MENTIS

Week of January 5, 2018

MENTIS
news

Week of January 5, 2018

Privacy in 2018: Expect the Unexpected*:

  • To say that the world is in turmoil is an understatement and the same is true of the world of privacy and data protection, which makes predicting the future particularly tricky.
  • On May 25, 2018 the EU General Data Protection Regulation will finally become applicable, enforceable and that's an easy prediction since that date is stated in the GDPR itself.
  • Another certain fact is that any lack of preparation for the GDPR will not be due to the amount of noise it has already generated.
  • Hundreds of pages of carefully thought out guidance have been written by the regulators, but what are the chances of understanding – let alone complying with – all of the nuances of such a monster law as the GDPR?
  • The reality is that very few will be truly and fully compliant with GDPR when the time comes.
  • The GDPR should not completely distract us from one of the biggest debates of our time: should the privacy of our digital lives prevail over the digital economy or the other way around?
  • By the end of 2017, the European Parliament had made it very clear that it would not settle for anything other than the highest standards of privacy protection; expect a fair amount of discrepancy with the Parliament and a risk-based approach along the lines of what happened with the GDPR.
  • Regulators around the world will become increasingly concerned about the direction of travel of technological innovation, so it would not be surprising to see them joining forces across continents to tackle “data maximisation” practices.
  • While regulators are more likely than ever to team up for global investigations, in the U.K. we still need to deal with the small matter of Brexit and its repercussions for data protection.
  • This year will be decisive in determining whether Brexit will happen at all.
  • The wisest move would be for the U.K. to seek some form of “adequacy by default” for transfers of data originating from the EU as the U.K. is posed to implement the GDPR in full.
  • The U.K. will probably create a U.K.-U.S. Privacy Shield, mirroring the arrangements that the U.S. already has in place with the EU and Switzerland.
  • The Court of Justice of the EU has its plate full of pending cases on crucial issues ranging from the applicability of the law to the viability of various international data transfers mechanisms.
  • As the ultimate arbiter on EU data privacy matters, the CJEU has become a powerful global guardian of rights; once a court like the CJEU makes a decision, its application is instantaneous and if that decision happens to contradict a long-held view or interpretation, the effect is spectacular.

*Source: iApp, January 04, 2018

 


Researchers Discover Two Major Flaws in the World’s Computers*:

  • Computer security experts have discovered two major security flaws in the microprocessors inside nearly all of the world’s computers.
  • The two problems, called Meltdown and Spectre, could allow hackers to steal the entire memory contents of computers, including mobile devices, personal computers and servers running in so-called cloud computer networks.
  • There is no easy fix for Spectre, which could require redesigning the processors.
  • As for Meltdown, the software patch needed to fix the issue could slow down computers by as much as 30 percent.
  • Meltdown is a particular problem for the cloud computing services run by the likes of Amazon, Google, and Microsoft.
  • Google and Microsoft said they have since updated their systems to deal with the flaw, and Amazon said it has protected nearly all instances of AWS and customers must update their own software as well.
  • To take advantage of Meltdown, hackers could rent space on a cloud service, just like any other business customer.
  • Once they were on the service, the flaw would allow them to grab information like passwords from other customers.
  • That is a major threat to the way cloud-computing systems operative because services often share machines among many customers.
  • Personal computers used by consumers are also vulnerable, but hackers would have to first find a way to run software on a personal computer (say through a malicious email or infected website) before they could gain access to information elsewhere on the machine.
  • The Meltdown flaw affects virtually every microprocessor made by Intel, which makes chips used in more than 90% of the computer servers that underpin the internet and private business operations.
  • The software patches could slow the performance of affected machines by 20 to 30%, which could become a significant issue for any business running websites and other software through cloud systems.
  • There is no evidence that hackers have taken advantage of the vulnerability yet, but once a security problem becomes public computer users take a big risk if they do not install a patch to fix the issue.
  • The other flaw, Spectre, affects more processors now in use, though the flaw is more difficult to exploit; there is no known fix for it, and it is not clear what chip makers like Intel will do to address the problem.

*Source: New York Times, January 03, 2018

 


Data Breach Affected More Than 240,000 Homeland Security Workers*:

  • Personal information about more than 247,000 Homeland Security Department employees and other people connected with the agency was compromised in 2014.
  • In May, the Homeland Security inspector general’s office found a copy of its investigative case management system – and the reams of personal information it contained – in the possession of a former employee.
  • The case management system contained personal information on 247,167 Homeland Security employees who worked for the department when the information was removed in 2014.
  • It also contained information about non-employees who were subjects, witnesses, or complainants in inspector general investigations between 2002 and 2014.
  • The department is “implementing additional security precautions to limit which individuals have access to this information and will better identify unusual access patterns.”
  • The statement did not describe what personal information was compromised.
  • The department is offering free credit monitoring to employees and other people whose information was compromised.

