Only a Third of Indian IT Companies Ready for EU Privacy Laws*:
- Only a third of India’s IT services firms are compliant with a European data protection law to be effective in May, and damages from a breach could cost companies as much as four percent of their revenue.
- The sweeping new-data protection law, GDPR, being rolled out on May 25 is the most comprehensive set of rules being put forward globally to strengthen data protection and privacy of users.
- The policy enforces rules and responsibilities for corporations to be more transparent in acquiring user data, stick to unambiguous ways to seek consent and allow the user to withdraw consent.
- For technology services companies, newer policies will conflict with decades-old technologies where their client and record-keeping systems need rework.
- For instance, a legacy application that does not support any kind of login, will need to put in place a login interface to keep a record of the people who accessed it.
- Almost 30 percent of revenue for Indian IT services comes from European clients with multiple centres in the region.
- Industry analysts suggest even though the GDPR norms will be applicable across all industries, firms that deal with BFSI, retail, utilities, and healthcare are likely to invest in greater compliance as they deal with user data to provide services.
- The cost of technology compliance could be as much as $500,000.
*Source: Economic Times, March 26, 2018
Hackers Are Holding the City of Atlanta Hostage*:
- On March 22, a remote ransomware attack trapped the city’s data behind an encrypted wall that will only be lowered if the city coughs up a $51,000 ransom.
- The city is working to come up with a solution to get past the attack without paying the ransom, but five days in the effects are profound – crippling some of the city’s critical functions.
- As of March 27, city employees remain without email or internet access; residents cannot pay their electric bills; Wi-Fi is shut down at the Atlanta International Airport; and many departments are running on pen and paper while there is no access to electronic records.
- The mayor warned Atlanta city employees and residents to keep an eye on their bank accounts, and to shore up the security around their personal information, just in case.
- Experts have warned that cybersecurity is likely the next great security threat for governments and companies around the world, and that most systems are simply not prepared.
- Indeed, Atlanta isn’t the first U.S city to be hit by ransomware – the Colorado Department of Transportation has already been hit twice in 2018.
- It seems that most cities aren’t adapting their security before an attack happens, and that’s bad news because cities will likely be at particular risk moving forward.
- Many are seeking to automate processes that humans used to do, and more city systems are connected via the Internet of Things.
- These future “smart cities” plan to digitize huge portions of city infrastructure – street lights, traffic systems, pollution monitoring, water systems, and even city residents’ vehicles.
- The potential attack surfaces of a city is a huge challenge because the digital pathways between all of the entities and organizations in a city are often not well managed.
- It’s not clear at what point Atlanta will give in and pay the ransom to get its data back.
*Source: Futurism, March 27, 2018
The Web Will Soon be a Little Safer With the Approval of This New Security Standard*:
- The Internet Engineers Task Force has just unanimously approved a security framework that will make encrypted connections on the web faster and more resistant to snooping.
- It’s called Transport Layer Security version 1.3, and while it’s not a big flashy event, it very much is the kind of iterative improvement that keeps the web working in the face of malicious actors everywhere.
- The IETF is a body of engineers from all over the world who collaborate on standards like this, and their approval of TLS 1.3 has been long in coming (more than four years and 28 drafts).
- Without going too deep into the technical details, TLS 1.3 makes a few prominent changes that should keep you safe.
- The “handshake” between client and server has been streamlined and encryption initiated earlier to minimize the amount of data transmitted in the clear.
- “Forward secrecy,” meaning hackers can’t skim decryption keys from one exchange and use it to decrypt others later.
- “Legacy” encryption algorithms have been removed as options, as these could occasionally be forced into use and their shortcomings leveraged to break the cipher on messages.
- A new “0-RTT,” or zero round-trip time, mode in which the server and client that have established some preliminaries before can get right to sending data without introducing themselves to each other again.
- The whole standard is 155 pages long, and really only other engineers will want to dig in.
- It doesn’t magically take effect, of course – but the IETF approval is a big step towards the standard being adopted by big companies, web services, and other, higher-level standards.
- You probably won’t even notice when it does come into play, but that’s how it’s supposed to happen.
*Source: Tech Crunch, March 23, 2018
Grindr Security Flaws Puts User Privacy at Risk, Bombshell Report Claims*:
- The queer dating and social networking app Grindr reportedly has two major security flaws that put the personal data of its more than 3 million daily users at risk.
- The CEO of a property management company discovered the issues after creating a new site that allowed Grindr users to discover who blocked them on the app.
- After entering a Grindr username and password, the creator was able to access data not publicly seen on profiles, including unread messages, email addresses, deleted photos, and location of individual users.
- Some of the information sent to the company’s servers was not encoded, meaning that user locations would be exposed even if they chose to opt out of sharing their location information.
- Grindr officials told NBC that they were aware of the security issues that were uncovered and that they had changed their system to prevent access to data regarding blocked accounts.
*Source: Huffington Post, March 29, 2018
How Hackers Are Hijacking Your Cell Phone Account*:
- Fraudsters have figured out how to break in to online accounts protected by two-factor authentication, where the authenticating device is your mobile phone.
- They don’t steal the phone; they simply hijack the phone number.
- This enables them to intercept those one-time verification codes sent to that mobile number by text, email, or phone call.
- Armed with their victim’s personal information, such as date of birth and last four digits of their Social Security number – information that is available on the dark web – these identity thieves trick the wireless carriers into transferring their target’s phone number to a new account they control.
- Mobile phone hijacking is on the rise; reports of this crime to the Federal Trade Commission more than doubled between 2013 and 2016, from 1,038 incidents to 2,658.
- Port-out scammers can take over any account where that smartphone is the verification device.
- Most victims find out about the scam when they go to use their cell phone and it won’t work, but by the time they contact their carrier to find out what’s happened the scammer may have already drained their bank account.
- The port-out scam can take place at a wireless store or online, but in both cases, the impostors have enough information to convince the phone company that they are who they claim to be, and have that person’s phone service transferred to their mobile device.
- The wireless industry is well aware of the port-out scam.
- One cybersecurity expert believes better authentication procedures are needed before cellphone service can be switched.
- One suggestion is a security protocol that requires the phone company to text or call the phone of the registered owner before service is ported to another phone.
- If you haven’t already done so, call your wireless carrier and ask for PIN authentication for your accounts.
- For those who want to go one step further, Fraud.org recommends seeing if your accounts that use two-factor authentication offer an app-based way to receive that one-time verification code.
*Source: NBC news, March 27, 2018