‘Defence and protect’ marketing gets displayed in new smartphone technologies


With the news of the Yahoo cyber attack on 23rd September 2016, it is worth taking a look back at new technology developments and launches in 2016, which put privacy and security at the forefront of their marketing spiel.

Solarin smartphone at a sky high price

In May 2016 Sirin Labs launched a new military-grade encrypted smartphone, the ‘Solarin’ (retailing at an eye-watering £11,400 per device). It offers encrypted calls using a 256-bit AES algorithm. However, the screen is 2K not 4K, it runs on Android Lollipop, not Marshmallow, and its Qualcomm processor is 2015’s model.

Whilst clearly targeting wealthy professionals for whom privacy and security are a driver to purchase, this ‘hostage’ price will be way beyond the pocket of most. However, businesses and consumers shouldn’t be alarmed, as putting up-to-date antivirus and anti-malware software on smartphone devices goes a long way to protecting the user, at less than a tenth of the price of such top-end devices.

You won’t find me – Snowden’s iPhone introspection machine

Meanwhile, a smartphone sleeve (currently only for the iPhone 6) that tells its owner when their phone is being hacked is being designed by US whistleblower Edward Snowden in conjunction with hardware hacker Andrew ‘Bunnie’ Huang. It was revealed at a closed MIT Media Lab launch in July. The iPhone was selected as it is generally regarded as being hard to hack.

Whilst Snowden’s motivations to thwart digital surveillance may be politically motivated, in seeking to protect activists from location detection by law enforcement agencies, the dual edge of their pitch highlights the trend for cyber criminals to seek to install malware on smartphone devices whilst the user is on the move (all unbeknownst to the user). The case aims to track whether or not the phone’s radios are transmitting, as trusting that the phone is in airplane mode, or sticking it in a ‘Faraday bag’ to block radio signals, has proven insufficient. With the prevalence of clever malware which can make a smartphone appear to be off, it is daunting for users to know how well protected they and their data are from harm. Again, it’s a mixture of best-practice vigilance, cyber security software and good information security management.

Yoo-hoo! – Yahoo finally discloses massive cyber breach

Yahoo disclosed today that it has suffered what it believes to be a ‘state-sponsored’ cyber-attack. The attack itself dates back to 2014. Some 500 million users are believed to have had their personal details stolen in what is believed to be the biggest publicly disclosed cyber breach in history.

The US internet firm, which at its height during the dot.com boom was worth $125bn, made a net loss of $4.4bn in 2015 and agreed a sale to global communications and tech giant Verizon for $4.8bn earlier this summer (Verizon’s rationale for the purchase being access to Yahoo’s core internet business, which has more than a billion active users a month and would make Verizon a global mobile media company).

So how does this breach compare with other large scale breaches made public in 2016?

• 2012 LinkedIn – 180 million accounts hacked
• 2010 MySpace – 360 million accounts hacked
• 2012 Dropbox – 68 million accounts hacked

There appears to be a trend of large data breaches being announced at least two years after the event, giving the hackers a comfortable period to make maximum use of any data they wish to target. The difference with the Yahoo breach revolves around the claim of it being ‘state sponsored’. For consumers this means that the motivations of the hackers could well be focused on specifically targeted individuals, not the wholesale public (not to say that the data isn’t sold on to the cyber underworld). This breach could be focused on the accounts of particular individuals whose free speech has been suppressed in their home country. News of a mass data breach in August could be related to this, but Yahoo’s announcement is a formal acknowledgement versus previous dark net gossip. How this plays out, and the degree of malice behind the event, we have yet to find out.

What should users do by way of best practice?

Whether or not someone believes their account has been compromised, it is always good to change passwords regularly and ensure they are strong and unique (an unbroken combination of upper and lower case characters, symbols and numbers). Multi-step verification processes can further stiffen defences. Wrapping this with good antivirus and anti-malware software, together with security policies and procedures, will protect the majority of businesses.

