New EU data laws threaten huge fines

By Cyber SecurityNo Comments

Companies could face fines of up to 4% of their global annual turnover under new European rules on data protection.

Companies could face fines of up to 4% of their global annual turnover under new European rules on data protection
The European Union has approved significant changes to data laws, aimed at putting individuals back in charge of their information.

It is the biggest shake up to privacy regulation for 20 years, according to experts. The changes would make privacy “a board-level issue”, one lawyer said.

Peter Church, a technology lawyer at Linklaters, said it would make businesses “start taking these issues a lot more seriously”.

US technology companies already have problems with European regulators, with both Google and Facebook facing big fines – Facebook over its use of cookies and Google over its privacy policy.

Although this new law will not come into force until 2018, the changes meant the tech giants would have to “pay more attention to what regulators are saying”, said Mr Church.

The new draft policy, in discussion since 2012, will need to be ratified by the European Parliament next year.

Other changes include:

  • Firms will have to report serious data breaches to regulators within 72 hours
  • Consumers’ right to be forgotten will be extended beyond search engines to all aspects of their web history – so, for example, a user could request to have his or her Facebook profile removed
  • Consumers have the right to transfer their data from one company to another – so, for example, a user could request all data relating to shopping purchases be sent to them so they can transfer their preferences to a rival supermarket
  • Companies that handle significant amounts of data will have to employ a data protection officer

Jan Philipp Albrech, chief negotiator, said of deal: “This would be a major step forward for consumer protection and competition and ensure Europe has data protection rules that are fit for purpose in the digital age.”

 “The scale and breadth of the EU’s changes to privacy rules will deliver unprecedented challenges for business and every entity that holds of uses European personal data both inside and outside the EU.”

“Most companies will be shocked at the scale of the new rules and the work that needs to be done before the laws take effect in two years – it is not much time for the magnitude of the internal changes that will be required.”

Facebook’s data tracking issues in trouble

By Cyber SecurityNo Comments

Facebook is in trouble from the Belgian privacy commission-  which is cross that it tracks internet users who are not members of the social network.

Facebook is in trouble from the Belgian privacy commission- which is cross that it tracks internet users who are not members of the social network
A court has ruled that it is unacceptable that every time someone clicks a “like” button on a website, their browsing activity is collected, regardless of whether they are Facebook users or not.

The controversy centres around a cookie – a simple text file which can track a number of user activities – which Facebook has used for the last few years.

Researchers found that even non-members who visited any page that fell under the facebook.com domain would have what Facebook calls its datr cookie – which has a two-year lifespan – installed on their browser.

They conducted a series of tests including one where they did a Google search for the term “facebook data policy”. It led them to the Facebook data policy page which placed the datr cookie on their browser.

They then visited a Belgian website related to prostate cancer treatment which includes a Facebook like button and found that the datr cookie was sent to Facebook.

There was no formal Facebook privacy notice regarding any cookie being stored.

It’s tracking functionality has led the Belgian court to, rather dramatically, give Facebook 48 hours to stop using it or face a fine of £176,000 per day.

Investigators were drawn to the details of how Facebook’s cookies worked when the social network rolled out new terms and conditions in January, authorising it to track its users across websites and devices, use profile pictures for both commercial and non-commercial purposes and collect information about its users’ locations.

Users could agree to the changes or they could leave Facebook.

One of the things that the Belgian privacy commission did in response to the changes was commission a report from the Universities of Leuven and Brussels.

It concluded that tracking non-users was in breach of EU law.

Its findings were handed to the Belgian authorities who, after initial talks with Facebook failed to reach agreement, decided to take the case to court.

The judge agreed with the Belgian privacy commissioner, ruling that the information collected by the social network was personal data “which Facebook can only use if the internet user expressly gives their consent”.

Advertising revenue is Facebook’s biggest source of income, jumping 45% this year, with mobile ad sales accounting for 78% of that. Being able to track web browsing habits, even anonymised ones, allows it to better target that advertising.

Privacy campaigners are very clear though about what they want from Facebook.

