As we know, the UK voted to leave the EU on 23rd June 2016.
The UK is required to serve notice under Article 50 of the Lisbon Treaty and this carries a two year notice period.
The General Data Protection Regulation (GDPR) takes effect in less than two years, on 25th May 2018. It applies not only to organisations established within the EU but to any organisation that processes the personal data of individuals in the EU, offers them goods or services, or monitors their online behaviour.
Even standing outside the EU, the long arm of GDPR will reach any UK organisation handling the data of individuals in the EU, and the UK itself will need to demonstrate ‘adequacy’ of its data protection regime for data to keep flowing from the EU.
Organisations around the world are preparing now for GDPR.
For full details of the 12 steps the ICO recommends your organisation take to prepare for GDPR, Amicus ITS invites you to read the ICO’s PDF white paper “Preparing for the General Data Protection Regulation (GDPR)”, attached here: ico-preparing-for-the-gdpr-12-steps
I strongly recommend that all organisations actively research what they need to do to comply with GDPR: as a Regulation rather than a Directive, it applies directly in every EU Member State once in force, with no national legislation needed to give it effect.
The world’s third largest airline, United Airlines, was dealt a serious blow today as a reported ‘systems issue’ delayed flights worldwide this morning.
At 8.15am London time, United said: “As of 3 am ET [Eastern Time], the system issue has been resolved. Any delayed flights are resuming”.
As we reported in our blog of 6 September, Delta, the world’s largest carrier, suffered a worldwide ‘systems failure’ the previous month, and in September BA passengers endured long delays after what was described as ‘a problem with our check-in system’.
So what was to blame? Cyber security experts remain sceptical when airlines publicly attribute outages to anything other than cyber attack; however, with airlines heavily dependent on their computer systems for almost every aspect of their operations, a number of possibilities remain. Yes, an attack by a malicious actor is one, but it could equally have been a failed patch or change, a lack of immediate failover to a backup system, or a third party somewhere in the supply chain. Yet these are huge organisations, and an airline of Delta’s or United’s size will have substantial IT systems and is expected to have robust security measures in place to protect its infrastructure and passenger safety.
Ultimately we may have our suspicions, but we will have to wait and see whether further details come to light about these incidents. It is unlikely that the airlines themselves will choose to disclose root causes, for fear of giving anyone insight into potential weaknesses in their systems.
The ICO has revealed this week that it has fined communications company TalkTalk £400,000 (out of a maximum £500,000) for its poor web security, following the theft of nearly 157,000 customers’ account details in October 2015. As we reported in our blog of 13th May 2016, the company’s profits were also hit hard as a direct result of the attack, and the firm lost 101,000 subscribers in the quarter that followed.
The ICO’s report was scathing. Information Commissioner Elizabeth Denham commented: “Yes hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action”.
In nearly 16,000 cases the attacker was also able to steal bank account details. The ICO found that legacy web pages dating from TalkTalk’s takeover of rival Tiscali were running out-of-date software and were open to SQL injection. TalkTalk had been unaware of the problem, which could have been readily fixed had its security measures been kept up to date.
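To make the point concrete, here is an added example (not TalkTalk’s code, and with a constructed table and rows) of the same customer lookup written two ways: the legacy pattern that splices a request parameter into the SQL text, and the parameterised form that closes the hole.

```python
"""Added example (not TalkTalk's code): a customer lookup written the way many
legacy web pages did it, with user input spliced into the SQL, beside the
parameterised version that closes the hole. Table and rows are constructed."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Throwaway in-memory customer table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (username TEXT, sort_code TEXT, account_no TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [("alice", "40-11-22", "12345678"), ("bob", "20-33-44", "87654321")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Legacy pattern: the request parameter becomes part of the SQL text."""
    sql = (
        "SELECT username, sort_code, account_no FROM customers "
        f"WHERE username = '{username}'"
    )
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Hardened pattern: the value is bound as a parameter, never parsed as SQL."""
    sql = "SELECT username, sort_code, account_no FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    payload = "x' OR '1'='1"  # tautology: the WHERE clause becomes always-true
    print(lookup_vulnerable(conn, payload))  # both rows: the whole table leaks
    print(lookup_safe(conn, payload))        # []: no customer is literally named that
```

The payload is the simplest tautology; a real attacker would move on to UNION or blind techniques once the first probe confirmed the page was injectable. The fix is the same in every case: keep data out of the query text, and keep the database and web stack patched so that known flaws in them are not there to be reached.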
The ICO explained that TalkTalk had been lax in enforcing proper security on its own website. Ms Denham added: “In spite of its expertise and resources, when it came to the basic principles of cyber-security, TalkTalk was found wanting. Today’s record fine acts as a warning to others that cyber security is not an IT issue, it is a boardroom issue”. These comments echo the advice Amicus ITS has consistently given to its customers and shared with the wider business community at its regional thought leadership cyber security roadshows.
The next Amicus ITS cyber security event will be held on 24th November 2016. Further details will be posted on the main Amicus ITS events page.
Dutch multinational banking and financial services group ING reported recently that a fire-extinguisher test at one of its data centres in Romania set off an unprecedented and disastrous chain of events, taking cash machines, online banking and its website down for more than ten hours on Saturday 10th September 2016.
The bank, which has over 48 million individual and institutional clients in over 40 countries, could not explain the situation to its customers because the outage had taken down its main communication systems as well.
Ironically, it was not the extinguishing gas itself that caused the problem but the noise of the inert gas being discharged, measured at over 130 decibels, which destroyed dozens of hard drives, according to tech magazine Motherboard.
A Siemens white paper from 2015 warned of the risk of fatal damage to hard drives from sound-wave vibration during inert-gas discharge, concluding that:
• above 110dB, most hard disks deliver degraded performance
• above 130dB, most disks stop delivering data
• above 140dB, most disks suffer permanent damage, and other unpredictable faults are possible
Whilst it may have been unprecedented for ING, it is not unheard of. In 2013, French media reported that accountancy software used by the French Government became temporarily ‘unavailable’ after a fire protection system was accidentally triggered at a data centre, the loud discharge causing an outage there. Closer to home, in Glasgow in December 2015, a fire suppression system triggered by an air conditioning unit was blamed for bringing Glasgow City Council to its knees for several days, affecting council tax and benefits systems and disabling MS Outlook email and the Cisco telephone switchboard.
For any organisation, therefore, there are some straightforward precautions to check and apply:
1. Review the physical security of your server systems and their environment, including how the fire suppression system discharges and how close its nozzles sit to storage.
2. Protect the integrity of your data by scrutinising all your equipment and verifying that backups can actually be restored.
3. Ensure you have failover capability, with full backup and replication systems in place, to keep your business up and running.
With the news of the Yahoo cyber attack on 23rd September 2016, it is worth taking a look back at new technology developments and launches in 2016, which put privacy and security at the forefront of their marketing spiel.
Solarin smartphone at a sky high price
In May 2016 Sirin Labs launched a new ‘military-grade’ encrypted smartphone, the Solarin (retailing at an eye-watering £11,400 per device). It offers encrypted calls using 256-bit AES. However, the screen is 2K rather than 4K, it runs Android Lollipop rather than Marshmallow, and its Qualcomm processor is 2015’s model.
Whilst clearly targeting wealthy professionals for whom privacy and security drive the purchase, this price will be beyond most pockets. Businesses and consumers need not be alarmed, though: keeping a smartphone’s operating system patched and running up-to-date antivirus and anti-malware software goes a long way to protecting the user, at less than a tenth of the price of such a top-end device.
You won’t find me – Snowden’s iPhone introspection machine
Meanwhile, a smartphone case (currently only for the iPhone 6) that tells its owner when the phone is transmitting, designed by US whistleblower Edward Snowden in conjunction with hardware hacker Andrew ‘Bunnie’ Huang, was revealed at a closed MIT Media Lab launch in July. The iPhone was selected as it is generally regarded as hard to hack.
Whilst Snowden’s motivation to thwart digital surveillance may be political, seeking to protect activists from location tracking by law enforcement agencies, the other edge of the pitch highlights the trend for cyber criminals to install malware on smartphones while the user is on the move, unbeknownst to the user. The case aims to detect whether or not the phone’s radios are actually transmitting, since trusting airplane mode, or sticking the phone in a ‘Faraday bag’ to block radio signals, has proven insufficient. With the prevalence of clever malware that can make a smartphone appear to be off, it is daunting for users to know how well protected they and their data are. Again, the answer is a mixture of vigilance, cyber security software and good information security management.
Yahoo disclosed today that it has suffered what it believes to be a ‘state-sponsored’ cyber attack. The attack itself dates back to 2014. Some 500 million users are believed to have had their personal details stolen, in what is believed to be the biggest publicly disclosed cyber breach to date.
The US internet firm, which at its height during the dot-com boom was worth $125bn, made a net loss of $4.4bn in 2015 and earlier this summer agreed a $4.8bn sale to global communications and tech giant Verizon (Verizon’s rationale being access to Yahoo’s core internet business, with more than a billion active users a month, which would make Verizon a global mobile media company).
So how does this breach compare with other large-scale breaches made public in 2016 (the year shown is when each breach occurred)?
• 2012 LinkedIn – 180 million accounts hacked
• 2010 MySpace – 360 million accounts hacked
• 2012 Dropbox – 68 million accounts hacked
There is a clear trend of large data breaches being announced at least two years after the event, giving the hackers a comfortable period in which to make maximum use of any data they wish to target. What sets the Yahoo breach apart is the claim that it was ‘state sponsored’. For consumers this means the attackers’ motivation may well have been specific, targeted individuals rather than the public at large (which is not to say the data will not also be sold on to the cyber underworld). Such a breach could be aimed at the accounts of people whose free speech is suppressed in their home country. News of a mass Yahoo data breach in August may be related, but Yahoo’s announcement is a formal acknowledgement rather than dark net gossip. How this plays out, and the degree of malice behind the event, we have yet to find out.
What should users do by way of best practice?
Whether or not you believe your account has been compromised, it is good practice to change passwords regularly, and immediately after any suspected breach, and to ensure they are strong and unique to each service (a long mix of upper- and lower-case letters, symbols and numbers). Multi-step verification further stiffens defences. Wrapping this with good antivirus and anti-malware software, and with security policies and procedures, will protect the majority of businesses.
However, the key factor in any security stance is education; this should be at the heart of all security themes, whatever the size of the business. I recommend that all security professionals look to deepen their own awareness so that they can educate end users, and if you are an end user, push for security education if you have not received it. Your security perimeter extends beyond you as an individual to your company, and on to your customers and suppliers.
A supersized cache of over 98 million users’ login names and passwords from the Russian email service Rambler.ru (a Russian equivalent of Yahoo, offering email, news and content), dating from 2012, has just been posted online for sale, with copies of the list offered at one bitcoin (£456).
The leak was first flagged in 2014, when Rambler forced users to change their passwords and barred any previously used ones. However, the dump, revealed by LeakedSource and verified with the help of Russian journalists, showed that the passwords had been stored with no encryption or hashing whatsoever: they were simply listed in plain text.
Analysis of the list showed that the character sequence “asdasd” was the most popular password, used by more than 723,000 people, followed by “asdasd123”. This revelation follows June’s public disclosure of another major breach, in which the details of more than 100 million users of the Russian VK.com service were shared online.
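The two failures above, plaintext storage and a population of trivial passwords, compound each other: a plaintext dump hands an attacker both every credential and the frequency analysis for free. Here is an added example (not Rambler’s code; the dump is constructed sample data in the style of the leaked list) that runs that analysis over a plaintext list, then shows how salted, slow hashing with PBKDF2 changes what an attacker gets from the same records.

```python
"""Added example (not Rambler's code): the gap between a plaintext credential
store, which the Rambler dump turned out to be, and a salted, slow-hashed one.
The dump below is constructed sample data in the style of the leaked list."""
import hashlib
import hmac
import os
from collections import Counter

ITERATIONS = 100_000  # PBKDF2 work factor; raise it as hardware gets faster

# Constructed plaintext dump, one "email,password" record per line
PLAINTEXT_DUMP = """\
user1@example.com,asdasd
user2@example.com,asdasd123
user3@example.com,asdasd
user4@example.com,correct-horse-battery
user5@example.com,asdasd
"""


def records(dump: str) -> list:
    """Split a dump into (identifier, secret) pairs."""
    return [tuple(line.split(",", 1)) for line in dump.splitlines() if "," in line]


def most_common_passwords(dump: str, n: int = 2) -> list:
    """The frequency analysis an attacker can run in one pass over a plaintext list."""
    return Counter(secret for _, secret in records(dump)).most_common(n)


def hash_password(password: str, salt: bytes = None) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as 'iterations$salt$digest' in hex."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def hashed_dump(dump: str) -> str:
    """Rewrite the plaintext dump the way the store should have held it."""
    return "".join(f"{ident},{hash_password(secret)}\n" for ident, secret in records(dump))


if __name__ == "__main__":
    print(most_common_passwords(PLAINTEXT_DUMP))  # [('asdasd', 3), ('asdasd123', 1)]
    # With a random salt per record, identical passwords no longer share a hash,
    # so the same analysis finds every entry exactly once.
    print(most_common_passwords(hashed_dump(PLAINTEXT_DUMP)))  # two distinct hashes, each with count 1
```

The per-record salt is what defeats the "asdasd" count: without it, 723,000 identical hashes would still have told the attacker exactly which password to try first. The iteration count is what makes cracking each hash expensive; the constant-time compare in verify_password is there so that a login endpoint does not leak how many bytes of the digest matched.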
We have often talked about an organisation’s ‘crown jewels’ being their data and safeguarding your data and that of your customers is a hugely important responsibility. There is also no ‘one size fits all’ remedy, as what may be appropriate security measures for one organisation will be different to another.
However, companies can focus their strategy by adopting a risk-based approach to deciding what level of security is required and where, and by asking pertinent security questions of any third-party contractors and suppliers they use.
An ISO 27001 Information Security Management System (ISMS) provides exactly such a risk-based approach to data security. When rolled out through an organisation it can be pushed down the supply chain to raise standards among third-party contractors and suppliers. Whilst no organisation can be guaranteed to remain 100% free from threat 24×7, any company, large or small, that builds a robust and regularly monitored cyber security posture will be better prepared to fend off a breach, or to respond to one quickly and effectively through regularly tested policy. For the firm’s customers and stakeholders this means higher levels of assurance, and for the firm it means being able to meet growing legal and regulatory data protection obligations.