However, the key factor in any security stance is education; this should be at the heart of all security themes no matter the size of the business. I recommend all security professionals look to enhance their awareness so as to be able to educate end users, and if you are an end user, push for security education if you have not received it. Your security perimeter extends beyond you as an individual to your company and on to your customers and suppliers.

Super charged Russian data breach

A supersized cache of over 98 million users’ login names and passwords from the Russian ‘Rambler.ru’ email service (the equivalent of Yahoo, offering email, news and content), dating from 2012, has just been posted online for sale, with copies of the list offered at one bitcoin (£456).

Notice of the leak was first flagged in 2014 and Rambler forced users to change passwords and embargoed any previously used ones. However, the cyber attack revealed by LeakedSource, which was verified with the help of Russian journalists, showed a complete lack of encryption or hashing. Instead the data was just listed in plain text.

Analysis of the long list of passwords showed that the character sequence “asdasd” was the most popular string, used by more than 723,000 people, followed by “asdasd123”. This current revelation follows June’s public disclosure of another major breach, in which the details of more than 100 million users of the Russian VK.com service were shared online.

We have often talked about an organisation’s ‘crown jewels’ being its data, and safeguarding your data and that of your customers is a hugely important responsibility. There is also no ‘one size fits all’ remedy, as what may be appropriate security measures for one organisation will be different for another.

However, companies can focus their strategy by adopting a risk-based approach to deciding what level of security is required and where, and by asking pertinent security questions of any third-party contractors and suppliers used.

The ISO 27001 Information Security Management System (ISMS) provides a risk-based approach to data security. When rolled out through an organisation it can push down through the supply chain to raise standards with third-party contractors and suppliers. Whilst no organisation can be guaranteed to remain 100% free from threat 24×7, any company, large or small, that creates a robust and regularly monitored cyber security posture will be better prepared to fend off a breach, or to respond quickly and effectively through regularly tested policy. What this means for the firm’s customers and stakeholders is higher levels of assurance, as well as enabling you to meet growing legal and regulatory data protection obligations.

Microsoft announces launch of new UK datacentres


Microsoft has announced the launch of new data centres in London, Durham and Cardiff amid mounting commercial concerns about the growing need to ring-fence where data resides in Europe.

Back in June 2015, we blogged about the EU’s frustration around the multiple inter-country legislative barriers which were stifling off-premise cloud technologies due to disparate data protection laws. The EC’s Head of Software, Services & Cloud Computing, Pearse O’Donohue, spoke then of the desire to create a centralised EC Digital Single Market. Post Brexit, and with Article 50 not yet triggered, the UK can with this news demonstrate that it remains in demand, being able to attract such heavyweight attention and become an important datacentre hub this side of the Pond. The news is also a fillip for Microsoft as it steals a march on its main rival AWS, which is due to open its UK datacentres early in 2017.

Microsoft commented: “Built on Microsoft’s Trusted Cloud principles of security, privacy, compliance, transparency and availability, this creates new opportunities for innovation, with the intent to spark local economic growth for Microsoft UK’s 25,000-plus partners and support local technology advancement”.

There will no doubt be further rationalisation and stitching of new laws around UK data; however, this news will create confidence for UK organisations and businesses in meeting regulatory obligations, as well as creating greater productivity opportunities with Microsoft’s products. Whether this will be backed up by positive, joined-up thinking and innovation with our EU counterparts when it comes to the negotiating table is one crystal ball too far at present. However, in this increasingly digital age for consumers and business alike, it would be of benefit to everyone if sovereignty and neighbourliness could share the stage as we seek to look after our customers and citizens.

“The investment by Microsoft shows their continued commitment to the UK Economy and may encourage a post Brexit UK Data Protection Act that is essentially a nationalisation of the General Data Protection Regulation. With significant support from the Ministry of Defence and the NHS I am certain the UK datacentres will prove very popular. With our years of proven history working in regulated sectors and our long standing relationship with Microsoft, Amicus ITS is ideally placed to assist existing and new customers migrating to Microsoft Cloud.” JP Norman, Director of Technology, Security & Governance, Amicus ITS.

