The stated mission of Solve.Care is to “Make health care and benefits programs work better for everyone.” Solve.Care aims to improve security and privacy while also improving access and accountability in a manner that current centralized systems cannot accomplish. Solve.Care’s platform intends to vastly improve the administration of benefits and the coordination of care. By […]
Friendz connects brands with their community of users to promote “word of mouth” marketing. Unlike a majority of ICOs, the company has already been in business since 2016. They’re using the ICO as an opportunity to incorporate blockchain technology into their platform to automate picture validation and reward distribution (more on this later). The team […]
A growing body of statistics shows that very few people save anything at all for their retirement. In a study conducted by Bankrate, it was discovered that from the age of 30, less than half of all Americans save more than 5% of their annual salary. What’s more, 20% of Americans in the same […]
VALID is a two-part blockchain ecosystem for you to use to manage and authenticate your digital identity and potentially sell your personal data. The project is part of Procivis, a digital identity platform that’s been working with governments to create eIDs for their citizens. VALID Wallet According to the whitepaper, the VALID wallet is a mobile […]
Cryptocurrency market volatility is nothing new to crypto investors. There have been several projects creating asset-backed coins including those secured with diamonds, real estate, and USD to provide investors a sense of stability. Havven looks to add a layer of stability to their project through a dual token system they say will include a crypto […]
During the past few decades, internet connectivity and technological advancement evolved rapidly to satisfy a large spectrum of the digital consumer crowd up to and including finance. The demand for online stock exchange, currency trading and investing has led to the development of thousands of online brokerage platforms and systems all over the globe. However, […]
Acorn Collective, commonly called just ‘Acorn’, is a crowdfunding platform with the mission to provide “free crowdfunding for any legal project in any country.” Crowdfunding platforms like Kickstarter and GoFundMe have grown in popularity over the last 10 years but still exclude many projects looking for funding. As centralized entities, they restrict what projects can […]
According to Research and Markets, “the online recruitment market in the US is forecast to grow at a CAGR of 6.47% during the period of 2016-2020.” As the online recruitment industry continues to grow in size and popularity, online recruiters have developed in-house recruitment CRMs that are heavily reliant on data intelligence. Data helps online […]
Bitcoin and other cryptocurrencies have witnessed unprecedented growth in volume over the past year. Although cryptocurrencies were created for purely transactional or utility purposes, their rapid price appreciation, growing volume and high volatility have given them the status of speculative trading assets. Trading mechanisms like the algorithms found in trading bots are now […]
The world of supply chain management is changing rapidly, as new technology and process upgrades continue to drive competition for market share. This has prompted many businesses to re-evaluate their existing processes and performance with an emphasis on boosting efficiency, transparency and customer service. Although processes may be evolving, traceability and transparency remain an integral […]
Participants in the Bee Token ICO were robbed of hundreds of ETH: scammers sent out a phishing email stating that the ICO was now open, followed by an Ethereum address they controlled.
Another day, another incident involving cryptocurrencies: hundreds of users fell victim to email scams in the last few days.
The victims were tricked by scammers into sending more than $1 million worth of Ethereum to them as part of the Bee Token ICO (Initial Coin Offering). Bee Token is a blockchain-based home sharing service; it launched the ICO on January 31 and ended it on February 2, when the Bee team had obtained the $5 million necessary to start the project.
During the ICO period, the crooks sent phishing emails posing as the Bee Token ICO.
The scammers, impersonating the Bee team, sent urgent-sounding emails to potential investors inviting them to buy Bee Tokens by transferring Ethereum to wallets under the scammers' control.
To persuade users to participate in the ICO by sending Ethereum, the scammers claimed that the company had started a partnership with Microsoft and would be giving participants a 100% bonus on all contributions made in the next 6 hours.
The cybercriminals also guaranteed that the value of Bee Token would double within 2 months, or participants would receive their ETH back.
“Today, investors who were eagerly waiting for their opportunity to join the Bee Token ICO were robbed for 100s of ETH. Scammers managed to get their hands on the Bee Token mailing list and sent out a phishing email stating that the ICO was now open, followed by an Ethereum address to send their contributions to,” states the blog post published by TheRippleCryptocurrency.
