11 Ways to Keep Information Safer in the Cloud*:
- With data breaches everywhere these days, it seems harder and harder to keep information safe.
- It seems like we’re hearing of a new data breach each month, giving companies transitioning to the cloud plenty of reason to feel vulnerable.
- Fortunately, there are steps you can take to be a bit safer online:
- Use two-factor authentication
- Get cybersecurity insurance
- Perform annual security assessments
- Encrypt data locally
- Invest in online security protection
- Rely on a good cloud provider
- Change your passwords frequently
- Keep your circle small
- Test your backups
- Make security part of your ongoing training
- Try a moving-target defense
*Source: The Next Web, June 22, 2018
‘Hidden Tunnels’ Help Hackers Launch Financial Services Attacks*:
- Hackers are using the infrastructure, meant to transmit data between applications, for command and control.
- The security tools and strategies financial services organizations use to protect their data could be leveraged by cybercriminals who sneak in undetected via "hidden tunnels" to conceal their theft.
- Ironically, financial firms have the biggest non-government security budgets in the world.
- Bank of America invests more than $600 million in cybersecurity each year, while JPMorgan Chase spends $500 million. Equifax, while smaller than both, spends an annual $85 million on security.
- Yet in Equifax's case – despite budget, staff, and a security operations centre – it took 78 days in 2017 to detect a massive breach of its network, in which attackers accessed 145.5 million Social Security numbers, 17.6 million driver's license numbers, 20.3 million phone numbers, and 1.8 million email addresses.
- Could the same thing happen at another financial firm?
- Equifax's breach started when a Web server was exploited to access the corporate network.
- The attackers installed more than 30 Web shells with different addresses to burrow into Equifax and, once inside the network, customized their hacking tools to exploit Equifax software, evade firewalls, and exfiltrate information.
- What stood out most is the use of hidden tunnels in HTTP, HTTPS, and DNS traffic, which threat actors use to get into networks protected with strong access controls.
- When enterprise security defences are strong, threat actors have to seek new ways to break through them.
- Financial firms have stronger security than most, securing Web applications with layers upon layers of access controls.
- Because apps are locked down, data has to be sent through "hidden tunnels" to move across an organization.
- There are legitimate use cases for this: specific commercial stock-ticker apps and internal financial services use tunnels to communicate.
- The high volume of traffic flowing to and from enterprise Web applications creates an ideal place for attackers to hide.
- Hidden tunnels are tough to detect because communications are hidden within connections that use normal, permitted protocols.
- Attackers could leverage tools purchased on the Dark Web to exfiltrate data and bypass access controls.
- The tools are out there, and attackers have a great ecosystem for sharing them.
*Source: Dark Reading, June 21, 2018
What Your Web Browser’s Incognito Mode Really Does*:
- This tool can be useful, as long as you understand its limitations.
- You don’t have to be a computer whiz to grasp the value of private web browsing.
- All of today’s major web browsers – Chrome, Edge, Firefox, and Safari – offer a feature that provides a private browsing window and deletes the browsing history on your computer after you close it.
- These windows can help reduce the amount of information collected on you by retailers and advertising companies.
- However, recent research indicates that many people overestimate the protection provided.
- Private browsing mode does some useful things, but you’re absolutely not anonymous, you’re not ‘incognito,’ and your secrets are not necessarily safe from hackers or marketers.
- How Does Incognito Mode Work? At the end of each session your cookies go away and you get a whole new set the next time you start.
- The most obvious change you’ll notice after a privacy browsing session is that it doesn’t show up under the History tab in your browser.
- Firefox adds a layer of tracking protection to its private browsing mode to help protect against a technique known as fingerprinting, in which data collectors track you around the web.
- Why Is Incognito Mode Useful? If you just want a brand new session that doesn’t remember anything about who you are, then incognito mode will work really well for that.
- If you’re shopping for a gift on the family laptop, using incognito mode will prevent anyone else who might use the laptop from seeing your search history or getting targeted ads revealing what you’ve shopped for.
- Incognito mode could come in handy when you’re visiting a friend and want to check your email on his computer without opening his email account – simply launch an incognito window, then close the window when you’re done.
- Don’t let incognito mode lull you into a false sense of security, though – guard your passwords, and close that window when you’re done.
- What Doesn't It Do? Once you close an incognito window, most of the data about your web session will be deleted, but only the pieces that were stored on your own computer.
- The data stored on company servers as a result of your online activity is another story altogether.
- A private browsing window can’t erase the records of your visit from a website’s servers, or from any networks you went through to get to a site.
- Incognito mode also doesn’t do anything to protect you from malware.
- Any bookmarks you make or files you download while in incognito mode will persist after you close the browser.
*Source: Consumer Reports, June 20, 2018
Even After Multiple Cyberattacks, Many Businesses Fail to Bolster Security. Here’s What You Need to Do*:
- Small businesses suffered a barrage of computer invasions last year but most took no action to shore up their security afterward.
- A recent survey found that 47 percent of small businesses reported that they had one attack in 2017, and 44 percent said they had two to four attacks.