Cyber attacks and airline DR fiasco create rude wake up call signalling the end of Summer 2016


Two cyber attacks and a Disaster Recovery nightmare for a major international airline have caught our eye in recent weeks, reflecting the urgent need for businesses to pay attention to the smaller details as well as to what lies in front of them.

Firstly, the matter of the Delta Air Lines DR fiasco in early August 2016. What started as a small fire and power outage created a painful chain reaction, leading to 2,000 flight cancellations, millions of dollars of lost income and significant reputational damage. At the technical heart of the story, 300 of the airline’s 7,000 servers were not connected to the backup power system. Remarkably, despite spending “hundreds of millions of dollars in technology infrastructure upgrades and systems, including backup systems”, Delta CEO Ed Bastian advised they were not aware of the vulnerability. Huge comfort for Delta customers. From a backup point of view, this omission is a basic error which betrays a lack of preparedness by Delta in business continuity and disaster recovery planning and testing. Gartner’s data centre recovery and continuity analyst Mark Jaggers commented: “A lot of people do disaster recovery testing around moving a workload between different sites, but once they have done that, do they go back and look for defects in the design of the systems that are there? I don’t know that many companies are doing that sort of testing after the fact or as part of a disaster recovery test”. Added to this, the complexity of IT environments creates intricate interdependencies, and it only takes one fault or human error to trip up.

Secondly, mid August produced the news that FTSE 100 accounting software firm Sage had suffered a data breach following unauthorised access using an internal login. Whilst it is unknown whether the source was internal or external, the result was the exposure of personal details and bank account information relating to around 300 UK companies. The cost: Sage’s share price tumbled in the early days by 4.3%. The remedy: due diligence around the access privileges granted to logins if an internal attack, or more complex credentials across the different sites and systems used if a ‘reluctant insider’ (i.e. a user whose individual username and password(s) have been breached unwittingly).

Finally, the end of August 2016 drove a chill through the spine of the cloud storage market with news of the true extent of a breach by hackers believed to have originated in 2012, in which the account details of over 60 million Dropbox users were reported stolen. Dropbox’s remedy of forced password resets has now completed. However, whilst the data dump did not appear to be listed in the main dark web marketplace where such data would be traded, reports are being made that the data is already in the possession of third parties. The remedy: secure, complex passwords which are changed regularly.

Assurance derives from MSPs with connected thinking on data security services. Amicus ITS MD, Steve Jackson commented: “Organisations should review their mission critical business areas and processes to ensure they have up to date and tested security policies, procedures, staff education and strategy. Annexing cyber security services like Foxcatcher™ and Amicus Viper™ with our Data Backup & Replication service and an analytics driven approach, creates Cyber DRaaS. This will be the future direction for companies to consider and a service which we are currently developing”. Failure to take such positive steps means that companies which might have sought to rely on remediation and recovery alone will realise that the fallout, in lost capital value from loss of brand confidence and trust, plus financial penalty, is just too heavy a burden.

Blog – Safe Harbour 2.0 Gets The Greenlight


The next major raft of data legislation kicked into effect on 12th July 2016, with the European Commission’s official adoption of the EU-US Privacy Shield framework. These measures will ensure the protection of EU citizens’ data in its transfer to the United States.

“We have approved the new EU-US Privacy Shield today. It will protect the personal data of our people and provide clarity for businesses,” said Andrus Ansip, the EC’s Digital Single Market VP.

“We have worked hard with all our partners in Europe and in the US to get this deal right and to have it done as soon as possible. Data flows between our two continents are essential to our society and economy – we now have a robust framework ensuring these transfers take place in the best and safest conditions”.

Known as Safe Harbour 2.0, this agreement will help firms to move personal data to either side of the Pond without breaking strict EU data transfer rules. After many re-drafts, the EC believes the new framework is now robust enough to protect the data of European citizens.

Obligations and compliance overseer
The US Department of Commerce will be the body responsible for checking that the companies which have signed up to the framework are duly following the rules. Failure to do so will result in them facing sanctions and being struck off the list. Additionally, the same levels of protection will apply to any personal data that is forwarded to third parties.

