Google CEO tells investors not to worry about Europe's upcoming privacy rules*:
- Google's CEO tried to quell investor fears over how Google's advertising business will be affected by Europe's upcoming privacy legislation during the company's Q1 earnings call.
- The General Data Protection Regulation, known as GDPR, is meant to give consumers more control of their data.
- Any company that breaches the new rules will be fined up to 4 percent of its annual global revenue.
- Google's properties revenue, which includes revenue from search as well as its other owned sites like YouTube and Maps, makes up around 82.6 percent of its total advertising revenues.
- Google Network Members' properties revenue largely comes from third-party sites that use its AdMob, AdSense or DoubleClick ad products to put ads on their websites.
- Google is also "committed to meeting requirements" and doesn't expect GDPR to cause a material negative change.
*Source: CNBC, April 23, 2018
SunTrust Ex-Employee May Have Stolen Data on 1.5 Million Bank Clients*:
- SunTrust Bank said a former employee may have stolen names, addresses, phone numbers, and account balances of some 1.5 million of its clients.
- The employee tried to download the client contact information six to eight weeks ago in an attempt to provide the data to a criminal from outside the organization.
- SunTrust CEO William Rogers said in an earnings call that there was no indication of fraudulent activity using the client information, and it appears the data had not been sent outside the bank.
- The bank is now offering free identity protection services to all of its customers for the "potential data threat."
- The company became aware of potential theft by a former employee of information from some of its contact lists.
- A SunTrust spokeswoman refused to disclose the location of the branch where the employee attempted to steal data.
- SunTrust reported a 36 percent rise in quarterly profit helped by a rise in net interest income and lower expenses.
*Source: Reuters, April 20, 2018
Waze signs data-sharing deal with AI-based traffic management startup Waycare*:
- Waze has struck a data-sharing agreement with Waycare, an artificial intelligence-based traffic management startup, the two companies announced.
- The deal will allow them to combine anonymized navigation information crowdsourced from the 100 million drivers who use Waze with Waycare's proprietary traffic analytics.
- It is part of Waze's Connected Citizens Program, which gives cities around the world access to anonymized driver data to help them manage traffic and road infrastructure.
- Waycare is a cloud-based platform that enables municipalities to gather data from many sources, including on-board devices, navigation apps, sensors and road camera feeds, and analyze them.
- The new partnership means cities that use Waycare will be able to send urgent alerts to drivers through Waze, while giving Waycare a new trove of data.
- The startup has raised $2.3 million so far, according to Crunchbase, and currently has projects in Nevada, Florida, Delaware and California.
*Source: TechCrunch, April 26, 2018
Equifax has spent $242.7 million on its data breach so far*:
- Equifax's first quarter earnings report highlighted expenses due to its September 2017 data breach and how the spending is shifting more toward IT and security.
- In its first quarter earnings report, Equifax outlined that it spent $45.7 million for the three months ended March 31 on IT and data security.
- Legal and investigative fees tied to the data breach were $28.9 million.
- The total for the first quarter was $68.7 million. In the fourth quarter, Equifax disclosed that it spent a net $114 million for 2017 on the data breach.
- Equifax stated it will spend heavily on IT at least through 2019 in an effort to build an industry-leading data security system.
- It also has $125 million in cybersecurity insurance and a $7.5 million deductible, and insurance has covered $60 million of the data breach costs to date.
*Source: ZDNet, April 26, 2018
Fewer Than 1 in 10 Ready: UK SMEs Need GDPR Wake-Up Call*:
- Fewer than one in 10 small businesses in the UK are fully prepared for GDPR, and that comes down to both complacency and a lack of understanding about its impact.
- The legislation's ambition is to encourage companies to think more proactively about data protection.
- No matter your organisation's size, you must comply with new regulations under the GDPR that governs the collection, storage and use of information about citizens, or face the EU's hefty fines.
- With GDPR overseeing the protection of that sensitive data, companies, even the smallest businesses, must ensure they put in place compliant security protocols.