- The invasions included ransomware, which makes a computer's files unusable unless the device's user or owner pays a ransom, and phishing, in which emails that look legitimate are used to steal information.
- The invasions also include what are called drive-by attacks, which infect websites and in turn the computers that visit them.
- Despite the prevalence of the data invasions, only about half of small businesses said they had a clear cybersecurity strategy.
- And nearly two-thirds said they didn't bolster their security after an attack.
- The surveyor estimates that seven out of 10 businesses aren't prepared to handle cyber-attacks, even though such attacks can cost a company thousands of dollars or more and ransomware can shut down operations.
- Cybersecurity tends to get pushed to the back burner while owners are busy developing products and services and working with clients and employees, or owners may see it as an expense they can't afford right now.
- Some basic cybersecurity advice:
- Back up all of a company's data securely. This means paying for a service that keeps a duplicate of all files on an ongoing basis.
- Install software that searches for and immobilizes viruses, malware and other harmful programs. Also install firewalls and data encryption programs.
- Make sure you have all the updates and patches for the operating systems on all your devices. They often include security fixes.
- If you have a website, learn how to protect it from hackers, using software including firewalls. But you might be better off hiring a service that will monitor your site with sophisticated tools that detect and disable intruders.
- Tell your staffers, and keep reminding them, about the dangers of clicking on links or attachments in emails unless they're completely sure the emails are from a legitimate source.
- Educate your employees about phishing attacks and the tricks they use. Phishers are becoming increasingly sophisticated and are creating emails that look like they really could have come from your bank or a company you do business with.
- Hire an information technology consultant who will regularly look at your systems to be sure you have the tools you need to keep your data safe.
*Source: Inc, June 19, 2018
Amazon, Microsoft and Uber are Paying Big Money to Kill a California Privacy Initiative*:
- As data-sharing scandals continue to mount, a new proposal in California offers a potential solution: the California Consumer Privacy Act would require companies to disclose the types of information they collect, like data used to target ads, and allow the public to opt out of having their information sold.
- In recent weeks, Amazon, Microsoft, and Uber have all made substantial contributions to a group campaigning against the initiative, according to state disclosure records.
- Facebook, Google, AT&T, and Verizon have also contributed to block the measure.
- The campaign to pass the California Consumer Privacy Act is almost wholly funded by Bay Area real estate developer Alastair Mactaggart.
- He started working on the initiative about four years ago and has spent more than $3 million on the campaign.
- The initiative recently submitted 600,000 unverified signatures to qualify for a place on the November ballot.
- The state is currently sorting through those signatures to determine whether there are 366,000 legitimate ones, the required threshold for a ballot spot.
- The measure is polling well, and Mactaggart expects the constant drip of data-sharing scandals to further buoy the effort.
- But tech companies have been the most visible antagonists and have cast the proposal as anywhere from frustrating to an existential threat to their business models.
- A spokesperson for Amazon commented, “While we share the initiative’s overarching goal of protecting consumer privacy, we are concerned by unworkable requirements that would hinder our ability to innovate on behalf of our customers.”
- Supporters of the proposal are waiting to hear whether they make the ballot and are challenging tech companies to stop funding the countermeasure.
*Source: The Verge, June 16, 2018
EU Politicians Tell European Commission to Suspend Privacy Shield Data Transfer Framework*:
- A couple of months ago, we wrote about an important case at the Court of Justice of the European Union (CJEU), the region's highest court.
- The final judgment is expected to rule on whether the Privacy Shield framework for transferring EU personal data to the US is legal under EU data protection law.
- Many expect the CJEU to throw out Privacy Shield.
- One of the European Parliament’s powerful committees, which helps determine policy related to civil liberties, has just issued a call to the European Commission to suspend the Privacy Shield agreement unless the US tries harder:
- The data exchange deal should be suspended unless the US complies with it by 1 September 2018, say MEPs, adding that the deal should remain suspended until the US authorities comply with its terms in full.
- There are a couple of reasons why the European Parliament's committee has taken this unusual step.
- One is the recent furore surrounding Cambridge Analytica’s use of personal data collected by Facebook, which the EU politicians incorrectly call a "data breach".
- However, as they correctly point out, both companies were certified under Privacy Shield, which doesn't seem to have prevented the data from being misused.
- The other concern is the recently-passed Clarifying Lawful Overseas Use of Data Act (CLOUD Act), which grants the US and foreign police access to personal data across borders.
- This undermines the effectiveness of the privacy protections of the data transfer scheme, since it would allow the personal data of EU citizens to be accessed more easily.
- The head of the civil liberties committee stated, “While progress has been made to improve on the Safe Harbor agreement, the Privacy Shield in its current form does not provide the adequate level of protection required by EU data protection law and the EU Charter. It is therefore up to the US authorities to effectively follow the terms of the agreement and for the Commission to take measures to ensure that it will fully comply with the GDPR.”
- The mention of the new GDPR there is significant, since it raises the bar for the Privacy Shield framework's compliance with EU data protection laws.
- A greater stringency makes it more likely that the European Commission will suspend the deal, and that the CJEU will strike it down permanently at some point.
*Source: Techdirt, June 15, 2018