After the Bee team became aware of fraudulent activity it issued three security alerts to warn of the ongoing scam:
“The Bee Token team has been made aware of phishing sites that have copied the Bee Token website in an attempt to deceive users into sending them their money. Please DO NOT trust any website other than https://www.beetoken.com/ . REPEAT: DO NOT trust any website other than https://www.beetoken.com/” reads one of the Bee Token Security Notices.
The Bee Token team also created a Google scam reporting form to allow users to report scams.
RippleCryptocurrency.com had access to two different versions of the email, which listed the following Ethereum addresses used by the crooks:
A third one was reported on Reddit by users:
The overall amount of money contained in the three wallets at the end of the ICO was over $1 million.
Unfortunately, this kind of incident is not uncommon; for this reason, Facebook banned ads for ICOs and cryptocurrencies on its social network.
(Security Affairs – Bee Tokens, scam)
The post More than 1 million worth of ETH stolen from Bee Token ICO Participants with phishing emails appeared first on Security Affairs.
Bubbletone Blockchain has generated a lot of buzz in the ICO world. In the age of globalization and heightened cross-border travel, the promise of global telecom without intermediaries is quickly gaining traction. Imagine traveling anywhere in the world and being able to use your mobile device seamlessly without changing your SIM card or paying huge […]
There is a profound shift underway in the labor market: many people are disavowing traditional 9-5 employment in favor of the ever-growing ‘gig economy’ – a phrase that describes the bustling world of freelancing and short-term contracts. Although the transition partly reflects the breakdown of stable employment opportunities, it also taps into an even bigger […]
Digital advertising is the fastest growing segment of the advertising industry, and now has the highest market share in terms of ad spending beating TV in 2017. Despite losing billions of dollars in revenue to challenges like ad blocking or insignificant banner ads, the digital ad industry is still multiplying due to new growth avenues. […]
As human capital continues to rise worldwide and supply chains gain international footprints, companies are increasingly looking for ways to collaborate across borders on employment and freelance work. However, current payroll processes create regulatory and compliance hurdles and also come with significant currency exchange fees when companies look to hire abroad. One […]
When it comes to security, video surveillance is currently one of the best ways to ensure ‘what really happened’ in any situation. Public crime and terrorist activity are the main factors that generate the need for the development of the global surveillance market. According to Stratistics MRC, the global video surveillance market was worth an estimated $19 billion in 2015 […]
According to Newzoo, the global leader in eSports, games, and mobile intelligence, the eSports economy was worth $696 million in 2017, a dramatic increase from $71.5 million in 2013. Growing demand for online streaming media platforms, particularly Amazon’s Twitch.tv, has become central to the expansion and promotion of eSports competitions, and their prize pools respectively. Newzoo estimates a […]
People generally prefer the convenience of taxis over other public transportation methods for various reasons. Unlike public transportation, which has a predetermined route, speed and multiple users at the same time, taxis give you the options of privacy, dedicated service and the convenience of arriving right at your doorstep. The global taxi market is […]
I love the way The Economist describes the data economy: “Data are to this century what oil was to the last one: a driver of growth and change. Flows of data have created new infrastructure, new businesses, new monopolies, new politics and—crucially—new economics. Digital information is unlike any previous resource; it is extracted, refined, valued, […]
The gaming industry crossed the $100 billion revenue mark in 2017, becoming one of the fastest growing industries globally. To give you a perspective on things, games generated nine times more revenue than Hollywood in 2016. The gaming industry has also attracted the widespread attention of the blockchain community, with roughly 30 blockchain-based gaming projects […]
The use of blockchain technology is rapidly proliferating, and it has already become a strong candidate to be the most revolutionary technology of this decade. The first generation of blockchain technology came with the invention of bitcoin by Satoshi Nakamoto in 2008. It depended heavily on a virtual ledger, which keeps track of all transactions […]