Safeguards and transparency around US government access
The EU has been assured that public authorities’ access for law enforcement and national security purposes remains subject to clear limitations, safeguards and oversight mechanisms. The US will not be allowed to undertake indiscriminate mass surveillance of the personal data of EU citizens, and every EU citizen will forthwith benefit from redress mechanisms.

Individual rights redress
Under Safe Harbour 2.0, any citizen who considers that their data has been misused will be able to refer to a number of accessible and affordable dispute resolution schemes. Ideally, the complaint will be resolved by the company directly in the first instance; otherwise free-of-charge Alternative Dispute Resolution (ADR) solutions will be offered.

EU US annual joint review
The Privacy Shield scheme will be jointly reviewed each year by the European Commission and the US Department of Commerce. National intelligence experts from the US and the European Data Protection Authorities will collaborate to assess all sources of information available and issue a public report to the European Parliament and the Council.

So where does this leave the rights of UK citizens post Brexit?
We need to remember that until Article 50 is signed UK citizens are still EU citizens, and therefore we all benefit from these changes. In point of fact the General Data Protection Regulation (GDPR), which comes into effect in May 2018, will become law in the UK as we will still be part of the EU. Additionally, the Information Commissioner’s Office (ICO) has already stated that any re-draft of the UK Data Protection Act would have to take into account both the GDPR and Safe Harbour 2.0.

The changes we have seen so far, and the adoption of a single European Data Protection Law, lead me to consider the question: would a Global Data Protection or Global Data Transfer Regulation, much like the International Standards, help safeguard every citizen?

Law firms face increasing cyber attacks in 2016


The start of Summer 2016 has seen a sizeable increase in recorded attacks on legal firms in Ireland, as reported by RTE news on 5th June 2016. Over a dozen firms have recently suffered ransomware attacks.

Why is the legal sector a prime target?
The legal sector is a prime target for cyber criminals firstly because of the sensitivity and volume of private client data held on their computer systems, and secondly because of the large sums of money held by solicitors in their client accounts on a daily basis.

What are common ways for ransomware attacks to take place?
Computer systems can be compromised by ransomware either through email or through a web browser. A user might open what to them looked like an innocuous email attachment which, once opened, immediately encrypts files across their entire network. The message (which can be remarkably polite) then warns that immediate payment is required by a given deadline, or the files will be destroyed. Victims will often see a timer ratchet as well, whereby any delay in settlement increases the sum demanded. The warning is stark and often along the lines of: “Any attempt to damage or remove this software will lead to the immediate destruction of the private key to your server.”

What kind of sums are involved in ransomware attacks?
Sums can range from a few hundred to many thousands of pounds. In this particular spate of attacks, the Irish legal firms had received ransom demands of between 5,000 and 30,000 Euros from the criminals to unlock their computers.

One solicitor wishing to stay anonymous commented: “The accounts system was in jeopardy, which we would be accountable for a closing balance of €4-5m every day to clients. Trying to identify 2,500 clients whose money was actually in the account to the very cent was never going to be achievable going forwards”.

The general advice for all organisations would be:

• To regularly review your data security policies and procedures (and ensure they are up to date and fit for purpose, reflecting the current threat landscape)
• To regularly back up your data to mitigate any losses
• To act expediently and deal with the issue
• To deploy up-to-date antivirus software
• To have effective web filtering
• To utilise up-to-date firewalls
• To educate staff to heighten everyone’s awareness about cyber security – what different attacks look like – and, importantly, what their process and actions should be should they receive something they believe to be a cyber threat

This news comes on the heels of the annual risk management survey by Legal Business and Marsh, which found that “IT security breach / data management accident or breach” was the highest risk to law firms both in terms of the damage it could cause and the likelihood of it occurring.

For regulated industries especially, the demand for effective and contemporary security systems and knowledgeable management teams will serve as a significant reassurance to their customers. Amicus ITS provides specific Security as a Service offerings to protect against cyber attack. These include ‘Foxcatcher’ and ‘Amicus Viper’. Anyone wishing to discuss any cyber security issues in confidence can ring the security team on 02380 429429.