Digital watermark leads police straight to Bollywood pirates

Created: 23 May 2017

Movie pirates have been running amok in recent months – hacking TV series and pre-release films from Netflix and Walt Disney and causing HBO to batten down the hatches with 2FA and to scupper paper scripts.

But for once, the law has scored a win. Instead of the FBI throwing up its hands and telling the studios to just pay the ransom, police have collared the pirates. As The Times of India reports, police arrested six people in India earlier this month, while one more managed to escape.

They apparently managed to track the extortionists to the specific theater where an HD print of the big hit – Bahubali: The Conclusion, which is reportedly taking the country by storm – had been unlocked with a digital key, illegally downloaded and held for ransom.

Torrent Freak explains that the movie was somehow marked forensically:

In most instances when movies are tracked in this manner, it’s because a watermark identifying the location has been transferred to a ‘cam’ copy. However, in this case the original ‘pirate’ copy had been made digitally. This meant that someone had managed to get hold of the encryption key used to decrypt titles subject to digital distribution.

One of the men arrested was Divakar Kumar, owner of Veena Cinema Hall at Tivhra in Begusarai. He confessed that the suspect who escaped arrest, Monu, had helped him copy the digital print of the movie with the digital key supplied by the distributor.

Two of the suspects are already known to police. In fact, they were arrested two years ago for pirating Bahubali: The Beginning, the first installment of the movie series.

If you eyeball the Bahubali series – the first movie is available in full on YouTube, as is the trailer for Conclusion – you’ll understand why they’re bait for film kidnappers and catnip for movie goers: they’re epic, blood-drenched, and Game of Thrones-like.

Speaking of which, the latest law enforcement win apparently stands alone in a season that’s held nothing but bad news for the studios.

Last month, Netflix refused to pay a ransom demanded by hackers who stole the next season of the hit series, Orange is the New Black. After Netflix balked, a hacker uploaded 10 episodes of the upcoming season to The Pirate Bay, six weeks ahead of the series’ official June 9 launch.

HBO apparently learned its lesson from that one: a week after Netflix’s run-in with content kidnappers, HBO told the cast of Game of Thrones to set up multifactor authentication. It also reportedly stopped sending out paper scripts. Instead, one of the stars said, the cast now has to look at the scripts digitally, and the studio is only sending them out to cast members who’ve enabled two-step verification (2SV) on their email accounts.

Last week also saw hackers claim to have commandeered the new blockbuster Pirates of the Caribbean movie from Walt Disney. They’re threatening to release it online unless the studio pays a ransom in bitcoin, according to Disney chief executive Bob Iger.

According to The Hollywood Reporter, about a half-dozen Hollywood agencies have also been targeted by extortionists recently. It’s overwhelming the FBI’s Los Angeles field office, which can’t properly investigate them all, sources told the news outlet.

Thus, according to The Hollywood Reporter’s industry sources, this has been the FBI’s surprising advice: pay the ransom.

You can see the Bureau’s rationale: the extortionists are asking what’s little more than a rounding error when you’re talking about Hollywood profits. The hackers have reportedly demanded less than $80,000 in each of the cases. One law enforcement source told The Hollywood Reporter that in California, losses would have to exceed $50,000 for the US Attorney’s office to bother with prosecution.

You can see why HBO’s rightfully paranoid. Winter is coming, says Game of Thrones character Ned Stark? No, it’s smack dab right here: the extortionists have already wrapped their cold claws around the studios’ winter stores!

Source: Naked Security


Man jailed for stealing images and details from more than 50 women

Created: 23 May 2017

Consider Kevin M Maldonado: he’s the reason to limit the personal information you put online, and he’s the reason why your password shouldn’t be your anniversary or your cat’s name.

The 35-year-old man from the US state of Alabama has been sentenced to six months in federal prison and three years of supervised release after he pleaded guilty to spending two years hacking and tormenting at least 50 women.

The total number of victims can’t be ascertained, since all we know about for sure are the 50 he managed to steal from. We have no idea how many accounts he targeted and/or broke into but didn’t manage to steal sexual content from.

Some of them he knew. Some of them he didn’t. Some were arbitrarily plucked from online. From the sentencing memorandum:

He targeted women he knew and women he did not; women he had been romantically involved with and women he merely interacted with briefly; women with whom he had a connection, like a shared military history or high school and women who he found on the internet; and women who lived or worked near him in Shelby County, Alabama, and others who lived across the country and he was unlikely to ever see. The only thing that the defendant’s victims had in common was the defendant’s desire to delve into the details of their lives for his own pleasure.

Sure, he was after their nude photos and videos. But you can get better quality porn online than what he stole. It wasn’t so much the images he was after, it seems; rather, it appears that he was motivated mostly by a compulsive need to violate others’ privacy, the sentencing memorandum suggested:

…as many others as he could.

According to the US Attorney’s office in the Northern District of Alabama, Maldonado spent “countless” hours cyberstalking his victims, as he researched their personal information online, looking for hints to what they might have used as passwords for their accounts.

The defendant spent countless hours creating numerous fictitious email accounts impersonating email administrators from multiple email providers; sending numerous emails from these accounts demanding login and password information; and then frequently checking the fictitious email accounts for response emails from victims.

The defendant also spent untold hours trolling the accounts he accessed via phishing for additional password information and conducting extensive open source research, for example on websites such as, on potential victims and making note of information about them including birth dates, places of employment, collegiate affiliations, etc. He then used this information to try to guess victims’ passwords, or answer the security questions necessary to re-set them.

Resetting passwords didn’t always work to fight off this guy. Sometimes, he’d reset victims’ passwords multiple times so he could keep stealing women’s personal data from multiple platforms, including their web-based email accounts, iCloud and Dropbox.

Maldonado wasn’t satisfied with sexual content, mind you. He also downloaded innocent images that allowed the thief to pry into his victims’ personal lives, such as photos of kids, pets, family parties and nights on the town. He also turned his victims into accomplices, capturing their contacts so he could troll and stalk them, too. He went so far as to impersonate a victim so he could ask one of her contacts to send sexual images to him.

You can think of Maldonado as a librarian of creepiness. After he broke into women’s accounts and stole their data – including personal identifying information (PII) and personal photographs and videos, some of which were images of them nude, partially nude, or engaged in sexual activity – he catalogued the data by victim or group and saved it to an external hard drive for easy access.

In February, Maldonado pleaded guilty to one count of intentionally accessing the Gmail account of a victim identified by the initials KM in order to access her documents and images without her permission and to thereby invade her privacy. The plea deal let him off the hook for other crimes, including aggravated identity theft. He starts his jail sentence on July 17.

How to avoid phishers, cyberstalkers and thieves

Maldonado did his dirty work by guessing at, and/or phishing, victims’ passwords and security questions. We leave ourselves vulnerable to such low-tech attacks by leaving our personal information strewn around the web, be it by advertising our birthdays on Facebook, publicly posting the names and relationships of our children and family, or any other number of ways we expose our PII.

All that PII can be used to guess at answers to security questions that are supposed to be protecting our accounts, not putting down a welcome mat for hackers to waltz in. “Protecting” our accounts with passwords that are easy to guess is another welcome mat: at one point, Google Apps did a survey that found that the top 10 most common passwords were our pets’ names.

Lists of the top worst passwords come out as often as spring rain, but they tend to have much in common, and often it’s our PII. For example, after pets’ names, the other worst passwords off that Google Apps survey were:

  • Significant dates (such as a wedding anniversary)
  • Date of birth of close relation
  • Child’s name
  • Other family member’s name
  • Place of birth
  • Favorite holiday
  • Something related to favorite football team
  • Current partner’s name
  • The word “Password”
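As an added example (not code from the article), here is a Python check a defender might run when a user sets a password: it flags passwords built from the PII categories in the list above, undoing simple leet-speak and common date spellings, and generates the kind of random security-question answer the advice below recommends keeping in a password manager. The profile values and the helper names are constructed for illustration.

```python
import re
import secrets
from datetime import date

# Leet-speak substitutions to undo before comparing ("P@ssw0rd" -> "password").
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

# Constructed profile of the kind of PII a stalker can scrape from social media:
# (category from the survey list above, value). All values are made up.
PROFILE = [
    ("own name", "Alice"),
    ("partner's name", "Sarah"),
    ("pet's name", "Fluffy"),
    ("child's name", "Chelsea"),
    ("place of birth", "Birmingham"),
    ("favorite team", "Crimson Tide"),
    ("favorite holiday", "Cancun"),
    ("date of birth", date(1982, 3, 14)),
    ("wedding anniversary", date(2010, 6, 5)),
]


def _canon(s, unleet=False):
    """Lower-case, optionally undo leet-speak, then drop separators."""
    s = s.lower()
    if unleet:
        s = s.translate(LEET)
    return re.sub(r"[^a-z0-9]", "", s)


def date_tokens(d):
    """The common ways a date gets typed into a password field."""
    dd, mm = f"{d.day:02d}", f"{d.month:02d}"
    yyyy, yy = f"{d.year:04d}", f"{d.year % 100:02d}"
    # Ordered longest-first so the most specific match is reported.
    return [dd + mm + yyyy, mm + dd + yyyy, yyyy + mm + dd,
            dd + mm + yy, mm + dd + yy, yyyy]


def pii_hits(password, profile=PROFILE):
    """Return the list of PII items the password appears to be built from.

    An empty list means nothing in the profile (or the word 'password')
    was found; it does not mean the password is strong.
    """
    plain = _canon(password)            # digits kept, for date matching
    unleet = _canon(password, True)     # leet undone, for word matching
    hits = []
    if "password" in unleet:
        hits.append("the word 'password'")
    for category, value in profile:
        if isinstance(value, date):
            for tok in date_tokens(value):
                if tok in plain:
                    hits.append(f"{category} ({tok})")
                    break
        else:
            for word in value.split():          # "Crimson Tide" -> two words
                w = _canon(word)
                if len(w) >= 3 and (w in plain or w in unleet):
                    hits.append(f"{category} ('{word}')")
                    break
    return hits


def random_security_answer(nbytes=18):
    """A nonsense security-question answer (24 URL-safe characters for
    18 bytes) meant to be stored in a password manager, never memorised."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    for candidate in ["Fluffy1982!", "P@ssw0rd", "RollTide2010", "correct-horse-battery"]:
        print(f"{candidate!r:25} -> {pii_hits(candidate) or 'no PII found'}")
    print("security answer:", random_security_answer())
```

An empty result is only a negative check against the supplied profile; a password that passes it should still be long, unique to the service and ideally generated by a password manager.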

We could make it much tougher for creeps like Maldonado to crack open our accounts if we stopped cooking up passwords that are entirely-super-easily-guessable-by-anybody-on-the-planet. Some steps to protect ourselves with tougher passwords and other cyber security safeguards:

  • Check out the tips we’ve passed along on how to check that you’re not giving away information that can be used against you in a cyber attack.
  • Choose more complicated passwords. We’ve got a short video on how to pick a proper password; see below.
  • Always log out of services. Don’t walk away from your computer before you’ve logged out of email, for example.
  • Consider using two-factor authentication whenever it’s available.
  • Need to provide an answer to a security question? Lie your brains out. Manufacture pure gunk. Just make sure to track the nonsense you entered in case you need to reset your password. You might want to track your made-up security question answers in a password manager, for example.
  • Consider also using a password manager to concoct and to store passwords that are tough to crack. First educate yourself about the risks, though: we’ve seen multiple issues arise with password managers, including this zero day in LastPass, more holes that cropped up in April, and yet another hole at the end of March.
  • Locking down Facebook is a thing unto itself. To maintain privacy, you need to use privacy controls, but research has shown that millions of Facebook users are oblivious to, or just don’t use, privacy controls.

With that last one in mind, here are a few more Facebook-specific tips:

  • Don’t be one of the legions of privacy-control oblivious. Know how to use Facebook’s privacy controls. While you’re at it, don’t let your friends or family fall into that category. To see who can find the things you’ve shared, you can use privacy shortcuts and Activity Log to review your personal trail of glory and misdeeds. Go to Facebook’s Activity Log page for a list of your posts and activity, from today back to the dawn of your Facebook life. There, you can find stories and photos you’ve been tagged in, Pages you’ve liked, friends you’ve added, your photos, and photos you’re tagged in that are shared with Public.
  • Besides photos we’re tagged in without our permission, most of the stuff that’s in our Graphs is up because we put it there. To further clean up our Facebook personae, we can always remove a tag from a photo or post we’re tagged in. As Facebook outlines here, you do that by hovering over the story, then clicking and selecting Report/Remove Tag from the drop-down menu. Then, remove the tag or ask the person who posted it to take it down.
  • To further lock down your profile, take a gander at these three ways to better secure your Facebook account.
  • Don’t fall for phishing emails from creeps like Maldonado or his ilk, including those who hacked nude photos out of celebs in Celebgate. Check out our tips on how to avoid falling for phishing and spear-phishing.


Source: Naked Security


Warning after WannaCry sets off fake BT phishing attack

Created: 23 May 2017

In one of the most predictable phishing campaigns of the year, criminals last week started sending out emails purporting to be from BT warning of “cyber breaches on an international scale”.

In pastiche English that is still the giveaway in most phishing emails, the message implores recipients to “confirm a security upgrade” because “deficiency to do so will result in limited access to your profile”.

We don’t know how many were sent but enough for the campaign to be noticed by Action Fraud, which thinks the attack was most likely hitching a ride on real emails sent out by service providers warning of the WannaCry worm-ransomware that started affecting Windows PCs on May 12.

If and when a full account of the WannaCry attack is even written, it’s unlikely its author will devote much space to what is, after all, a routine JAPE (Just Another Phishing Email), among numerous similar campaigns that wash into inboxes all the time.

And yet, in its small way, the sequence of events perfectly sums up how cybercrime events are often experienced from the public side.

Something alarming happens – the attacks on TalkTalk, the WannaCry worm, or any one of a scramble of other data breaches – and service providers feel obliged to send their customers warning emails because that’s what big companies do to look as if they’re in control of the situation.

Coincidentally, or perhaps by design, criminals jump on the back of this panic alert channel in the hope that email users will be more receptive to their phishing ruses than they might normally be.

Nobody really knows whether this sneaky tactic works, but the end result is that a second round of warnings is sent out warning about fake warnings, and so the cycle of fake and counter communications barrels onwards in an online world where people are paying less and less attention.

The notion that large companies should send people emails unbidden is the last vestige of the days when people saw the medium as novel. That world is long gone. Email these days is more often the digital equivalent of flyers pushed through the letterbox that nobody wants to read.

It’s ironic that WannaCry should set off this ripple of emails at all given that the malware itself is not now thought to have been seeded through phishing.

Click happy

The advice we’d give is simply never to click on any emails that require logging in to anything. When logging into a service of any kind, visit the address directly. Using embedded links these days is simply too risky. This includes things like LinkedIn, which by default pesters people to accept invitations sent via email when we know that some of them are fraudulent.

Somewhere out there must be a population of compulsive clickers, or nobody would ever get caught out and the phishing tricksters wouldn’t bother trying to reach them. The rest of us can choose to opt out of this pastime.

Source: Naked Security


News in brief: Bitcoin price bubbles up; Uber uses AI to boost its take; WannaCry ‘hero’ censures tabloids

Created: 22 May 2017

Your daily round-up of some of the other stories in the news

Bitcoin bubbles to unprecedented highs

Bitcoin, the most widely used cryptocurrency, has been hitting unprecedented highs, with a single coin now worth more than $2,189 on Monday evening (BST).

Bitcoin hit the headlines just over a week ago as the WannaCry malware that crippled PCs around the world demanded its ransom in the cryptocurrency – although, according to a Twitter account that’s been monitoring payments to the wallets linked to the ransomware, only a fraction of the victims have actually paid the ransom.

It may not be that the WannaCry outbreak is the reason for the soaring price, however: the Economist points to the fact that all the leading cryptocurrencies are seeing soaring prices, and warns that there’s “alarm” over the high price – bubbles always eventually go pop.

Uber uses AI to boost its take

If you thought your Uber ride was going to be charged according to how far you want to go and whether surge price is in play, think again: it turns out that the ride-sharing company could be charging you what it thinks you’re willing to pay.

Bloomberg reported that Uber is using machine learning to identify customers who might be prepared to pay more: if you’re going from one expensive part of town to another in one of the 14 US cities this is in operation, you might be charged more than someone shuttling between less smart parts of the city, even if the distance is the same.

And why is Uber doing this? To increase its take, according to Bloomberg: this is part of the company’s “upfront pricing”, where it provides an upfront fare rather than an estimate. The driver gets the amount based on time and distance, and Uber pockets the difference.

WannaCry ‘hero’ condemns ‘super-invasive’ tabloids

The security researcher who identified the “kill switch” in the WannaCry ransomware that halted the outbreak has condemned UK tabloids as “super-invasive” after his identity was revealed without his consent.

Marcus Hutchins, 22, who uses the Twitter handle @MalwareTech, had been hailed as a hero for identifying the domain the ransomware was checking in with and registering it, causing the worm to shut down before it started encrypting its victims’ PCs.

But despite wanting to remain anonymous, Hutchins found his name and photograph all over the front pages; he said he feels that his life is in danger and that he’d have to move.

Hutchins told the Guardian that he preferred to stay anonymous “because it just doesn’t make sense to give out my personal information. Obviously we’re working against bad guys and they’re not going to be happy about this.”

Catch up with all of today’s stories on Naked Security

Source: Naked Security


Yes, Geek Squad can search your files and hand you over to the police

Created: 22 May 2017

The government’s case against an alleged trafficker in child abuse images is on shaky ground after a California judge last week said that:

  1. An image found on his PC when it was in for repairs with Best Buy’s Geek Squad didn’t show a prepubescent girl’s genitals or that she was having sex. The image launched the case, a raid on his house in 2012, and the arrest of California gynecologist Mark Rettenmaier. Even though the still was taken from a well-known child abuse video, it doesn’t meet the legal definition of child porn, the judge said.
  2. FBI agents were disingenuous when they applied for a search warrant, leaving out a crucial detail of where Geek Squad employees had found the image that triggered the investigation.

According to OC Weekly, District Court Judge Cormac J Carney announced on May 15 that the FBI’s tainted search warrant required him to suppress alleged evidence collected during a raid on Rettenmaier’s house in 2012.

It all began in 2011, when Rettenmaier took his HP Pavilion computer to Best Buy for repair because it wouldn’t boot. When Geek Squad techs ran a search, they retrieved the deleted image of a young girl.

At issue is how the Geek Squad employees found that image. As the case has dragged on and documents have come to light, it turns out that the FBI has been in a relationship with Geek Squad workers that defense attorney James D Riddet has called “cozy” and “so extensive that it turns searches by Best Buy into government searches”.

In fact, unbeknownst to customers such as Rettenmaier, for years, the FBI has trained and paid Geek Squad employees to search for child abuse imagery on computer equipment. Those searches have been extensive: Geek Squad employees have gone so far as to search unallocated space on hard drives – ie, the place where forensics analysts use specialized software to find and retrieve deleted files.

Judge Carney last week called agents “dishonest” because when they were applying for a search warrant, they neglected to mention just where, exactly, on the PC that the image in question came from. In fact, it came from unallocated space: a problem for the prosecutors in their case against Rettenmaier.

As it is, a few weeks before Rettenmaier was arrested, federal judges had ruled in a separate case that child abuse images found in unallocated space couldn’t be used to win a possession conviction, since there’s almost no way to figure out who put them there, who viewed them, or when/why they were deleted.

Even a technical expert for the prosecutors conceded in court that dozens, if not hundreds or thousands, of sex images can be uploaded without the knowledge of those surfing the internet. Those images can be discovered only with special software, the expert said in a hearing with Judge Carney, according to OC Weekly.

In addition, whether or not Geek Squad City technicians acted as government agents by accepting FBI payments, regularly speaking with FBI agents (on a first-name basis) and referring cases to them, and working with them to create a program to search for abuse images, has been core to determining whether their searches are permissible as evidence.

That’s because government agents need to first get a warrant, based on probable cause, to search a computer. Otherwise, Fourth Amendment issues around search and seizure come into play, as does the question of privacy violation, potentially turning Geek Squad technicians’ scouring of computers into warrantless searches by law enforcement.

According to the court documents in USA v. Mark Rettenmaier, the FBI has been paying Best Buy supervisors for the work, and management has been fully aware of it. The bureau has also been guiding Geek Squad technicians as they develop a program to find abusive content.

Although Judge Carney’s ruling that evidence was inadmissible was a win for Rettenmaier’s defense lawyer, the judge didn’t go along with Riddet’s contention that his client had a legal expectation of privacy from Geek Squad employees searching his computer.

Judge Carney ruled that the Geek Squad search was legitimate since the defendant had signed a contract that contains a warning that illegal material will be reported. The doctor also verbally consented to an engineer checking his hard drive, The Register reports.

Riddet said his client would be contesting the legality of the search, but that it’s now up to prosecutors to decide whether the case will proceed. OC Weekly quotes him:

We’re going to have to wait until January or February 2018 to see what the government is going to do.

Source: Naked Security


After WannaCry, EternalRocks digs deeper into the NSA’s exploit toolbox

Created: 22 May 2017

Shortly after the WannaCry outbreak began to ebb last weekend, security experts warned that this wasn’t over. Copycats would surely cook up new malware using NSA tools leaked by Shadow Brokers. In recent days, we’re seeing some evidence of that.

Miroslav Stampar – a member of the Croatian Government CERT and author of the sqlmap tool used to detect and exploit SQL injection vulnerabilities – detected a new worm that exploits Windows Server Message Block (SMB) vulnerabilities. He named it EternalRocks and said it uses six SMB-specific NSA tools to spread, whereas WannaCry used only two to infect hundreds of thousands of computers across the globe.

WannaCry spread with the help of the NSA’s EternalBlue and DoublePulsar exploits. Stampar said EternalRocks exploits EternalBlue, EternalChampion, EternalRomance and EternalSynergy – all SMB exploits – as well as SMBTouch and ArchiTouch, NSA tools used for SMB spying operations. His full analysis is posted on GitHub.

At this point, the malware doesn’t appear to be dropping ransomware or any other payload. But it could be paving the way for a future attack.

Defensive measures

With the return of old-school worm outbreaks, it’s worth reviewing steps users can take to avoid infection. Unfortunately, some of those steps have proven unpopular, as Naked Security’s John Dunn wrote. Admins can block services or ports at firewall level but not often indefinitely. Suspending email is another tactic that works until everyone complains.

The best advice remains the same as it did when the outbreak began:

To guard against malware exploiting Microsoft vulnerabilities:

  • Stay on top of all patch releases and apply them quickly.
  • If at all possible, replace older Windows systems with the latest versions.

Source: Naked Security


Judge demands cellphone passwords from social media star

Created: 22 May 2017

It’s one of the decade’s quintessential civil liberties questions: can the government force you to hand over your cellphone’s password? Depending on where you are, the law’s still very much in flux, but one thing seems clear: At the moment, you don’t want to be a defendant in Florida.

We’ll follow the Miami Herald’s description of the latest case. (Uncharitable followers of “Florida Man” lore might be unsurprised to hear that it happened in the Sunshine State.)

A reality TV actress accused in an extortion case involving sex videos must give up her iPhone password to police, a Miami judge ruled on Wednesday. In a case being closely watched in legal and tech circles, Miami-Dade circuit judge Charles Johnson ruled that Hencha Voigt, and a man charged with being her accomplice, must unlock phones police believe were used in a plot to extort a social-media celebrity.

This isn’t a case about whether government can demand to take or search your cellphone. In the US, if law enforcement can “show probable cause that a crime was committed and that items connected to the crime are likely to be found” on your device, they have the legal right to take it and attempt to search it. That’s what happened here.

(Visit Justia if you want a bit more plain-English detail on the legal requirements for warrants in the US, and visit the Electronic Frontier Foundation for a solid high-level summary of the broader issues involved in search and seizure of electronic devices.)

But what if a device is encrypted, and the police can’t find what they want on a device after they’ve taken it? Can courts require the owner to provide the password? Or does that violate the Fifth Amendment’s rule against requiring defendants to incriminate themselves? Or maybe, as some have argued, a First Amendment right to “not speak”?

To make his decision, Miami-Dade County judge Charles Johnson went looking for precedent – and he found what he needed right in his home state. In another recent Florida case (State v. Stahl), a defendant was charged with taking upskirt cellphone photos, and refused to turn over his password after his cellphone was taken under a duly authorized warrant. A Florida state appeals court ruled he had no choice: he was not being asked to testify against himself, but only to do the equivalent of turning over the key to a strongbox – something a court can indeed demand.

The defendant, Stahl, didn’t appeal this decision to the Florida Supreme Court. So, for the time being, that’s Florida law.

Accordingly, fitness model and Instagram star Hencha Voigt and her boyfriend Wesley Victor were given two weeks to turn over passwords to devices that prosecutors believe contain text messages related to their alleged conspiracy. Victor claims he’s forgotten his Blackberry password, but a few days ago, Voigt provided an iPhone password. According to the Miami Herald, police thereupon brought her iPhone to court, cradled in its Faraday box to protect against a remote wipe command sent from outside. They entered Voigt’s password – and the iPhone stayed locked.

On May 30, Voigt and Victor have to explain why they can’t provide working passwords – and if they don’t satisfy the judge, they could be imprisoned for contempt of court.

They might be wishing they’d been in Pennsylvania, where courts have so far decided that demanding a cellphone password may violate the constitution’s rules against self-incrimination. Inconsistencies like these often find their way to the US Supreme Court, but that could be years off. (Nobody rushes the US Supreme Court.)

If this isn’t confusing enough, there are important legal distinctions between requiring someone to “use their mind” to tell you their password vs. demanding a fingerprint or voice sample for biometric identification. So far, as we told you back in 2014, American law enforcement is on far firmer ground if it demands something you have, not something you know. And that itself might be good to know.

Source: Naked Security


GDPR is just a year away: here’s what you need to know

Created: 22 May 2017

May 25 2018 is a date that should be etched in red on the calendars of any company that does business in the European Union (EU).

That’s the day companies must be in full compliance with the EU’s General Data Protection Regulation (GDPR), which requires them to take specific steps to more securely collect, store and use personal information.

For companies still at the beginning of their efforts, that’s not much time. This piece is meant to help them get on track.

Companies ignore GDPR at their peril

First, a dose of reality: companies not in compliance this time next year face brutal fines for violations.

For example, NCC Group came up with a model that extrapolated from the fines actually imposed for breaches by the UK’s Information Commissioner’s Office and calculated what they might be under GDPR.

Under the model, British companies that were penalized for breaches last year could have faced fines totaling £69m under GDPR, rather than the £880,500 they collectively had to pay up. Talk Talk, which last year was slapped with the biggest fine ever in the UK for a data breach – of £400,000 – would have faced a bill of £59m, calculated NCC, while Pharmacy2U, which was fined £130,000, would have faced a bill of £4.4m.

Those are sobering numbers, especially in light of a January report from (ISC)2’s EMEA council, which covers issues concerning Europe, the Middle East and Africa. According to the report, organizations aren’t doing too well, having accomplished precious little in the first year they had to get things in order. The council warned of what it sees as poor acceptance of accountability across organizations and an apparent belief that the task ahead is one for the specialists – either legal or technical.

Meanwhile, a recent report by Crown Records Management found that nearly a quarter of UK businesses surveyed said they had stopped preparing for GDPR, with 44% saying they didn’t think GDPR would apply to them once the UK leaves the EU in March 2019 as a result of last year’s Brexit vote.

Since the UK will still be in the EU when GDPR comes into effect, and presumably will continue to do business in the EU after Brexit, that’s an unfortunate and potentially costly assumption.

Size matters not

Another point of confusion for companies is about size. Specifically, do small businesses face the same requirements under GDPR as the big enterprises?

GDPR requires that any company doing business in the EU – no matter the size – more securely collect, store and use personal information. Like the big guys, smaller companies face fines for violations that might occur.

But the regulation accounts for the fact that smaller businesses lack the same resources as larger enterprises. UK-based data protection consultancy DataHelp makes note of the differences on its website:

Under the current law, as contained in the Data Protection Act, (DPA), the same rules apply, regardless of the size of an organization. However, the General Data Protection Regulation (GDPR) … recognizes that SMEs require different treatment from both large and public enterprises.

One area of concern for small businesses is the GDPR requirement that companies hire a data protection officer. But that part is for firms with more than 250 employees. Though smaller firms may still need to employ someone in this role if handling personal data is core to their operations, it may not have to be a full-time employee, but rather a consultant, which could be less costly.

Daunting as it all may seem, small businesses can take comfort in this: as long as they can demonstrate that they’ve put their best foot forward to meet the requirements of GDPR, regulators will work with them on any problems that might arise.

The key is to bring in the right consultants and document all actions taken.

Now what?

Now that we’ve outlined what’s at stake, let’s look at some concrete steps companies should be taking to be ready for May 2018.

Naked Security recently reviewed a 12-point checklist published by Ireland’s Office of the Data Protection Commissioner. The compliance practitioners we talked to have repeatedly cited that list as particularly helpful.

The checklist is as follows:

  1. Be aware. It’s not enough for CEOs, IT staff and compliance officers to be aware of what GDPR requires. Employees from the top to the bottom of an organization need to be extensively educated on the regulation’s importance and the role they have to play.
  2. Be accountable. Companies must make an inventory of all personal data they hold and ask the following questions: why are you holding it? How did you obtain it? Why was it originally gathered? How long will you retain it? How secure is it, both in terms of encryption and accessibility? Do you ever share it with third parties and on what basis might you do so?
  3. Communicate with staff and service users. This is an extension of being aware. Review all current data privacy notices alerting individuals to the collection of their data. Identify gaps between the level of data collection and processing the organization does and how aware customers, staff and service users are.
  4. Protect privacy rights. Review procedures to ensure they cover all the rights individuals have, including how one would delete personal data or provide data electronically.
  5. Review how access rights could change. Review and update procedures and plan how requests within new timescales will be handled.
  6. Understand the legal fine print. Companies should look at the various types of data processing they carry out, identify their legal basis for carrying it out and document it.
  7. Ensure customer consent is ironclad. Companies that use customer consent when recording personal data should review how the consent is sought, obtained and recorded.
  8. Process children’s data carefully. Organizations processing data from minors must ensure clear systems are in place to verify individual ages and gather consent from guardians.
  9. Have a plan to report breaches. Companies must ensure the right procedures are in place to detect, report and investigate a personal data breach. Always assume a breach will happen at some point.
  10. Understand Data Protection Impact Assessments (DPIA) and Data Protection by Design and Default. A DPIA is the process of systematically considering the potential impact that a project or initiative might have on the privacy of individuals. It will allow organizations to identify potential privacy issues before they arise, and come up with a way to mitigate them.
  11. Hire data protection officers. The important thing is to make sure that someone in the organization or an external data protection advisor takes responsibility for data protection compliance and understands the responsibility from the inside out.
  12. Get educated on the internal organizations managing GDPR. The regulation includes a “one-stop-shop” provision to assist organizations operating in EU member states. Multinational organizations will be entitled to deal with one data protection authority, or Lead Supervisory Authority (LSA) as their single regulating body in the country where they are mainly established.

Making it your own

Those approached for the Naked Security piece cited in the main article noted how they’ve taken the guidelines of Ireland’s Office of the Data Protection Commissioner and put their organizations’ stamps on it. One of them was Craig Clark, information security and compliance manager for IT services at the University of East London.

From a project point of view, he suggested the following be completed or nearly completed by mid 2017:

  • C-Suite Awareness
  • User Awareness
  • DPO Appointment
  • Information Identification
  • Updated Privacy Notices
  • Updated Data Protection Policies
  • Updated Information Sharing Agreements
  • Approved Data Privacy Impact Assessments
  • Identification of any cross-border transfers
  • Establishment of Data Subject Rights Management protocols
  • Privacy by Design implemented into the Project Methodology

Clark said:

A lot of guidance is still to be written by the ICO [UK Information Commissioner’s Office] but I’d want at least the above to be implemented.

Brexit doesn’t exempt UK companies

As mentioned, some assume they are free of GDPR because the UK is leaving the EU. That is not true. The following facts apply:

  1. British prime minister Theresa May sent a letter to the president of the European Union officially triggering Brexit in late March 2017. The exit process will take at least two years to complete, meaning UK companies will still be within the EU on the day GDPR takes effect.
  2. Once the UK is no longer part of the EU, many of those companies will still do business with companies that are in the EU. That alone will keep UK businesses on the hook for compliance.

Therefore, companies should approach GDPR exactly as they would have before the Brexit vote.

Source: Naked Security


What does Twitter think you’re interested in? Now you can find out

Created: 22 May 2017

I’ve got a swarm of advertisers buzzing around me. You do, too, if you’re a Twitter user.

Twitter believes that I have 68 “interests”. Those interests are like sweet pheromones drawing in the marketers. The delicious aromas include my interest in (and, of course, my potential inclination to click on advertising related to) network security, mobile, tech shows, politics, current events, celebrities, sci-fi, and “amazing”.

Which is a-MAZ-ingly vague!

I know all this because Twitter has revamped its privacy settings so that now users can see what Twitter thinks their interests likely are, based on our profiles and what we do on the site.

Curious to know what marketing odors you’re giving off? You can see your own interests here.

You can now also download a list of who’s targeting you based on your Twitter interests, by hitting a button to request your advertiser list.

Twitter says I’m currently part of 7,062 audiences – as in, tailored audiences that are often built from email lists or our browsing behaviors – from 1,460 advertisers. I’d love to see who’s on that plump list, but it evidently takes some time for Twitter to regurgitate it.

When I do get the list, I predict that I, like many of us, will be irked enough by inane targeting inaccuracies to opt out of internet-based advertising altogether, which you can do here with Twitter’s new personalization and data settings.

Fat lot of good it will do us, though. Twitter says that opting out will change the ads we see on Twitter, but it won’t remove us from those tailored advertiser audiences.

But you can also just uncheck whatever interests Twitter got wrong about you, or those that you’d prefer not to be associated with your Twitter personage.

In an announcement last week about the new data controls and an updated privacy policy, Twitter said that the new, more granular data controls are part of its push toward ever greater transparency.

Another new tool is personalization across devices. Twitter says that when we log in, it’s going to associate our devices with our accounts so as to authenticate us and personalize our experience. To do so, it might reach beyond whatever device we’re using to corral data from all the devices we use to get on to Twitter.

An example of how that might be used: if you visit websites with sports content on your laptop, Twitter will sports-up your interest list. You can use the personalization and data settings to tell it to knock that off if you like.

As far as the privacy policy tweaking goes, these are the changes that will take effect on June 18:

Web data: Twitter’s expanded how it uses and stores data from other websites that integrate Twitter content, like embedded Tweets. The company says that this will allow it “to further improve and personalize our services, connecting you with the stories, brands and organic content you care about most.”

Twitter says it doesn’t track browsing data for users in the European Union and EFTA states. It’s also planning to participate in the Swiss-US Privacy Shield. That’s the program that enables data transfer between the US and the EU and which replaced the Safe Harbor agreement, which the top EU court declared invalid in 2015. Twitter will also be adhering to the Digital Advertising Alliance’s Self-Regulatory Principles for Online Behavioral Advertising. (PDF)

Data sharing: Twitter’s updated how it shares non-personal, aggregated, and device-level data, including through some select partnership agreements that allow the data to be linked to our names, emails, or other personal information with our consent.

All in all, these changes sound positive. It’s not like we can squirm out from under advertising altogether, but we can’t fight without knowing who we’re fighting against.

Knowledge is power, and it’s been a very interesting month when it comes to learning about who’s targeting us, how they’re targeting us and what they hope to get out of it.

I’m eagerly awaiting my list of Twitter advertisers. Maybe I can’t swat all these marketers, but at least I can know who they are and thereby surmise what they want with me, thanks to Twitter’s new tools.

Source: Naked Security


ATM heists: 27 arrested as police move against ‘black box’ attacks

Created: 22 May 2017

Europol has confirmed the arrests of 27 people accused of being connected to a growing spate of “black box” attacks on bank ATMs.

The suspects were picked up in a number of countries in the last 18 months, with 11 arrests in France, four in Estonia, three each in Norway and the Czech Republic, and two each in Spain, Romania and the Netherlands, the organisation said.

At a time when global cybercrime’s attention has shifted to spectaculars such as the recent WannaCry Worm-ransomware, ATM heists in which criminals siphon money from hole-in-the-wall cash machines might seem like a relic from a bygone age.

In fact, ATM attacks have been a constant menace over the last decade, initially using card skimmers and fake keypads and even cameras designed to record PIN numbers.

As this tactic’s effectiveness waned with better physical security, thieves moved on to hacking into remote ATM management, targeting machines directly using malware.

This brings us to extraordinary fact number one – it seems that many ATMs still run Windows XP. Finding vulnerabilities to use against such vulnerable and (in the case of ATMs) rarely patched software wasn’t exactly hard.

Attackers had two options, the more involved of which was to intercept card details and PINs entered by customers, allowing hackers to clone cards which could be used to withdraw funds.

The second and most brazen option was simply to remotely instruct the ATM to start spitting cash at a given moment to a waiting money mule.

But as ATM vendors have started implementing software countermeasures, European criminals have gone back to old-style physical attacks with a twist. Instead of skimming cards, the new trend has been to cut physical holes in ATMs (the location of which varies by vendor), connecting the dispenser to an external “black box” that tells the machine to dispense money.

Europol’s arrest announcement includes two images of this. The technique is at once alarmingly simple – the external black box can be an ordinary smartphone, so no complicated hardware is required – and surprisingly sophisticated.

In one incident, the criminals even set the black box up to spoof the connection between the dispenser and the ATM’s controller so that everything would appear to be normal from the machine’s side.

It’s been apparent for years that there is a developed criminal underworld that specialises in targeting ATMs. But the black box attacks suggest it’s one that has put in the research hours to find weaknesses that can bypass every new defence.

Part of the problem is simply that ATMs were designed long before specially written malware and powerful smartphones existed. The once-hailed standardisation on operating systems such as XP turned out to have downsides.

Vendors have responded to black box attacks by encrypting internal ATM communication channels and retrofitting physical protection and alarms to make it harder to attack the physical interfaces.

Nevertheless, the message from the latest arrests is that even the best physical and software security is only ever a stopgap. It turns out that cybercrime is like old-world crime after all – the answer is to catch the people stealing stuff.

Source: Naked Security


News in brief: twins fox bank’s voice security; FCC moves on net neutrality; torrent site closes

Created: 19 May 2017

Your daily round-up of some of the other stories in the news

Twins thwart bank voice recognition

A bank has said it will review its security procedures after a reporter and his twin brother tricked its voice authentication service.

HSBC claimed last year when it launched its voice recognition system that it was secure, saying that “just like your fingerprint, your voice print is unique”.

However, BBC reporter Dan Simmons set up an account with HSBC and then tried the voice authentication with his non-identical twin, Joe. Joe was able to log in, get balances and he was offered the chance to transfer money between accounts.

Joe told the BBC: “What’s really alarming is that the bank allowed me seven attempts to mimic my brother’s voiceprint and get it wrong before I got in at the eighth time of trying.”

HSBC said that it would review the system after the twins told them what had happened.

FCC votes to undo net neutrality

Net neutrality suffered a blow as the Federal Communications Commission voted to overturn the Obama-era rules that require ISPs to treat all data as equal.

FCC chairman Ajit Pai argued that the rules placed a “bureaucratic straitjacket” on the telecoms industry as the commission voted by two to one to start undoing the rules that were put in place in 2015.

A furious campaign has sprung up to protest at the moves to overturn net neutrality, with HBO’s John Oliver among the high-profile supporters of the Obama rules. Earlier this month Oliver posted a heartfelt 19-minute rant urging his fans to tell the FCC to leave the rules alone.

However, those supporting Pai’s call to overturn the rules unleashed their own robot army to bombard the submissions to the FCC with comments backing the commission’s plans.

Pai, Donald Trump’s choice as regulator, said: “Today’s notice is the start of a new chapter in the public discussion about how we can best maintain a free and open internet while making sure ISPs have strong incentives to bring next-generation networks and services to all Americans.”

Torrent site goes dark

Those who look to non-official ways to source their video entertainment found one fewer torrent site functioning as ExtraTorrent became the latest to pull down the shutters.

The closure follows KickAss Torrents and, which have already gone offline in the face of pressure from regulators.

ExtraTorrent, which went live in November 2006, became the largest torrent site after The Pirate Bay, which remains online via a shifting landscape of mirrors and proxy sites.

ExtraTorrent said on its site that it had permanently erased all its data, and warned would-be users to “stay away from fake ExtraTorrent websites and clones”.

Catch up with all of today’s stories on Naked Security

Source: Naked Security


WannaCry: could something similar happen to Android?

Created: 19 May 2017

In the week since WannaCry hijacked hundreds of thousands of computers in 150 countries, we’ve been asked if Android devices are vulnerable. The answer is no, for a simple reason: WannaCry targets Windows.

But don’t be lulled into comfort by that. SophosLabs researcher Rowland Yu said Android is a huge ransomware target. WannaCry’s payload was merely one stripe of countless ransomware varieties. Yu explained:

A big difference between Windows and Android is that the foundation of Android is the Linux kernel. Moreover, Android has removed unnecessary and potentially insecure parts of the kernel.

WannaCry exploited a Windows vulnerability Microsoft had released a patch for in March. That flaw was in the Windows Server Message Block (SMB) service, which Windows computers use to share files and printers across local networks. The SMB function isn’t built into Android.

Furthermore, he said, WannaCry uses the NSA EternalBlue exploit and DoublePulsar backdoor to silently install and execute the payload. Installing apps on Android, by contrast, generally depends on users installing them or clicking on them. This also reduces the speed and chance of massive infection in the wild.

SophosLabs has determined that WannaCry probably didn’t start the way a typical ransomware attack does – as a phishing email carrying a malicious attachment or link that the user is tricked into opening. It also appears the first infections were in south-east Asia. (Sophos CTO Joe Levy gave a webinar outlining the technical details of the attack, which you can access on the Sophos webinar page.)

Researchers assumed early on that the outbreak began with an email link or attachment, but SophosLabs VP Simon Reed identified it as a worm from start to finish.

In other words, this outbreak was a throwback to the early 2000s. Only this time, instead of mere noise and network downtime, a much more damaging payload of ransomware ground many organizations to a halt.

Android has its own problems 

Though Android escaped this outbreak, Yu warned against complacency: 

This week, Google announced the Android operating system has more than 2bn monthly active devices. Also, the growing adoption of Android has been seen in the enterprise environment, in which Android devices are allowed increased access to corporate information. Without a doubt, Android has become one of the main targets for criminal hackers. This is why SophosLabs has discovered a significant increase in Android ransomware in the last 12 months.

The SophosLabs 2017 malware forecast goes into detail about the ransomware threats against Android. SophosLabs analysis systems processed more than 8.5m suspicious Android applications in 2016. More than half of them were either malware or potentially unwanted applications (PUA), including poorly behaved adware.

And, in recent weeks, SophosLabs has uncovered a variety of questionable apps in Google Play

A big question for Android users is if Android devices could suffer a WannaCry-sized attack. Before we answer the question, SophosLabs offers this statistic of Android ransomware during the last couple of years:

The trend of Android ransomware

Since the first Android ransomware was discovered in the middle of 2014, SophosLabs has recorded a significant increase over the last three years. Just in the last 12 months, its research shows a spike of between 700% and 1,000% in Android ransomware.

In general, there are two types:

  • Lock Screen ransomware
  • Crypto ransomware

The former can lock the victim’s screen but does not encrypt files. It might also change the lockscreen PIN to stop users from accessing their devices. Moreover, some ransomware contains extra malicious behaviors apart from locking the screen, such as:

  • Command and control
  • Send SMS
  • Steal sensitive information
  • Disable anti-virus software
  • Install or uninstall apps

Here is a simple example of lock screen ransomware:

The locked screen above shows users can contact the attacker via WeChat or QQ in order to unlock the screen. Luckily, this ransomware only uses a hard-coded PIN, which can be found in the source code below:

The second type of ransomware can encrypt users’ data while locking devices. Here we show an example:

This is the encryption code in the crypto ransomware:

It all needs to be taken seriously, Yu said. But in the big picture, these examples don’t have the ingredients that made WannaCry such a monster.

Defensive measures

As we’ve mentioned before, our advice to non-Sophos customers is not to download apps from Google Play without doing your homework on where they come from first.

The continued onslaught of malicious Android apps demonstrates the need to use an Android anti-virus such as our free Sophos Mobile Security for Android.

By blocking the install of malicious and unwanted apps, even if they come from Google Play, you can spare yourself lots of trouble.


As always, the best defence against ransomware of any sort is not to get infected in the first place, so we’ve published a guide entitled How to stay protected against ransomware that we think you’ll find useful:

You might also enjoy our Techknow podcast Dealing with Ransomware:


Source: Naked Security