*Source: Nextgov, January 03, 2018

 


Ancestry.com Suffers Big Data Leak - 300,000 User Credentials Exposed*:

  • Ancestry.com has confirmed that a server on its RootsWeb service exposed a file that has usernames, email addresses, and passwords of 300,000 registered users.
  • RootsWeb is Ancestry.com’s free collection of community-driven tools for sharing genealogical information such as user forums and mailing lists.
  • According to data breach tracking website HaveIbeenPwned's Troy Hunt, the stolen information was leaked and posted online in plain text.
  • The company was informed by Hunt about the file on December 20 and they have confirmed that the file does contain the login credentials of the users of RootWeb's surname list information.
  • The security team disclosed that 55,000 of the email/username and password combinations were used on both RootsWeb and Ancestry.com websites and 7,000 of those credentials belong to active Ancestry.com accounts.
  • The company stated they have no reason to believe that other Ancestry.com systems were compromised nor have they seen any activity indicating the compromise of individual Ancestry user accounts.
  • To protect its users, Ancestry has locked out the accounts of the 55,000 customers who used the same credentials on RootsWeb's surname list and Ancestry.com.
  • If you use Ancestry.com or any of its services, here’s what you can do:
    • Change your password
    • If you are using the same passwords for multiple accounts, it is important that you review and change them now as well
    • Beware of phishing emails claiming to be from Ancestry.com
    • Use a password manager to create unique and complex passwords for you

*Source: Komando, December 28, 2017

 


LightsOut: Shining a Light On Malicious Flashlight Apps on Google Play*:

  • Check Point researchers have detected a new type of adware roaming Google Play, the official app store of Google.
  • The suspicious scripts overrides the user’s decision to disable ads showing outside of a legitimate context, and then, in many of the apps, hide its icon to hinder efforts to remove it.
  • This is purely malicious activity, as it has no other possible purpose other than eluding the user.
  • Dubbed ‘LightsOut,’ the code hid itself in 22 different flashlight and utility apps, and reached a spread of between 1.5 million and 7.5 million downloads with the purpose of generating illegal ad revenue for its perpetrators.
  • Some users noted that they were forced to press on ads to answer calls and perform other activities on their device.
  • Check Point notified Google about all these apps, and they were soon removed from the Google Play store.
  • The malicious app offers the user a checkbox in which they can enable or disable additional services, including the displaying of ads.
  • If the user chooses to disable these functions, ‘LightsOut’ can override the user’s decision and continue to display ads out of context.
  • Since the ads are not directly connected to LightsOut’s activity, the user is unlikely to understand what caused them, and even if he does he won’t be able to find the app’s icon and remove it from his device.
  • LightsOut’ reminds us once again that users need to be wary of downloading from App Stores, and are advised to have an advanced mobile threat defense solution that goes beyond anti-virus.
  • Many users are still unaware of the dangers lurking for them, and continue to install apps such as fishy flashlights.

*Source: Check Point, January 05, 2018

 


Bitcoin Rises as Ripple's Allure Fades for Manic Crypto Traders*:

  • Ripple, the white-hot cryptocurrency that has more than doubled in the past week, fell as much as 39 percent from its all-high.
  • Bitcoin, which has lost some of its luster as of late to its smaller rival, was up as much as 11 percent.
  • Ripple fell to as low as $2.16 after reaching an all-time high of $3.32.
  • Ripple last week surpassed ether as the world’s second-most valuable cryptocurrency after bitcoin.
  • Coinbase, one of the largest crypto exchanges, said in a Twitter post by its chief executive officer that it had not made a decision to add new coins.
  • Coinbase currently offers trading in bitcoin, bitcoin cash, ether, and litecoin.

*Source: Bloomberg, January 05, 2018

 

Get in Touch With Us!

Are you interested in receiving more information about our products? Do you have questions about sensitive data security? Would you like a demo? Complete the details below and one of our specialists will get in touch with you.

We love to help our customers solve their data security problems. Please tell us about what you are trying to accomplish, details about your environment, and any other information that will help us understand your needs better.

Image CAPTCHA
scroll top