They argue that Facebook needs to be more explicit about what it is tracking and offer users the right to opt in to such tracking rather than having to search through the site to find ways to opt out.

And a court in Austria is now considering whether it will bring action against Facebook for violating privacy laws in its country.

The battle between privacy campaigners and the big tech firms is far from finished.

TalkTalk hack to cost up to £35 million

By Cyber SecurityNo Comments

The cyber attack on TalkTalk could cost it up to £35 million the company has said.

TalkTalk hack to cost up to £35 millionFollowing the hack- which divulged some users’ financial details, all customers of the telecoms group will be offered a free upgrade.

Chief executive Dido Harding said that despite the hack, TalkTalk was “well positioned to deliver strong and sustainable long-term growth”.

The firm expects still full year results to be in line with market expectations.

TalkTalk shares had jumped more than 13% by the close of trade on Thursday- but were still down more than 20% compared with their pre-hack value.

Speaking to the BBC, Ms Harding said: “The estimated one-off costs are between £30 million and £35 million – that’s covering the response to the incident, the incremental calls into our call centres, obviously the additional IT and technology costs, and then the fact that over the last three weeks until yesterday our online sales sites have been down, so there will be lost revenue as a result.”

She added that in recognition of the uncertainty that this had caused customers, they would be offered an upgrade.

A spokesperson said the type of upgrade offered would depend on the kind of package customers already had. For example, customers with TV packages might be offered a sports channel that they did not already have.

Customers who were financially affected directly will be free to leave TalkTalk without financial penalty. They would have to be able to show they had lost money as a result of the hack.

Customers who wish to leave for a different reason – for example, if they feel their data is not secure – would still have to pay a contract termination fee.

However Talk Talk’s offer to it’s customers is very limited

Some of TalkTalk’s millions of customers might have been angry enough to try to terminate their contracts when the telecommunications company first revealed details of a major data security breach last month.

But, with contracts for mobile, fixed line, broadband and television services of up to two years (always worth looking at those few lines at the bottom of the paperwork) customers found they couldn’t leave TalkTalk without incurring hefty costs.

When Dido Harding, the chief executive, first announced that customers would only be able to leave if they could show a “direct impact” on their bank account – a pretty high bar – investors heaved a sigh of relief and TalkTalk’s share price bounced up.

More than 15,600 bank account numbers and sort codes were stolen. Four people have been arrested and bailed in connection with the hack.

Ms Harding told the BBC that it was “too early to tell” what the longer term impact of the breach would be on the business.

Heartbleed attacks US banks

By Cyber SecurityNo Comments

US banks have been the victim of hacking and attacked by the heartbleed cybervirus.

US banks have been the victim of hacking and attacked by the heartbleed cybervirus
In April 2014 the cybersecurity world was shocked by the discovery of Heartbleed- the name given to a vulnerability found in one of the systems we use to securely communicate over the internet.

In this hack – which investigators are calling the largest theft of consumer data from financial institutions ever – the Heartbleed bug was exploited to gain access to “Victim 2”, an as-yet unnamed financial firm headquartered in Boston.

But it’s just one angle to this enormous attack.

The real damage appears to have been done with some social engineering, executed in a way that shows just how difficult it is to defend against determined cybercriminals.

According to investigators, hackers gained access to various networks belonging to JP Morgan and six other financial institutions, scraping personal data they would then use to manipulate stock prices.

The three indicted men – Israelis Gery Shalon and Ziv Orenstein and American Joshua Samuel Aaron – were conducting “security fraud on steroids”, prosecutors say.

Another man, Anthony Murgio, was charged over running an illicit operation trading virtual currency Bitcoin.
Targeted mail

This is how prosecutors say Heartbleed functioned.

The hacking technique often involved using legitimate accounts belonging to Joshua Aaron.

Using this legitimate access, as if Mr Aaron was a normal customer, paved the way for the hackers to gain access to networks and systems containing reams of data about other customers – people who were investing in stocks.

Over the course of several years, they stole personal data on more than 100 million people. The hackers didn’t access bank details. They didn’t need nor want them.