As more and more asset managers begin to allocate a portion of their portfolio to cryptocurrencies, they’ll be seeking risk-adjusted returns from a diversified basket of tokens. However, the current index funds that are available may not be what they are looking for. This is because many asset managers are constrained by mandates and risk-controls, […]
Feast Coin is a decentralized currency and app you can use to order from your favorite take-out and/or delivery restaurant. With Feast Coin you can pay using cryptocurrency without having to go through the arduous process of converting to fiat. Differing from the majority of other ICOs, Feast Coin is built on the Waves platform. Waves […]
DADI (Decentralized Architecture for a Democratic Internet) is a platform for decentralized cloud and web-based services. The platform uses a Decentralized Autonomous Organization (DAO) and fog computing to bring you these services in a cheaper, more secure fashion. The project is attempting to remove the power of the behemoths (Microsoft Azure, Amazon Web Services, Google […]
Blockchain technology is still in its infancy. There are many issues preventing developers and businesses from creating widespread, decentralized blockchain applications. Performance is one of the main challenges facing current blockchain solutions. The blockchain that bitcoin uses is designed to handle seven transactions per second, and Ethereum can only handle a few more. As of […]
The Information Commissioner's Office (ICO) is back to doing what it does best today, slapping Carphone Warehouse with a £400,000 fine for a 2015 data breach that exposed the personal information of over 3 million customers and 1,000 staff. It's one of the heftiest invoices the ICO has ever written up, though TalkTalk was fined just as much for failing to protect user data from a cyberattack that same year. Carphone Warehouse suffered a comparably serious breach that affected several of the company's brands. Not only were names, addresses, dates of birth and other personal details exposed, but also the "historical" card details of 18,000 customers. According to the ICO, though, "there has been no evidence that the data has resulted in identity theft or fraud."
As Uber prepares to defend itself following news that it suffered -- and subsequently hid -- a massive data breach in 2016, the company has begun shedding light on how many people it affected locally. At first count, 57 million global users were implicated in the attack, but the ride-hailing service today revealed that as many as 2.7 million UK customers and drivers had their names, email addresses and mobile phone numbers stolen.
After reports emerged that Uber had suffered a massive data breach, the UK's Information Commissioner's Office (ICO) has said it has "huge concerns" about the company's data protection policies and has confirmed it has launched its own investigation into Uber's decision to cover it up.
Second-hand goods firm CeX disclosed a compromise of up to 2 million online customer accounts due to a hack; however, CeX has yet to disclose any details about the cyber attack. My blog post and advice about this is here: http://blog.itsecurityexpert.co.uk/2017/08/up-to-2-million-cex-customer-account.html
Hackers had a field day taking over social media accounts, from Real Madrid and FC Barcelona to Game of Thrones. Much embarrassment could have been avoided if multi-factor authentication had been enabled on the accounts, aside from the spate of Instagram hacks, which were caused by the exploitation of a software vulnerability in Instagram's API.
In what looks like a follow-on from the brute-force attack on the UK Parliament's email accounts in June, the Scottish Parliament was hit by a very similar cyber attack. As with the Westminster attack, many MSPs were reportedly found to be using weak passwords. Let's hope the Welsh Assembly has taken note and learned the password security lessons.
A massive 'spambot' holding 711 million email addresses was found to be spreading malware by a security researcher. It was said to have been put together using stolen data from previous LinkedIn and Badoo data breaches. Using legitimate email addresses helps the spam evade anti-phishing and spam filters.
On the ransomware front, LG reported WannaCry caused a two-day shutdown of its business in South Korea. TNT customers were said to be furious after NotPetya badly affected its ability to deliver hundreds of thousands of items, particularly in Ukraine. And Digital Shadows reported a trend of cyber criminals dropping exploit kits for ransomware, as there is simply a lot more money to be made from ransomware attacks.
On the critical security patching front, Microsoft released 25 critical updates, Adobe released 43 fixes, and Drupal patched a critical bug. And there was an interesting article posted by Microsoft on Cyber Resilience worth reading.
