Europe's GDPR: Don't Get Lost in Translation*:
- In May 2018 the General Data Protection Regulation (GDPR) will come into effect and will unify data protection for all individuals within the European Union as well as EU citizens traveling abroad.
- The term personal data is growing in scope: it covers any private or professional data, including names, addresses, photos, email addresses, bank details, social postings, medical information, and even an individual's IP address.
- At a high level, the GDPR will have a major impact on the kind of data that can be collected and recorded, and how that data is handled and stored.
- In the transition, on-premises and private cloud architectures will probably be the easiest to handle, but the public cloud will require more effort.
- There is a conundrum for many: the need for widespread visibility while also obfuscating sensitive information in private, public, and hybrid environments.
- Fortunately, there are tools and methods that can make the process much easier; for instance, data masking is ideal for GDPR compliance.
- Encryption is another tool that protects, and organizations can mask any sensitive data that they do not want encrypted.
- Outside the EU, things get interesting, since any organization touching data belonging to EU citizens must offer the same protection.
- Because it is difficult to segregate customer data so that each record can be tied to an individual, processes and technology that comply with the GDPR must be applied across the board.
- Compliance will require up-front infrastructure and process planning that ends in data protection by design and by default.
- Everyone is implicated, from data controllers collecting data to processors that process the data on behalf of the controller.
*Source: Light Reading, July 07, 2017
Flawed WordPress Plugin Allows Hackers to Steal Your Database*:
- A critical flaw in the WP Statistics plugin, used by more than 300,000 WordPress sites, can be exploited by attackers to steal a site's database.
- Site administrators using an outdated plugin are at risk.
- An attacker with at least a subscriber account could leak sensitive data and under the right circumstances/configurations compromise your WordPress installation.
- After learning of the flaw, the team behind WP Statistics was quick to patch the weakness in WP Statistics version 12.0.8.
- Users maintaining a WordPress site with a lower version of the WP Statistics plugin are urged to install the latest iteration pronto.
*Source: Hot for Security, July 04, 2017
NIST Officially Recommends Password Pasting*:
- The National Institute of Standards and Technology (NIST) is heavily involved in setting security standards and recently published Digital Identity Guidelines.
- The four-volume series of documents outlines how systems should handle account security, including passwords, two-factor authentication, and related policies.
- NIST publishes similar documents on all types of security topics with the goal of assisting engineers who need to implement these systems.
- One of the topics it commented on was ‘password pasting,’ the practice of allowing users to paste their passwords into login forms – the NIST says it’s acceptable.
- Being able to paste passwords facilitates the use of password managers, which are widely used and in many cases increase the likelihood that users will choose stronger memorized secrets.
- NIST's new guidelines include a number of other best-practice recommendations for passwords, among them support for 64-character passwords and an end to mandatory periodic password changes.
*Source: The SSL Store, July 06, 2017
Reckitt Benckiser Warns Sales Took a Hit from the Petya Ransomware Attack*:
- Household goods firm Reckitt Benckiser is still feeling the burn from the Petya ransomware attack.
- The company said the attack was now “materially contained”, but it warned that the cyber-attack did disrupt its ability to manufacture and distribute products to consumers in multiple markets.
- Consequently, the company was unable to ship and invoice some orders to customers before the close of the quarter.
- Some factories are currently still not operating normally, but plans are in place to return to full operation.
- Second quarter like-for-like revenue growth was estimated to be two percent lower mainly as a result of the ransomware attack.
- RB is one of the first companies to put a price tag on the cost of a global cyber-attack after the ransomware significantly hit output at many of its more than 60 factories as well as crippling its global supply chain.
- Other companies affected by the Petya ransomware attack included London-based advertising giant WPP, Danish shipping group Maersk, Cadbury's owner Mondelez, and a number of Ukrainian and Russian businesses.
*Source: City A.M., July 06, 2017
AA Shop Investigating 13 Gigabyte Data Breach*:
- The AA has been criticised over the way it has handled a data breach involving 13 gigabytes of data.
- The huge cache was viewable online for a few days, but the motoring organisation said that it contained no "sensitive" information.
- A security researcher who analysed the leak said he found details like email addresses, names and parts of payment card numbers.
- A server “misconfiguration” was blamed for giving access to two back-up files that contained information about orders for maps and other products from retailers.
- The AA said it investigated, sampled the data and, because it was not sensitive and only accessed a few times, ended the investigation.
- Another researcher said they found 117,000 unique email addresses in the data, as well as names, IP addresses, credit card types, expiry dates and the final four digits of card numbers.
- The company’s statement does not acknowledge the severity of the exposed data nor that they failed to notify customers when learning of the exposure.
- The AA was forced to apologise after a mistake led to it issuing emails telling some members to update their passwords.
*Source: BBC, July 03, 2017
Diseases Infect People but Cyber-Attacks Infect X-Ray and MRI Machines*:
- To prevent cyber-attacks from taking down hospital systems and infecting life-saving machines, the same blockchains used to decentralize cryptocurrencies like bitcoin could be used to safeguard patients, both past and present.
- The WannaCry cyberattack was a wakeup call for healthcare providers.
- Earlier this year, WannaCry’s ransomware spread across the world, infecting as many as 300,000 computer systems in 150 countries, including at 48 hospital trusts in the UK.
- The attack forced many hospitals to cancel or delay treatment, and should be a warning to the healthcare industry that patient care can be compromised if computer systems suffer a security breach.
- Many people don’t realize that hospital hardware such as MRI and x-ray machines are computers, which means their software can become vulnerable to cyberattacks.
- Many devices in hospitals often do not use traditional security mechanisms because they do not have enough memory or processing power.
- By using a distributed, permanent digital ledger to disseminate updates – such as a blockchain – medical devices can update security software directly.
- Disseminating security updates such as malware signatures and intruder addresses can equip endpoints to handle emergent threats.
- The blockchain has many more applications in helping to prevent damaging cyber-attacks on critical healthcare infrastructure.
- One of its key characteristics is immutability; the use of sequential hashing, cryptography, and its decentralized structure make it near impossible to unilaterally alter data.
- A hacker would need to take control of more than 51% of the processing power of the blockchain to change the ledger – a difficult feat.
- Another problem faced by hospitals is that data needs to be accessed by multiple parties; the blockchain can secure communication protocols by requiring two-factor authentication.
- There is no silver-bullet solution to combatting cybercrime in healthcare, but the blockchain can improve endpoint security and make systems more resilient in the face of cyber-attacks.
*Source: Quartz, July 07, 2017