Investigators said the hackers used the personal details to send out information to bosses’ email addresses, promoting certain stocks that hackers had bought cheaply. The price would rise, and the hackers would then sell off their now very valuable shares.

It’s a technique known as “pump and dump”.

The hackers were said to be using a remote server in Egypt to access the network of “Victim 3” – a financial services firm based in Omaha, Nebraska.

The remote server, which covered the accused’s real location, was used to log in to Mr Aaron’s account with Victim 3.

When info-security staff at the firm noticed the odd sign-in location, it locked Mr Aaron’s account. Good security practice.

But, according to the court papers: “Aaron called Victim 3 and, upon being notified that his account had been locked and asked by a customer service representative whether Aaron had been traveling in Egypt in March 2014, Aaron lied to the representative, and claimed that he had been in Egypt.

“In truth and in fact, and as Aaron well knew, Aaron had not been in Egypt and was merely attempting to convince Victim 3 to allow Aaron and his co-conspirators to access Aaron’s account online in furtherance of their efforts to hack into Victim 3.”

For banks – indeed any big company online – there’s a constant balance between making a system as secure as possible, but not locking it down so much that its frustrating for normal customers to use.

But that’s not all these men are accused of doing. According to the court papers, the men were involved in a myriad range of online crime.

As well as the stock manipulation, and running a Bitcoin trading platform to help launder the cash, the men were said to be running illegal online casinos, selling fake antivirus software and – that age old internet scam – offering the purchase of pharmaceuticals.

All of this added up to an alleged haul of £75 million which they kept in bank accounts in Switzerland.

Faulty ransomware makes data unrecoverable

By Cyber SecurityNo Comments

Faulty coding in a ranson program that encrypts data means anyone hit by the Power Worm virus will not be able to recover files.

Faulty coding in a ranson program that encrypts data means anyone hit by the Power Worm virus will not be able to recover filesNormally, viruses known as ransomware decrypt files and data is recoverable when victims have paid a substantial fee.

But one variant of Power Worm destroys keys that could help recover any data that it scrambled.

Power Worm infects Microsoft Word and Excel files but the latest poorly written update of it goes after many more types of data files it finds on a victim’s machine.

The news comes as hackers produce new ransomware that is aimed at websites and encrypts data sitting on servers.

Malware researcher Nathan Scott discovered the variant and uncovered the mistakes its creator made when updating it.

Mr Scott believes the errors arose when the creator tried to simplify the decryption process. They tried to make it use just one decryption key but mangled the process of generating it. As a result, there is no key created for the files it encrypts when it compromises a computer.

There is unfortunately nothing that can be done for victims of this infection. If you have been affected by this ransomware, your only option is to restore from a back up.

The one consolation is that anyone attacked by the Power Worm should not pay the 2 bitcoin- about £500, ransom it asks for because they will not get any data back.

Many ransomware gangs accept payments in bitcoins and make a lot of money from each victim as Bitcoins are not traceable.

Ransomware is proving increasingly popular with hi-tech thieves and one group has now extended its list of potential targets to web servers that run Linux.

Russian anti-virus firm Dr Web has discovered a novel ransomware variant called Linux.encoder that tries to infect sites via add-ons such as shopping systems that many of them use.

Once it lands on a server, the software encrypts any files, images, pages, scripts and stored source code it finds on the machine’s main and back-up directories. Linux.encoder leaves behind a text file detailing how victims can pay the 1 bitcoin ransom required to recover their data.

Change of cyber theft approaches

“In the volume cybercrime space, ransomware is one of the most prolific problems we face,” said Greg Day, chief security officer for Europe at Palo Alto Networks.

“Credit card theft is getting to the point where the value of each card is very low. As a result ransomware has stepped into that gap and gives a higher value for each victim.”

Research by Palo Alto Networks and industry partners suggests the well-known Crypto Wall family of ransomware has generated about £215 million for the gang behind it.

“The return is so much better,” Mr Day said. “That’s why it’s escalated to such a level.”

