy Day Is Wishful Thinking appeared first on The Cyber Security Place.

Smashing Security #112: Payroll scams, gold coin heists, web giants spanked

Business email compromise evolves to target your company’s payroll, how the world’s largest gold coin was stolen from a Berlin museum, and are internet giants feeling the heat yet over data security?

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by people hacker Jenny Radcliffe.

Debunking conventional wisdom to get out of the security and privacy rut

Given the unprecedented rate of technological change, the dizzying news cycle, and an always-on social media mentality, it may be surprising to learn that when it comes to security and

The post Debunking conventional wisdom to get out of the security and privacy rut appeared first on The Cyber Security Place.

First Large GDPR Fine issued and it’s to Google for €50 million

Every member state, organisation and almost every individual have been watching supervisory authorities closely to see if and who will

First Large GDPR Fine issued and it’s to Google for €50 million on Latest Hacking News.

Google Fined 50 Million EUR for Violating GDPR Rules

Tech giants Amazon, Apple, Google, Netflix and Spotify have all been accused of not complying with GDPR, Europe’s data privacy regulations, and could face hefty fines for continuous violations. Things have now escalated, as Google has to pay a fine of 50 million euros for an ongoing violation after French data regulator CNIL accused the company of “lack of transparency, inadequate information and lack of valid consent regarding ads personalization,” writes the BBC.

“The user gives his or her consent in full, for all the processing operations purposes carried out by Google based on this consent (ads personalization, speech recognition etc.),” CNIL said. “However, the GDPR provides that the consent is ‘specific’ only if it is given distinctly for each purpose.”

The regulator says Google’s consent policies are neither transparent enough nor “easily accessible,” which kept users in the dark about how their personal data was used in personalizing ads and other services. Also, the information was “disseminated across several documents” making it difficult for users to review.

“The relevant information is accessible after several steps only, implying sometimes up to five or six actions,” the regulator said. “Users are not able to fully understand the extent of the processing operations carried out by Google.”

CNIL acted upon complaints filed in May by privacy advocates noyb and La Quadrature du Net (LQDN) as soon as legislation went into effect.

“People expect high standards of transparency and control from us. We’re deeply committed to meeting those expectations and the consent requirements of the GDPR,” a Google spokesperson said in a statement to a local publication. “We’re studying the decision to determine our next steps.”

France watchdog fines Google with $57 million under the EU GDPR

The French data protection watchdog CNIL announced a fine of 50 million euros ($57 million) for US search giant Google under GDPR.

“On 21 January 2019, the CNIL’s restricted committee imposed a financial penalty of 50 Million euros against the company GOOGLE LLC, in accordance with the General Data Protection Regulation (GDPR), for lack of transparency, inadequate information and lack of valid consent regarding the ads personalization.” reads the press release published by the CNIL.

The investigation conducted by the French watchdog was started with two complaints against Google by the non-profit organizations None Of Your Business (NOYB) and La Quadrature du Net (LQDN). Both organizations filed a complaint against Facebook in May.

The CNIL condemned Google for the violation of transparency and consent rules under the EU GDPR.

The search engine giant made it difficult for its users to find and manage preferences on data processing purposes and data retention, in particular with regard to targeted advertising.

Google has intentionally disseminated this information among too many documents; accessing it required up to 6 separate actions.

In addition, the CNIL found that the information is “not always clear nor comprehensive.”

“Moreover, the restricted committee observes that some information is not always clear nor comprehensive.” continues the press release.

“Users are not able to fully understand the extent of the processing operations carried out by Google,” the Commission says. “Similarly, the information communicated is not clear enough so that the user can understand that the legal basis of processing operations for the ads personalization is the consent and not the legitimate interest of the company.”


Google was also condemned because it does not obtain its users’ explicit consent to process data for targeted advertising.

“…the user not only has to click on the button “More options” to access the configuration, but the display of the ads personalization is moreover pre-ticked. However, as provided by the GDPR, consent is “unambiguous” only with a clear affirmative action from the user (by ticking a non-pre-ticked box for instance).”

The French watchdog also noted that before creating an account, the user is asked to tick the boxes « I agree to Google’s Terms of Service» and « I agree to the processing of my information as described above and further explained in the Privacy Policy» in order to proceed with the operation. But in this way, the user gives his full consent for all the processing operations purposes carried out by GOOGLE, including ads personalization, speech recognition. However, the GDPR provides that the consent must be explicit and “specific” for each purpose, broader consent is not allowed.

Is €50 million a big fine?

Absolutely not, in comparison to the fines allowed by the GDPR, which can reach 4 percent of the company’s annual global revenue.

Google has contested the decision of the French watchdog, saying that it should not apply only to the global Google.com domain.

“People expect high standards of transparency and control from us. We’re deeply committed to meeting those expectations and the consent requirements of the GDPR. We’re studying the decision to determine our next steps.” reads a statement issued by the company.

Pierluigi Paganini

(SecurityAffairs – French watchdog, Google)

The post France watchdog fines Google with $57 million under the EU GDPR appeared first on Security Affairs.

Industry reactions to Google’s €50 million GDPR violation fine

On 21 January 2019, the French National Data Protection Commission (CNIL) imposed a financial penalty of €50 million against Google, in accordance with the GDPR. This is the first time that the CNIL applies the new sanction limits provided by the GDPR. The amount decided and the publicity of the fine are justified by the severity of the infringements observed regarding the essential principles of the GDPR: transparency, information and consent. Here are some reactions … More

The post Industry reactions to Google’s €50 million GDPR violation fine appeared first on Help Net Security.

Google fined $57 million by France for lack of transparency and consent

The French data protection watchdog CNIL has issued its first fine of €50 million (around $57 million) under the European Union's new General Data Protection Regulation (GDPR) law that came into force in May last year. The fine has been levied on Google for "lack of transparency, inadequate information and lack of valid consent regarding the ads personalization," the CNIL (National Data

Why other Hotel Chains could Fall Victim to a ‘Marriott-style’ Data Breach

A guest article authored by Bernard Parsons, CEO, Becrypt

Whilst I am sure more details behind the Marriott data breach will slowly come to light over the coming months, there is already plenty to reflect on given the initial disclosures and accompanying hypotheses.

With the prospects of regulatory fines and lawsuits looming, assimilating the sheer magnitude of the numbers involved is naturally alarming. Up to 500 million records containing personal and potentially financial information is a staggering figure. In the eyes of the Information Commissioner’s Office (ICO), this is deemed a ‘Mega Breach’, even though it falls short of the Yahoo data breach. But equally concerning are the various timeframes reported.

Marriott said the breach involved unauthorised access to a database containing Starwood properties guest information, on or before 10th September 2018. Its ongoing investigation suggests the perpetrators had been inside the company’s networks since 2014.

Starwood disclosed its own breach in November 2015 that stretched back to at least November 2014. The intrusion was said to involve malicious software installed on cash registers and other payment systems, which were not part of its guest reservations or membership systems.

The extent of Marriott’s regulatory liabilities will be determined by a number of factors not yet fully in the public domain. For GDPR this will include the date at which the ICO was informed, the processes Marriott has undertaken since discovery, and the extent to which it followed ‘best practice’ prior to, during and after breach discovery. Despite the magnitude and nature of the breach, it is not impossible to imagine that Marriott followed best practice, although the term is not currently well defined; it is fairly easy to imagine that its processes and controls reflect common practice.

A quick internet search reveals just how commonplace and seemingly inevitable the industry’s breaches are. In December 2016, a pattern of fraudulent transactions on credit cards was reportedly linked to use at InterContinental Hotels Group (IHG) properties. IHG initially stated that the intrusion resulted from malware installed on point-of-sale systems at the restaurants and bars of 12 properties in 2016; in April 2017 it acknowledged that cash registers at more than 1,000 of its properties had been compromised.

According to KrebsOnSecurity, other reported card breaches include Hyatt Hotels (October 2017), the Trump Hotel (July 2017), Kimpton Hotels (September 2016), Mandarin Oriental properties (2015), and Hilton Hotel properties (2015).

Perhaps, therefore, the most important lessons to be learnt from such breaches are those that seek to understand the factors making data breaches all but inevitable today. Whilst it is Marriott in the news this week, the challenges we collectively face are systemic, and it could very easily be another hotel chain next week.

Reflecting on the role of payment (EPOS) systems and cash registers within leisure industry breaches is illustrative of the challenge. Paste the phrase ‘EPOS software’ into your favourite search engine, and see how prominent, or indeed absent, the notion of security is. Is it any wonder that organisations often unwittingly connect devices with common and often unmanaged vulnerabilities to systems that may at the same time be used to process sensitive data? Many EPOS systems effectively run general purpose operating systems, but are typically subject to fewer controls and less monitoring than conventional IT systems.

So Why is This?

Often the organisation can’t justify having a full-blown operating system and sophisticated defence tools on these systems, especially when they have a large number of them deployed out in the field, accessing bespoke or online applications. Often they are in widely geographically dispersed locations, which means there are significant costs to go out and update, maintain, manage and fix them.

Likewise, organisations don’t always have the local IT resource in many of these locations to maintain the equipment and its security themselves.

Whilst a light is currently being shone on Marriott, perhaps our concerns should be far broader. If the issues are systemic, we need to think about how better security is built into the systems and supply chains we use by default, rather than expecting hotels or similar organisations in other industries to be sufficiently expert. Is it the hotel, as the end user that should be in the headlines, or how standards, expectations and regulations apply to the ecosystem that surrounds the leisure and other industries? Or should the focus be on how this needs to be improved in order to allow businesses to focus on what they do best, without being quite such easy prey?

CEO and co-founder of Becrypt

Nine for 2019: New Year tips for cybersecurity and privacy professionals

A new year is almost upon us, and that means one thing: resolutions. Easily made, even more easily broken, they’re nevertheless a useful way of setting goals for the next 12 months. We asked Brian Honan, Tracy Elliott, Sarah Clarke, Valerie Lyons and David Prendergast to share their tips for information security practitioners and privacy professionals. Here’s what you can do differently or better to protect your organisation and its critical data in 2019.

1 Attend security conferences

The first resolution is to attend at least two cybersecurity conferences this coming year. Choose the events well, and they can be a great source of knowledge and learning to apply in the daily security role. “It’s important to pick conferences that you feel will help you learn, not a vendor event that’s about how great their products are. Look for conferences that provide independent speakers, or topics on areas of interest to you,” says Brian.

Another reason to go to more conferences is the valuable opportunity to network with peers. “Sometimes we learn more from talking to others than from training courses or reading articles,” adds Brian.

2 Collaborate more with your peers

Resolve to take key business leaders in your organisation out to lunch, to discuss the challenges they face and understand how security can help them to address those challenges. Those lunchtime conversations can uncover important business needs. For example, HR might have difficulty retaining staff. Devising a secure way to let certain employees work remotely, or from home, could help employee retention rates without putting sensitive data at risk. Similarly, the marketing department might need a way of exchanging large documents and files with external design houses or ad agencies. But how is this possible if the company restricts mailbox sizes and blocks file sharing platforms like Dropbox?

These lunches can help to position the security function as a business enabler, not an obstacle to getting things done. It’s about finding workable solutions that maintain security because otherwise, people will find their own workarounds – and that introduces risk. “When you meet with your business peers, you can better understand their challenges. It becomes about how I as a security professional support that business objective while protecting the company’s key assets. Rather than ‘no’, the security practitioner says ‘yes, but’. Or better still, ‘yes and this is how we recommend you do it’,” says Brian.

3 Rest up

Brian’s third tip for security practitioners is to try and sleep more. By his own admission, it’s slightly tongue-in-cheek but there’s a serious point behind it. There’s a growing conversation around the high levels of fatigue and stress in the profession, leading to burnout. “To be effective, we need to look after our own personal health. It’s important to take steps to ensure we can keep ourselves in the best condition to do our jobs. It’s trying to make sure you’re compliant as well as your security programme,” Brian advises.

4 Get Detailed on Privacy Regulations [GDPR]

Turning to privacy, Tracy Elliott predicts 2019 will see activity around the General Data Protection Regulation [GDPR] move from theory to practice. “A lot of 2018 was about writing data protection policies and putting governance structures in place. The next 12 months will focus on training people in specific jobs in what they need to know about data protection,” she says. 

The responsibility for training and awareness falls to an organisation’s designated data protection officer (DPO). That ranges from simple measures, like posters in staff canteens to refresh people’s memory of, and awareness about, GDPR, to identifying the key roles in an organisation that need tailored data protection training reflecting their specific job. For example, a nursing home healthcare assistant needs to know about speech privacy as part of protecting sensitive patient information.

5 Batten down for Brexit

Even as confusion surrounds Brexit, it’s time to plan for whatever the outcome might be. (Insert your own joke about seeing the words ‘Brexit’ and ‘plan’ in the same postcode, let alone the same sentence.)

Sarah Clarke points out that a future adequacy agreement is not certain between the UK and the EU. It’s possible that in the event of a no-deal Brexit, the UK will become a third country outside of the EEA. That would mean all transfer of data between Ireland and the UK will be considered as international transfers.

With this in mind, Tracy Elliott says data protection officers should review their organisation’s processing activities. They should identify what data they are transferring to the UK, and whether that includes data about EU citizens. “Consider your options of using a contract or possibly changing that supplier. If your data is hosted on servers in the UK, contact your hosting partner and find out what options are available,” she says.

Larger international companies may already have data sharing frameworks in place, but SMEs that routinely deal with the UK, or that have subsidiaries in the UK, might not have considered this issue yet. All communication between them, even if they’re part of the same group structure, will need to be covered contractually for data sharing. “There are five mechanisms for doing this, but the simplest and quickest way to do this is to roll out model contract clauses [MCCs]. They are a set of guidelines issued by the EU,” Tracy advises.

6 Plan for all outcomes

Here’s where contingency planning is vital. “Use of MCCs has its own risks as they are due an update to bring them into line with GDPR, and Privacy Shield [the EU-US data transfer mechanism] is still on trial,” Sarah warns. However, in the short term, MCCs fit the bill both for international transfers between legal entities in one organisation, and for transfers between different organisations. “For intra-group transfers, binding corporate rules are too burdensome to implement ‘just in case’. You can switch if the risk justifies it when there is more certainty,” she adds.

Sarah points out that regulators won’t tolerate inactivity. That said, they may grant some leeway if an organisation decides on a particular approach and documents its reason for doing so – even if that approach needs to change later. In other words, doing nothing is not an option – a bit like the best New Year’s resolutions.

7 Prepare beyond regulations

Valerie Lyons writes: “If we look to the US patents office, we see the top patents of 2017 fell into cloud, AI, machine learning and big data. Privacy regulation alone will not be able to address the challenges associated with many of these technologies. Gartner agrees, highlighting Digital Ethics and Privacy as one of its top trends of 2019. Privacy practitioners should familiarise themselves with digital ethics frameworks and look not just at privacy governance but information strategy and data management.”

8 Complete one thing

Sometimes, working as a security or privacy professional can feel like being the circus act who keeps plates spinning. There are so many things to do, and so many places in the organisation to start mitigating risks. All the time, there’s an audience of compliance officers, auditors, regulators and bosses, waiting to see if one of the plates will drop. “Stop prevaricating. Pick one initiative and get it done, rather than starting three things and finishing none. That way, you’ve achieved something tangible you can point to. And it’s one less task on the list,” says David Prendergast.

9 Just do it

When it comes to security awareness strategy, as a certain sportswear company might say, just do it. “Don’t wait for a big budget. You don’t need huge sacks of money to explain to people what the risks are, and why they need to change behaviour,” says David. “Security professionals can often be quite shy of talking to IT people because we think they want us to fail. They don’t. They read different press, and if you just tell them the basics, you might just win some allies.” David also agrees with Brian’s point about collaborating more during 2019. “Talk to your colleagues and talk to your peers; they’re probably struggling with the same issues you are. The only daft question is the one you didn’t ask,” he says.

What resolutions have you made for 2019? Let us know in the comments below.

The post Nine for 2019: New Year tips for cybersecurity and privacy professionals appeared first on BH Consulting.

The Year Ahead: Cybersecurity Trends To Look Out for In 2019

A Proven Record Tracking Cybersecurity Trends

This time of the year is always exciting for us, as we get to take a step back, analyze how we did throughout the year, and look ahead at what the coming year will bring. Taking full advantage of our team’s expertise in data and application security, and mining insights from our global customer base, we’ve decided to take a different approach this time around and focus on three key, and overriding trends we see taking center stage in 2019.

2018 brought with it the proliferation of both data and application security events and, as we predicted, data breaches grew in size and frequency and cloud security took center stage globally. With that in mind, let’s take a look at what next year holds.

Data breaches aren’t going away anytime soon, which will bolster regulation and subsequent compliance initiatives

Look, there’ll be breaches, and the result will be more regulation and, therefore, more compliance; this is a given. In fact, the average cost of a data breach in the US in 2018 exceeded $7 million.

Whether it’s GDPR, the Australian Privacy Law, Thailand’s new privacy laws or Turkey’s KVKK, it doesn’t matter where you are: regulation is becoming the standard, whether as a regional, group or individual country standard.

Traditionally when we looked at data breaches, the United States lit up the map, but as regulatory frameworks and subsequent compliance measures expand globally, we’re going to see a change.

The annual number of data breaches and exposed records in the United States from 2005 to 2018 (in millions) [Statista]

What you’ll see in 2019, and certainly as we move forward, is a red rosy glow covering the entire globe. In 2019 you’ll hear more of “It’s not just the United States. This happens everywhere.”

Let’s unpack this for a second. If you were going to steal private data or credit card details, why would you do it in an environment that has world-class, or even mediocre, cybersecurity measures in place? If everyone else is even slightly less protected, that’s where you’re going to find people targeting data, but we hear more about it in regions where regulation and compliance are a major focus.

To that end, we don’t necessarily see 2019 as the year where regulators start hitting companies with massive fines for non-compliance. Maybe by the end of the year, or if you see outright egregious negligence. But you’ll find that companies have put in the legwork when it comes to compliance.

Having your head in the cloud(s) when it comes to managing risk… not a bad idea

McKinsey reports that, by 2020, organizations will be spending more than six times as much on cloud-specific products as they do on general IT services; and according to a survey by LogicMonitor, up to 83% of all enterprise workloads will be in the cloud around that same time.

LogicMonitor’s Future of the Cloud Study [Forbes]

Organizations continue to capitalize on the business benefits of the digital economy and, as such, end up chunking more data into the cloud. Now, we’re not saying that this is being done without some forethought, but are they classifying data as they go along and open their businesses up to the cloud?

Teams need to recognize that, as they transition their data to the cloud, they must also transition their awareness of what’s in the cloud: who is using it, when they’re using it, and why they’re using it. 2019 isn’t going to be the year that businesses figure out they need to do that. What we will see, however, is increasingly cloud-friendly solutions hit the market to solve these challenges.

Social Engineering and the rise of AI and machine learning in meeting staffing issues

One of 2019’s most critical developments will be how the cybersecurity industry steps up to meet the increasing pressure on security teams to perform. According to the Global Information Security Workforce Study, the shortage of cybersecurity professionals will hit 1.8 million by 2022, but at the same time, a report by ESG shows just nine percent of millennials are interested in a career in cybersecurity.

What we’re going to see is how AI and machine learning in cybersecurity technology will close the gaps in both numbers and diversity of skills.

Organizations today have to solve the problem of cybersecurity by hiring for a host of specialized competencies: network security, application security, data security, email security and now, cloud security. Whatever the specialism, those security skills are crucial to any organization’s security posture.

Here’s the thing: there aren’t a lot of people that can claim to know cloud security, database security, application security, data security, or file security. There just aren’t many. We know that, and we know businesses are trying to solve that problem, often by doing the same old things they’ve always done, which is the most common solution. Do more antimalware, do more antivirus, do more things that don’t work. In some cases, however, they’re doing things around AI and trying to solve the problem by leveraging technology. The latter will lead to a shift where organizations dive into subscription services.

There are two facets driving this behavior. The first is the fact that, yes, they realize that they are not the experts, but that there are experts out there. Unfortunately, those experts just don’t work for them; they work for the companies that are offering this as a service.

Secondly, companies are recognizing that there’s an advantage in going to the cloud because, and this is a major determining factor, it’s an OpEx, not CapEx. The same thing is true of subscription services, whether in the cloud or on-prem; it doesn’t matter. Driven by skills shortages and cost, 2019 will see an upswing in subscription services, where organizations are actually solving cybersecurity problems for you.

We should add here, however, that as more organizations turn to AI and machine learning-based decision making for their security controls, attackers will try to leverage that to overcome those same defenses.

Special mention: The ‘trickledown effect’ of Cyberwarfare

The fact is, cyber attacks between nations do happen, and it’s a give-and-take situation. This is the world we live in: right now, quite frankly, these are treated as acceptable types of behavior that won’t necessarily lead to war. But someone still stands to gain.

Specifically, they’re attacking third-party businesses, contractors and financial institutions. That’s why cybersecurity is so important; there needs to be an awareness that somebody might be stealing your data for monetary gain. It might be somebody stealing your data for political gain too, and protecting that data is just as critical, regardless of who’s taking it.

Now, while state hacking isn’t necessarily an outright declaration of war these days, it doesn’t end there. The trickledown effect of nation-state hacking is particularly concerning, as sophisticated methods used by various governments eventually find their way into the hands of resourceful cybercriminals, typically interested in attacking businesses and individuals.

Repeat offenders

No cybersecurity hit list would be complete without the things that go bump in the night and, while all of them might not necessarily be ballooning, they’ll always be a thorn in security teams’ sides.

  • Following the 2017 Equifax breach, API security made it onto the OWASP Top 10 list and remains there for a good reason. With the expanding use of APIs and challenges in detecting attacks against them, we’ll see attackers continuing to take aim at APIs as a great target for a host of different threats; including brute force attacks, App impersonation, phishing and code injection.
  • Bad actors already understand that crypto mining is the shortest path to making a profit, and continue to hone their techniques to compromise machines in the hope of mining crypto-coins or machines that can access and control crypto-wallets.
  • Low effort, easy money, full anonymity and potentially huge damage to the victim… what’s not to like when it comes to ransomware? It’s unlikely that we’ll see these types of attacks go away anytime soon.

If there’s one overriding theme we’d like to carry with us into 2019 it’s the concept of general threat intelligence, the idea that it’s better to have some understanding of the dangers out there and to do something, rather than nothing at all.

We often talk about the difference between risk and acceptable risk or reasonable risk, and a lot of companies make the mistake of trying to boil the ocean… trying to solve every single problem they can, ultimately leaving teams feeling overwhelmed and short on budget.

Acceptable risk isn’t, “I lost the data because I wasn’t blocking it. I get it. And it wasn’t a huge amount of data because at least I have some controls in place to prevent somebody from taking a million records, because nobody needs to read a million records. Nobody’s going to read a million records. So, why did I let it happen in the first place?”

Acceptable risk is “I know it happened, I accept that it happened, but it’s a reasonable number of events, it’s a reasonable number of records, because the controls I have in place aren’t so specific, aren’t so granular that they solve the whole problem of risk, but they take me to a world of acceptable risk.”

It’s better to begin today, and begin at the size and relevance that you can, even if that only takes you from high to medium risk, or reasonable to acceptable risk.
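The “nobody needs to read a million records” control described above can be made concrete as a bulk-access detector over database audit logs. The following is an added example, not code from the original post: it parses a few constructed audit-log lines and flags any principal whose reads sum to more than a threshold within a sliding time window. The log format, the principal names, the 100,000-row threshold and the ten-minute window are all assumptions chosen for illustration.

```python
"""Flag principals whose record reads exceed a bulk threshold within a sliding window.

Added example (not from the original post). The audit-log format below is an
assumption: "<ISO-8601 UTC timestamp> <principal> <action> <table> <rows>".
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit lines. "svc-report" pulls the whole guests table in a
# few minutes; "alice" makes two small reads in the morning and one huge one later.
SAMPLE_AUDIT_LOG = """\
2019-01-15T09:00:01Z alice READ guests 40
2019-01-15T09:00:30Z alice READ guests 55
2019-01-15T09:01:10Z svc-report READ guests 250000
2019-01-15T09:01:50Z svc-report READ guests 300000
2019-01-15T09:02:20Z svc-report READ guests 450000
2019-01-15T09:03:00Z bob READ guests 120
2019-01-15T11:30:00Z alice READ guests 600000
"""


def parse_audit_line(line):
    """Split one audit line into (timestamp, principal, action, table, rows)."""
    ts, principal, action, table, rows = line.split()
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), principal, action, table, int(rows))


def detect_bulk_reads(log_text, max_rows=100_000, window=timedelta(minutes=10)):
    """Return {principal: peak_rows_in_window} for every principal whose READ
    events within any sliding window of `window` sum to more than `max_rows`.

    Events are processed in time order; per principal, a deque holds the events
    still inside the window and `totals` tracks their running row sum.
    """
    events = [parse_audit_line(line) for line in log_text.splitlines() if line.strip()]
    events.sort(key=lambda event: event[0])

    recent = defaultdict(deque)   # principal -> deque of (timestamp, rows) inside the window
    totals = defaultdict(int)     # principal -> rows summed over the deque
    flagged = {}                  # principal -> highest windowed total that breached max_rows

    for ts, principal, action, _table, rows in events:
        if action != "READ":
            continue
        queue = recent[principal]
        queue.append((ts, rows))
        totals[principal] += rows

        # Expire events that fell outside the window relative to this event.
        while queue and ts - queue[0][0] > window:
            _, old_rows = queue.popleft()
            totals[principal] -= old_rows

        if totals[principal] > max_rows:
            flagged[principal] = max(flagged.get(principal, 0), totals[principal])

    return flagged


if __name__ == "__main__":
    for who, rows in detect_bulk_reads(SAMPLE_AUDIT_LOG).items():
        print(f"bulk read by {who}: {rows} rows inside one window")
```

With the constructed log, `svc-report` is flagged at a peak of one million rows across three reads and `alice` at 600,000 from a single read, while `bob` stays under the threshold. Raising `max_rows` above the largest windowed total empties the result, which is the knob an operator would tune to the legitimate reporting load before treating any hit as an exfiltration signal.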

The post The Year Ahead: Cybersecurity Trends To Look Out for In 2019 appeared first on Blog.

Marriott Hotels 4 Year Hack Impacts Half a Billion Guests!

A mammoth data breach was disclosed by hotel chain Marriott International today (30 Nov 18), with a massive 500 million customer records said to have been compromised by an "unauthorized party". 
The world's largest hotel group launched an internal investigation in response to a system security alert on 8th September 2018, and found an attacker had been accessing the hotel chain's "Starwood network" and customer personal data since 2014, copying and encrypting customer records. In addition to the Marriott brand, Starwood includes W Hotels, Sheraton, Le Méridien and Four Points by Sheraton. 

You are at risk if you have stayed at any of the above hotel brands in the last 4 years

The Marriott statement said that for around 326 million of its guests, the personal information compromised included "some combination" of name, address, phone number, email address, passport number, date of birth, gender and arrival and departure information. The hotelier also said encrypted payment card data was copied, and it could not rule out that the encryption keys needed to decrypt cardholder data had also been stolen.

The hotel giant said it would notify affected customers and offer some of them a fraud detection service free for a year, so I expect they will be making contact with me soon. In the meantime, Marriott has launched a website for affected customers and a free helpline for concerned UK customers: 0808 189 1065.

The UK ICO said it would be investigating the breach, and warned those who believe they are impacted to be extra vigilant and to follow the advice on the ICO website and from the National Cyber Security Centre. The hotel chain could face huge fines under the GDPR, and possibly a large-scale class action lawsuit by its affected guests, which could cost it millions of pounds.

What I really would like to know is why the hotel chain retained such vast numbers of guest records after their stays, why it held its customers' passport details, whether those encryption keys were stolen or not and, finally, why the unauthorised access went undetected for four years.

Tom Kellermann, Chief Cybersecurity Officer for Carbon Black, said "It appears there had been unauthorised access to the Starwood network since 2014, demonstrating that attackers will get into an enterprise and attempt to remain undetected. A recent Carbon Black threat report found that nearly 60% of attacks now involve lateral movement, which means attackers aren’t just going after one component of an organisation - they’re getting in, moving around and seeking more targets as they go."

The report also found that 50% of today’s attackers now use the victim primarily for island hopping. In these campaigns, attackers first target an organisation's affiliates, often smaller companies with immature security postures and this can often be the case during an M&A. This means that data at every point in the supply chain may be at risk, from customers, to partners and potential acquisitions.”

Jake Olcott, VP of Strategic Partnerships at BitSight, said "Following the breaking news today that Marriott’s Starwood bookings database has been compromised with half a billion people affected, it highlights the importance of organisations undertaking sufficient security posture checks to avoid such compromises. Marriott’s acquisition of Starwood in 2016 allowed it to utilise its Starwood customer database. Therefore, proactive due diligence during this acquisition period would have helped Marriott to identify the potential cybersecurity risks, and the impact of a potential breach".

“This is yet another example of why it is critical that companies perform cybersecurity analysis during the due diligence period, prior to an acquisition or investment. Traditionally, companies have approached cyber risk in acquisitions by issuing questionnaires to the target company; unfortunately, these methods are time consuming and reflect only a “snapshot in time” view.

“Understanding the cybersecurity posture of an investment is critical to assessing the value of the investment and considering reputational, financial, and legal harm that could befall the company. After an investment has been made, continuous monitoring is essential.”

How Safe and Secure are Wearables?

The ‘wearable technology’ market has been growing exponentially in recent years and is expected to exceed 830 million devices by 2020. One of the key drivers pushing this rapid expansion is fitness trackers, namely wristband tech and smartwatch apps which monitor our daily activity and health. But as we integrate wearable devices seamlessly into our everyday lives, what privacy and security risks do they pose? How should wearable manufacturers and app developers be protecting consumers?

245 million wearables will be sold in 2019

Insurance company Vitality offers customers a heavily discounted Apple Watch in return for their fitness routines and health data: the more activity you do each month, the greater your reward through a monthly discount. While this exchange of information for rewards provides a great incentive for consumers to improve their health, the personal data consumers share in return has a tangible value for the insurance company. However, providing an insurance company with a daily breakdown of one's health is an unacceptable tradeoff for some, who regard such a practice as an invasion of their privacy.

As of May 2018, all EU citizens' privacy rights are legally protected by the General Data Protection Regulation (GDPR). GDPR compliance is required of all companies which process EU citizens' data, including those based outside the European Union. The regulation requires wearable device and app providers to obtain each EU citizen's explicit consent before collecting their personal information; they must also clearly explain what types of personal information they intend to collect, how they intend to use the data, and inform consumers about any other organisation they intend to share their data with. If they don’t, wearable tech firms and app providers should brace themselves for heavy fines from European Information Commissioners.

For further details about the GDPR requirements and for Wearables Software Development Security Advice, read my IBM developerWorks 3 part guidance "A developer's guide to the GDPR" and my Combating IoT Cyber Threats

Wearable personal data is also of value to hackers and criminals; for instance, your fitness routine provides a clear picture of the best times to burglarise your home. With personal consumer data potentially at stake, fitness wearable manufacturers should incorporate both default privacy and security standards into the infrastructure of the device, to help ensure personal information remains safeguarded from known and future cyber threats. UL, a global safety science company, has developed testing for cybersecurity threats and offers security verification processes to assist manufacturers in assessing security risks and helping mitigate them before the product even goes to market. If the industry takes these steps, wearable consumers will feel safe and secure as they reap the intended benefits of this new innovation, while the wearables industry will be well positioned to meet the promise of its growth projections.

Cyber Security Roundup for October 2018

Aside from Brexit, cyber threats and cyber attack accusations against Russia are very much at centre stage of the UK government's international political agenda at the moment. The government publicly accused Russia's military 'GRU' intelligence service of being behind four high-profile cyber-attacks, and named 12 cyber groups it said were associated with the GRU. Foreign Secretary Jeremy Hunt said, "the GRU had waged a campaign of indiscriminate and reckless cyber strikes that served no legitimate national security interest".

UK Police firmly believe the two men who carried out the Salisbury poisoning in March 2018 worked for the GRU.

The UK National Cyber Security Centre said it had assessed "with high confidence" that the GRU was "almost certainly responsible" for the cyber-attacks, and also warned UK businesses to be on the alert for indicators of compromise by the Russian APT28 hacking group. The NCSC said GRU hackers, operating under a dozen different names including Fancy Bear (APT28), had targeted:
  • The systems database of the Montreal-based World Anti-Doping Agency (Wada), using phishing to gain passwords. Athletes' data was later published 
  • The Democratic National Committee in 2016, when emails and chats were obtained and subsequently published online. The US authorities have already linked this to Russia.
  • Ukraine's Kyiv metro and Odessa airport, Russia's central bank, and two privately-owned Russian media outlets - Fontanka.ru and news agency Interfax - in October 2017. They used ransomware to encrypt the contents of a computer and demand payment 
  • An unnamed small UK-based TV station between July and August 2015, when multiple email accounts were accessed and content stolen

Facebook was fined the maximum amount of £500,000 under pre-GDPR data protection laws by the UK Information Commissioner's Office (ICO) over the Cambridge Analytica scandal. Facebook could face a new ICO fine after revealing hackers had accessed the contact details of 30 million users due to a flaw with Facebook profiles. The ICO also revealed a 400% increase in reported cyber security incidents, and another report, by legal firm RPC, said average ICO fines had doubled and to expect higher fines in the future. Heathrow Airport was fined £120,000 by the ICO in October after a staff member lost a USB stick last October containing "sensitive personal data", which was later found by a member of the public.

Notable Significant ICO Security Related Fines

Last month's British Airways website hack was worse than originally reported, as BA disclosed a second attack which occurred on 5th September 2018, when the payment page had 22 lines of malicious JavaScript code injected in an attack widely attributed to Magecart. Another airline, Cathay Pacific, also disclosed it had suffered a major data breach that impacted 9.4 million customers' personal data and some credit card data.

Morrisons has lost a challenge to a High Court ruling which made it liable for a data breach, after an employee, since jailed for 8 years, stole and posted thousands of its employees' details online in 2014. Morrisons said it would now appeal to the Supreme Court; if that appeal fails, those affected will be able to claim compensation for "upset and distress".

Interesting article on Bloomberg on "How China Used a Tiny Chip to Infiltrate U.S. Companies". However, there was a counter-narrative to the Bloomberg article on Sky News. That didn't stop ex-Security Minister Admiral Lord West calling out the Chinese, saying Chinese IT kit 'is putting all of us at risk' if used in 5G. He raises a valid point, given the US Commerce Department said it would restrict the export of software and technology goods from American firms to Chinese chipmaker Fujian Jinhua. BT, which uses Huawei to supply parts for its network, told Sky News that it would "apply the same stringent security measures and controls to 5G when we start to roll it out, in line with continued guidance from government". Recently there have been warnings issued by the MoD and NCSC stating a Chinese espionage group known as APT10 is attacking IT suppliers to target military and intelligence information.

NCSC is seeking feedback on the latest draft 'knowledge areas' of CyBOK, a Cyber Security Body of Knowledge which it is supporting along with academics and the wider security industry.

Google is finally pulling the plug on Google+, after user personal data was left exposed. Google and the other three major web browser providers in the world said, in what seem like coordinated announcements, that businesses must accept TLS versions 1.0 and 1.1 will no longer be supported after Q1 2018.

So it's time to move over to the more secure TLS 1.2 or the even more secure and efficient TLS 1.3.

NEWS

British Airways Hack Update: Caused by Injected Script & PCI DSS Non-Compliance is Suspected

On Friday (7th September 2018), British Airways disclosed that between 21st August 2018 and 5th September 2018, 380,000 BA customers' payment card transactions were compromised by a third party through its website and mobile app. This data included the customer's full name, email address, debit\credit card 16-digit number (PAN), expiry date and card security code, i.e. CVV / CV2.

Details of how the hack was orchestrated have now come to light. In a blog post, RiskIQ researchers claimed to have found evidence that a web-based card skimmer script was injected into the BA website, very similar to the approach used by the Magecart group, who are believed to be behind a similar recent attack against the Ticketmaster website. Web-based card skimmer script attacks have been occurring since 2015.

In this case, once the customer had entered their payment card details and submitted the payment, either on a PC or on a touchscreen device, the malicious script executed, captured the payment card data and sent it to a virtual private server (VPS) hosted in Romania. The server used a domain called baways.com and had an HTTPS certificate issued by Comodo, making it appear legitimate within the website HTML. The domain was registered 6 days before the breach started; this evidently went undetected by BA's security, although the registration could perhaps have been picked up by a threat intelligence service.

Other researchers have also claimed the BA website wasn't PCI DSS compliant. Marcus Greenwood found files loaded from 7 external domains onto the BA website and, crucially, said the BA payment page wasn't isolating the card payment entry within an iframe, which would prevent any third-party scripts (and XSS attacks) from reading the payment card form fields. The Payment Card Industry Data Security Standard (PCI DSS) is mandatory for all organisations which accept, process, store and/or transmit debit and credit card data.

Here is the advice from Bill Conner, CEO of global cybersecurity specialist SonicWall:

"Organizations and government entities carry a responsibility to consumers and civilians alike to guard their most valuable information at all cost. While the British Airways breach may not have been as detrimental as I’m sure its culprits would have liked it to be, it should serve as a wake-up call to CTOs, CIOs and CISOs. The fact is, it is early days, and the true damage done is yet to be seen. Personal information that does not change as easily as a credit card or bank account number drives a high price on the Dark Web. This kind of Personally Identifiable Information is highly sought after by cybercriminals for monetary gain. Companies should be implementing security best practices such as a layered approach to protection, as well as proactively updating any out of date security devices, as a matter of course."

My view: mass credit\debit card data (cardholder data) complete with the security code has always been targeted by cyber crooks because it is very easily sellable on the dark web, even though the data can only be used in cardholder-not-present transaction fraud, where the card holder is not physically present, i.e. online, app, phone. The finger can be pointed at lack of PCI DSS compliance by merchants like BA; however, I think it is about time technology was used to improve the security of all cardholder-not-present transactions, namely multi-factor authentication (MFA). While MFA on all cardholder-not-present transactions is not a silver bullet (there is no 100% security), enforced usage across all industries would certainly devalue debit\credit card data considerably.

British Airways Customer Data Stolen in Website and Mobile App Hack

In a statement, British Airways stated: "From 22:58 BST August 21 2018 until 21:45 BST September 5 2018 inclusive, the personal and financial details of customers making bookings on ba.com and the airline’s app were compromised." The airline said it will be notifying affected customers, and anyone impacted should contact their bank or credit card provider.
The Telegraph reported 380,000 payments were compromised, and that BA customers had experienced payment card fraud as a result before the BA breach disclosure, which strongly suggests unencrypted debit\credit card details were stolen.

There are no details about the data theft method at the moment, but given the statement said the BA website and BA mobile app were compromised, I think we could be looking at another example of an insecure API being exploited, as per the Air Canada breach and the T-Mobile breach last month.

We'll see what comes out in the wash over the next few days and weeks, but thanks to the GDPR, at least UK firms are quickly notifying their customers when their personal and financial data has been compromised, even if there is little detail reported about how. Without knowing how the data was compromised, customers cannot be truly assured their private data is safe. It will also be interesting to learn whether the BA systems were compliant with the Payment Card Industry Data Security Standard (PCI DSS), required of all organisations that accept, process, store and/or transmit debit and credit cards.

Update: 
A spokesperson at BA said "hackers carried out a sophisticated, malicious criminal attack on its website" and impacted BA customers would be compensated. 

380,000 card payment transactions were confirmed as stolen, specifically:
  • Full Name
  • Email address
  • Payment card number (PAN)
  • Expiration date
  • Card Security Code [CVV] - typically a 3-digit authorisation code written on the back of the debit\credit card
BA insists it did not store the CVV numbers; PCI DSS does not allow these to be stored after payment card authorisation. This suggests the card details may have been intercepted during the payment transaction, perhaps by a maliciously injected or compromised third-party website plugin, as opposed to data theft from the database, as often seen with SQL injection attacks against web apps.

BA have published help and FAQs to anyone that is impacted by this data breach.
https://www.britishairways.com/en-gb/information/incident/data-theft/latest-information

British Airways is owned by IAG, whose share price dropped by more than 4%, equating to a £500m+ loss in company value.

Update on the Attack Method (11 Sept 2018)
In a blog post, RiskIQ researchers claimed to have found evidence that a web-based card skimmer script was injected into the BA website, very similar to the approach used by the Magecart group, who are believed to be behind a similar recent attack against the Ticketmaster website. Web-based card skimmer script attacks have been occurring since 2015.

In this case, once the customer entered their payment card details and submitted the payment, either on a PC or on a touchscreen device, the malicious script captured their data and sent it to a virtual private server (VPS) hosted in Romania. The server used a domain called baways.com and had an HTTPS certificate issued by Comodo to make it look legitimate. The domain was registered 6 days before the breach started; this evidently went undetected by BA's security, although the rogue domain registration could perhaps have been picked up by a threat intelligence service.

Researchers have also claimed the BA website wasn't PCI DSS compliant. They found 7 scripts running on the BA website but, crucially, said the BA payment page wasn't isolating the card payment entry within an iframe, which would prevent third-party scripts (and XSS attacks) from reading the payment card form fields.
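The two findings above, and the same two points made in the earlier BA write-up in this archive (third-party scripts loaded onto the payment page, and card fields not isolated inside an iframe), can both be checked mechanically. The Node.js audit below is an added example written for this post, not RiskIQ's, BA's or the researchers' code: the merchant origins, the payment-provider origin, the script allow-list and the two sample pages are all constructed for the demo. It lists every external script origin that is not on the merchant's allow-list (any such script can read the card form) and reports whether the card inputs are delegated to an iframe served by the payment provider rather than living in the top-level document.

```javascript
'use strict';
// Added example (not code from the blog post or from RiskIQ): audit checkout-page
// HTML for (a) third-party scripts loaded into the page that hosts the card form and
// (b) card fields placed in the top-level document instead of a payment-provider iframe.
// All origins, the allow-list and the sample pages below are constructed for this demo.

// Origins the (hypothetical) merchant has approved to serve script on the checkout page.
const SCRIPT_ALLOWLIST = new Set([
  'https://www.example-airline.test',
  'https://static.example-airline.test',
]);

// Origin of the (hypothetical) payment provider whose hosted iframe should own the card fields.
const PAYMENT_ORIGIN = 'https://pay.example-psp.test';

const escapeRe = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');

// Origins of every external <script src="..."> in the markup. Relative URLs are
// same-origin and therefore skipped. A regex is enough for static markup; a real
// scanner would parse the DOM and also watch for scripts injected at runtime.
function externalScriptOrigins(html) {
  const origins = [];
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    try {
      origins.push(new URL(m[1]).origin);
    } catch (e) {
      // relative src such as "/static/app.js": same-origin, nothing to flag
    }
  }
  return origins;
}

// External script origins not on the allow-list. Each one runs with full access to
// the page, so it can read the card number and CVV exactly as a skimmer does.
function unexpectedScripts(html) {
  return externalScriptOrigins(html).filter((o) => !SCRIPT_ALLOWLIST.has(o));
}

// True when the card form is delegated to an iframe from the payment provider AND no
// card-number/CVV input sits in the top-level document. The same-origin policy then
// stops scripts in the merchant page from reading those fields.
function cardFieldsIsolated(html) {
  const pspFrame = new RegExp(
    '<iframe\\b[^>]*\\bsrc\\s*=\\s*["\']' + escapeRe(PAYMENT_ORIGIN) + '(?:[/?"\']|$)',
    'i'
  ).test(html);
  const topLevelCardInput =
    /<input\b[^>]*\b(?:name|id|autocomplete)\s*=\s*["'](?:cc-number|cc-csc|card[-_]?number|cvv|cvc)["']/i.test(html);
  return pspFrame && !topLevelCardInput;
}

function auditCheckoutPage(html) {
  const unexpected = unexpectedScripts(html);
  const isolated = cardFieldsIsolated(html);
  return { unexpectedScripts: unexpected, cardFieldsIsolated: isolated, ok: unexpected.length === 0 && isolated };
}

// Constructed sample: card inputs inline in the merchant page plus an unapproved third-party script.
const WEAK_PAGE = `
<html><body>
<script src="https://www.example-airline.test/app.js"></script>
<script src="https://tags.example-thirdparty.test/tag.js"></script>
<form id="payment">
  <input name="card-number" autocomplete="cc-number">
  <input name="cvv" autocomplete="cc-csc">
</form>
</body></html>`;

// Constructed sample: only approved scripts, card form hosted by the payment provider.
const HARDENED_PAGE = `
<html><body>
<script src="https://www.example-airline.test/app.js"></script>
<script src="/static/checkout.js"></script>
<iframe src="https://pay.example-psp.test/card-form?session=demo" title="Card details"></iframe>
</body></html>`;

console.log('weak page:', auditCheckoutPage(WEAK_PAGE));
console.log('hardened page:', auditCheckoutPage(HARDENED_PAGE));
```

The audit only tells you what the static page contains; the skimmer in the BA case was injected into a script the page already trusted, so the companion controls are a Content-Security-Policy `script-src` allow-list, Subresource Integrity hashes on the scripts you do load, and monitoring for new script origins appearing on the payment page.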

Bill Conner, CEO of SonicWall, said: "Organizations and government entities carry a responsibility to consumers and civilians alike to guard their most valuable information at all cost. While the British Airways breach may not have been as detrimental as I’m sure its culprits would have liked it to be, it should serve as a wake-up call to CTOs, CIOs and CISOs. The fact is, it is early days, and the true damage done is yet to be seen. Personal information that does not change as easily as a credit card or bank account number drives a high price on the Dark Web. This kind of Personally Identifiable Information is highly sought after by cybercriminals for monetary gain. Companies should be implementing security best practices such as a layered approach to protection, as well as proactively updating any out of date security devices, as a matter of course."

Latest on the Currys PC World Data Breach Impacting 10 Million Customers

Following further investigations, Currys PC World today confirmed that 10 million of their customers' personal details may have been stolen by hackers, a revised number from the 1.2 million customers and 5.9 million payment cards it advised back in June.

In June 2018, the company said there was "an attempt to compromise" 5.8 million credit and debit cards but that only 105,000 cards without chip-and-PIN protection had been leaked after hackers attempted to access the company's payment processing systems.

The hack was said to have occurred nearly a year before it was disclosed, so either it went undetected, which is common where there is inadequate security monitoring in place, or the business knew about the breach but chose not to disclose it to its impacted customers.

The Information Commissioner's Office (ICO) fined Dixons Carphone £400,000 for a 2015 data breach; however, Currys PC World stated the incidents were not connected.

The business stressed it has now improved its security measures, including enhanced controls, monitoring and testing to safeguard customer information, and is "trebling their investment in cybersecurity". Unfortunately, no details have been disclosed explaining how the hackers were able to access such large quantities of personal data. The company's "security improvement" statement suggests its IT security was rather underfunded and not at a sufficient standard to adequately secure its business operations and customer data.

The ICO and the NCSC both released statements about the breach in June. So we'll see what the ICO makes of it, but I think the business is likely to be fined again, although not the potentially massive GDPR penalties, as this data breach occurred before the GDPR came into force in May.

Customer statement by Currys PC World to their customers today

On June 13, we began to contact a number of our customers as a precaution after we found that some of our security systems had been accessed in the past using sophisticated malware.

We promptly launched an investigation. Since then we have been putting further security measures in place to safeguard customer information, increased our investment in cyber security and added additional controls. In all of this we have been working intensively with leading cyber security experts.

Our investigation, which is now nearing completion, has identified that approximately 10 million records containing personal data may have been accessed in 2017. This unauthorised access to data may include personal information such as name, address, phone number, date of birth and email address.

While there is now evidence that some of this data may have left our systems, these records do not contain payment card or bank account details and we have no confirmed instances of customers falling victim to fraud as a result. We are continuing to keep the relevant authorities updated.

As a precaution, we are letting our customers know to apologise and advise them of protective steps to take to minimise the risk of fraud. These include:
  • If you receive an unsolicited email, letter, text or phone call asking for personal information, never reveal any full passwords, login details or account numbers until you are certain of the identity of the person making the request. Please do not click on any links you do not recognise.
  • If you think you have been a victim of fraud you should report it to Action Fraud, the UK’s national fraud and internet crime reporting centre, on 0300 123 2040*.
  • We also recommend that people are vigilant against any suspicious activity on their bank accounts and contact their financial provider if they have concerns.

You can find more information here

We take the security of your data extremely seriously and have previously announced that we have taken action to close off this access and have no evidence it is continuing. Nevertheless, we felt it was important to let customers know as soon as possible.

We continue to make improvements and investments to our security systems and we’ve been working round the clock to put this right. We’re extremely sorry about what has happened – we’ve fallen short here. We want to reassure you that we are fully committed to protecting your data so that you can be confident that it is safe with us.

Cyber Security Roundup for May 2018

I'm sure the release of the GDPR on 25th May hasn't escaped anyone's attention. After years of warnings about the EU parliament's intended tough stance on enforcing the human right to privacy in the digital realm, a real 'game changer' of a global privacy regulation has finally landed, impacting any organisation which touches EU citizens' personal data.

The GDPR's potential hefty financial penalties for breaching its requirements are firmly on the radar of directors at large enterprises and small businesses alike, hence the massive barrage of emails we have all received in recent weeks on changes to company privacy statements and requesting consent, many of which I noted were not GDPR compliant in how they obtained "explicit consent" from the data subject. So there is a long way to go for many organisations before they reach a truly GDPR compliant state, based on what I've seen so far in my mailbox.

Cybercriminals have been quick to take advantage of the deluge of GDPR privacy emails, using the subject matter in their phishing attacks to gain access to accounts and con victims.
On a more positive GDPR note, also on 25th May, IBM developerWorks released a three-part guidance series written by myself, aimed at helping application developers to develop GDPR compliant applications.

Developing GDPR Compliant Applications Guidance

Overshadowed by the GDPR coming into force, the release of the new NHS Data Security and Protection Toolkit, aimed at the NHS and its service providers, and the European NIS Directive (for telecom providers) went under the radar, but they are significant to those working in those industries.

Always make sure your broadband router\hub does not permit remote administrative access (over the internet) and is always kept up to date with the latest security patches; otherwise it will be at serious risk of being hacked and remotely controlled by cyber-criminals. As evidenced this month: a DNS flaw in over 800,000 DrayTek routers allowed hackers to take them over, malware called VPNFilter infected 500,000 routers, and serious vulnerabilities were reported in TP-Link EAP controllers.

IBM made headlines after banning its workers from using USB sticks, which I think is a good and reasonable policy. Quite frankly, in any modern enterprise, whether large or small, with a decent IT infrastructure and cloud services, staff shouldn't need to use USB devices to move data either internally or externally with third parties, so I see this as a rather smart business and security move: banning all USB devices forces staff to use the more secure and more efficient technology made available.

As my @securityexpert Twitter account crossed the 10,000 follower threshold, Twitter advised 300 million users to reset their passwords after an internal error. Apparently the passwords for the Twitter accounts were accidentally stored in a database as their "plain text" value instead of as a hashed value, as per best practice. I always strongly recommend that Twitter users take advantage of the multi-factor authentication Twitter provides, which reduces the risk of account hacking.

Breaches of note in May included a T-Mobile website bug which exposed personal customer data, Coca-Cola said an insider breached 8,000 accounts, and BMW cars were found to have over a dozen security vulnerabilities.

As always, a busy month of new security patch releases, with Microsoft, Adobe, PHP, PGP, Google, Git and Dell all releasing critical security updates to fix significant security flaws. Click the links for the full details.

Analysis of DDoS attacks at Cloudflare has revealed that while organisations in the UK have certainly upped their spending on DDoS mitigation, cyber-criminals are now responding by switching to Layer 7 based DDoS attacks.
Some interesting articles about the Welsh Cyber Security Revolution and a review of the NHS a year on from the WannaCry outbreak.

Reports of interest this month include the Thales Data Threat Report, which found UK businesses to be the most breached in Europe; the LastPass Psychology of Passwords Report, which found 59% of people surveyed used the same passwords across multiple accounts, despite 91% of them knowing that using the same password for multiple accounts is a security risk; and the 2017 Cylance Report, which stated the number of cyber-attacks on industries such as healthcare, manufacturing, professional services and education rose by about 13.4% between 2016 and 2017.

NEWS
AWARENESS, EDUCATION AND THREAT INTELLIGENCE

Application Development GDPR Compliance Guidance

Last week IBM developerWorks released a three-part guidance series I have written to help Application Developers develop GDPR compliant applications.

Developing GDPR Compliant Applications Guidance

The GDPR
The General Data Protection Regulation (GDPR) was created by the European Commission and Council to strengthen and unify Europe's data protection law, replacing the 1995 European Data Protection Directive. Although the GDPR is a European Union (EU) regulation, it applies to any organization outside of Europe that handles the personal data of EU citizens. This includes the development of applications that are intended to process the personal information of EU citizens. Therefore, organizations that provide web applications, mobile apps or traditional desktop applications that can indirectly process EU citizens' personal data or allow EU citizens to sign in are subject to the GDPR's privacy obligations. Organizations face the prospect of powerful sanctions should applications fail to comply with the GDPR.

Part 1: A Developer's Guide to the GDPR
Part 1 summarizes the GDPR and explains how the privacy regulation impacts and applies to developing and supporting applications that are intended to be used by European Union citizens.

Part 2: Application Privacy by Design
Part 2 provides guidance for developing applications that are compliant with the European Union’s General Data Protection Regulation. 

Part 3: Minimizing Application Privacy Risk
Part 3 provides practical application development techniques that can alleviate an application's privacy risk.

GDPR Material and Territorial Scopes

The new EU General Data Protection Regulation will enter into force on 25 May of this year. The GDPR contains rules concerning the protection of natural persons when their personal data are processed and rules on the free movement of personal data. The new regulation is not revolutionary but an evolution from the previous Data Protection Act 1998 […]