- Larger firms might have already appointed their Data Protection Officers to oversee policy updates but GDPR governs all commercial enterprises including sole traders working from their kitchen table.
- The regulations underline the need to be more vigilant regarding data security and privacy, and that's something that should be embraced, even for small companies.
- GDPR is good for small businesses and that's because it will protect the privacy of citizens, reinforcing trust and security for consumers, but also opening up commercial opportunity.
- Article 30 of the regulations states that businesses with fewer than 250 employees will not be bound by the rules in the same way as large organizations.
- The government has also stated that it intends to update the 1988 Data Protection Act and will seek to mirror regulations with those of the GDPR.
- Companies that don't secure the information they process properly could see their bottom line severely damaged on top of regulators breathing down their necks.
*Source: SWNS, April 24, 2018
MICROSOFT ISSUES MORE SPECTRE UPDATES FOR INTEL CPUS*:
- Microsoft has released additional Windows 10 mitigations for the Spectre side-channel flaw, with an expanded lineup of firmware (microcode) updates for Intel CPUs.
- The company released two Windows Update packages addressing Spectre, KB4091666 and KB4078407, both available as manual downloads from the Microsoft Update Catalog portal.
- These latest releases come on the heels of Microsoft's initial release of Intel CPU microcode fixes, KB4090007.
- Microsoft's decision to help distribute available Intel firmware through Windows updates adds another layer of security for Intel-based processors on top of Intel's reliance on motherboard and system vendors.
- Microsoft released operating system updates addressing Spectre for AMD in its Patch Tuesday updates.
- The Spectre and Meltdown security flaws, which were first disclosed by Google Project Zero in early January, impact a range of processors, including those from Intel, ARM and AMD.
- Meanwhile, Intel acknowledged in January that some companies were reporting reboot issues with both older and newer chips after they patched their devices.
*Source: Threatpost, April 26, 2018
PyRo Mine Malware Uses NSA Tool to Collect Monero*:
- Hackers are using a new crypto-mining malware they are calling PyRo Mine to quietly collect Monero.
- The Python-based malware uses an NSA exploit to spread to Windows machines while also disabling security software and allowing the exfiltration of unencrypted data.
- The malicious URL serves a downloadable zip file compiled with PyInstaller, which is dangerous because PyInstaller packages Python programs into stand-alone executables, so the attacker does not need to install Python on the machine to execute the program.
- The combined attack techniques Manuel discovered in analyzing the scripts and packages let the malicious actor stay hidden while deploying additional attack vectors.
- Those who have not patched these known vulnerabilities remain potential targets as experts expect to see more of these types of attacks in the future.
*Source: Info Security, April 27, 2018
UBER TIGHTENS BUG BOUNTY EXTORTION POLICIES*:
- Uber is tightening policies around its bug-bounty program after a 2016 data breach exposed deep flaws in its policies around handling extortion.
- The ride-sharing company has updated its program to include clarity around the boundaries between research and blackmail.
- The changes come after a 2016 incident in which Uber paid out a ransom to hackers who stole millions of user credentials.
- Uber didn't disclose the breach, which impacted 57 million global users, for about a year, finally notifying impacted customers only.
- Uber's CISO stated that Uber's security team had contacted the hackers to ensure they destroyed the data before paying them $100,000.
- Uber has made additional changes to its program to offer researchers an additional $500 if they include a fully scripted proof-of-concept (PoC) in their original report.
- Uber's bug-bounty program started more than two years ago, and touts an all-time total payout of more than $1.4 million.
- Many companies are launching programs that highlight massive payouts as opposed to highlighting the actual protection of consumer data.
- Many companies also use bug bounties only for finding vulnerabilities in the moment, while they should be shaping program policies that improve their actual overall security strategies.
- Other companies have stumbled over unanticipated issues around their bug-bounty programs that escalate tensions with researchers.
*Source: CSO Online, April 27, 2018