Posts tagged "security"

GDPR: how to email data securely to comply with the new regulations

April 5th, 2018 Posted by Industry Focus, IT Services

The European Union’s General Data Protection Regulation (GDPR), which comes into force on May 25, will govern the storage and processing of data rather than its collection. It also includes some very important consumer rights. The most important are the right to be informed, the right of access, the right to correct errors, the right to erase data, the right to restrict processing, and the right to take it elsewhere (data portability). How useful these will be in practice remains to be seen.

Emails are like plain text postcards because they can, in theory, be read at any of the many servers through which they pass, or by someone tapping a line. Of course, “read by” is unlikely to mean “read by a human being.” However, software can look for things like passwords and credit card numbers.

A more likely problem is sending emails to the wrong address, either because users have got their own email addresses wrong (this happens surprisingly often), or through human error. Pick the wrong address from a list of auto-complete suggestions and you could send personal data to the wrong recipient. This would be a data breach that might have to be reported.

It would obviously be a good thing if all emails were encrypted by default so that only the intended recipient could read them. Three decades of history says this isn’t going to happen soon, if at all. Public key encryption is too hard for people who just want to send normal emails.

Some large organisations do have encrypted email services, such as the NHS, but that doesn’t help the rest of us.

Some people do choose secure email services, such as ProtonMail in Switzerland and Tutanota in Germany. However, you also have to send external recipients a password – for example, in an SMS text message – to decrypt the email.

Tutanota users get an email that says “you have an encrypted email” and you click a link to read it, and reply to it, in a browser. You have to export the email if you want to keep a copy.

There are also plug-ins for Gmail and the Microsoft Outlook email program that provide secure email services. If one of your employers is using a secure system, they might let you join in.

If there’s no other alternative, you should encrypt and password-protect your images and documents before sending them as email attachments. Again, you must send the password separately, either via a different messaging service or in the post.


Online storage locations

It’s a good idea to upload attachments and then send people a link. However, bear in mind that you are uploading documents to the company that probably runs the biggest surveillance operation on the planet. Encrypt your documents before you upload them.

Encryption protects data if an online storage service is compromised – it has happened – or if your email is hacked.

Unfortunately, using Google Drive brings up an extra complication. If you are using Gmail, then you can assume that your data is being held in, passing through, or accessible from the USA.

GDPR does not oblige users to store data on servers inside the EU. However, there are extra requirements if servers are outside the EU. First, you need to have a legitimate reason for transferring personal data outside the EU. Second, you must have the consent of the person whose data is being exported. Third, you must give that person the option to opt out.

In another post, the aforementioned Liz Henderson explains how to create a GDPR Privacy Notice, and you could adapt her sample to cover Gmail storage outside the EU.

You could switch to using an email service that operates wholly within the EU (see above), if only for any people who opt out, or you could upgrade to Google’s paid-for service.

Google claims that its G Suite and Google Cloud Platform (GCP) services are fully compliant with GDPR, because it offers to sign EU Model Contract Clauses and a Data Processing Amendment. The fine print notes that “the parties acknowledge and agree that Non-European Data Protection Legislation may also apply to the processing of Customer Personal Data” and that “Google will not process Customer Personal Data for Advertising purposes or serve Advertising in the Services”.


Perfect online privacy?

March 23rd, 2018 Posted by News

True internet privacy could finally become possible thanks to a new tool that can, for instance, let you prove you’re over 18 without revealing your date of birth, or prove you have enough money in the bank for a financial transaction without revealing your balance or other details. That limits the risk of a privacy breach or identity theft.

The tool is an emerging cryptographic protocol called a zero-­knowledge proof. Though researchers have worked on it for decades, interest has exploded in the past year, thanks in part to the growing obsession with cryptocurrencies, most of which aren’t private.

Zero Knowledge Protocol (or Zero Knowledge Password Proof, ZKP) is a way of doing authentication in which no passwords are exchanged, which means they cannot be stolen. This is useful because it makes your communication secure enough that nobody else can find out what you’re communicating about or what files you are sharing with each other.

ZKP allows you to prove that you know some secret (or many secrets) to somebody at the other “end” of the communication without actually revealing it. The very term “zero knowledge” originates from the fact that no (“zero”) information about the secret is revealed, but the second party (called the “Verifier”) is (rightfully) convinced that the first party (called the “Prover”) knows the secret in question. Why would you need to prove you know the secret without telling it? When you don’t trust the other person, but still need to persuade them that you know it.
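The Prover/Verifier exchange described above, written out as an added example (not part of the original post): an interactive Schnorr identification protocol in which the Prover shows it knows the discrete log x of a public value y without ever sending x. The group parameters P, Q, G and the secret are toy values constructed for illustration; the simulator at the end shows why a transcript carries zero knowledge.

```python
import secrets

# Toy Schnorr group, constructed for illustration only: P = 2Q + 1 with Q prime,
# and G = 4 generates the order-Q subgroup of Z_P^*. Real deployments use a
# ~256-bit Q; the protocol itself is unchanged.
P = 1019
Q = 509
G = 4
assert pow(G, Q, P) == 1 and G != 1  # G really has order Q


def keygen(secret=None):
    """Secret x in [1, Q); public y = G^x mod P. The Prover keeps x, publishes y."""
    x = secret if secret is not None else 1 + secrets.randbelow(Q - 1)
    return x, pow(G, x, P)


class Prover:
    def __init__(self, x):
        self.x = x
        self.r = None

    def commit(self):
        # Step 1: pick a fresh random nonce r and send t = G^r.
        # r must never be reused: two responses under the same r would leak x.
        self.r = secrets.randbelow(Q)
        return pow(G, self.r, P)

    def respond(self, c):
        # Step 3: s = r + c*x mod Q. This is the only message that depends on x,
        # and the uniformly random r masks it completely.
        return (self.r + c * self.x) % Q


class Verifier:
    def challenge(self):
        # Step 2: random challenge in [1, Q). A Prover without x can only pass a
        # round if it guessed c before committing, i.e. with probability 1/(Q-1).
        return 1 + secrets.randbelow(Q - 1)

    @staticmethod
    def check(y, t, c, s):
        # Accept iff G^s == t * y^c (mod P); expands to G^(r + c*x) on both sides.
        return pow(G, s, P) == (t * pow(y, c, P)) % P


def run_protocol(prover, y, rounds=8):
    """Interactive run; True iff every round verifies. More rounds shrink the
    chance that a cheating Prover guessed all the challenges."""
    verifier = Verifier()
    for _ in range(rounds):
        t = prover.commit()
        c = verifier.challenge()
        s = prover.respond(c)
        if not Verifier.check(y, t, c, s):
            return False
    return True


def simulate_transcript(y):
    """Why the Verifier learns nothing: anyone holding only y can forge a
    transcript that verifies, by choosing c and s first and solving for
    t = G^s * y^-c. Real transcripts have the same distribution, so they
    cannot reveal x."""
    c = 1 + secrets.randbelow(Q - 1)
    s = secrets.randbelow(Q)
    t = (pow(G, s, P) * pow(y, Q - c, P)) % P  # y^-c == y^(Q-c) in an order-Q group
    return t, c, s


if __name__ == "__main__":
    x, y = keygen()
    print("honest prover accepted:", run_protocol(Prover(x), y))
    print("simulated transcript verifies:", Verifier.check(y, *simulate_transcript(y)))
```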

Much of the credit for a practical zero-knowledge proof goes to Zcash, a digital currency that launched in late 2016. Zcash’s developers used a method called a zk-SNARK (for “zero-knowledge succinct non-interactive argument of knowledge”) to give users the power to transact anonymously.

That’s not normally possible in Bitcoin and most other public blockchain systems, in which transactions are visible to everyone. Though these transactions are theoretically anonymous, they can be combined with other data to track and even identify users. Vitalik Buterin, creator of Ethereum, the world’s second-most-popular blockchain network, has described zk-SNARKs as an “absolutely game-changing technology.”

For banks, this could be a way to use blockchains in payment systems without sacrificing their clients’ privacy. Last year, JPMorgan Chase added zk-SNARKs to its own blockchain-based payment system.

For all their promise, though, zk-SNARKs are computation-heavy and slow. They also require a so-called “trusted setup,” creating a cryptographic key that could compromise the whole system if it fell into the wrong hands. But researchers are looking at alternatives that deploy zero-knowledge proofs more efficiently and don’t require such a key. 

Hackers using Starbucks cafe’s wi-fi made computers mine crypto-currency

December 14th, 2017 Posted by News

Starbucks has acknowledged that visitors to one of its branches were unwittingly recruited into a crypto-currency mining operation.

The wi-fi service provided by one of the coffee chain’s Buenos Aires outlets surreptitiously hijacked connected computers to use their processing power to create digital cash.

Starbucks said that it had taken “swift action” to address the problem.

But one expert said it highlighted the risks of using public wi-fi.

It is not clear how long the malware involved was active or how many customers were affected.

The issue was identified only when the chief executive of a New York-based technology company logged into the service and noticed the problem.

Noah Dinkin was alerted to the issue by a delay he experienced before being able to start using the net, and posted his discovery to Twitter.

Although he initially believed the code had been designed to force his laptop to try to create bitcoins, other users noted that it had in fact been designed to mine another digital currency, Monero.

Mining involves solving complicated mathematical equations to verify crypto-currency transactions.

Those involved are attracted by the promise of being rewarded with newly minted “coins” if their computer is first to solve a challenge.

But because lots of processing power is required to have a good chance of success, some people have tried to infect other people’s computers with mining code to boost their chances.

Victims’ computers are normally targeted via infected websites, but it is relatively unusual for a wi-fi hotspot to be involved.

“As soon as we were alerted of the situation in this specific store last week, we took swift action to ensure our third-party support provider resolved the issue and made the changes needed in order to ensure our customers could use wi-fi in our store safely,” a spokeswoman for Starbucks told the BBC.

The company had earlier told the Motherboard news website that it did not “have any concern that this is widespread” across its other stores.

Richard Howard, Microcomms cyber-security expert, said: “People need to be careful when using public WiFi. When connecting ensure you have up to date security software and be on the lookout for suspicious activity. Public WiFi does offer a useful service and the abuse is definitely the exception not the rule. Also, as applications and websites move towards encryption by default – overall security improves and makes life much harder for hackers.”

Uber concealed huge data breach

November 22nd, 2017 Posted by News

Uber concealed a hack that affected 57 million customers and drivers, the company has confirmed.

The 2016 breach was hidden by the ride-sharing firm which paid hackers $100,000 (£75,000) to delete the data.

The company’s former chief executive Travis Kalanick knew about the breach over a year ago. The hackers found 57 million names, email addresses and mobile phone numbers, Uber said.

Within that number, 600,000 drivers had their names and licence details exposed.

Drivers have been offered free credit monitoring protection, but according to Uber’s statement, affected customers will not be given the same.

‘None of this should have happened’

“While we have not seen evidence of fraud or misuse tied to the incident, we are monitoring the affected accounts and have flagged them for additional fraud protection,” Uber’s chief executive Dara Khosrowshahi said.

“None of this should have happened, and I will not make excuses for it,” he added.

“While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes.”

In the wake of the news, Uber’s chief security officer Joe Sullivan has left the company.

Uber did not confirm precise details of the hack – and it is not known which countries were affected – but according to Bloomberg’s report, two hackers were able to access a private area of Github, an online resource for developers.

From there it is understood they found Uber’s log-in credentials to Amazon Web Services. AWS is a cloud computing service used by companies to store data.
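The path described above (credentials sitting in a code repository, then reused against AWS) is what repository secret scanning exists to catch before anyone else does. The following is an added illustration, not Uber’s, GitHub’s or any scanner’s own code; the sample file content is constructed, and the key values are the placeholders AWS uses in its own documentation.

```python
import re

# Constructed sample of repository content (not from any real breach). The key
# values are AWS's documented example placeholders, not live credentials.
SAMPLE_REPO = """\
# deploy/config.py
AWS_REGION = "eu-west-1"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
DB_HOST = "db.internal.example"
# README.md
Use `aws s3 ls` after exporting your credentials.
"""

# Long-lived AWS access key IDs are 20 characters beginning AKIA; temporary
# (STS) ones begin ASIA. Both are safe to match on because they are not secret
# by themselves, but their presence flags where a secret key is likely nearby.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")

# Secret keys are 40 base64-style characters with no fixed prefix, so require a
# hint word within a few characters to keep false positives down.
SECRET_KEY_RE = re.compile(
    r"(?i)(secret|aws_secret_access_key)\W{0,20}([A-Za-z0-9/+=]{40})\b"
)


def redact(value, keep=4):
    """Show only a short prefix so a finding can be reported without
    re-leaking the value into tickets or chat."""
    return value[:keep] + "*" * (len(value) - keep)


def scan(text):
    """Return findings as (line_no, kind, redacted_value) for any text:
    a file, a commit diff, a CI log or a pasted snippet."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append((no, "aws_access_key_id", redact(m.group(0))))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append((no, "aws_secret_access_key", redact(m.group(2))))
    return findings


def has_credential_pair(findings, window=3):
    """A key ID with a secret within a few lines is a complete credential, which
    is the case that warrants immediate rotation rather than a low-priority ticket."""
    ids = {n for n, kind, _ in findings if kind == "aws_access_key_id"}
    secs = {n for n, kind, _ in findings if kind == "aws_secret_access_key"}
    return any(abs(i - s) <= window for i in ids for s in secs)


if __name__ == "__main__":
    for line_no, kind, value in scan(SAMPLE_REPO):
        print(f"line {line_no}: {kind} = {value}")
    print("complete credential pair present:", has_credential_pair(scan(SAMPLE_REPO)))
```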

As is often the case, it will likely be the cover up that proves more bothersome for Uber than the hack itself.

Companies are required to disclose significant data breaches to regulators, something it has by its own admission failed to do in this case.

Uber has form. In January it was fined $20,000 for failing to disclose a considerably less serious breach in 2014.

With GDPR coming into force in May 2018, the firm could have been liable for fines of £20m or 4% of its worldwide turnover. It’s time companies started taking data security seriously.

Warning that UK digital economy may be ‘at risk’ from Brexit

September 14th, 2017 Posted by News

Businesses have warned the UK’s £240bn data economy could be at risk unless a suitable Brexit transition deal is established by the Government.

Under EU regulations, businesses are only allowed to move data from within the bloc to countries outside of it if those countries meet the EU standards for data protection. This is intended to stop corporations laundering data to jurisdictions where they could use it for purposes that would not be allowed in the EU.

Although, as part of the EU, the UK is currently compliant with EU data protection law, it will become a separate jurisdiction after Brexit and will require an “adequacy” agreement in terms of its data protection laws.

To meet these requirements the Government has introduced a Data Protection Bill, which will enshrine the EU’s new General Data Protection Regulations in UK law, but businesses are concerned this may not be enough.

Josh Hardie, deputy director-general of the Confederation of British Industry, said the bill shows the Government “has taken the right steps… but in the long-term, we need an ‘adequacy decision’ with the EU, where the UK can prove our data laws and business environment meet EU standards”.

“Unless the Brexit negotiations find another way, getting such a deal would mean first becoming a ‘third country’. In other words, we’d need to leave the EU before that process could even begin.”

Edward Snowden leaked information about intelligence programmes.

The legal uncertainty of the UK being a “third country” would “affect jobs, growth and prosperity across the UK” he said.

“The last major data deal between the EU and a third country was with New Zealand and that took four years,” he added.

One of the most controversial adequacy agreements in recent years was made by the European Commission at the turn of the millennium, when it quickly asserted US legal principles complied with EU ones.

It stood by this decision even after Edward Snowden provided documentary evidence to the contrary, and would not concede the “Safe Harbor” arrangement was invalid until a legal challenge was escalated to the European Court of Justice.

Safe Harbor – the adequacy decision which allowed Facebook, Microsoft and others to transfer EU citizens’ data to the US – was declared void, and those data transfers became illegal overnight. However, they continued anyway.

Using contractual arrangements, US-based corporations continued to process EU citizens’ data while the commission quickly worked on putting together a new agreement.


Original story written by Alexander J Martin, Technology Reporter at Sky News.

‘Dolphin’ attacks fool Amazon, Google voice assistants

September 8th, 2017 Posted by Latest News

Voice-controlled assistants by Amazon, Apple and Google could be hijacked by ultrasonic audio commands that humans cannot hear, research suggests.

Two teams said the assistants responded to commands broadcast at high frequencies that can be heard by dolphins but are inaudible to humans. They were able to make smartphones dial phone numbers and visit rogue websites. Many smartphones feature a voice-controlled assistant that can be set up to constantly listen for a “wake word”.

Google’s assistant starts taking orders when a person says “ok Google”, while Apple’s responds to “hey Siri” and Amazon’s to “Alexa”.

Researchers in China set up a loudspeaker to broadcast voice commands that had been shifted into ultrasonic frequencies. They said they were able to activate the voice-controlled assistant on a range of Apple and Android devices and smart home speakers from several feet away. A US team was also able to activate the Amazon Echo smart speaker in the same way. The US researchers said the attack worked because the target microphone processed the audio and interpreted it as human speech.

“After processing this ultrasound, the microphone’s recording… is quite similar to the normal voice,” they said.

The Chinese researchers suggested an attacker could embed hidden ultrasonic commands in online videos, or broadcast them in public while near a victim.

In tests they were able to make calls, visit websites, take photographs and activate a phone’s airplane mode. However, the attack would not work on systems that had been trained to respond to only one person’s voice, which Google offers on its assistant.

Apple’s Siri requires a smartphone to be unlocked by the user before allowing any sensitive activity such as visiting a website.

Apple and Google both allow their “wake words” to be switched off so the assistants cannot be activated without permission.

“Although the devices are not designed to handle ultrasound, if you put something just outside the range of human hearing, the assistant can still receive it so it’s certainly possible,” said Dr Steven Murdoch, a cyber-security researcher at University College London.

“Whether it’s realistic is another question. At the moment there’s not a great deal of harm that could be caused by the attack. Smart speakers are designed not to do harmful things.

“I would expect the smart speaker vendors will be able to do something about it and ignore the higher frequencies.”

The Chinese team said smart speakers could use microphones designed to filter out sounds above 20 kilohertz to prevent the attack.

A Google spokesman said: “We take user privacy and security very seriously at Google, and we’re reviewing the claims made.”

Amazon said in a statement: “We take privacy and security very seriously at Amazon and are reviewing the paper issued by the researchers.”

GDPR will change data protection – here’s what you need to know

August 18th, 2017 Posted by News, Uncategorized

General Data Protection Regulation, or GDPR, will overhaul how businesses process and handle data. Wired’s GDPR guide explains what the changes mean for you.


What is GDPR exactly?

The GDPR is Europe’s new framework for data protection laws – it replaces the previous 1995 data protection directive, which current UK law is based upon. After publication of GDPR in the EU Official Journal in May 2016, it will come into force on May 25, 2018. The two-year preparation period has given businesses and public bodies covered by the regulation time to prepare for the changes.

Don’t we already have data protection laws?

Each member state in the EU operates under the current 1995 data protection regulation and has its own national laws. In the UK, the current Data Protection Act 1998 sets out how your personal information can be used by companies, government and other organisations.

GDPR changes how personal data can be used. Its provisions in the UK will be covered by a new Data Protection Bill, which has been announced by the government.

Is my company going to be impacted?

In short, yes. Individuals, organisations, and companies that are either ‘controllers’ or ‘processors’ of personal data will be covered by the GDPR. “If you are currently subject to the DPA, it is likely that you will also be subject to the GDPR,” the ICO says on its website.

Both personal data and sensitive personal data are covered by GDPR. Personal data, a complex category of information, broadly means a piece of information that can be used to identify a person. This can be a name, address, IP address… you name it. Sensitive personal data encompasses genetic data, information about religious and political views, sexual orientation, and more.

These definitions are largely the same as those within current data protection laws and can relate to information that is collected through automated processes. Where GDPR differs from current data protection laws is that pseudonymised personal data can fall under the law – if it’s possible that a person could be identified by a pseudonym.


So, what’s different?

In the full text of GDPR there are 99 articles setting out the rights of individuals and obligations placed on organisations covered by the regulation. These include allowing people to have easier access to the data companies hold about them, a new fines regime and a clear responsibility for organisations to obtain the consent of people they collect information about. Here’s the low-down:

Accountability and compliance

Companies covered by the GDPR will be more accountable for their handling of people’s personal information. This can include having data protection policies, data protection impact assessments and having relevant documents on how data is processed.

Under GDPR, the “destruction, loss, alteration, unauthorised disclosure of, or access to” people’s data has to be reported to a country’s data protection regulator – in the case of the UK, the ICO – where it could have a detrimental impact on those who it is about. This can include, but isn’t limited to, financial loss, confidentiality breaches, damage to reputation and more. The ICO has to be told about a breach within 72 hours of an organisation finding out about it, and the people it impacts also need to be told.

For companies that have more than 250 employees, there’s a need to have documentation of why people’s information is being collected and processed, descriptions of the information that’s held, how long it’s being kept for and descriptions of technical security measures in place.

Additionally, companies that have “regular and systematic monitoring” of individuals at a large scale or process a lot of sensitive personal data have to employ a data protection officer (DPO). For many organisations covered by GDPR, this may mean having to hire a new member of staff. In this job, the person has to report to senior members of staff, monitor compliance with GDPR and be a point of contact for employees and customers.

There’s also a requirement for businesses to obtain consent to process data in some situations. When an organisation is relying on consent to lawfully use a person’s information they have to clearly explain that consent is being given and there has to be a “positive opt-in”.

Access to data

As well as putting new obligations on the companies and organisations collecting personal data, the GDPR also gives individuals a lot more power to access the information that’s held about them. At present a Subject Access Request (SAR) allows businesses and public bodies to charge £10 to give individuals what’s held about them.

Under the GDPR this is being scrapped and requests for personal information can be made free-of-charge. When someone asks a business for their data, they must stump up the information within one month.

The new regulation also gives individuals the power to get their personal data erased in some circumstances. This includes where it is no longer necessary for the purpose it was collected, if consent is withdrawn, there’s no legitimate interest, and if it was unlawfully processed.

GDPR fines

One of the biggest, and most talked about, elements of the GDPR is the power for regulators to fine businesses that don’t comply with it. If an organisation doesn’t process an individual’s data in the correct way, it can be fined. If it is required to have a data protection officer and doesn’t, it can be fined. If there’s a security breach, it can be fined.

Smaller offences could result in fines of up to €10 million or two per cent of a firm’s global turnover (whichever is greater). Those with more serious consequences can have fines of up to €20 million or four per cent of a firm’s global turnover (whichever is greater).


What to do if your business Social Media account is hacked

August 16th, 2017 Posted by Uncategorized

Even if you’re embarrassed, it’s important to let people know that you’ve been hacked – and most importantly, set up your accounts and educate staff to avoid it happening again.

If a business’s social media accounts are hacked, it can be hugely detrimental to its reputation and relationship with the public.

Here, security experts and social media professionals share advice on how to handle a hack and restore your company’s image.

Change passwords on all accounts

First, determine whether you’re still able to log into the hacked account.

“If you can log in, change the passwords on all your social media accounts – not just the ones that have been hacked,” advises Romain Ouzeau, chief executive of Iconosquare, an Instagram analytics company. “As some social media platforms offer the ability to log in via other sites and services [Tweetdeck, for example], you may be compromised on additional networks.”

As a general rule, Rob Brown, vice president of the Chartered Institute of Public Relations (CIPR), advocates the use of a different password for each social media platform. “Update passwords every two months, choosing longer passwords that contain different characters, and use two-step verification if a social media service offers it,” he says.

If you’re not able to log in, head straight to the social media company’s contact pages and tell the relevant team that you’ve been hacked.

Clean up the mess

If you’ve been hacked, there’s a chance that communications will have been sent from your account by the offender.

“If this happens, take a screen grab of the content before removing it,” says Lee Campbell, cyber computing lecturer at the University of Gloucestershire. “Then report the breach to the social media provider.

“If the compromised social media account includes content of a threatening, or abusive nature, report it to the police via Action Fraud, the UK’s national fraud and cyber crime reporting centre.”

Communicate and take control

Even if you’re embarrassed, it’s important to let people know that you’ve been hacked.

“Post an update from the reclaimed hacked account, stating what has happened and that unauthorised changes and/or communications may have occurred,” says Blaise Grimes-Viort, chief services officer for social media business, The Social Element.

“If any private or direct messages have been sent, contact those who received them directly to tell them what happened and that they shouldn’t click on any of the links that were sent.”

It’s also worth checking to see which third-party apps (auto post tools, for example) are connected to your social media profile. Review the list and delete any that you no longer use. If you keep seeing unwanted content posted through your account, you may want to revoke access for all third-party apps.

Prevention is the best plan

“If you have a response plan in place before an attack happens it means there are clear actions for employees to take – this helps members of staff act quickly and can help with damage limitation,” recommends Microcomms in-house cyber security expert Richard Howard.

“The majority of cyber attacks are caused by human error – deliberate or not – so employee training and communication is vital and should also cover advice on spotting suspicious activity, such as phishing emails.”

There are also some simple things that you, as a business owner, can do to improve security across your network. Use the latest antivirus software, run frequent scans for malware (malicious software) and perform a regular off-site backup of your systems.

You can manually adjust the settings on your [social media] account profile pages, restricting who can see your posts, photos and user profile. Also, tighten access to your mobile devices by setting a PIN of at least six digits on each.

Microcomms carry out cyber security health checks, staff training and will provide advice and recommendations to keep your business well protected from attack.

New Microsoft Bundle includes Windows 10

July 12th, 2017 Posted by IT Services, Subjects

Microsoft has bundled up its core products for businesses for a monthly fee, to encourage companies to upgrade to Windows 10. Its new offering, Microsoft 365, includes Office 365, Windows 10, and Enterprise Mobility + Security, for a monthly, per-user fee.

By wrapping its products into one package, the company is making it easier for businesses big and small to manage and pay for the software. It also pushes customers to the latest versions of Office and Windows and, as it’s subscription-based, ensures they’ll always have the latest version of software – something Microsoft are keen to encourage among their user base. In the recent cyber security attacks, Microsoft have scrambled to produce patches for their old software, but this has still left some users vulnerable. Having the latest versions should help alleviate this pressure.

There are two main versions of the new package:

Microsoft 365 Business

Caters for businesses with up to 300 users. Alongside Windows, Office and the security tools, the bundle will also include Microsoft’s mileage tracking app, called MileIQ, and previews of three new SMB-focused apps: Listings, for email marketing; Connections, to help publish your business information online; and Invoicing. It will hit public preview on 2 August and be available in the autumn.

Microsoft 365 Enterprise

For larger companies, Microsoft 365 Enterprise comes in two versions E3 and E5, with both available on 1 August. The former comes with Office, Outlook and Exchange, Teams, Skype for Business, SharePoint, Yammer and Microsoft’s threat protection system, as well as analytics and management software. E5 adds further analytics and compliance tools, and Microsoft’s advanced security tools, as well as PSTN Conferencing and Cloud PBX.

Speak to Microcomms about any 365 needs – we’ve got all the packages covered. We can help you determine which is the right solution for you and your business.


Router hack risks

June 26th, 2017 Posted by News

A weakness that left thousands of Virgin Media routers vulnerable to attack also affects devices by other providers, security experts suggest.

Virgin Media’s Super Hub 2 was criticised for using short default passwords that could easily be cracked by attackers.

But experts raised concerns that older routers provided by BT, Sky, TalkTalk and others were also at risk.

They recommend users change their router password from the default.

“It’s a bit unfair that Virgin Media has been singled out here. They made a mistake – but so have many other internet service providers,” said Ken Munro from security firm Pen Test Partners.

“This problem has been known about for years, yet still ISPs [internet service providers] issue routers with weak passwords and consumers don’t know that they should change them.”

The weakness in Virgin Media’s Super Hub 2 was highlighted in an investigation by consumer group Which?

The company has since advised customers using default network and router passwords to update them immediately.

However, a BT spokeswoman told the BBC: “We are not impacted by the hub issues affecting Virgin Media.”

What makes a router vulnerable?

Many routers are sent to customers with a default wi-fi password already set up.

Some use a long password with a mixture of upper and lower-case letters, numbers and sometimes symbols.

But others use short passwords with a limited selection of characters, and many follow a pattern that can be identified by attackers.

The Virgin Media Super Hub 2 used passwords that were just eight characters long, and used only lower-case letters.

That gives cyber-criminals a framework to help them crack passwords quickly, using a dedicated computer.
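To put the Super Hub 2 format in numbers, here is an added example (not from the article, Which? or Virgin Media) that computes the search space of a default password from its length and character classes and audits it against a stricter policy; the guess rate passed to the time estimate is an assumed parameter, not a measured figure.

```python
import math
import string

# Character classes a default password can draw from. Each class present in a
# password enlarges the alphabet an attacker has to search.
CLASSES = {
    "lower": set(string.ascii_lowercase),   # 26 characters
    "upper": set(string.ascii_uppercase),   # 26
    "digit": set(string.digits),            # 10
    "symbol": set(string.punctuation),      # 32
}


def alphabet_size(password):
    """Size of the smallest class-based alphabet covering every character,
    plus the set of class names used."""
    used = {name for name, chars in CLASSES.items() if any(ch in chars for ch in password)}
    return sum(len(CLASSES[name]) for name in used), used


def keyspace_bits(password):
    """Bits of search space for a password drawn uniformly from its length and
    classes. This is the best case for the defender: a vendor pattern that is
    known to attackers (letters only, fixed length, no repeats) only shrinks it."""
    size, _ = alphabet_size(password)
    if size == 0:
        return 0.0
    return len(password) * math.log2(size)


def exhaustive_search_seconds(bits, guesses_per_second):
    """Seconds needed to try every candidate at an assumed guess rate. Used to
    compare formats against each other, not as a cracking benchmark."""
    return 2 ** bits / guesses_per_second


def audit_default_password(password, min_length=12, min_classes=3):
    """Policy check for an ISP-issued default. Returns (ok, reasons, bits)."""
    _, used = alphabet_size(password)
    bits = keyspace_bits(password)
    reasons = []
    if len(password) < min_length:
        reasons.append(f"too short: {len(password)} < {min_length}")
    if len(used) < min_classes:
        reasons.append(f"only {len(used)} character class(es): {sorted(used)}")
    return not reasons, reasons, bits


if __name__ == "__main__":
    # Constructed samples: the 8-lowercase format the article describes versus
    # a 12-character, four-class password.
    for sample in ("abcdefgh", "Ab3$Ab3$Ab3$"):
        ok, reasons, bits = audit_default_password(sample)
        print(f"{sample!r}: {bits:.1f} bits, ok={ok}, reasons={reasons}")
```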


“Because the default wi-fi password formats are known, it’s not difficult to crack them,” said Mr Munro.

Once an attacker has access to your wi-fi network, they can seek out further vulnerabilities.

Image caption: Default passwords that follow patterns are easier to crack

Mr Munro said the problem was well-known, but the Which? investigation had reignited discussion.

“It has popped up again because attention has been drawn to the fact that very few people change their wi-fi password from the one written on the router,” he told the BBC.

Experts recommend that people change the default wi-fi password and the router’s admin password, using long and complex passwords to make life more difficult for attackers.