- Up to 2 Million CeX Customer Accounts Stolen in Hack
- Giant Spambot Scooped up 711 Million Email Addresses to Spread Ursnif Malware
- Scottish Parliament targeted by Email Brute-Force Cyber Attack
- TalkTalk Fined for Poor Staff Monitoring causing a Data Breach of 21,000 Customers
- Instagram Flaw allowed Celebrity Contact Details Stolen by Hackers
- Real Madrid Twitter accounts Hacked shortly after FC Barcelona Account is Breached
- LG hit by WannaCry Ransomware, causing a Two Day Shutdown
- World of Warcraft, Overwatch, Hearthstone and other games hit by DDoS
- Hackers steal nearly £400K from Enigma Virtual Currency ICO Investors
- Anonymous Hacks NHS System, Data of 1.2 Million Patients Allegedly Exposed
- Customers 'furious' with TNT after NotPetya Cyber Attack Meltdown
- Game of Thrones Social Media Hacked in spate of Cyber Attacks against HBO
- Fancy Bears Release Data on Footballers' TUE drug use after New Hack
- Russian Hackers Accused of Spying on Hotels
- Microsoft release 25 Critical Updates to fix flaws in IE, Edge, SQL, Flash & Windows
- Adobe releases fixes for 43 Critical Security Vulnerabilities in Acrobat and Reader
- Drupal Patches Critical Remote Access Bypass Bug
- Popular Robots are Dangerously Vulnerable and Easy to Hack, Researchers Say
- SyncCrypt Ransomware able to Sneak Past most Antivirus Defenses
- Major Decline in Exploit Kits due to being Less Financially Viable than Ransomware
- SSL Encrypted Malware Doubles this Year, Phishing Over SSL/TLS up 400%
- Malicious PowerPoint slide show files deliver REMCOS RAT
The insider threat danger manifested at Bupa, where an employee stole and shared 108,000 customer health insurance records. Bupa dismissed the employee and is planning to take legal action. The Bupa data breach was reported both to the FCA and the ICO; it remains to be seen whether the UK government bodies will apportion any blame to Bupa for the data loss.
- Bupa Data Breach affects 100,000 Insurance Customers
- AA fails to Alert Customers after Server Leaks 13 Gigabytes
- UniCredit Bank's Third Party leads to hack of 400,000 clients
- Multinational talks of £100 mil loss as Petya/NotPetya leaves its Mark
- Backdoor placed in popular Ukrainian software enabled NotPetya Attack
- blogpost by Eset
- More staff cyber-security aware following WannaCry devastation in May
- Petya cyber-attack still disrupting firms weeks later
- Unencrypted PII records leaked from WWE database hosted on AWS server
- NHS patients' data was illegally transferred to Google DeepMind
- Mirai Botmaster behind Deutsche Telekom Router Hijack pleads Guilty
- Lloyd's of London: Major global Cyber Attacks could cost £40 billion
- Verizon 3rd Party Data Security Vendor exposes Six Million Accounts
- Russia and China tighten Internet Controls
- Hackers 'Probably Compromised' UK Industry
There are plenty of Cyber Security Sales and Marketing teams jumping on the General Data Protection Regulation (GDPR) bandwagon at the moment, often peddling fear of massive fines and in far too many cases spouting nonsense and unnecessary guesswork about the GDPR's information security requirements.
You do not need to be a lawyer or a fancy pants security consultant to understand the GDPR's information security requirements; they are freely provided by the European Union. It is just a matter of taking the time to actually read and digest each of the GDPR's requirements and then interpreting how your organisation will comply, albeit some requirements result in full-blown project plans. I recommend reading the bite-sized, section-headed version of the GDPR on www.privacy-regulaton.eu rather than the EU-released GDPR paper.
The United Kingdom’s exit from the European Union will not occur before GDPR comes into UK law on 25th May 2018. Therefore all UK organisations storing or processing any personal data records will have to comply with the GDPR from May 2018. It is highly likely GDPR compliance will continue to be a UK personal data legal requirement post Brexit. The GDPR applies to any non-EU country processing EU citizens' personal data, and it is unlikely that the UK will adopt a tiered system of data protection legal requirements in which UK nationals have fewer privacy rights than EU nationals.
Only 3 of the 99 GDPR Requirements are directly Information (Data) Security Related
That's right, there are just three information (data) security requirements in the GDPR, Articles 33, 34, and 35; the other 96 Articles relate to data subject rights, data controller responsibilities, sending personal data outside the EU and general administration. There is a hidden information security requirement in GDPR Recital 63, but aside from that, there is not a lot for information security professionals to worry about unless you have been tasked to prepare an organisation to meet all the GDPR's requirements, in which case you need to be data privacy qualified.