He said regularly backing up data would help people and companies avoid having to pay criminals if they got caught out by ransomware.

Secure email Protonmail paid a ransom after DDOS web attacks

By Cyber SecurityNo Comments

A secure email firm Protonmail, based in Switzerland, has paid a ransom of more than £3,600 after web attacks crippled its website.

A secure email firm Protonmail, based in Switzerland, has paid a ransom of more than £3,600 after web attacks crippled its website
The criminals behind the web attacks said the payment would stop the deluge of data hitting the site. But despite paying up, the web attacks continued, leaving Protonmail struggling to operate.

It has now launched a fund raising drive to raise cash to tackle any future attacks.

In a blogpost, Protonmail said it received an email on 3 November that contained a threat to attack its website unless it paid a ransom of 15 bitcoins (£3,640).

Protonmail did not respond to the message and, soon afterwards, was hit by what is known as a distributed denial of service (DDoS) attack. This tries to knock a server offline by bombarding it with more data than it can handle.

Protonmail is a free, web-based, encrypted email service that needs its site up and running to serve customers.

The first attack knocked out Protonmail for about 15 minutes and then stopped. A second attack the next day was much bigger and overwhelmed efforts by the email firm and its ISP to stop it.

“This co-ordinated assault on key infrastructure eventually managed to bring down both the datacenter and the ISP, which impacted hundreds of other companies, not just Protonmail,” it said on the blog.

In a bid to halt the attack, Protonmail said it “grudgingly” paid the 15 bitcoin ransom.

However, it said, this did not stop the attacks which continued to cause problems for many other firms.

Eventually, Protonmail’s ISP took action to remove the company’s site from the net to stem the flow of data.

Post-attack analysis suggests Protonmail was targeted in two phases, the company said. The first aided the ransom demand but the second was “not afraid of causing massive collateral damage in order to get at us”.

Switzerland’s national Computer Emergency Response Team (Cert), which helped Protonmail cope, said the attack was carried out by a cybercrime group known as the Armada Collective. This group has also targeted many other Swiss web companies over the last few weeks, the team said.

It said anyone who received ransom email should not pay up. Instead, they should talk to their ISPs about the best way to defend themselves against attacks.

Protonmail said that despite its work to harden itself against attack, it was still vulnerable to DDoS data deluges. It said it planned to sign up with a commercial service that can defend against the attacks but this would be likely to cost it more than £66,000 a year.

“We are fighting not just for privacy, but for the future of the internet,” it said.

TalkTalk hack affected 157,000 customers

By Cyber SecurityNo Comments

TalkTalk has said nearly 157,000 of its customers’ personal details were cyber hacked on it’s website.

TalkTalk has said nearly 157,000 of its customers' personal details were cyber hacked on it's websiteMore than 15,600 bank account numbers and sort codes were stolen, the company said.

This week police released a 16-year-old boy on bail who was the fourth person arrested in connection with the hack.

Since news of the cyber-attack emerged, TalkTalk shares have lost about a third of their value.

The firm said 4% of TalkTalk customers have sensitive data at risk. It confirmed that scale of the attack was “much more limited than initially suspected”.

TalkTalk said:

  • 156,959 customers had personal details accessed
  • Of those customers, 15,656 bank account numbers and sort codes were stolen
  • 28,000 stolen credit and debit card numbers were “obscured” and “cannot be used for financial transactions”.

Customers whose financial details were stolen have been contacted, and the firm will contact other affected customers “within the coming days”.

The cyber attack on TalkTalk’s website happened on 21 October, it added.

Details that TalkTalk previously said had been stolen included names, addresses, dates of birth, telephone numbers and email addresses.

In October, the firm described the attack as “significant and sustained”, but that it was too early to say which data had been stolen.

It initially said that all of its customers may have been affected, but then restated in its estimate.

Four people have been arrested over the hack so far: a boy of 15 in Northern Ireland, a 16-year-old boy from west London, a 20-year-old Staffordshire man, and a 16-year-old boy in Norwich. All four have been released on bail.