STE WILLIAMS

Researchers to study perceived link between cybercrime and autism

A new research project will look into whether the perceived link between cyber crime and “autistic-like personality traits” really exists. The project, a collaboration between the University of Bath’s Centre for Applied Autism, the National Crime Agency (NCA) Cyber Crime Unit and Research Autism, and summarised on Research Autism’s site, will assess the characteristics of known cyber offenders and then compare them with those of non-cyber offenders and the general public.

The perception that the link is real is quite evident. The Independent reports:

Autism and traits of the condition appear to be more prevalent among cyber criminals than for other types of crime but the link remains unproven.

The paper also notes that “there is a perception among law enforcement agencies that a significant number of those being arrested in connection with cybercrime may be on the autism spectrum”. Reading the Police Professional article on the topic, I got a sense that law enforcement has already drawn its own conclusions:

By investigating potential connections between the developmental disorder, computer skills and offending, the researchers hope to better understand the motivations and characteristics of potential criminals.

I am actually quite saddened to see individuals who are, as Parent Herald describes, not only “very good at coding and recognizing patterns” but also being “exploited by gangs who organize crimes over the internet” described as potential criminals. You might even say they should be seen instead as potential victims. For any parent with an autistic child, the possibility that their child could become a victim of exploitation can be very worrying, as the Parent Herald notes:

It is very challenging for the parents of children with autism because [the] computer, technology, and [the] internet are among the “best friends” of most of their kids.

After all, as Richard Mills, the research director at Research Autism and co-author of the preliminary study, which found “no empirical evidence to suggest a prevalence or an over-representation of autistic individuals committing cyber crime offences”, commented in the Parent Herald:

The majority of those who get involved with this are not the so-called mastermind hackers, they are people who are very good at coding.

The images chosen by both the Independent and Computerworld to portray their stories show a lack of understanding. I find them quite disturbing.

While Research Autism’s summary shows that the research is focused on understanding “the motivations and characteristics of people likely to commit cybercrime and how they became involved”, the media prefers to focus its attention on the crimes, implying that it is these that are being investigated. According to The Stack:

The cyber-dependent crimes to be investigated will include hacking, malware, DDoS attacks and illegal activities on the ‘dark web’.

I’m hoping that the research will take an interesting paper published by the NCA last year one step further. While this paper looks at why young people get involved in cybercrime and how to prevent it, I’d like to see it expanded to specifically look at the motivations and pathways of autistic youngsters. After all, they view and understand the world differently, which makes for very different risk profiles.

Let’s remember, on the autism spectrum or not, only a small percentage of youngsters are drawn into cybercrime. And while the pathways and motivations will be different for each individual, any research that helps prevent youngsters being exploited by professional criminals is a good thing in my book.

 

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/vj_EXcV7tKM/

Geek Squad under fire for ‘cozy’ and ‘extensive’ links to FBI

When Best Buy customers need to retrieve lost data, stores from around the US send their computer equipment to a giant Best Buy repair shop in Brooks, Kentucky, for its Geek Squad techs to work on…

…and, apparently, to search for child abuse imagery on behalf of the FBI.

Unbeknown to customers, recent federal court documents claim, the Geek Squad techs have been in a “cozy” secret relationship with the FBI, which over a few years has trained and paid them to search for child abuse imagery on computer equipment. Geek Squad employees have gone so far as to search unallocated space on hard drives, i.e. the disk areas not currently assigned to any file, where remnants of deleted files linger until they are overwritten and which forensics specialists examine with specialised carving tools.

That’s what happened to Mark Rettenmaier, a California gynaecologist, who took his HP Pavilion computer to Best Buy for repair in 2011 because it wouldn’t boot. When Geek Squad techs ran a search, they retrieved a deleted image of a young girl.

His house was subsequently searched, and Rettenmaier was indicted in November 2014 by a federal grand jury on two counts of possessing child abuse imagery.

But as the case has dragged on and documents have come to light, it’s looking like that image, and others like it, might not be admissible as evidence, given that the Geek Squad employees are accused of acting as government agents.

Defense attorney James D Riddet:

Their relationship is so cozy and so extensive that it turns searches by Best Buy into government searches. If they’re going to set up that network between Best Buy supervisors and FBI agents, you run the risk that Best Buy is a branch of the FBI.

Whether Geek Squad City technicians acted as government agents, by accepting FBI payments, regularly speaking with FBI agents (on a first-name basis) and referring cases to them over several years, and working with them to create a program to search for abuse images, is central to whether their searches are admissible as evidence.

That’s because government agents must first obtain a warrant, based on probable cause, to search a computer. Otherwise Fourth Amendment protections against unreasonable search and seizure come into play, as does the question of privacy violation, potentially turning the Geek Squad technicians’ scouring of computers into warrantless searches by law enforcement.

According to the court documents in USA v. Mark Rettenmaier, the FBI has been paying Best Buy supervisors for the work, and management has been fully aware of it. The bureau has also been guiding Geek Squad technicians as they develop a program to find abusive content.

The court records don’t give many details on the frequency or amount of the payments, but according to documents and testimony, the FBI paid a number of Geek Squad employees $500 or $1,000 for the work.

The Geek Squad supervisor who alerted the FBI to the photo, Justin Meade, has denied being paid by the FBI, though prosecutors have acknowledged that the FBI paid Meade $500 in October 2011: two months before his co-worker found the photo.

According to a judge’s order, defense lawyers found that the FBI had cultivated eight “confidential human sources” in the Geek Squad between October 2008 and November 2012, with all of them receiving some payment.

The government faces more than one problem with its case against Rettenmaier. As the journalist who first reported the case, the Orange County Register’s R Scott Moxley, pointed out, a few weeks before Rettenmaier was arrested federal judges ruled in a separate case that child abuse images found in unallocated space couldn’t support a possession conviction, because there is almost no way to establish who put them there, who viewed them, or when and why they were deleted.

FBI agent Cynthia Kayle knew that Geek Squad informants had found the image in unallocated space: a fact that, Riddet claims, the FBI failed to tell a magistrate judge who gave the investigation the go-ahead. Riddet is also claiming that the FBI falsified an official timeline to hide warrantless searches.

On Monday, Best Buy provided the Washington Post with a statement denying any relationship between the company and the FBI. Any employees who were paid did so of their own accord and through their own poor judgment, Best Buy said:

Best Buy and Geek Squad have no relationship with the FBI. From time to time, our repair agents discover material that may be [child abuse imagery] and we have a legal and moral obligation to turn that material over to law enforcement. We are proud of our policy and share it with our customers before we begin any repair.

Any circumstances in which an employee received payment from the FBI is the result of extremely poor individual judgment, is not something we tolerate and is certainly not a part of our normal business behavior.

At this point, a federal judge is allowing defense attorneys to probe the relationship between Best Buy and the FBI at a hearing in Los Angeles starting on Wednesday. A trial is tentatively scheduled to begin on June 6 in Santa Ana.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/7zyKjQAHPPE/

WikiLeaks spills source code files for CIA’s Marble Framework

Late last week, WikiLeaks dropped a third batch of documents as part of its Vault7 project, this time detailing what the CIA called the “Marble Framework”. Its purpose: to obfuscate text strings within CIA malware so that forensic analysts cannot trace the code back to the CIA.

The Marble leak is massive, with 676 source code files. In press reports, some security experts have called it the most “technically damaging” dump so far.

WikiLeaks describes how it works on its website. Among other things, it said:

Marble forms part of the CIA’s anti-forensics approach and the CIA’s Core Library of malware code. It is “[D]esigned to allow for flexible and easy-to-use obfuscation” as “string obfuscation algorithms (especially those that are unique) are often used to link malware to a specific developer or development shop.” The Marble source code also includes a deobfuscator to reverse CIA text obfuscation. Combined with the revealed obfuscation techniques, a pattern or signature emerges which can assist forensic investigators attribute previous hacking attacks and viruses to the CIA. Marble was in use at the CIA during 2016. It reached 1.0 in 2015.

WikiLeaks’ post does note that the framework is used for obfuscation only and does not contain any security holes or exploits by itself.
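To make the attribution point concrete, here is a toy string-obfuscation scheme with its deobfuscator and a scanner that recovers obfuscated strings from a binary blob. This is an added illustration written for this page, not Marble’s code: the MAGIC marker, the header layout and the key-update rule are invented, and the sample “binary” is constructed. What it shows is the double edge WikiLeaks describes: the same idiosyncratic scheme that hides strings from a casual `strings` run becomes a signature once the deobfuscator is known.

```python
"""Toy string-obfuscation scheme, its deobfuscator, and a scanner that pulls
obfuscated strings back out of a binary. Added for this page to illustrate
the point above; it is not Marble's code. The MAGIC marker, the header layout
and the key-update rule are invented."""

MAGIC = b"\x7f\x2a"  # invented 2-byte marker the deobfuscation stub would look for


def _keystream(seed: int, length: int) -> bytes:
    """Rolling XOR key. The update rule is the kind of idiosyncratic choice
    that, once known, ties every sample using it to the same shop."""
    out = bytearray()
    k = seed
    for _ in range(length):
        out.append(k)
        k = (k * 3 + 1) & 0xFF
    return bytes(out)


def obfuscate(s: str, seed: int) -> bytes:
    """Layout: MAGIC | seed | length | XOR-rolled bytes."""
    data = s.encode("utf-8")
    if not 0 <= seed <= 0xFF or len(data) > 0xFF:
        raise ValueError("seed must fit in a byte and the string in 255 bytes")
    body = bytes(b ^ k for b, k in zip(data, _keystream(seed, len(data))))
    return MAGIC + bytes([seed, len(data)]) + body


def deobfuscate(blob: bytes) -> str:
    """Inverse of obfuscate(); works on any buffer that starts with a blob."""
    if len(blob) < 4 or blob[:2] != MAGIC:
        raise ValueError("not an obfuscated string")
    seed, n = blob[2], blob[3]
    body = blob[4:4 + n]
    if len(body) != n:
        raise ValueError("truncated blob")
    return bytes(b ^ k for b, k in zip(body, _keystream(seed, n))).decode("utf-8")


def find_obfuscated_strings(binary: bytes) -> list:
    """Signature scan an analyst can run once the scheme is known: find every
    MAGIC, try to decode, keep decodes that look like printable text."""
    found = []
    pos = binary.find(MAGIC)
    while pos != -1:
        try:
            s = deobfuscate(binary[pos:])
            if s and all(0x20 <= ord(c) < 0x7F for c in s):
                found.append(s)
        except (ValueError, UnicodeDecodeError):
            pass  # MAGIC bytes that happened to occur in unrelated data
        pos = binary.find(MAGIC, pos + 1)
    return found


# Constructed stand-in for a compiled sample: header-like bytes, padding, two
# obfuscated strings, more padding. Nothing here comes from a real binary.
SAMPLE_BINARY = (
    b"MZ\x90\x00" + b"\x00" * 12
    + obfuscate("C:\\Windows\\Temp\\svc.dll", 0x41)
    + b"\xcc" * 8
    + obfuscate("http://c2.example.invalid/beacon", 0x9C)
    + b"\x00" * 8
)

if __name__ == "__main__":
    for s in find_obfuscated_strings(SAMPLE_BINARY):
        print(s)
```

Running the scanner over `SAMPLE_BINARY` recovers both embedded strings; the same logic, expressed as a YARA rule or a disassembler script keyed on the real scheme’s constants and key-update arithmetic, is what lets an investigator group otherwise unrelated samples under one author.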

UC Berkeley researcher Nicholas Weaver told the Washington Post that this could be the most “technically damaging” document drop since Vault7 was launched, “as it seems designed to directly disrupt ongoing CIA operations and attribute previous operations”.

In the Post article, the CIA vented its anger over the ongoing leaks. Spokesman Dean Boyd told the publication:

Dictators and terrorists have no better friend in the world than Julian Assange, as theirs is the only privacy he protects. The American public should be deeply troubled by any WikiLeaks disclosure designed to damage the intelligence community’s ability to protect America against terrorists and other adversaries. Such disclosures not only jeopardize US personnel and operations but also equip our adversaries with tools and information to do us harm.

The Vault7 leaks

This was the third release in WikiLeaks’ Vault7 operation. The second dump, a couple of weeks ago, outlined a program called “Dark Matter” in which the agency built tools to compromise Apple devices over at least a decade.

The first leak announced Vault7 and gave a “Year Zero” overview introducing the scope and direction of the CIA’s global covert hacking program, its malware arsenal and dozens of weaponized zero-day exploits against a wide range of US and European company products, including Apple’s iPhone, Google’s Android, Microsoft’s Windows and even Samsung TVs, which were apparently turned into covert microphones.

Helping or hurting?

After the first leak, Naked Security asked security experts if they thought WikiLeaks was doing a valuable public service or doing serious damage to US security.

At the time, Eric Cowperthwaite, former VP of strategy for Core Security and now director of managed risk services for Edgile, said he was torn. He was reminded of the Chelsea Manning case. Manning was a United States Army soldier convicted by court-martial in 2013 for violating the Espionage Act and other offenses, after giving WikiLeaks nearly three-quarters of a million classified and/or sensitive military and diplomatic documents. Cowperthwaite said:

There is good and bad in this. We know that some of the Manning leaks had impacts on military operations. That was part of Manning’s trial. I also found it interesting that Wikileaks alleges that the US Intelligence Community has a problem keeping its cyberwar tools off the black market. And if the CIA, NSA, etc. can’t keep these things under control, that is something that citizens should know.

As to the extent of the damage these releases will do to the CIA in the longer term, the jury is still out. Experts say it will take the agency some time to assess, and it’s unclear how it will adjust its techniques as a result.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/NUuhgMFNn64/

Everything’s fine, says Cylance, as ‘one in five’ workers given the boot

+Comment Prominent next-gen antivirus vendor Cylance has confirmed a wide-ranging restructure involving job cuts.

In response to queries based on an anonymous tip to El Reg on Tuesday that as many as one in five workers had been shown the door, Cylance confirmed it was restructuring its business without commenting on the job cut numbers that were the focus of our question.

Yes, the company did realign some resources to balance skill sets and focus on our strongest growth areas. Given the rapid growth over the past few years we had to move some resources and redeploy in other areas and this will enable us to continue expanding product lines and customer base globally.

The statement followed an earlier response that painted a rosy picture of Cylance’s business performance.

Cylance has experienced unprecedented growth and each fiscal year we have realigned our resources to support our strategic direction. These changes are a normal part of balancing business needs and company capabilities that we carry out each year. Our focus remains on our customers and removing legacy antivirus and weak protection layers to protect the world from cyber attacks. Cylance is on pace to more than double revenues year over year in FY17.

Cylance was founded in 2012 and aims to differentiate itself in the crowded anti-malware market by emphasising its use of machine learning techniques.

The firm closed a $100 million Series D funding round last June. Insight Venture Partners and funds managed by Blackstone Tactical Opportunities led the round. Cylance counts Dell Ventures as an investor and Dell Inc as a technology partner.

At the time of the funding round the firm boasted 425 employees and more than 1,000 customers, including 50 of the Fortune 500, as well as launches worldwide. Cylance was positioned as a visionary in the 2016 Gartner Magic Quadrant for Endpoint Protection Platforms.

+Comment

It sounds very impressive. And at Black Hat and other tech conferences, we have seen Cylance’s booth drawing in the sysadmin and CISO crowd for cut-down demos of its technology (the full fat Cylance Unbelievable presentations to media last a bladder-challenging two hours plus). Potential customers are interested in the ability of the technology to offer a much smaller footprint and greater agility in defending against new threats compared with competitors such as Symantec and McAfee.

But significant false positives appear to be a fly in the ointment. Cylance is said to flag up everything from software deployment packages to Office365 automatic updates as potentially malign, although it contests this claim (PDF).

Resolving this might involve whitelisting and other measures, we are told, contrary to claims of easy deployment. This issue may explain why pilot programs in Fortune 500 firms are not graduating to prime time at the rate Cylance’s investors would hope for.

This could be a teething problem but it shows yet again that the computer malware problem is a tough nut to crack, despite frequent and long-standing marketing claims to the contrary. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/05/cylance_restructuring/

Half a million ‘de-identified’ patients records to be shared in Bradford

Bradford is to share the “de-identified” medical data of half a million patients from 88 GP surgeries across the region, in a bid to improve treatments for frailty and childhood obesity.

Under the Connected Health City project, the data will be shared across two trusts, three clinical commissioning groups, Bradford Council and the Sue Ryder charity for palliative care.

It will be accessed by primary, secondary and community services and by research teams across the city, with the findings to be shared with other Northern cities through the Connected Health Cities network.

Professor John Wright, director of the Connected Yorkshire Connected Health City said: “We will be working with clinicians and patients to develop cutting edge approaches to how linked data can improve the quality and safety of health care we provide in the NHS.”

According to the release, data used in Bradford will be stored and analysed securely at Bradford Teaching Hospital and accessed only by approved professionals, with personal identifiers such as name and full date of birth removed before analysis. Removing direct identifiers is a minimum rather than a guarantee: linked records that keep event dates, partial postcodes and rare diagnoses can often be matched back to individuals, so the access controls and approval process carry as much weight as the redaction.

However, last month it was revealed that medical records of 26 million patients could be subject to a security breach amid warnings that the IT system used by thousands of GPs is not secure.

The Information Commissioner is investigating concerns that a facility allowing GPs at some 2,700 practices to switch on “enhanced data sharing” on their computers means their records can also be accessed by hundreds of thousands of workers across the country.

The head of the British Medical Association’s IT committee has written to all GPs who use SystmOne, owned by TPP, urging them to take “urgent action”.

“This is a serious issue with potentially huge implications for patients, GPs and TPP. At the moment GPs are at risk of complaints being made against them,” he told The Telegraph.

Coordinator of medConfidential Phil Booth said: “Patients should know how their records are used, what their consent choices are, and be able to see the claimed outcomes for them and their communities – it’s the patients who will know if this is real.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/05/bradford_to_share_half_a_million_deidentified_patients_records_across_region/

Chinese APT10 Hacking Group Suspected of Global Campaign Targeting MSPs

‘Operation Cloud Hopper’ reveals China-based attackers allegedly targeted IT service providers in 15 countries.

In what is described as “one of the largest ever sustained global cyber espionage campaigns,” China-based hacking group APT10 is suspected of orchestrating a well-planned attack on companies across 15 countries, says The Telegraph, quoting a new report. Managed IT service providers (MSPs) and other firms in countries including the UK, Japan, France, and the US have been targeted since 2016; in some cases, possibly as early as 2014.

The report, by the National Cyber Security Centre (NCSC), BAE Systems, and PwC, points to China as the perpetrator because of the pattern of attacks. It says the attackers are using malware and spear phishing methods to infiltrate MSPs, which Dr. Adrian Nish of BAE described as crucial. “Organisations large and small rely on these providers for management of core systems and as such they can have deep access to sensitive data.”

The purpose behind the unmasking operation, codenamed Cloud Hopper, is to spread awareness. The investigators believe attackers are after companies for the “sensitive information they hold, whether that’s intellectual property, or personal information on people or a whole realm of other areas.”


Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: http://www.darkreading.com/attacks-breaches/chinese-apt10-hacking-group-suspected-of-global-campaign-targeting-msps/d/d-id/1328563?_mc=RSS_DR_EDT

Web Inventor Slams US-UK Internet Plans, Cites Privacy Concerns

Sir Tim Berners-Lee, recipient of the Turing Award, criticizes moves to undermine encryption and promises to fight for net neutrality.

Sir Tim Berners-Lee, inventor of the World Wide Web, has voiced concerns over recent Internet policies adopted by the US and UK, and vows to fight them, BBC News reports. Sir Tim will receive the Turing Award, computing’s most prestigious prize, in June 2017.

Criticizing recent moves by the UK government to weaken encryption, Sir Tim says: “Now I know that if you’re trying to catch terrorists it’s really tempting to demand to be able to break all that encryption but if you break that encryption then guess what – so could other people and guess what – they may end up getting better at it than you are.”

He condemned the UK’s recent Investigatory Powers Act, saying it’s “appalling” to think all ISPs should be required to spy on citizens and store their data for six months. In the US, he added, if the Federal Communications Commission attempted to weaken net neutrality, he would fight it.

Sir Tim expressed shock at US legislators’ vote to scrap laws preventing the sale of user data by ISPs, saying, “We’re talking about it being just a human right that my ability to communicate with people on the web, to go to websites I want without being spied on is really, really crucial.”

Read the full story on BBC News.


Article source: http://www.darkreading.com/vulnerabilities---threats/web-inventor-slams-us-uk-internet-plans-cites-privacy-concerns/d/d-id/1328562?_mc=RSS_DR_EDT

Businesses Hit by More W-2 Fraud as Cybercriminals Shift Tax Season Targets

Businesses, not individuals, are more frequently targeted with scams as cybercriminals try to cash in on tax season.

Every year, cybercriminals cash in on tax season by targeting individuals, but this year it’s a little different. It’s businesses that must be extra careful when filing, because businesses are experiencing a rise in tax-related scams, specifically W-2 fraud.

Researchers at IBM X-Force, the tech giant’s security research division, discovered more than 1400% growth in general tax-themed spam between December 2016 and March 2017.

“On top of all the usual activity — consumer tax fraud, filing on others’ behalf — we began to see that businesses are being targeted a lot more,” says Limor Kessem, executive security advisor for IBM Security.

In the past, she says, tax fraud against businesses was the purview of advanced attackers only. This year, researchers saw a rise in social engineering attacks on smaller organizations such as schools, non-profits and restaurants as fraudsters go after the “low-hanging fruit” of the corporate world.

Cybercriminals often collect W-2 data by pretending to be a company exec and emailing HR or payroll for employee information, which is used to file fraudulent returns and collect refunds. In addition, they may also request a wire transfer to a specific bank account.

Attackers who are more technically inclined may bypass the fake emails and breach an organization’s servers to steal data directly, says Kessem.
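One way a payroll or HR mailbox can triage requests like the ones described above, written as an added example for this page rather than anything from IBM’s report: it parses a message with Python’s standard `email` library and flags the usual impersonation tells (an executive’s display name on an outside address, a diverted Reply-To, an external domain, a request for W-2 or payroll data). The internal domain, the executive directory and both messages are constructed assumptions.

```python
"""Added example, not from IBM's report or Dark Reading: triage for the
executive-impersonation requests described above, using only the standard
library. INTERNAL_DOMAIN, EXECUTIVES and both messages are constructed."""
import email
from email import policy
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"  # assumed: the organisation's own mail domain
# Assumed directory entry: display name as it appears in the address book -> real address.
EXECUTIVES = {"Dana Chief": "dana.chief@example.com"}
# Phrases that mark a request for the data W-2 scammers are after.
SENSITIVE_TERMS = ("w-2", "w2", "payroll", "wire transfer", "ssn", "social security")

# Constructed phishing message: executive's name on a look-alike domain, replies
# diverted to a free mailbox, urgency, secrecy, and a bulk request for W-2s.
PHISH = """\
From: Dana Chief <dana.chief@examp1e.invalid>
Reply-To: dana.chief.ceo@webmail.invalid
To: payroll@example.com
Subject: Urgent - need all employee W-2s today
Date: Wed, 05 Apr 2017 09:12:00 -0400

Hi, I'm in meetings all day. Please send me the W-2 forms for every employee
as a single PDF so I can review them before the filing deadline. Keep this
between us for now.
"""

# Constructed benign message from the real executive, for comparison.
BENIGN = """\
From: Dana Chief <dana.chief@example.com>
To: payroll@example.com
Subject: Lunch on Thursday?
Date: Wed, 05 Apr 2017 09:20:00 -0400

Are you free to grab lunch on Thursday?
"""


def score_message(raw: str) -> dict:
    """Return the impersonation indicators found and whether to hold the mail."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg["From"])
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    findings = []

    # 1. An executive's display name on an address that is not that executive's.
    if name in EXECUTIVES and addr != EXECUTIVES[name]:
        findings.append("exec_display_name_mismatch")
    # 2. Sender presents as a colleague but the message comes from outside.
    if domain != INTERNAL_DOMAIN:
        findings.append("external_sender")
    # 3. Replies are steered to a different mailbox than the visible sender.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to != addr:
        findings.append("reply_to_mismatch")
    # 4. The message asks for the data the scam exists to collect.
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    text = f"{msg['Subject']} {body}".lower()
    if any(term in text for term in SENSITIVE_TERMS):
        findings.append("requests_sensitive_data")

    # Two or more independent indicators is a strong signal; a single one
    # (e.g. an outside vendor mentioning payroll) is not.
    return {"findings": findings, "hold_for_review": len(findings) >= 2}


if __name__ == "__main__":
    print(score_message(PHISH))
    print(score_message(BENIGN))
```

The threshold is deliberately more than one indicator: a legitimate outside accountant asking about payroll trips “external_sender” and “requests_sensitive_data” on its own, so in production the rules would be weighted and the hold would route to a human rather than bounce the mail.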

In addition to using W-2 data for their own scams, fraudsters will sell it on the dark web, the report states. The most valuable bundles of information are called “Fullz” and contain the victim’s address, contact info, Social Security and driver’s license numbers, plus all W-2 and W-9 information. Each record runs for $40-$50 in Bitcoin on the Dark Web.

With all this data for $50 per record, harmful activity doesn’t have to stop at tax fraud, Kessem notes. Cybercriminals can buy and use this data for other scams like identity theft or online loan applications.

Tax-related risks increase as the filing deadline approaches. Roughly one-third of US tax filers (54 million people) filed after April 1 in 2016, giving fraudsters a larger window of opportunity to strike. Tax-related cybercrime won’t stop after April 18, 2017, either.

“There are a number of people filing after the deadline,” says Kessem, noting the popularity of extensions. “Criminals don’t have to stop then. There are millions who will still be interested in tax-themed emails.”

However, their tax scam strategies will shift after the deadline as cybercriminals move from stealing data to infecting machines with malware. Because victims may expect messages indicating problems with their returns, they are more likely to open potentially malicious attachments, Kessem explains.

Researchers believe data sets sold on the Dark Web are a sign that fraudsters are stealing tax info from employer databases — meaning they get it before the taxpayers. Here are a few steps consumers and businesses can take to protect themselves:

  • Don’t delay: File as soon as you receive the paperwork. It can take a while to discover if your data has been compromised. Waiting gives cybercriminals more time to use your information.
  • Ask for verification: Phishing attacks often pretend to come from popular tax filing software vendors. If you plan to file your own taxes online, access the vendor’s site directly, and don’t click links or open attachments in vendor messages.
  • Don’t answer online requests: Fake IRS-themed emails use logos and subject lines to trick taxpayers into responding. The IRS never contacts taxpayers via email, text message, or social media to ask for personal data, so don’t reply to requests through these channels.
  • Get an IP PIN: Set up an Identity Protection PIN (IP PIN), a six-digit number the IRS issues to taxpayers to prevent misuse of their Social Security number on fraudulent tax returns. Eligibility is limited; check the IRS website.


Kelly is an associate editor for InformationWeek. She most recently reported on financial tech for Insurance Technology, before which she was a staff writer for InformationWeek and InformationWeek Education.

Article source: http://www.darkreading.com/attacks-breaches/businesses-hit-by-more-w-2-fraud-as-cybercriminals-shift-tax-season-targets/d/d-id/1328564?_mc=RSS_DR_EDT

GDPR Doesn’t Need to be GDP-Argh!

These 10 steps will ease the pain of compliance with the General Data Protection Regulation, the EU’s new privacy law that goes into effect in a little over a year.

If your organization does business with Europe, or more specifically does anything with the personal data of individuals in the EU, you’re going to be living the dream (or perhaps nightmare) that is preparing for the General Data Protection Regulation (GDPR).

For many organizations, this is going to be a tedious exercise; even if you have implemented processes and technologies to meet current regulations, there is still work to be done to steer clear of penalties. And, as you might expect, infringement carries heavy fines: up to €20 million or 4 percent of worldwide annual turnover, whichever is higher, depending on the violation.

The regulation comes into effect on May 25, 2018, at which point organizations will be held accountable immediately. It’s hard to say exactly how organizations are doing, but depending on which news you choose to read, it doesn’t appear that many are ready. And for good reason.

For one thing, preparing for GDPR is likely to be a cross-functional exercise, as legal, risk and compliance, IT, and security all have a part to play. Some organizations will need to adopt new roles and responsibilities, such as appointing a data protection officer and nominating representatives within the EU to be points of contact.

So, with just over a year to get this sorted, what do you need to do?

If you’re just beginning your GDPR compliance quest, start by having employees attend training on best practices for implementing GDPR. Training can also save you from costly fines down the line, which, for the most serious infringements, can reach 4% of your organization’s worldwide annual turnover for the previous financial year.

You’ll also need to determine where the personal data of EU residents physically resides, the categories of personal data you control or process, how and by whom it is accessed, and how it is secured. In addition, processes for access control, incident detection and response, and breach notification will need review or implementation.

To help get you started, I’ve put together a list of 10 steps your company can take toward becoming GDPR-compliant:

Step 1: Encrypt data both at rest and in transit. Why? If you are breached but the personal data was rendered unintelligible to the attacker (encrypted, with the keys not exposed in the same breach), GDPR does not require you to notify the individuals whose data was taken. The supervisory authority must still be notified unless the breach is unlikely to result in a risk to individuals, so encryption reduces your obligations rather than removing them.

Step 2: Limit access. The idea of a “need-to-know basis” has been around in the military for eons. The same discipline now needs to apply to personal data. Review who has access to personal data and why, then revoke rights as necessary. When collecting personal data you will need to state the purposes of the processing and the recipients, or categories of recipients, of the data. Shared admin accounts and inflated user privileges are bad practice anyway, but under GDPR they become totally unacceptable.

Step 3: Have a broad-based vulnerability management process in place. Make sure you’re scanning all devices on your network to maintain visibility into weaknesses in your infrastructure. If you have remote employees, don’t forget about them! Remote workers create additional risk because their devices can house sensitive data while they are connected to unsecured networks. Ensuring the ongoing confidentiality, integrity, and availability of all systems across your company is key.

Step 4: Backups. Backups. Backups. Make backups! Not just in case of a dreaded ransomware attack, but as a good housekeeping practice in case of storage failure, asset loss, natural disaster, even a full cup of coffee spilled on a laptop. If you don’t currently have a backup vendor in place, there are a number of server and database options available. Disaster recovery should always be high on your list, regardless of the regulations you are required to meet.

Step 5: Secure your web applications. Privacy-by-design needs to be built into processes and systems. If you’re collecting personal data via a web app, and still using http/clear text, then it’s likely you already have a problem.

Step 6: Pen tests are your friend. Attacking your own systems and environment to understand your weak spots will tell you where you need to focus. It’s also better to go through this exercise with an opportunity to course-correct than to wait for an attacker to point out your weaknesses by getting onto your network. You can do this internally or employ a professional team to perform regular external tests.

Step 7: Detect attackers quickly and early. Finding out that you’ve been breached long after the fact is an all too common scenario. The Verizon Data Breach Investigations Report has called out compromised credentials as a top attack vector, yet many organizations still can’t detect when those credentials are used by attackers. User behavior analytics is one way to quickly investigate and remediate anomalous account activity within your environment. Deploying deception technologies, such as honeypots and honey credentials, is another strategy for spotting attackers early.

Step 8: Don’t ignore shadow IT. You likely have some approved cloud services deployed already, but unless you’ve switched off the internet, it’s also likely that unsanctioned services and apps are in use in your environment, holding data that needs to be protected.

Step 9: Prioritize and respond to the alerts your security products generate daily. Attackers can easily take advantage of the flood of information bombarding security teams every day. It’s great if you have a SIEM in place and have the capability to respond 24/7. (Attackers work evenings and weekends too!) But if you don’t have a SIEM, or the time or budget to take on a traditional deployment, consider products or managed offerings that can offer round-the-clock protection.

Step 10: Don’t wait for an attack to engage an incident response team. GDPR stipulates that personal data breaches be reported to a supervisory authority within 72 hours of the organization becoming aware of them, where feasible. But aside from the reporting requirement, it’s critical to contain the attack and limit damage as quickly as possible. So if you don’t have dedicated IR capabilities in-house, at least have a clear and fast route to third-party services. That means vetting and engaging potential vendors and partners in advance so you know exactly who to call, with the necessary expertise, should the worst happen.
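The two detection techniques named in Step 7, baseline-based account anomaly detection and honey credentials, as an added example written for this page (not Rapid7’s or Dark Reading’s code). It runs over constructed JSON-lines authentication events; the log format, the per-user network baseline, the decoy account names and the 30-minute window are all assumptions.

```python
"""Added example (not Rapid7's or Dark Reading's code): a small detector for
the two techniques Step 7 names, baseline-based account anomaly detection and
honey credentials, run over constructed authentication events. The log format,
the baseline and the decoy account names are assumptions for this page."""
import json
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample events in JSON-lines form, as a log shipper might emit them.
SAMPLE_LOG = """\
{"ts": "2017-04-05T08:02:11Z", "user": "alice", "src": "10.20.30.14", "result": "success"}
{"ts": "2017-04-05T08:05:40Z", "user": "bob", "src": "10.20.31.7", "result": "success"}
{"ts": "2017-04-05T08:31:02Z", "user": "alice", "src": "203.0.113.45", "result": "success"}
{"ts": "2017-04-05T11:15:30Z", "user": "svc-backup-ro", "src": "203.0.113.45", "result": "failure"}
{"ts": "2017-04-05T11:16:02Z", "user": "bob", "src": "10.20.31.7", "result": "failure"}
{"ts": "2017-04-05T11:16:09Z", "user": "bob", "src": "10.20.31.7", "result": "success"}
"""

# Where each real user normally authenticates from. In practice this is learned
# from weeks of history; it is hard-coded here as an assumption.
BASELINE = {
    "alice": [ip_network("10.20.30.0/24")],
    "bob": [ip_network("10.20.31.0/24")],
}

# Decoy accounts that exist in the directory but have no legitimate use; any
# attempt to use them means someone has harvested credentials.
HONEY_ACCOUNTS = {"svc-backup-ro", "admin-legacy"}

# Two successful logins from different networks closer together than this are
# treated as one credential being used from two places at once.
RAPID_CHANGE_WINDOW = timedelta(minutes=30)


def parse_events(text):
    """Turn JSON lines into dicts with typed timestamp and address, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ev["src"] = ip_address(ev["src"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def _alert(rule, severity, ev):
    return {"rule": rule, "severity": severity, "user": ev["user"],
            "src": str(ev["src"]), "ts": ev["ts"].isoformat()}


def detect(text):
    """Return alerts in event order: honey-credential use (any outcome),
    successful logins outside the user's baseline networks, and successful
    logins that hop networks within RAPID_CHANGE_WINDOW."""
    alerts = []
    last_success = {}  # user -> (timestamp, network of the source)
    for ev in parse_events(text):
        user, src = ev["user"], ev["src"]
        if user in HONEY_ACCOUNTS:
            # Even a failed attempt matters: nobody should know this account exists.
            alerts.append(_alert("honey_credential_used", "critical", ev))
            continue
        if ev["result"] != "success":
            continue
        if user in BASELINE and not any(src in net for net in BASELINE[user]):
            alerts.append(_alert("login_from_unknown_network", "medium", ev))
        prefix = 24 if src.version == 4 else 64
        net = ip_network(f"{src}/{prefix}", strict=False)
        prev = last_success.get(user)
        if prev and prev[1] != net and ev["ts"] - prev[0] <= RAPID_CHANGE_WINDOW:
            alerts.append(_alert("rapid_network_change", "high", ev))
        last_success[user] = (ev["ts"], net)
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a)
```

On the sample, alice’s second login trips both the baseline and the rapid-change rule, the decoy account trips the honey rule on a failed attempt, and bob’s single failure followed by success from his usual network produces nothing, which is the balance you want: loud on the signals that are almost never benign, quiet on ordinary typos.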



 

Samantha is responsible for ensuring Rapid7’s international markets receive the proper solutions messaging, collateral, and information. She also trains sellers (internal and partners) on security concepts and solutions.

Article source: http://www.darkreading.com/endpoint/gdpr-doesnt-need-to-be-gdp-argh!/a/d-id/1328568?_mc=RSS_DR_EDT

Patch Qubes to prevent pwnage via Xen bug

Xen has a critical bug that means Qubes 3.1 and 3.2 need an immediate patch, for Xen packages between 4.6.4 and 4.6.26.

An earlier patch introduced the bug, which according to the advisory is an insufficient check on the XENMEM_exchange input, “allowing the caller to drive hypervisor memory accesses outside of the guest provided input/output arrays.”

As a result, a malicious 64-bit PV guest could read “all of system memory”, with catastrophic results: privilege escalation, host crashes and information leaks. Chained with a bug that gives an attacker code execution inside one of the VMs (in a browser, networking stack or USB stack, for example), it would let that attacker “compromise a whole Qubes system”.
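The mechanism the advisory describes, an input check that lets a guest steer the hypervisor’s array accesses out of bounds, modelled in C as an added example for this page. It is hypothetical code, not Xen’s XENMEM_exchange implementation: the handler, the request layout, the sizes and the memory contents are invented, and hypervisor memory is a flat array so the bad access is observable rather than a crash. The vulnerable handler validates the array length but not the guest-controlled resume offset; the fixed one checks both.

```c
/* Model of the bug class in the advisory above: a hypercall handler that walks
 * a guest-supplied array in batches and resumes at a guest-controlled offset.
 * Hypothetical code written for this page, not Xen's; names, layout and sizes
 * are invented. Hypervisor memory is simulated by one flat array so the
 * out-of-bounds access stays observable instead of crashing. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define HV_WORDS      16   /* words of simulated hypervisor memory */
#define GUEST_WINDOW   8   /* the guest's input array occupies words 0..7 */
#define MAX_BATCH      4   /* extents handled per invocation before a continuation */

/* Words 8..15 stand in for unrelated hypervisor data the guest must never read. */
static const uint64_t hv_mem[HV_WORDS] = {
    1, 2, 3, 4, 5, 6, 7, 8,                          /* guest-provided extents (constructed) */
    0xDEAD0001, 0xDEAD0002, 0xDEAD0003, 0xDEAD0004,
    0xDEAD0005, 0xDEAD0006, 0xDEAD0007, 0xDEAD0008,
};

struct exchange_req {
    uint32_t nr_extents;   /* length of the guest's input array */
    uint32_t nr_exchanged; /* resume offset; the guest rewrites it between continuations */
};

typedef int (*exchange_fn)(const struct exchange_req *, uint64_t out[MAX_BATCH]);

/* Vulnerable: nr_extents is validated, nr_exchanged is not, so the guest can
 * place the resume offset beyond its own array and the loop indexes past it. */
int exchange_vulnerable(const struct exchange_req *req, uint64_t out[MAX_BATCH])
{
    if (req->nr_extents > GUEST_WINDOW)
        return -EINVAL;
    int done = 0;
    for (uint32_t i = 0; i < MAX_BATCH; i++) {
        uint32_t idx = req->nr_exchanged + i;   /* never compared with nr_extents */
        if (idx >= HV_WORDS)                     /* simulation fence only; real memory has none */
            break;
        out[done++] = hv_mem[idx];
    }
    return done;
}

/* Fixed: the resume offset must lie within the array, and every index used
 * must stay below nr_extents. */
int exchange_fixed(const struct exchange_req *req, uint64_t out[MAX_BATCH])
{
    if (req->nr_extents > GUEST_WINDOW || req->nr_exchanged > req->nr_extents)
        return -EINVAL;
    int done = 0;
    for (uint32_t i = 0; i < MAX_BATCH && req->nr_exchanged + i < req->nr_extents; i++)
        out[done++] = hv_mem[req->nr_exchanged + i];
    return done;
}

/* Runs one handler on a request and reports the first word it handed back
 * (or the negative errno), so the two handlers can be compared directly. */
int64_t probe(exchange_fn handler, uint32_t nr_extents, uint32_t resume)
{
    struct exchange_req req = { nr_extents, resume };
    uint64_t out[MAX_BATCH] = { 0 };
    int rc = handler(&req, out);
    return rc <= 0 ? rc : (int64_t)out[0];
}

int main(void)
{
    printf("legit   vulnerable=%lld fixed=%lld\n",
           (long long)probe(exchange_vulnerable, 8, 4),
           (long long)probe(exchange_fixed, 8, 4));
    printf("hostile vulnerable=0x%llx fixed=%lld\n",
           (unsigned long long)probe(exchange_vulnerable, 8, 9),
           (long long)probe(exchange_fixed, 8, 9));
    return 0;
}
```

With a well-formed request both handlers return the same extents; with the resume offset pushed past the array the vulnerable handler hands back the “hypervisor” words while the fixed one rejects the call. In a real hypervisor there is no `HV_WORDS` fence: the access lands wherever the arithmetic points, which is why the advisory lists information leaks, host crashes and privilege escalation together.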

The advisory notes that the bug stems from Xen’s paravirtualisation (PV) mode, on which Qubes currently relies and which is overly complex and due to be dropped: “the upcoming Qubes OS 4.0 will no longer use PV. Instead, we will be switching to HVM-based virtualisation”.

The bug was found by Google Project Zero’s Jann Horn. The fix is installed by updating dom0, either with the qubes-dom0-update command or from the Qubes VM Manager, followed by a reboot so the patched hypervisor is actually loaded. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/05/patch_qubes_to_prevent_pwnage_via_xen_bug/