Information Security Vs Data Privacy
Some companies like to lump data privacy within information security management, but to properly understand and manage modern data privacy rights in medium to large organisations requires individual(s) with the appropriate qualifications and background in privacy law. Data privacy is a completely separate discipline; applying the intricacies of privacy rights within business processes can be completely alien to the average information security professional. We still live in an age where the information security function is incorrectly placed as a subset of IT in some organisations, but nevertheless, even though privacy and security are linked, they should be regarded as separate business functions and as separate professions, a notion included as a requirement in the GDPR under Article 37.
Article 37 “Designation of a Data Protection Officer”
"the data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39."
Article 37 & Article 38 require the designation of a Data Protection Officer (DPO)
Article 39 “Tasks of a Data Protection Officer” outlines a number of privacy officer duties, including monitoring compliance with the GDPR.
Article 32 Apply an Appropriate level of Information Security (Risk Assess)
This is best practice information security management, nothing specific or new here; it all should already be being done. Take a risk-assessed approach, information security 101: confidentiality, integrity and availability of all personal data within the organisation. Don't forget availability, as unlike PCI DSS the GDPR regards the availability of personal data as a security requirement. Article 32 requires information security to be of an industry best practice standard, appropriate to the size and nature of the organisation. This means information security does not need to achieve a 'state of the art' level, but a level that is generally considered adequate for the nature and type of organisation. So if your organisation already has a strong security posture, to the standard of ISO27001:2013, you are in an excellent position to meet the GDPR information security requirements.
Article 33 Notification of Breach to the ICO within 72 hours
The ability to report data breaches to the ICO within 72 hours. As part of incident management and response policy and planning, include a process to inform the company's designated Data Protection Officer (DPO) about any detected personal data breaches, allowing the DPO to be informed and to report any data breaches to the ICO.
Article 34 Notification of Breach to Data Subjects
Article 35 – Data Protection Impact Assessment
Data Subject Access Rights Portal
Recital 63 refers to organisations providing a Data Subject Access Rights Portal.
"Where possible, the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data."
Providing a portal is “possible” for most organisations, for many organisations it could mean adding additional functionality to existing staff and customer facing websites/portals.
Bear in mind that even though Recital 63 reads like a GDPR requirement, it is the Articles that are the legal requirements to meet, not the Recitals. Then there is Article 12, which states
"Where the data subject makes the request by electronic form means, the information shall be provided by electronic means".
The provision or expansion of an internet-connected portal to handle GDPR's data privacy rights could fulfil this requirement. Obviously, the privacy portal needs to be secure. As such, it will be an information security responsibility and a GDPR requirement to secure it.
GDPR Privacy Data Subject Rights (via an Internet Portal)
The GDPR requires the following data subject privacy rights to be fulfilled within one month and without any charge, so given Recital 63 and Article 12 the best way to achieve this, especially where there are thousands of personal data records in the care of the organisation, is an internet-facing portal that provides each data subject with the ability to exercise their new GDPR privacy rights.
- Article 13 - explain how personal data is processed
- Article 15 - provide a copy of personal data (Data Subject Access Request)
- Article 16 - correct any incorrect personal data
- Article 17 - personal data erasure
- Article 18 - restrict the processing of personal data
- Article 20 - personal data portability, provide personal data to another data controller
- Article 21 - object at any time to the processing of personal data
- Article 22 - not be subject to automated data processing and profiling
It should go without saying that the security of any Internet-facing portal hosting personal data en masse needs to be highly robust and security tested via penetration testing at least annually and after any significant change.
The Information Security Breach GDPR Fines Truth
A breach of information security means a fine of up to 10 Million Euro (not 20 Million Euro) or up to 2% of global turnover (not 4%)
Article 83 states "be subject to administrative fines up to 10,000,000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher: - (a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39 and 42 and 43" - Articles 32, 33, & 34 are the information security requirements, the higher level penalty rates are for privacy breaches.
Recital 1 is titled "Data protection as a fundamental right"
but Recital 4 states "The right to the protection of data is not an absolute right" and goes on to state "it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality".
So the GDPR is rights-based and respects all other EU 'rights', which must include the right of 'the freedom to conduct business' as stipulated in various EU Charters and Treaties; remember the EU is founded as a free trading bloc of countries, not as a nation state. I am not a lawyer, so I am not drawing a conclusion, but pointing out what might be an area of interest to lawyers fighting GDPR enforcement penalties.