STE WILLIAMS

Elderly scam victims are too embarrassed to speak up

“Christine” was a pensioner in her 70s with a terminally ill husband when she got an email out of the blue: she could receive £500,000 if certain “fees” were paid, it said. Well, hallelujah.

So she began paying… And paying… And paying. Over the course of a few months, Christine spent the couple’s life savings – £108,000, or about USD $142,555. The reality of the fleecing didn’t become clear until she tried to re-mortgage their home, at which point her solicitors suggested she’d been scammed.

It took a long time to drain Christine dry, with those “fees” drip, drip, dripping away until the couple’s bank account was empty. Didn’t family or friends notice the duress the couple was under? Why did it take a solicitor to spot what might seem like a blatant fraud perpetrated on the elderly – and why did it only come after the damage was done?

Unfortunately, Christine’s plight is all too common. According to a new, joint report from Reassura, a new anti-fraud helpline for pensioners, and the University of Portsmouth’s Centre for Counter Fraud Studies (CCFS), 22% of elderly people – those aged 65 and over – are unwilling to talk about their personal finances at all, even in good times. But if the elderly have been victimized by fraudsters or scammers, that number jumps to 36% who are too embarrassed to talk about what’s gone down.

Putting that reticence together with older people’s particular vulnerabilities – for example, social isolation, cognitive impairment, bereavement and/or financial pressures – creates a perfect storm. A separate report, conducted in 2015 by Age UK, found that 53% of pensioners had been targeted by scammers.

Christine is one of multiple case studies of scam victims featured in the report from the CCFS. Embarrassed silence is a common thread among them, and it’s got to stop: people have to talk openly about these crimes, because clamming up is only making things worse. From the CCFS report:

The polling showed how victims were more concerned in the long term about being a victim and a loss of confidence than they were about monetary losses. These stigmas, sense of victimisation/taboos lead to great pain in the victims, very low levels of crime reporting and perpetuation of the crimes.

Unfortunately, polling shows that those who’ve been scammed before are even more unwilling to discuss their finances, when compared to those who’ve never been scammed.

Silence is leading to non-reporting, increased crime rates and increasingly serious consequences of victimisation.

Nobody should be embarrassed to report that they’re the victim of scammers, but that’s easy to say when you’re still young enough and capable of smelling a rat. The CCFS is working on ridding us all of the super taboo of talking about getting scammed.

At Naked Security, we know full well that our readers are often the ones who get the panicky call when, all of a sudden, grandma’s files are locked down by ransomware.

Ransomware might make the news when it hits huge companies, but it doesn’t discriminate. After all, your great-uncle’s money is just as green as that of a billion-dollar company. That means that you, dear reader, are often the ones having to rescue your vulnerable loved ones, be it from a lost password, from losing all their files to ransomware, or from getting talked into fake Microsoft tech support “your computer is crawling with malware!” calls.

But fret not. Sophos has got your back. Sophos Home lets you look after the IT security of the people you care about – or, at least, the people who tend to pester you for help fixing their computers.

There’s a free version or a premium version, depending on what you’re looking for, but both options have remote management – so you can keep your loved ones’ computers safe while you’re sat in front of your own.

If you want to throw some armor around your loved ones’ computers, Naked Security readers can get 20% off Sophos Home Premium today.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/P6v0Gm1ScWw/

Want to beat facial recognition? Join the Insane Clown Posse

Over the weekend, a computer science blogger for WonderHowTo who’s known on Twitter as @tahkion announced his revelation that makeup worn by fans of the hip hop duo Insane Clown Posse (ICP) – collectively known as Juggalos or Juggalettes – makes it very difficult for facial recognition (FR) software to figure out the wearer’s identity.

Tahkion says he discovered the facial recognition trickery while working on his own FR research project and was pretty surprised to find that Juggalo face paint was:

Some of the most effective camouflage I’ve found, even more effective than some styles created deliberately to fool such systems.

Of course, while Juggalo face paint may well fool automated FR, it makes the wearer far more recognizable to just about anyone else – say, humans, Tahkion said. For those who are truly devoted to avoiding facial recognition, this isn’t the answer. Rather, the surveillance-allergic would be better off with an FR-foiling disguise that still looks completely normal to the human eye.

Facial recognition relies on the distances between different landmarks placed on the face. Even though Juggalo makeup manages to “spoof” or replace these landmarks, this change is extremely visible. Ideally, one would want to use makeup or masks to be able to shift significant parts of the face – the jawline, nose, and eyes in particular. There isn’t really anything which has proven this possible yet, but it’s definitely the way these facial recognition evasion techniques are going to try to go.

There have been plenty of attempts to foil facial recognition technology over the years, be it makeup and hair styles a la CV Dazzle; reflective glass nanosphere clothing that ruins flash photography by turning the wearer into a “thermonuclear photobomber!”; creepy T-shirts printed with distorted celebrity likenesses designed to give the technology a migraine; and various iterations of the Privacy Visor: a wraparound, semi-transparent plastic sheet fitted over eyewear frames.

Tahkion noted that Juggalo makeup – a highly contrasted black and white clown mask – succeeds where such other, subtler facial-recognition-foiling techniques fail because it involves a radically redrawn jaw line.

As you can see, Juggalo makeup typically involves putting dark face paint below the mouth and stopping short before it hits the chin, which screws up automated facial recognition (AFR) software’s ability to locate the person’s jaw.

Commenters suggested that Juggalo makeup would only fool “really, really stupid software,” but that humans can easily look at such a face and tell that yup, there’s a jaw below the Joker-esque face paint. That misses the point, Tahkion said.

The power of facial recognition technology is that it’s automated and can churn through hundreds of thousands of faces and instantaneously slap identities on them. He explained that AFR neural networks are trained on contrast levels on normal facial landmarks – such as where a nose is located, or where chin turns into neck. That means that “you’d need to either have a user set the landmarks manually or train a network just on Juggalo facepaint.”
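Two passages above make the technical claim: landmark-based recognition compares distances between detected facial landmarks, and paint that ends short of the chin makes the detector place the jaw landmarks in the wrong place. The following is an added example, written for this page rather than taken from the article or from Tahkion’s project, that shows both halves of that claim in code: a scale-invariant landmark-distance matcher, and a plausibility check a pipeline can run so that mislocated landmarks produce an “unreliable” result routed to review instead of a confident (and possibly wrong) identity, which is the misidentification risk the later paragraphs discuss. All landmark coordinates, the `0.5` match threshold and the `0.35` chin-gap threshold are constructed for illustration, not calibrated values from any real system.

```python
import math


def dist(p, q):
    return math.hypot(p[0] - q[0], p[1] - q[1])


# Constructed 2-D landmark coordinates (pixels) for one enrolled face.
# Hypothetical values, not taken from any real detector or dataset.
ENROLLED = {
    "left_eye": (100.0, 120.0),
    "right_eye": (160.0, 120.0),
    "nose_tip": (130.0, 160.0),
    "mouth_left": (110.0, 190.0),
    "mouth_right": (150.0, 190.0),
    "jaw_left": (85.0, 200.0),
    "jaw_right": (175.0, 200.0),
    "chin": (130.0, 230.0),
}


def feature_vector(landmarks):
    """All pairwise landmark distances divided by the inter-ocular distance.

    Normalising by eye separation removes dependence on image scale, so the
    same face photographed nearer or farther away yields the same vector.
    """
    names = sorted(landmarks)
    iod = dist(landmarks["left_eye"], landmarks["right_eye"])
    return [dist(landmarks[a], landmarks[b]) / iod
            for i, a in enumerate(names) for b in names[i + 1:]]


def feature_distance(probe, template):
    """Euclidean distance between two faces' feature vectors (0 = identical geometry)."""
    return math.sqrt(sum((x - y) ** 2
                         for x, y in zip(feature_vector(probe), feature_vector(template))))


def geometry_plausible(landmarks, min_chin_gap=0.35):
    """Sanity check: on a real face the chin sits well below the mouth.

    A detector that keys on the dark/light edge places the chin where the paint
    ends; if that is above the real chin, the reported chin lands near the mouth.
    min_chin_gap is a constructed threshold in inter-ocular units.
    """
    iod = dist(landmarks["left_eye"], landmarks["right_eye"])
    mouth_y = (landmarks["mouth_left"][1] + landmarks["mouth_right"][1]) / 2
    return (landmarks["chin"][1] - mouth_y) / iod >= min_chin_gap


def identify(probe, gallery, threshold=0.5):
    """Return ('match', name), ('no_match', None) or ('unreliable', None).

    'unreliable' means the landmarks fail the plausibility check, so neither a
    positive nor a negative identification should be trusted; such probes belong
    in manual review, not in an automated identity assertion.
    """
    if not geometry_plausible(probe):
        return ("unreliable", None)
    best_name, best_d = None, math.inf
    for name, template in gallery.items():
        d = feature_distance(probe, template)
        if d < best_d:
            best_name, best_d = name, d
    return ("match", best_name) if best_d <= threshold else ("no_match", None)


def transform(landmarks, scale=1.0, dx=0.0, dy=0.0, moves=None):
    """Derive a probe: rescale/translate every landmark, then relocate chosen ones."""
    out = {k: (x * scale + dx, y * scale + dy) for k, (x, y) in landmarks.items()}
    out.update(moves or {})
    return out


GALLERY = {"enrolled_subject": ENROLLED}

# Same face, farther from the camera and off-centre: normalised geometry unchanged.
SAME_FACE_RESCALED = transform(ENROLLED, scale=0.6, dx=40, dy=15)

# Same face with 2 px of detector jitter on the nose tip: still well inside the threshold.
JITTERED = transform(ENROLLED, moves={"nose_tip": (130.0, 162.0)})

# Detector fooled by paint that stops short of the chin: chin and jaw landmarks
# reported 25 px too high (constructed to illustrate the failure mode).
MISLOCATED_JAW = transform(ENROLLED, moves={
    "chin": (130.0, 205.0), "jaw_left": (85.0, 175.0), "jaw_right": (175.0, 175.0)})

if __name__ == "__main__":
    for label, probe in [("rescaled", SAME_FACE_RESCALED), ("jittered", JITTERED),
                         ("mislocated_jaw", MISLOCATED_JAW)]:
        print(label, identify(probe, GALLERY), round(feature_distance(probe, ENROLLED), 3))
```

The rescaled probe matches exactly and the jittered one comfortably, while the mislocated-jaw probe is more than a full unit away from the template; without the plausibility check the matcher would simply return “no match”, and against a large gallery the nearest wrong face could just as easily fall under the threshold, which is why flagging implausible geometry matters more than the raw distance.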

AFR is already in wide use by law enforcement: last week, the FBI used the technology to identify the suspect who allegedly opened fire on the offices of Maryland newspaper Capital Gazette, killing five journalists.

While it is obviously understandable that law enforcement around the globe is eagerly adopting AFR technology, civil rights advocates are calling for caution and regulation around its mass use.

In the US, for one, the FBI had nearly half of the population’s likenesses in a massive face database as of March 2017, though lawmakers have raked it over the coals for doing so illegally, without regulation. The photos have come from civil and criminal mugshot photos, the State Department’s visa and passport databases, the Defense Department’s biometric database, and the drivers’ license databases of 18 states.

The database’s scope, plus the fact that it’s been unregulated, means that nearly half of all Americans are in a facial recognition database that the FBI can get at without warrants or without even having to prove they have reasonable suspicion that we’ve done anything wrong.

All this, in spite of the fact that AFR often screws up and misidentifies people.

Studies have found that black faces are disproportionately targeted by facial recognition, for one thing. According to a study from Georgetown University’s Center on Privacy & Technology, in certain states, black Americans are arrested at up to three times their representation in the population, meaning they’re overrepresented in face databases. And just as African Americans are overrepresented, so too is their misidentification multiplied. Adding to this, FR algorithms have been found to be less accurate at identifying black faces.

During a March 2017 House oversight committee hearing, it emerged that 80% of the people in the database don’t have any sort of arrest record. Yet the system’s recognition algorithm inaccurately identifies them during criminal searches 15% of the time, with black women most often being misidentified.

Although AFR does make mistakes, Maryland police are convinced that the technology helped them identify the suspect in the Capital Gazette murders. Tim Altomare, Anne Arundel county police chief, from a 29 June press conference:

We would have been much longer in identifying and being able to push forward in the investigation without that system.

The suspect wasn’t carrying identification when he was apprehended. Initial attempts to use fingerprints didn’t work, given a “lag” on the computer system, Altomare said. Police came up with a likeness after running the suspect’s image through the Maryland Image Repository System (MIRS), which compares photos to millions of driver’s license pictures and mug shots. But some question whether the use of AFR was necessary in this case.

The suspect – 38-year-old Jarrod Ramos – allegedly sent three letters threatening to kill “every person present”: one to a lawyer, one to the Maryland Court of Special Appeals and one to a Baltimore City judge, according to The Baltimore Sun. Police told the Sun that the letters had Ramos’s return address on them. CNET quoted ACLU Legislative Counsel Neema Singh Guliani:

It’s extremely questionable that the police actually needed facial recognition technology to identify this shooter, who had made multiple prior threats, was in custody and was already fingerprinted. The public has a right to more answers and an informed debate before any mass surveillance capable technologies, like facial recognition, are acquired or utilized.

According to a national report from Georgetown University’s Center on Privacy & Technology, Maryland has some of the most aggressive facial recognition policies in the nation: using MIRS, Maryland police can search 7 million driver’s license photos, 3 million state mug shots, and 24.9 million mug shots contained in the FBI’s database.

In 2016, the ACLU accused the state of using MIRS without a warrant to identify protesters in Baltimore following the death of Freddie Gray while he was in police custody… which brings us back full circle to the Juggalos’ use of AFR-baffling makeup. In September, Juggalos marched on Washington in an effort to draw attention to a 2011 FBI Gang Task Force report that labeled the fans as a “loosely organized hybrid gang.”

The protesters, many wearing what now turns out to be makeup that may well baffle police’s identification of protesters and suspects alike, claimed that the label had a “devastating effect” on Juggalo lives, “ranging from denial of military service to loss of child custody to – the most common consequence – being added to a local and/or state gang list for wearing Juggalo-related merchandise or tattoos.”

Clearly, the facial recognition lines are being drawn more clearly every day, both literally and figuratively: police are claiming success in using AFR to quickly apprehend suspects, while protesters are literally drawing lines on their faces that baffle the technology allegedly used by police to surveil them. Readers, which side of the fence does your support fall on?


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/nxrSRibTR6o/

Bill Clinton’s cyber-attack novel: The airport haxploit-blockbuster you knew it would be

Book review The Register has read The President Is Missing by Bill Clinton and James Patterson so you don’t have to. Don’t say we never do anything for you…

Bill Clinton’s foray into co-authoring a novel is an awkward hybrid of cyber thriller and reflections on the loneliness and responsibility of high political office.

The President Is Missing, co-written with prolific potboiler author and Stephen King botherer James Patterson, plays with a familiar trope: the leader of the free world as an action hero.

In the book, the fictional President Jon Duncan is given five days to prevent a cataclysmic cyber attack that would erase financial records, disable the power grid, break water purification systems and disable mobile phone networks.


Yes that’s right: it’s a cyber Pearl Harbour.

As if that’s not enough, President Duncan is also facing impeachment proceedings while coping with a long term health condition and fending off a pregnant would-be assassin and her cohorts.

Phew.

The fictional president, a former governor of a southern US state (remind you of anyone?) and widower, responds to all this stress by going off-grid to sort things out.

According to former Clinton Secret Service man Gary Byrne, the former president was allegedly able to give his Secret Service protectors the slip several times. This possibility of ditching the detail gives The President Is Missing one of its central plot elements.

The fictional prez, a former Army Ranger and Gulf War veteran, adopts his disguise before making his way out of the White House through a secret tunnel and meeting a hacker who, having helped to make and plant a devastating wiper strain of malware, has second thoughts about bringing down western civilisation.

The book meshes elements of the Kiefer Sutherland-starring jeopardy series 24 plot with elements of Die Hard 4 and themes of betrayal from House of Cards. The prose is as pedestrian as Stephen King might expect, and best compared to the Da Vinci Code.

The plot is functional enough but the characters, including female Bosnian assassin Bach, are mere ciphers that don’t linger in the imagination after reading the book. There is quite a lot of reflection on the people who enter politics and Democratic talking points that would sit more naturally in a memoir or political diary.

Those reading the novel for insights into the US political process or what it’s like to be president will find points of interest. Parts of the book, such as a passage relating a telephone call to the mother of a dead soldier, have the mark of authenticity.

The literary running mates – Clinton and Patterson – have read the CliffsNotes but they don’t really know a great deal about cyber, elements of which are used to season the pot of what in essence remains a would-be airport blockbuster. The book is 513 pages in hardcover but split into 10-page chapters for easy digestion.

[Image: Manchester airport billboard for Clinton cyberthriller. Pic: John Leyden]

To Russia, with love…

Unsurprisingly, the Russians are the cyber antagonists in the book. The real-life Russian government hacking crew, Fancy Bear (APT28, a unit of Russian military intelligence or GRU), even gets a name-check. The Russians act through a proxy group called the Sons of Jihad, who (despite their name) are nationalists rather than jihadists.

Duncan’s impeachment proceedings stem from a phone call to the leader of the group, during which he uncovers a plot to unleash a virus so horrible it is called the Dark Ages.

The cyber attack itself is rather pedestrian – a wiper. Even university security operations centre staff these days train on simulations with multiple attack vectors (hacking, malware, DDoS etc). The malware-based “McGuffin” at the centre of the action does have advanced (not to say almost magical) cloaking abilities that make it hard to defuse.

It’s a bit better than CSI: Cyber, but then what isn’t? There are already plans from Showtime to turn the book into a 16-part series.

For those that can’t wait, The President is Missing is already half-price on Amazon for £10 or $15. The official website is here. ®

Sponsored:
Minds Mastering Machines – Call for papers now open

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/07/04/clinton_cyberthriller_book_review/

Huawei enterprise comms kit has a TLS crypto bug

Huawei has rolled patches to various enterprise and broadcast products to fix a cryptography bug.

In late 2017 (inferred from the bug’s Common Vulnerabilities and Exposures entry, CVE-2017-17174, which was reserved in December), the company discovered some products had an insecure encryption algorithm.

The flaw could allow a person-in-the-middle to decrypt a session key and recover the content of the session.

The products affected are: the RSE6500 recording and streaming engine (version V500R002C00); the now-deprecated SoftCo unified communications software (version V200R003C20SPCb00), the VP9660 videoconferencing multipoint control units (version V600R006C10); and multiple versions of its eSpace U1981 IP telephony and enterprise communications universal SIP gateway.

If any of these are using RSA encryption in TLS, they’re potentially vulnerable.
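The advisory’s description, a person-in-the-middle recovering the session key, is the failure mode of TLS 1.2’s RSA key transport: the client encrypts the premaster secret to the server’s RSA public key, so any weakness that lets an attacker recover that ciphertext’s plaintext exposes the whole session, and a later compromise of the key exposes every recorded session. The defensive response that does not depend on a vendor patch is to refuse static RSA key exchange and negotiate only (EC)DHE suites. The following is an added example, not code from Huawei or from the advisory, using only Python’s standard `ssl` module: it audits a proposed cipher string for suites whose key exchange is plain RSA, and it includes a `server_accepts_static_rsa` helper (an assumption about how one would check a deployed appliance from the outside; it needs network access) that reports whether a server still negotiates such a suite. The two cipher strings are constructed for the example.

```python
import socket
import ssl

# Constructed cipher string that refuses static RSA key exchange: every suite left derives
# the session key with ephemeral (EC)DH, so recovering the RSA-encrypted material or the
# server's private key later does not decrypt captured traffic.
FORWARD_SECRECY_ONLY = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!kRSA"

# Constructed legacy-style list: AES128-GCM-SHA256 uses Kx=RSA (the session key is
# transported inside an RSA ciphertext), while the ECDHE suite does not.
LEGACY_WITH_RSA_KX = "ECDHE-RSA-AES128-GCM-SHA256:AES128-GCM-SHA256"


def build_context(cipher_string):
    """Client context restricted to the given OpenSSL cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return ctx


def is_static_rsa(cipher_info):
    """True when a get_ciphers() entry negotiates the session key by RSA key transport.

    Python reports the key-exchange algorithm as 'kea' (e.g. 'kx-rsa', 'kx-ecdhe');
    the OpenSSL description line ('Kx=RSA') is checked as a fallback.
    """
    if cipher_info.get("kea") == "kx-rsa":
        return True
    return "Kx=RSA " in cipher_info.get("description", "")


def static_rsa_suites(ctx):
    """Sorted names of enabled suites without forward secrecy."""
    return sorted(c["name"] for c in ctx.get_ciphers() if is_static_rsa(c))


def audit(cipher_string):
    """Return (ok, offending_suite_names) for a proposed cipher configuration."""
    offending = static_rsa_suites(build_context(cipher_string))
    return (not offending, offending)


def server_accepts_static_rsa(host, port=443, timeout=5.0):
    """Offer only static-RSA suites; return the negotiated suite name, or None if refused.

    Hypothetical external check for an appliance you operate. Certificate checks are
    disabled because the question is only whether the key exchange is negotiable, and
    the handshake is capped at TLS 1.2 because static RSA does not exist in TLS 1.3.
    """
    ctx = build_context("kRSA")
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.cipher()[0]
    except (ssl.SSLError, OSError):
        return None


if __name__ == "__main__":
    for label, cs in [("forward-secrecy-only", FORWARD_SECRECY_ONLY),
                      ("legacy", LEGACY_WITH_RSA_KX)]:
        print(label, audit(cs))
```

The same outside-in check can be typed directly as `openssl s_client -tls1_2 -cipher kRSA -connect HOST:443`: a completed handshake means the server still accepts RSA key transport. Where a device cannot yet be upgraded, restricting the cipher list on the peer that terminates TLS (a proxy or load balancer in front of it) is the interim control.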

Huawei’s advisory rates the vulnerability as a 5.3 (medium), because traffic interception and decryption are non-trivial activities.

Fixed versions are available for all products except SoftCo, whose owners are advised to upgrade to the eSpace U1981.

The optics of the disclosure are delicious, given the USA and Australia consider Huawei a danger to national security. Knowing the company is also a danger to its users – and over the kind of security matter you’d hope an alleged espionage ally would nail every time – looks like a very fortunate blunder. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/07/04/huawei_enterprise_comms_kit_has_tls_crypto_bug/

‘Plane Hacker’ Roberts: I put a network sniffer on my truck to see what it was sharing. Holy crap!

Interview “Plane Hacker” Chris Roberts has called for countries to pressure manufacturers into improving the lamentable state of transportation security.

Cars are turning into computers on wheels and airplanes have become flying data centres, but this increase in power and connectivity has largely happened without designing in adequate security controls.

Improving transportation security was a major strand of the recent Cyber Week security conference in Israel. A one-day event, Speed of Light, focused on transportation cybersecurity, where Roberts served as master of ceremonies.

El Reg caught up with the larger-than-life Highland Games participant at the conference to get a sitrep on the threats to transportation systems and the response from vendors. Progress is inconsistent and successes in the field are as much the result of countries, such as Israel, actively grappling with the issue as switched-on vendors.


“Israel was here, not just a couple of companies. Israel is going, ‘We as a state, we as a country, need to understand [about transportation security]’,” Roberts said. “We need to learn.”

“In other places it’s the companies. GM is great. Ford is good. Some of the German companies are good. Fiat-Chrysler Group has got a lot of work to do.”

Some industries are more advanced than others at understanding cybersecurity risks, Roberts claimed. For example, awareness in the automobile industry is ahead of that found in aviation.

“Boeing is in denial. Airbus is kind of on the fence. Some of the other industries are better.”

El Reg offered all the firms cited by Roberts an opportunity to respond to his comments. We’re yet to hear back from any of them.

“The challenge is in the US, the DHS [Department of Homeland Security] is saying [to the industry], ‘Hey you’ve got problems’,” Roberts told El Reg. “[Other regulators are] saying you need to listen. They are starting to listen and they are doing some of the work.

“But when you get a country [Israel] that is basically under threat 24/7 – saying that we as a country want to understand the state of security of systems that are transporting our citizens. It’s a huge message. It makes a difference.”

A country can apply pressure on manufacturers, Roberts said. The question should be how other governments follow the Israeli example.

Roberts said some European authorities are pushing positive cybersecurity improvements; others elsewhere are yet to step up.


“The port of Rotterdam is starting to take a more active look at shipping as a cybersecurity risk… that will start to push it.

“On the flip side, in the US the Association of American Railroads is saying we can’t interfere, all we can do is broker discussions. Regulators are saying, well, we have to take a lead from the railroad association. Regulators need to get involved. C’mon, guys: stop the finger pointing. This is a problem that we all have to solve.”

Transportation security threats collectively amount to a “clusterfuck”, Roberts said.

DHS and NCISC have put out warnings on air security – ground control, satellite control and some other telemetry.

A 20-year evolution

During the course of our interview, Roberts offered the following John Oliver-esque monologue on the automobile information security mess we find ourselves within.

“There’s a 20-year evolution in cars, so we’ve seen it coming along down the road. The phone has become an entire multipurpose device. It’s the same thing with cars.

“The car has become a multipurpose system. It’s moved on from being a single-function device that takes us from point A to B.

“It’s now a multi-function system that will read us an email, tune into whatever blasted system we want across the globe. It’ll tell us to stop off at Tesco and pick up a packet of biscuits and a pint of milk. It’ll be monitoring traffic flow and navigation. And it’ll do 25 other things at the same time, in theory while we’re either driving or not driving them.

“And, by the way, you may not even own the thing. You might be just leasing the time and the space on it. That’s been a 20-year evolution where we’ve had time to get used to it.

“With aviation and trains we don’t interact with them at the same level. We use a plane to go from point A to point B once a week, once a month or once a year.”

As with telephones, automobile technology has crept up on us.

“Cars are better than most, which is scary because there’s still a lot of work to be done,” Roberts said. “It has obviously been in the media more.

“There’s almost nothing you can do [as a user] to improve car security. The only thing you can do is go back to the garage every month for your Microsoft Patch Tuesday – updates from Ford or GM.

“You better come in once a month for your patches because if you don’t, the damn thing is not going to work.”

What about over-the-air updates? These may not always be reliable, Roberts warned.

“What happens if you’re in the middle of a dead spot? Or you’re in the middle of a developing country that doesn’t have that? What about the Toyotas that get sold to the Middle East or Far East, to countries that don’t have 4G or 5G coverage. And what happens when you move around countries?”

The Roberts family owns a mixture of modern and classic cars. Roberts said his awareness of cybersecurity hasn’t much influenced his buying decisions but it has affected some of the things that he’s done with his cars.

“I put a network sniffer on the big truck to see what it was sharing. Holy crap! The GPS, the telemetry, the tracking. There’s a lot of data this thing is sharing.

“If you turn it off you might be voiding warranties or [bypassing] security controls,” Roberts said, adding that there was also an issue about who owns the data a car generates. “Is it there to protect me or monitor me?” he mused.

Some insurance firms offer cheaper insurance to careful drivers, based on readings from telemetry devices and sensors. Roberts is dead set against this for privacy reasons. “Insurance can go to hell. For me, getting a 5 per cent discount on my insurance is not worth accepting a tracking device from an insurance company.”

Three years ago the FBI questioned Roberts over suspicions he had hacked into the controls of a United Airlines plane midair via the inflight entertainment system. Roberts tweeted about airplane network security during a UA flight to Syracuse, New York, back in April 2015. He was questioned on landing and some of his equipment was temporarily seized.

No charges ever followed the incident, which increased Roberts’ profile within the infosec community. Fellow hackers were quick to come to his defence and he has since become a trusted partner and expert consultant to various parties in the aviation industry, even though others seemingly remain reluctant to take his research on board. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/07/04/plane_hacker_roberts_interview/

Surveys-as-a-service outfit Typeform spilled a backup from May

Spanish Web form and survey company Typeform has announced a data breach in June, affecting data dated May, after someone gained access to one of the company’s backup files.

The company said the intruder accessed files “from a partial backup dated May 3rd, 2018”, and said it will contact all affected customers. “We identified the breach at 14:00 CET on June 27th, and remedied the apparent cause of the breach at 14:30 CET on June 27th”, the company said.

The company has not identified what it called “partial information”, but affected customers have detailed the extent of the issue.

British high-end nosh outlet Fortnum & Mason wrote to customers saying “Approximately 23,000 of our data entries have been affected” with “email addresses, survey/vote responses and for a smaller number of contacts, postal address and social handles” exposed.

The store added “All other personal information and/or purchase information is safe and protected. We can assure you that no bank or payment details have been involved, and your money and accounts are safe.”

In Australia, the Electoral Commission for the State of Tasmania was impacted. In a media release the Commission warned voters that if they had applied for an express vote in the state’s March election, their “name, address, email and date of birth information” was potentially breached. The commission says it used Typeform to host five forms used by citizens.

“The Electoral Commission will be contacting electors that used these services in the coming days to inform them of the breach”, the statement continued.

Clients of other customers might have less – or more – exposure, depending on the information gathered using Typeform.

The service says its customers’ payment details were not compromised, client passwords were not exposed, and all data collected since May 3rd, 2018, is safe.

End-user payment information is another matter. Typeform said that payment data is safe “If you [that is, the Typeform customer – El Reg] collected payments via our Stripe integration”. It doesn’t mention what might happen if a customer stored data like credit card info in a form. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/07/02/typeform_breach/

Hands up if you didn’t lose data in the Typeform breach

The list of organisations notifying customers that they’re affected by the Typeform data breach continues to grow – and at least one victim has publicly claimed the breached backup data was unencrypted.

Australian bakery chain Bakers Delight, “beyond banking” outfit Revolut, the Australian Republican Movement, data platform Ocean Protocol, evaluation software company DevResults, digital transformation software vendor PostShift, and England’s Shavington-cum-Gresty Parish Council have all told users they’ve been caught up in the breach.

In the main, affected organisations are using Typeform’s template, which it prepared “for you to use as part of your communications strategy”, so most of the announcements are close to identical.

However, the folk at Ocean Protocol departed from the template to include this detail in their breach post: “TypeForm has confirmed that the data was stored in an unencrypted manner which means that the data is accessible.”

In Ocean Protocol’s case, the attacker obtained “email, birthdate, place of birth, ID number, nationality, wallet address, scans of identity documents, proof of residence, proof of accreditation and for our US participants, SSN”.

Because of the breadth of its breach, Ocean Protocol is offering credit monitoring to affected customers. Its further advice included:

  • Set up 2-factor authentication on your critical online accounts, such as email and social media; and
  • Call your phone company and ask that a password be added to your account to prevent unauthorised SIM-porting.

The company also published this handy risk-assessment table about the types of data caught in the breach.

[Image: Ocean Protocol’s risk assessment table]

Digital banking company Revolut said it’s affected, but in the main, the only exposure was e-mail addresses and possibly Twitter handles. “For a smaller number of people, it was pre-registration details for our business product”, the post added.

PostShift said only 230 of its customers were impacted, because only one public-facing survey was hosted on Typeform.

Shavington-cum-Gresty Parish Council said only 304 of its citizens were affected, and most of those only had their e-mail address leak (in a few cases, name, postal address and postcode were included). The post added that the council will consider ending its relationship with Typeform at a July 6 communications committee meeting.

The Australian Republican Movement is also reviewing its use of Typeform.

Australian bakery chain Bakers Delight told Australian publication IT News the breach affected a customer competition, “Win a Decor Pack”. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/07/04/typeform_breach_continued/

California’s New Privacy Law Gives GDPR-Compliant Orgs Little to Fear

Others should boost their security controls to get in sync with AB 375… or get ready to be sued hundreds of dollars for each personal record exposed in a breach.

California’s newly enacted Consumer Privacy Act should have little impact for US organizations that have already implemented measures for complying with the requirements of the European Union’s General Data Protection Regulation. But for most others the mandate will likely necessitate a thorough review of their data security controls and in many cases potential updates to them. If not, they risk expensive litigation from their own customers. 

California governor Jerry Brown on June 28 signed AB 375, the California Consumer Privacy Act (CCPA) of 2018, into law. The statute – widely seen as one of the toughest privacy laws in the country – will give consumers in the state unprecedented control over any personal information about them that a company might have collected.

Starting Jan. 1, 2020, CCPA confers upon California residents the right to ask a business for all data on them that the business might have collected. It will give consumers the right to ask companies not to sell their personal data to third parties or to ask them to delete all of their personal data.

The bill requires organizations to disclose exactly what categories of personal information they collect about a consumer – before the organization can actually begin to collect the data. Organizations will have to disclose their information collection sources, the business purpose for collecting personal data, and any changes to those reasons.

Businesses will also have to disclose the categories of third parties with whom they share the information and obtain explicit opt-in consent for collecting data belonging to individuals that are younger than 16 years of age. Importantly, organizations that collect personal data on California residents cannot refuse service or provide lower service quality to individuals that don’t want their personal data to be shared or sold to others.

The biggest concern with the new law is the section pertaining to data disclosures resulting from security control failures. CCPA gives individuals the right to sue companies that violate the statute or suffer a data breach because of their failure to implement and maintain reasonable security controls and processes.

“This seems more problematic to the majority of businesses as they struggle to defend themselves against the constant barrage of cyberattacks seeking the very data that the CCPA enumerates,” says Chris Prevost, vice president of solutions at Prevoty.

CCPA allows any consumer whose personal data is exposed to sue the breached entity for damages ranging from $100 to $750 or more per exposed record. “Add in all the other breach-related costs – IT response, forensics and recovery, legal, notification, etc. – and this could push a breach into the realm of an existential threat for many businesses.”

The law, which privacy rights groups such as the Electronic Privacy Information Center (EPIC) have called the “most comprehensive consumer privacy state law ever enacted”, is the result of a ballot initiative in California that garnered over 660,000 signatures from residents. California’s Attorney General’s office will have the authority to enforce the law when it goes into effect in 2020.

In intent and in requirements, the California statute is very similar to GDPR. The goal is to give consumers ownership of their personal data; more control over what organizations can do with the data; and the ability to hold businesses liable for failing to adequately protect the data. With California taking the lead, many expect it is only a matter of time before other states implement identical statutes.

Some organizations and individuals have criticized the law as being rushed through the state legislature without adequate debate or a chance for organizations to weigh in on the measures. Robert Callahan, vice president of state government affairs at the Internet Association, describes the law as creating a “massive new regulatory regime” on companies. “The bill was written in a hurried and ill-considered process, and received very little input from those affected by the legislation,” Callahan says. “Changes will be necessary as businesses of all types look at implementation.” Others have called the bill’s language vague and open to interpretation.

However, for enterprise security teams that have implemented practices such as strong access control, data encryption, data anonymization, data minimization, and formal incident response capabilities, CCPA should have relatively little impact.

“It may seem a big demand on organizations, but in reality, it shouldn’t be,” said Terry Ray, chief technology officer at Imperva. Many global organizations have already implemented similar requirements for GDPR over the last few years. So organizations that want help implementing CCPA requirements have plenty of existing materials, practices, and products to get started, he said. “Whether it’s serendipitous or planned by California, following GDPR might have helped get organizations ready for CCPA.”

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.

Article source: https://www.darkreading.com/attacks-breaches/californias-new-privacy-law-gives-gdpr-compliant-orgs-little-to-fear/d/d-id/1332217?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Smash-hit game Fortnite is dangerous… for cheaters: Tools found laced with malware

Free third-person slaughter-fest Fortnite has attracted more than 100 million players – but many of them are falling foul of malware infections as they try to beat other players.

Since last week, game streaming shop Rainway noticed an increasing number of alarms popping up on its security logs, and was at first rather puzzled by this. The only common factor to all these was that they all came from people playing Fortnite and that they followed a similar pattern.

“These are attempts to call various ad platforms; the first thing we should note is Rainway does not have ads on it which was an immediate red flag,” wrote CEO Andrew Sampson.

“The first URL, in particular, is JavaScript which is attempting to act and running into an error, triggering our logging. For security and privacy reasons we’ve always whitelisted URLs and the scope of what they can do from within Rainway – it seems now it has the unintended side effect of shining a light on a much broader issue.”

By the time the number of user incidents had risen to over 381,000, the staff decided to do some testing. They figured that people were trying to run cheat tools for the game, and that these tools were causing the issues.

Way, way back in the day, cheating at computer games was easy. Game writers created codes that could make a game radically easier after typing in a few characters. These days there are a whole host of sneaky tools that can improve your aim, fire the instant someone is in your sights, or slow rival players.

The Rainway team downloaded all the Fortnite cheat tools they could find and ran some tests – and the results weren’t good: every one of them had a malicious component.

The biz found the package that was causing the issue: it was a piece of software billing itself as both an aiming assistant and a way to harvest V-bucks, Fortnite’s currency for in-game purchases. The cheatware also set up a man-in-the-middle attack.

The app, now removed, had over 78,000 downloads and it may be hosted in multiple locations. Fortnite’s publisher Epic needs to harden up its platform, Sampson suggested, and educate its users about cheatware. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/07/03/malware_writers_cash_in_on_fortnite_players_who_like_to_cheat/

Budget hotel chain, UK political party, Monzo Bank, Patreon caught in Typeform database hack

More entities affected by the computer security breach at web form and survey company Typeform have come forward, including budget hotel chain Travelodge and UK political party the Liberal Democrats.

The survey-as-a-service biz discovered on 27 June that an intruder had accessed files from a “partial backup” dated 3 May containing what it termed as “partial information”.

The third-party supplier has contacted its customers, which include the Electoral Commission for the State of Tasmania and Fortnum & Mason among many others, to detail the specific impact on them.

An email sent to Travelodge customers – seen by The Register – stated it has been “working very closely with Typeform to establish the facts”, and claimed customers’ accounts, bookings, passwords and payment details were not affected by the breach.

“However, Typeform believe that your first name, date of birth, mobile number, email address have been acquired by an unauthorised third party,” the letter from Travelodge stated.

“While we have not been made aware of any fraudulent use to date, it is possible that you could receive unwanted contact and your details may be used to find out more about you,” it added. “You should therefore remain vigilant for any unusual activity.”

The hotel chain confirmed it has contacted the Information Commissioner’s Office, as have the Lib Dems, which also wrote to its supporters confirming its Member Experience Survey had been exposed.

“This survey contained your name and email address, so please watch out for potential phishing scams or spam emails. This survey also contained information about your political opinions, such as the campaigns and policy areas most important to you,” the note stated.

A spokeswoman at Travelodge sent us a statement: “We sincerely regret any inconvenience this incident may cause.”

No financial or other sorts of data were compromised, the hotel chain assured customers. The Lib Dems said that Typeform had “responded immediately and fixed the source of the breach,” but added:

We are in communication with Typeform and will be re-evaluating our relationship with them in light of this incident. We take the security of our data seriously and if we are not satisfied that sufficient steps have been taken to secure your data, we will terminate our relationship with Typeform.

Startup bank Monzo, which was caught up in the Ticketmaster hack, has also warned its customers. Again, it has assured customers that all is well.

“Our initial investigations suggest that some personal data of about 20,000 people is likely to have been included in the breach,” the bank wrote. “For the vast majority of people, this was just their email address. For a much smaller proportion of others, this may have included other data like their Twitter username or postcode.”

Monzo has also stated that “no one’s bank details have been affected, and your money and account are safe.”

We’ve also learned that subscription content platform Patreon used Typeform and has warned users their names and email addresses may have been compromised. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/07/03/hotel_chain_and_uk_political_party_caught_out_by_typeform_breach/