Archive for Data Security

£15K Fine For Ignoring Data Access Requests

SCL Elections, the parent company of the now defunct Cambridge Analytica which was famously involved in the Facebook profile harvesting scandal, has been fined £15,000 for failing to respond to a data access request from a US citizen, and for ignoring an enforcement notice by the UK’s Information Commissioner’s Office (ICO).

Data Protection Act

The fine was imposed for a breach of the Data Protection Act 1998, which was the law in force when the request was originally made in 2017.  GDPR, which came into force on 25th May 2018 (replacing the Data Protection Directive), now governs the data protection rights of people in the EU regardless of their nationality.

The person who made the data request in this case, however, was US citizen Professor David Carroll, and SCL Elections wrongly believed that because he was not a UK citizen, he had no more right to request access to data “than a member of the Taliban sitting in a cave in Afghanistan”.

What Happened?

Professor David Carroll, who was based in New York when he made his original request in May 2017 under the UK Data Protection Act, asked SCL Elections’ Cambridge Analytica branch in the UK to provide all the data it had gathered on him. Under that law, SCL Elections should have responded within 40 days with a copy of the data, the source of the data, and a statement of whether the organisation had given, or intended to give, the data to others.

Professor Carroll, a Democrat, was reported to have been interested from an academic perspective in the practice of political ad targeting in elections and believed that he may have been targeted with messages that criticised Secretary Hillary Clinton with falsified or exaggerated information that may have negatively affected his sentiment about her candidacy.

Sent Basic Information On A Spreadsheet

Some weeks after Professor Carroll’s subject access request in early 2017, SCL Elections sent him a spreadsheet of basic information that it held about him.

However, that information contained accurate predictions of Professor Carroll’s views on some issues and had scored him 9 out of 10 on what it called a “traditional social and moral values importance rank”.

Wanted To Know How

This prompted Professor Carroll to submit a second request to SCL Elections, this time to find out what that ranking meant and what it was based on, and where the data about him came from. This second request was ignored by SCL.

The CEO of Cambridge Analytica at the time, Alexander Nix, told a UK parliamentary committee that his company would not provide American citizens, like David Carroll, all the data it holds on them, or tell them where the data came from, and Nix (mistakenly) said that there was no legislation in the US that allowed individuals to make such a request.

ICO Involved

The ICO then became involved with the UK’s Information Commissioner, Elizabeth Denham, sending a letter to SCL Elections (Cambridge Analytica) asking where the data on Professor Carroll came from, and what had been done with it.  A section 40 enforcement notice was also issued in May 2018 to SCL Elections, thereby making it a criminal matter if they failed to comply by responding to the request and by providing the full records as requested by Carroll. No records were forthcoming, which resulted in the recent prosecution, the first against Cambridge Analytica.

During the case at Hendon Magistrates Court, it was revealed that SCL Elections had a turnover of £25.1m and profits of £2.3m in 2016.  The judge fined SCL Elections £15,000 for failing to comply with the section 40 enforcement notice from the ICO and ordered the company (whose affairs are being handled by administrators, Crowe UK) to pay a contribution of £6,000 to the ICO’s legal costs, and a victim surcharge of £170.

Some Mitigating Circumstances

Although Counsel for SCL Elections’ administrators acknowledged that SCL elections had failed to respond to the section 40 enforcement notice, they did highlight some mitigating circumstances, such as the company’s computer servers being seized by the ICO following a raid on the SCL Elections premises in March 2018.

What Does This Mean For Your Business?

This case shows that ignorance of data protection law is not a defence and that businesses and organisations need to protect their customers, stakeholders, and themselves by making sure that they fully understand and comply with data protection laws. This is particularly relevant in the UK since the introduction of GDPR.

As pointed out by Information Commissioner Elizabeth Denham in this case, companies and organisations that handle personal data need to respect people’s legal privacy rights and to understand that wherever a person lives in the world, if their data is being processed by a UK company, UK data protection laws apply. This case has also highlighted the fact that where there is no compliance with the law, and where ICO enforcement notices are ignored, action will be taken that could be very costly to the subject of that action.

Reddit Locks Out Users Over Security Concerns

Online community Reddit shut some users out of their accounts and forced password resets due to “unusual activity” which may have been a ‘credential stuffing’ attempt by hackers.

Reddit

California-based Reddit, founded in 2005, is a kind of social network / online community.  Reddit, which is the fifth most popular site in the United States (Alexa figures), is split into over a million communities called “subreddits”, each one covering a different topic.  Registered members submit content to the site, and that content is voted up and down by other members.

What Happened With The Lockdown?

According to Reddit’s own reports, a large group of accounts had to be locked down due to a security concern which took the form of account activity that resembled someone using very simple passwords or the reuse of credentials across multiple websites or services – in other words, a credential-stuffing attempt.

Reddit admin “u/Sporkicide” reported that it appeared likely that a list of usernames and passwords, possibly taken from another compromised site, was being tried against other popular sites, including Reddit, to see which of them still worked, i.e. where a user had used the same username and password on multiple websites.
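The pattern described above has a recognisable shape in a login log: one source tries many different accounts, roughly once each, and most attempts fail, whereas a brute-force attempt hammers one account many times. The following is an added example (not Reddit’s code) that classifies sources from constructed auth-log lines; the log format “timestamp ip username result” is an assumption about a generic application log, and the thresholds are illustrative starting points to tune against your own traffic.

```python
"""Added example: flag credential-stuffing patterns in web login logs.

The log lines below are constructed for this example (not real Reddit data);
the format "ts ip username result" is an assumption about a generic auth log.
"""
from collections import defaultdict

SAMPLE_LOG = """\
2019-01-09T10:00:01Z 203.0.113.7 alice FAIL
2019-01-09T10:00:01Z 203.0.113.7 bob FAIL
2019-01-09T10:00:02Z 203.0.113.7 carol FAIL
2019-01-09T10:00:02Z 203.0.113.7 dave OK
2019-01-09T10:00:03Z 203.0.113.7 erin FAIL
2019-01-09T10:00:03Z 203.0.113.7 frank FAIL
2019-01-09T10:00:04Z 203.0.113.7 grace FAIL
2019-01-09T10:00:04Z 203.0.113.7 heidi OK
2019-01-09T10:00:10Z 198.51.100.5 mallory FAIL
2019-01-09T10:00:11Z 198.51.100.5 mallory FAIL
2019-01-09T10:00:12Z 198.51.100.5 mallory FAIL
2019-01-09T10:00:13Z 198.51.100.5 mallory FAIL
2019-01-09T10:00:14Z 198.51.100.5 mallory FAIL
2019-01-09T10:00:15Z 198.51.100.5 mallory FAIL
2019-01-09T10:00:20Z 192.0.2.9 ivan FAIL
2019-01-09T10:00:25Z 192.0.2.9 ivan OK
"""


def parse(log_text):
    """Return a list of (timestamp, ip, username, success) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((ts, ip, user, result == "OK"))
    return events


def classify_sources(events, min_attempts=5, stuffing_user_ratio=0.8,
                     max_success_ratio=0.5):
    """Return {ip: label}, label in {'credential_stuffing', 'brute_force', 'normal'}.

    Stuffing: many attempts, almost every one against a different account,
    mostly failing (a leaked list only partly overlaps with this site's users).
    Brute force: many attempts concentrated on one or very few accounts.
    """
    per_ip = defaultdict(list)
    for _, ip, user, ok in events:
        per_ip[ip].append((user, ok))
    labels = {}
    for ip, attempts in per_ip.items():
        n = len(attempts)
        if n < min_attempts:
            labels[ip] = "normal"
            continue
        distinct_users = len({u for u, _ in attempts})
        success_ratio = sum(ok for _, ok in attempts) / n
        if distinct_users / n >= stuffing_user_ratio and success_ratio <= max_success_ratio:
            labels[ip] = "credential_stuffing"
        elif distinct_users <= max(1, n // 5):
            labels[ip] = "brute_force"
        else:
            labels[ip] = "normal"
    return labels


def compromised_accounts(events, labels):
    """Accounts that logged in successfully from a source flagged as stuffing.

    These are the accounts whose credentials were evidently reused elsewhere,
    i.e. the ones to lock and force through a password reset.
    """
    return sorted({user for _, ip, user, ok in events
                   if ok and labels.get(ip) == "credential_stuffing"})


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    lbl = classify_sources(evs)
    print(lbl)
    print(compromised_accounts(evs, lbl))
```

The success ratio matters: a stuffing run that hits several valid accounts is exactly the case where a forced reset of those accounts (rather than just blocking the source IP) is the right response, since the attacker already holds working credentials for them.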

Reddit advised that users with locked accounts would be able to reset their passwords and thereby unlock and restore their accounts. Reddit said that the notification to do so would arrive as a message to the account (affected users could still log in to read it) and/or as an email reply to any support ticket raised by affected users.

Not The First Time

Back in August 2018 Reddit reported that between 14th and 18th June 2018, an attacker compromised some employee accounts through the company’s cloud and source code hosting providers and was able to access some user data, including email addresses and a complete 2007 database backup containing old passwords and early Reddit user data from the site’s launch in 2005 through May 2007.

Advice

As well as announcing that it was conducting a “painstaking investigation” of the incident, Reddit advised users to choose strong passwords that are unique to Reddit, to keep the email address on their account up to date so that automated password resets work, and to add two-factor authentication to their accounts to make them more secure.

What Does This Mean For Your Business?

This story highlights the importance of not using the same username and password across many websites.  The danger is that, if hackers can steal login credentials in a hack on one website, they or other attackers who have purchased / acquired the stolen data may well try to use that login data on many other popular websites to try and gain access.

Also, where other security measures such as two-factor authentication are available, it is worth using it as an extra obstacle to the kind of simple, opportunistic credential-stuffing attempts that are all-too-frequent.

Businesses / organisations should encourage users to choose login details that are unique to their website, give visual guidance on password strength at sign-up, and enforce a sensible minimum length.  Composition rules (a capital letter, numbers, special characters) add a little, but they do not stop a user re-using a password that already satisfies them on another site; checking a new password against a list of known-breached passwords, and offering two-factor authentication, do more to stop a stolen credential list from working.

Windows 7 Activation Errors A Coincidence Says Microsoft

Just after the January update on 8th January, Windows 7 users began to experience activation errors, but Microsoft put the issues down to coincidence, despite admitting that it had reverted changes made to activation servers in the update in order to fix the problem.

What Is An Activation Error?

Windows Activation Technologies are used by Microsoft to help confirm that the copy of Windows 7 a user is running is genuine.  The product key is a 25-character code found on the Certificate of Authenticity label or on the proof of licence label, and validation is the online process through which a copy of Windows 7 is checked to confirm that it has been activated correctly and is genuine.

An activation error, therefore, is when a user’s system wrongly notifies them that their copy of Windows is not genuine.

Which Update?

On 8th January, there was a monthly ‘Rollup’ security update for Windows 7 Service Pack 1, and Windows Server 2008 R2 Service Pack 1.  The update was designed to improve and fix certain issues with Windows 7 e.g. fixing a vulnerability known as ‘Speculative Store Bypass’, and adding security updates to Windows Kernel, Windows Storage and Filesystems, Windows Wireless Networking, and the Microsoft JET Database Engine.

Coincidence?

According to Microsoft, the fact that users received “Windows is not genuine” and “Your computer might be running a counterfeit copy of Windows” notifications at the same time as the January updates (KB4480960 and KB4480970) were introduced was simply a coincidence. Despite describing it as such, Microsoft listed the problem in the table of “known issues in this update” on its support pages.

Reverted The Change

Microsoft announced on 9th January that it had fixed the issue by reverting the change that was made to the Microsoft Activation and Validation servers.

What Does This Mean For Your Business?

For many Windows 7 users, the change meant a day of disruption on the Tuesday of the first full week back after the Christmas and New Year break.  For many of these users, however, this appears to be one more in a long line of incidents, nudges and pointers that look like they’re designed to encourage them to finally make the switch to Windows 10 and its Windows as a Service model. Microsoft ended its mainstream support for Windows 7 on January 13th, 2015, and extended support will only continue until January 14th, 2020, after which time Microsoft says on its website that users can “keep the good times rolling by moving to Windows 10”.

Contactless Card Fraud Has Doubled

The UK’s fraud reporting service, Action Fraud, has reported that contactless card fraud doubled in 2018 to £1.8m stolen compared with £711,000 in 2017.

Average Theft Amount Increased

The latest Action Fraud figures have also revealed that the average theft through contactless fraud rose to £657 in 2018, compared with £493 in 2017.

Back in February 2017, figures from UK Finance showed that contactless card fraud had already overtaken cheque fraud, prompting finance experts to warn banks against raising the £30 limit for payments, to avoid incentivising more criminals to steal them.

Contactless Technology

Contactless cards incorporate a chip that a payment terminal can read quickly and easily without direct contact, meaning that entering a PIN is not necessary for small payments and transactions are faster.

How Can Hundreds Be Stolen? I Thought It Was Only Up To £30?

Current rules mean that only payments of up to £30 can be made using contactless technology, and as such, many of the contactless thefts have involved the thieves taking multiple small amounts using the same card so that users don’t notice immediately.

Why The Doubling of Contactless Card Fraud?

Many commentators believe that the simple fact that contactless is overtaking chip and PIN as the most popular way of paying for goods and services now, and that a PIN is not required to use a stolen card are the main reasons why contactless card fraud levels have soared.

Worldpay figures, for example, show that more card payments were made using contactless technology than chip and PIN in the UK over the year from June 2017 to June 2018, and that after increasing by 30% on the previous year, contactless payments are now the most used card payments in shops.  Yolt figures show that 76% of Britons have used contactless payments, and 40% make half or more of their card payments using contactless.

Secure?

UK Finance, the body which represents many banks, is quick to point out that no contactless fraud has been recorded on cards still in the possession of the original owner, that contactless cards have robust security features built in, and that customers are fully protected against any losses from contactless card fraud.  Even so, the Action Fraud figures still appear to show a security problem.

This problem has not gone unnoticed by consumers.  For example, even though many of us are now used to having and using contactless technology, MoneySuperMarket research from as recently as last September showed that 55% of those surveyed had concerns about the security of tap-and-go technology.

What Does This Mean For Your Business?

For businesses, contactless payments offer the chance to reduce the cost and hassle of having to handle cash, cut queues, increase the speed and hopefully the frequency of transactions (increase footfall), increase average transaction values (ATV), provide a clear audit trail and assured payment, and even (for some types of businesses) the chance to change to better business models e.g. card / contactless only cafes and bars in cities.  For customers, contactless offers a better, more convenient and faster retail experience for the majority of their purchases (£30 and under), which in turn has a positive rub-off value for retailers.

The prevailing trend in developed countries is a move away from cash to cards, and particularly contactless. For example, UK Finance projects that in Britain cash will be used in just one-fifth of all sales by 2026, and Paymentsense has reported the removal of 4,735 cash machines in the last year.

Even though customers may be protected (i.e. reimbursed later) if their card is stolen and used by fraudsters, it is still an unpleasant experience to have money removed from their account; it can cause financial hardship in the short term, affect their ability to pay important bills, and have a negative impact on their credit rating.  The Action Fraud figures appear to show, therefore, that there is a growing problem with contactless card fraud that banks are not yet fully tackling.

Warning – TV Licensing Scam Operating

Action Fraud, the UK’s Cybercrime reporting centre, has warned that fake TV licence payment scam emails have generated 5,247 complaints between 1st October and the end of December, with 1,983 complaints in December alone.

What Emails?

According to Action Fraud, the highly convincing scam involves sending people emails that use headlines such as “correct your licensing information” or “your TV licence expires today”.  In some cases, the email title and contents suggest that the recipient is eligible for a TV Licensing refund.  On opening the email, recipients are encouraged to click on a link to a fake version of the TV Licensing website.

When the victim visits the fake site, they are asked for their personal payment details – account number, sort code, and card verification value (CVV) code.

There have also been reports that victims who have submitted personal details to the fraudsters via the website are contacted a week or two later by the fraudsters who claim to be from the fraud department of the victim’s bank, claim that the victim’s bank account has been compromised, and ask the victim to transfer their money to a new, so-called ‘safe account’.

Some media reports put the amount of cash stolen by fraudsters using this scam in the region of £230,000+.

Official TV Licensing Never Email Customers Unprompted

The spate of fraudulent emails has prompted the real TV Licensing authority to confirm that they never email customers unprompted to ask for personal or payment details or to inform customers of eligibility to any refunds.

Real Glitch Last Year

Some of us may remember that a real security risk involving the genuine TV Licensing website was identified back in September 2018 when an infosec blogger noticed that Google Chrome was flagging the TV Licensing website as insecure.  The blogger estimated that as many as 130,000 people may have been affected.  TV Licensing then notified customers who accessed its website between 29th August and 5th September 2018 that their personal details may have been stolen, but maintained that there was a very small risk of the information having been accessed.

What Does This Mean For Your Business?

This latest scam is one of many convincing scams that use phishing to steal payment details and other personal information. Phishing is one of the most popular cybercrime methods.

Action Fraud advice for avoiding falling victim to this scam includes:

  • Check the sender’s email address – does it look like one TV Licensing would use?
  • Check the subject line and treat any requests such as “action required” or “security alert” with suspicion.
  • Check the Spelling and grammar, as grammatical errors are often signs of scam emails.
  • Look at the style of the emails.  If it appears too familiar or casual, this could be a sign that it is a scam.
  • Check where the link goes – is it the official TV Licensing website?  It is worth remembering that the official TV Licensing authority never emails customers unprompted to ask for personal or payment details.
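The link and sender checks in that list can be automated for a mailbox or a triage queue. The following is an added example, not Action Fraud’s or TV Licensing’s code, that parses a constructed phishing email and reports the same red flags: a sender domain that is not the genuine one, pressure wording in the subject, a link whose host is not the official domain, and link text that displays one URL while the href points somewhere else. The genuine domain tvlicensing.co.uk is an assumption made here for illustration; confirm it against the official site rather than trusting the constant.

```python
"""Added example: triage a suspected TV Licensing phishing email.

The message below is constructed for this example. LEGIT_DOMAINS is an
assumption about the genuine TV Licensing domain; verify it independently.
"""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

LEGIT_DOMAINS = {"tvlicensing.co.uk"}  # assumption, see lead-in

PRESSURE_WORDS = ("action required", "expires today", "security alert", "refund")

SAMPLE_EML = """\
From: "TV Licensing" <refunds@tvlicensing-support.example>
To: victim@example.org
Subject: Your TV licence expires today - action required
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Customer, your TV Licence could not be automatically renewed.</p>
<p><a href="http://tvlicensing.co.uk.payment-update.example/refund">
https://www.tvlicensing.co.uk/</a></p>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_is_legit(host):
    """True only for the legitimate domain or a subdomain of it.

    A lookalike such as tvlicensing.co.uk.evil.example fails this check because
    the legitimate name is a prefix there, not the registrable suffix.
    """
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def sender_domain(msg):
    _, addr = parseaddr(str(msg["From"]))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw):
    """Return a list of human-readable findings; an empty list means no red flags."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    dom = sender_domain(msg)
    if not host_is_legit(dom):
        findings.append(f"sender domain {dom} is not a TV Licensing domain")
    subject = str(msg["Subject"] or "")
    if any(word in subject.lower() for word in PRESSURE_WORDS):
        findings.append(f"pressure wording in subject: {subject!r}")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        parser = LinkExtractor()
        parser.feed(body.get_content())
        for href, text in parser.links:
            href_host = urlparse(href).hostname
            if not host_is_legit(href_host):
                findings.append(f"link points to non-TV-Licensing host {href_host}")
            text_host = (urlparse(text).hostname
                         if text.startswith(("http://", "https://")) else None)
            if text_host and text_host != href_host:
                findings.append(f"link text shows {text_host} but href goes to {href_host}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EML):
        print("-", finding)
```

The suffix check in host_is_legit is the important detail: scammers put the genuine brand at the front of a long hostname precisely because a glance at the start of the URL looks right, so the comparison has to be against the end of the host, not the beginning.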

If you think that you may have fallen victim to this scam, the advice is to report it to Action Fraud by calling 0300 123 2040 or report it through the website here: https://www.actionfraud.police.uk/report-phishing.

Ways to help protect your company against the threat of phishing attacks include education and training of staff to help them spot and deal with phishing, and using phishing attack simulator tools (such as ‘Attack Simulator’ in Office 365) to help sharpen your organisation’s defences.

Concerns Over Huawei and ZTE Equipment and Software

A statement from the Czech National Cyber and Information Security Agency (NCISA) has warned network operators that using software or hardware made by Chinese telecom equipment suppliers Huawei and ZTE could represent a security threat.

Why?

Huawei, which is the world’s biggest producer of telecoms equipment, is based in China, and according to the NCISA, private companies based in China are required by law to cooperate with the intelligence services.  This could mean that the products and services of those companies could, in theory, become part of the Chinese state security apparatus, e.g. Huawei and ZTE equipment could be used for spying on behalf of China.

Global Suspicion & Action

According to the Wall Street Journal, espionage chiefs from Australia, Canada, New Zealand, the U.K. and the U.S. (the so-called ‘Five-Eyes’), agreed at a meeting in July this year to try to contain the global growth of Chinese telecom Huawei because of the threat that it could be spying for China.

The US, Australia and New Zealand have barred Huawei Technologies Ltd. as a supplier for fifth-generation networks, and Japan also looks set to ban government purchases of equipment from Huawei and ZTE.

The U.S. government is also reported to have been putting pressure on Deutsche Telekom, the majority owner of T-Mobile US, to stop using Huawei equipment, although the head of Germany’s Federal Office for Information Security (BSI) Arne Schoenbohm is reported to have told German news outlet Der Spiegel that proof is required to substantiate the accusations.

Detained

Meng Wanzhou, the chief financial officer of Huawei, was recently detained in Vancouver at the request of U.S. authorities on allegations of violating US sanctions on Iran. The arrest of Meng Wanzhou happened on the same night that President Trump was dining with Chinese President Xi Jinping during the G20 summit in Argentina.  China’s state-run media, and some other commentators, have suggested that Meng’s detention appears to be politically or economically motivated.

Response

The response by a Huawei spokesperson to the NCISA warning has been to deny any suggestion that a national security threat is posed by Huawei to the Czech Republic, and to call for NCISA to provide proof of its claims.

What Does This Mean For Your Business?

If the ‘Five-Eyes’ are to be believed, Huawei’s products and network software could have backdoors built-in to them which could, in theory, allow covert surveillance or control, or destruction of phone networks (which are accessible via the internet).  The fear is that those acting for the Chinese state could gain access to the data stored / routed through Huawei devices, telecoms equipment and software, and could even, perhaps, monitor the conversations on mobile phones.

There does, however, appear to be a lack of clear proof for the allegations, and bearing in mind that Huawei is the world’s biggest producer of telecoms equipment, that its products are popular (this year it overtook Apple in terms of the number of handsets it was shipping worldwide) and that UK stores are still stocking and selling its handsets, the warnings of various governments look unlikely to be heeded for now.  It is worth noting that BT uses Huawei systems as part of its network, but is now removing Huawei systems from the core of the mobile network EE, which it purchased in 2016.

The advice as part of the recent Czech warning is that system administrators in critical information infrastructure should take ‘adequate measures’ against the threat.  This advice appears a little vague, and until conclusive proof can be produced, many people and businesses will feel that they can decide for themselves what, if any, action to take.

London Police Facial Recognition Trial

It has been reported that the police are conducting a trial of a facial recognition system in Soho, Piccadilly Circus and Leicester Square over two days in the run-up to Christmas in a bid to identify people among the Christmas shoppers who are wanted by the police or the courts.

Overt

Far from being used secretly, the Metropolitan Police are reported to be publicly announcing the use of the system using knee-height signs on pavements leading up to the surveillance areas, along with A4 posters on lamp posts and leaflets handed-out to members of the public by uniformed officers.

The actual surveillance using the facial recognition link-up to the police database of wanted offenders is reported to have been carried out (on Monday and Tuesday) from a green van with cameras mounted on the top. It has also been reported that for this London trial of facial recognition, the Metropolitan Police will have been studying the crowds for 8 hours per day over the two-day period, and have been specifically using a target list of 1,600 wanted people in the hope that crime and violence can be more effectively tackled.

Criticism

Criticism from privacy and freedom campaigners such as Big Brother Watch and Liberty has focused on mixed messages from police about how those who turn away from the van because they don’t want to be scanned will be treated.  For example, it has been claimed that some officers have said that this will be treated as a trigger for suspicion, whereas a Metropolitan Police press release has stated that those who decline to be scanned (as is their right) during the deployment will not be viewed as suspicious by police officers.

Concern has also been expressed by Big Brother Watch that, although the police may believe that the deployment of the system is overt and well publicised, the already prevalent signs and advertisements in the busy central London areas where it is being deployed could mean that people may not notice, thereby allowing the police to blur the line between overt and covert policing.  It has also been pointed-out by privacy groups that the deployment involves an unmarked van and plainclothes officers, which are normally associated with covert activity.

Doesn’t Work?

Big Brother Watch and Liberty are currently taking legal action against the use of live facial recognition in South Wales (the site of previous trials) and London, and ICO head Elizabeth Denham is reported to have launched a formal investigation into how police forces use facial recognition technology (FRT) after high failure rates, misidentifications and worries about legality, bias, and privacy.

Serious questions have been raised about how effective current facial recognition systems are.  For example, research by Cardiff University, which examined the use of the technology across a number of sporting and entertainment events in Cardiff over more than a year, including the UEFA Champions League Final and the Autumn Rugby Internationals, found that for 68% of submissions made by police officers in Identify mode, the image quality was too low for the system to work. The research also found that the Locate mode of the FRT system failed to correctly identify a person of interest 76% of the time.

Google Not Convinced

Even Google (Cloud) has announced recently that it won’t be selling general-purpose AI-driven facial recognition technology until it is sure that any concerns over data protection and privacy have been addressed in law, and that the software is accurate.

Fooled With A Printed 3D Head!

The vulnerability of facial recognition software to errors and inaccuracy has been further exposed by a journalist, Thomas Brewster, from Forbes, who claimed that he was able to fool the facial recognition on four Android phones by using a model 3D head with his own face printed on it!

What Does This Mean For Your Business?

For the retail businesses in the physical area of the trial, anything that may deter criminal activities like theft and violence and may also catch known criminals is likely to be a good thing.

Most businesses and members of the public would probably agree that CCTV systems have real value in helping to deter criminal activity, locating and catching perpetrators, and providing evidence for arrests and trials.  There are, however, several concerns, particularly among freedom and privacy groups, about just how facial recognition systems are being and will be used as part of policing, e.g. overt or covert use, issues of consent, possible wrongful arrest due to system inaccuracies, and the widening of the scope of its purpose beyond the police’s stated aims.  Issues of trust where our personal data is concerned are still a problem, as are worries about a ‘big brother’ situation for many people, although the police, in this case, have been clear that it is just a limited trial that has been conducted as overtly as possible, with the support of posters and leaflets to make sure the public is informed.

Smart Botnet Detection Needed

For businesses to maintain an effective cyber defence, the ability to prevent, detect and stop smart botnets in real-time is now an important consideration.

What Is A Botnet?

A botnet is a network of compromised computers and internet-connected devices (‘bots’), each infected with malware that lets an attacker control them together for different purposes, e.g. stealing data, launching attacks, or, in the case of DDoS attacks, knocking servers (and the websites on them) offline by flooding them with requests.  Botnets also consume the electricity and computing power of the devices they hijack.

How Big Is The Problem?

According to DDoS protection provider Link11, DDoS attacks (launched using botnets) on e-commerce providers showed an increase of more than 70% on Black Friday compared with other days in November this year, and Cyber Monday attacks showed a massive increase of 109% compared with the November average. Botnets have also shown a move towards the Internet of Things (IoT).

Last year saw a huge growth in the use of botnets.  For example, Spamhaus figures showed that the number of command and control (C&C) servers used for managing IoT botnets more than doubled, going from 393 in 2016 to 943 in 2017.

The increase in the use of botnets has been driven by factors such as the availability to cyber criminals of cheap, easy-to-operate rent-a-botnet (‘booter’ or ‘stresser’) services, and the proliferation of IoT devices with sub-standard security that can be recruited into attacks. Cyber criminals also use various amplification techniques to increase the impact of their attacks.

Characteristics Of Botnets

The characteristics of botnets and how they are made can provide the key to detecting them and preventing them. For example:

  • Some have a long ‘dwell time’ (the time the malicious program sits on a device before it is activated), and they need to communicate to work. Communication usually involves command and control (C&C) servers, so cutting the connection between bots and their C&C servers has been a way of stopping them.  Newer bots that use peer-to-peer networks for command and control have no single server to cut off and are harder to stop.
  • Botnets use processing power.  Suspicious processes that consume a lot of CPU time or memory, and devices that appear to slow down, can be indicators that a device has been compromised and a bot is awake and active.
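The need to communicate is what makes bots detectable on the network: a bot calling home on a timer produces connections to the same destination at near-constant intervals, which interactive browsing does not. The following is an added example (not from any vendor or report quoted above) that scores each source/destination pair in constructed connection records by the regularity of the gaps between connections. The record format “epoch src dst:port” is an assumption about a generic firewall or NetFlow export, and the thresholds are illustrative. It tolerates modest jitter, but a peer-to-peer bot with no fixed call-home destination would not show up this way.

```python
"""Added example: spot command-and-control beaconing in connection logs.

The flow records below are constructed; the format "epoch src dst:port" is an
assumption about a generic firewall/NetFlow export.
"""
from collections import defaultdict
from statistics import mean, pstdev

SAMPLE_FLOWS = """\
1546300800 10.0.0.5 198.51.100.20:443
1546300830 10.0.0.5 198.51.100.20:443
1546300861 10.0.0.5 198.51.100.20:443
1546300890 10.0.0.5 198.51.100.20:443
1546300920 10.0.0.5 198.51.100.20:443
1546300951 10.0.0.5 198.51.100.20:443
1546300980 10.0.0.5 198.51.100.20:443
1546301010 10.0.0.5 198.51.100.20:443
1546300805 10.0.0.7 203.0.113.80:443
1546300812 10.0.0.7 203.0.113.80:443
1546300900 10.0.0.7 203.0.113.80:443
1546300903 10.0.0.7 203.0.113.80:443
1546301200 10.0.0.7 203.0.113.80:443
1546301207 10.0.0.7 203.0.113.80:443
1546301500 10.0.0.7 203.0.113.80:443
1546301900 10.0.0.7 203.0.113.80:443
1546300800 10.0.0.9 192.0.2.44:8080
1546300860 10.0.0.9 192.0.2.44:8080
"""


def parse_flows(text):
    """Return a list of (timestamp, src, dst) tuples; timestamps are ints."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst = line.split()
            flows.append((int(ts), src, dst))
    return flows


def beacon_candidates(flows, min_connections=6, max_cv=0.2):
    """Flag (src, dst) pairs whose connection intervals are suspiciously regular.

    cv (coefficient of variation) = stdev / mean of the gaps between successive
    connections. Timer-driven check-ins give a low cv even with some jitter;
    interactive traffic gives a high one. min_connections guards against tiny
    samples (two connections always have a single gap and hence cv == 0).
    Returns (src, dst, mean_gap_seconds, cv) rows, most regular first.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in flows:
        by_pair[(src, dst)].append(ts)
    results = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()  # exports are not guaranteed to be in time order
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            results.append((src, dst, avg, cv))
    return sorted(results, key=lambda row: row[3])


if __name__ == "__main__":
    for src, dst, avg, cv in beacon_candidates(parse_flows(SAMPLE_FLOWS)):
        print(f"{src} -> {dst}: every {avg:.0f}s (cv={cv:.3f})")
```

In the sample, 10.0.0.5 connects to the same host every 30 seconds give or take one, while 10.0.0.7 talks to its destination in irregular bursts; only the first is reported. In practice the candidates list is a starting point for triage (check the destination’s reputation and the process that owns the socket), not a verdict, because legitimate software such as update checkers also beacons.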

Turned To Crypto-Mining

A recent security bulletin from Kaspersky Labs states that botnets are now increasingly being used to distribute illicit crypto-mining software, and that the number of unique users attacked by crypto-miners grew significantly in the first three months of 2018. The malware used for mining is designed to secretly reallocate an infected machine’s processing power to mine cryptocurrencies, with all the proceeds going to the attacker.

What Does This Mean For Your Business?

With cyber-crime, prevention is better than cure, and being able to detect signs of attacks early is vitally important. Security commentators suggest a focus on security measures that prevent initial infection and lock-down unnecessary trust permissions. Businesses may also benefit from using security technologies that can detect, alert or block botnet activity in real-time, and by continually analysing network traffic and local system logs.

Inspecting devices and checking for any suspicious processes that appear to be taking up a lot of CPU time or memory may also be a way to detect bots that have already slipped through the net and are active.

Google Chrome’s ‘Incognito’ Mode Not So Incognito

Research by Internet Privacy Company DuckDuckGo is reported to have produced evidence that could show that even in Incognito mode, users of Google Chrome can still be tracked, and searches are still personalised accordingly.

Incognito Mode

Going incognito (private browsing mode) in Google Chrome means launching a separate ‘Incognito’ browser window from the menu at the top right (the three stacked vertical dots icon) > New Incognito Window.  According to Google, in that window Chrome won’t save your browsing history, cookies and site data, or information entered in forms; any files you download and bookmarks you create will be kept; and your activity isn’t hidden from websites you visit, your employer or school, or your internet service provider.

The DuckDuckGo Research

In the DuckDuckGo research, several volunteers were given controversial topics, such as gun control, vaccinations and immigration, to search for using an Incognito browser window in Google Chrome. The searches were made both while logged in to their Google accounts with Incognito Mode activated and while logged out.

The Assumption

The assumption that many users may have is that being logged out of Google and using Incognito mode will keep searches totally private.

The Results

The reported results essentially showed that each person got different results.  This could indicate that Google is still able to personalise searches in Incognito mode, which could mean that Google still has some access to searches which the user may believe are private.

The results may be seen to support the fact that even when signed out, and using Incognito / private browsing mode, websites can use IP addresses and browser fingerprinting to identify people.
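To show why a private window does not stop the identification route mentioned above, here is an added example (written for this article, not DuckDuckGo’s or Google’s code). It reduces two constructed visits from the same machine, one in a normal window with a session cookie and one in an Incognito window with no cookies, to the attributes a website can see in any request (client IP, User-Agent, Accept-Language, screen size, time zone). The cookie identity disappears in Incognito mode, but the hash of those attributes is the same for both visits. All visit data are constructed.

```python
"""Why a private window does not hide you from fingerprinting.

Added example, not part of the article or any cited research: two
constructed visits from the same machine, one in a normal window with a
session cookie and one in an Incognito window with no cookies, are reduced
to the request-visible attributes a site can observe. A stable hash of
those attributes matches across both visits, while the cookie identity
does not survive the private window.
"""
import hashlib
import json

# Attributes a site can observe without any cookie (assumed list for the example)
FINGERPRINT_KEYS = ("client_ip", "user_agent", "accept_language", "screen", "timezone")

# Constructed visit from a normal browser window: carries a session cookie
NORMAL_VISIT = {
    "client_ip": "203.0.113.42",
    "user_agent": "Mozilla/5.0 (X11; Linux x86_64) Chrome/70.0.3538.110",
    "accept_language": "en-GB,en;q=0.9",
    "screen": "1920x1080x24",
    "timezone": "Europe/London",
    "cookies": {"SID": "constructed-session-id"},
}

# Same machine, Incognito window: identical request attributes, no cookies
INCOGNITO_VISIT = {**NORMAL_VISIT, "cookies": {}}

# A different device on a different network, also without cookies
OTHER_DEVICE_VISIT = {
    **NORMAL_VISIT,
    "client_ip": "198.51.100.9",
    "screen": "1366x768x24",
    "cookies": {},
}


def fingerprint(visit: dict) -> str:
    """Stable short hash over the cookie-free attributes of a visit."""
    stable = {key: visit[key] for key in FINGERPRINT_KEYS}
    encoded = json.dumps(stable, sort_keys=True).encode()
    return hashlib.sha256(encoded).hexdigest()[:16]


def cookie_identity(visit: dict):
    """The cookie-based identifier, or None when the visit carries none."""
    return visit["cookies"].get("SID")


def compare_visits(first: dict, second: dict) -> dict:
    """Report whether two visits can be linked by cookie and by fingerprint."""
    first_id = cookie_identity(first)
    return {
        "cookie_match": first_id is not None and first_id == cookie_identity(second),
        "fingerprint_match": fingerprint(first) == fingerprint(second),
    }


if __name__ == "__main__":
    print("normal vs incognito:   ", compare_visits(NORMAL_VISIT, INCOGNITO_VISIT))
    print("normal vs other device:", compare_visits(NORMAL_VISIT, OTHER_DEVICE_VISIT))
```

The point for users is in the second comparison: only changing the attributes themselves (a different network address, a different browser or device) breaks the link, whereas clearing cookies or opening a private window does not.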

Vanderbilt University Research In August

This latest DuckDuckGo research appears to support the findings of previous research from August by Vanderbilt University in Nashville (organised by Digital Content Next). This research found that if users sign into a website while using a private browsing window, the details of that login are still sent to Google, and Google could retroactively identify it from the username and other account data used during the session.  Also, the results of this research suggested that adverts served up by Google’s advertising can be linked to the cookies created both in and out of Incognito mode.

It must be said that Google reportedly described the findings of the Digital Content Next / Vanderbilt University research as misleading.

What Does This Mean For Your Business?

Google is a business that wants to sell, and maximise revenue from, targeted advertising, something that could be significantly improved with refined data and targeting technology, so it is conceivable that it would want to collect detailed information from many sources, perhaps including Incognito searches.  The results of the DuckDuckGo research and the previous research could be interpreted as showing that this is happening, and that Incognito mode may not be as secret as many users had imagined.  For advertisers using Google’s services, it is obviously in their interest that Google can offer highly targeted advertising, but it is up to advertisers to decide whether they think Incognito mode search data should be a legitimate source of targeting data.

It is also worth noting that, in this case, DuckDuckGo is an Internet privacy company that has its own search engine to promote, which it describes as “the search engine that doesn’t track you”.  See https://duckduckgo.com/.

70% Increase In DDoS Cyber Attacks On Black Friday Prompts Christmas Warning

Cyber security experts are warning companies with online shops to have adequate protection against DDoS attacks in place after a 70% increase in that kind of cyber-attack was recorded on Black Friday.

What Is A DDoS Attack?

A denial-of-service attack is a cyber-attack that is intended to make a computer or network unavailable to its users, and a distributed denial-of-service (DDoS) attack is one that uses multiple compromised systems, sometimes thousands, often infected with a Trojan, to launch a single attack on one system. The sheer number of requests that the target receives (called a ‘flood’) typically overloads its resources and memory and renders the targeted computer or network unavailable.
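What a flood looks like from the target’s side, as an added example written for this article (not code from Link11 or any other provider mentioned here): the script parses web server access log lines in the common Combined Log Format, counts requests per client address in a sliding ten-second window, and reports addresses whose peak rate reaches a threshold. The log lines are constructed inside the script using documentation address ranges, and the window and threshold are assumed values.

```python
"""Find request floods in web server access logs.

Added example for this article, not code from Link11 or any vendor it
mentions: it parses access log lines in the common Combined Log Format,
counts requests per client address in a sliding window, and reports
addresses whose peak rate reaches a threshold. The log lines are
constructed inside the script; the addresses are from documentation ranges.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Common/Combined Log Format prefix: host ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Return (client_ip, timestamp) for a well-formed line, else None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts


def detect_floods(lines, window_seconds=10, threshold=50):
    """Map client_ip -> peak requests seen in any window of window_seconds,
    for clients whose peak reaches threshold (window and threshold assumed)."""
    per_ip = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue          # skip malformed lines rather than crash on them
        ip, ts = parsed
        per_ip[ip].append(ts.timestamp())

    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        peak = 0
        for end, t in enumerate(times):
            # advance the window start until the window spans < window_seconds
            while t - times[start] >= window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def build_sample_log():
    """Constructed log: two ordinary clients plus one address sending
    120 requests in four seconds (a flood), and one malformed line."""
    base = datetime(2018, 11, 23, 10, 0, 0, tzinfo=timezone.utc)

    def line(ip, offset_s, path="/"):
        stamp = (base + timedelta(seconds=offset_s)).strftime("%d/%b/%Y:%H:%M:%S +0000")
        return f'{ip} - - [{stamp}] "GET {path} HTTP/1.1" 200 512'

    lines = [line("198.51.100.7", s, "/checkout") for s in (0, 3, 6, 9, 12)]
    lines += [line("198.51.100.8", s) for s in (1, 5, 11)]
    lines += [line("203.0.113.5", s // 30) for s in range(120)]   # 30 req/s for 4 s
    lines.append("not a log line at all")                          # malformed, ignored
    return lines


if __name__ == "__main__":
    for ip, peak in detect_floods(build_sample_log()).items():
        print(f"{ip}: peak {peak} requests in a 10 s window")
```

A per-address count like this catches a single noisy source; in a distributed attack the individual sources may each stay under the threshold, which is why the text goes on to recommend upstream, scalable protection rather than relying on the web server’s own view alone.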

Black Friday – 70% Increase!

According to DDoS protection provider Link11, DDoS attacks on e-commerce providers showed an increase of more than 70% compared with other days in November, and Cyber Monday attacks showed a massive increase of 109% compared with the November average.

Up To 100 Gbps

Gbps, which stands for gigabits (billions of bits) per second, is a measure of the bandwidth of a digital data transmission and is the unit used to gauge the intensity of DDoS attacks. When you consider that Link11 has reported that attacks of around 6 Gbps are more than enough to exceed the capacity of most websites, the levels of up to 100 Gbps recorded in some Black Friday and Cyber Monday attacks were extremely high.

The Cost of DDoS Attacks

Bitkom research found that cyber-attacks can cost retailers an average of €185,000.  This total includes costs of IT repair, loss of sales revenue and reputational damage to the business.

Research from Corero, in April this year, found that DDoS attacks typically cost enterprises up to £35,000 per attack in lost business and productivity, as well as mitigation costs. The research revealed that 69% of respondents said their organisation experiences anywhere between 20 and 50 DDoS attack attempts a month – about one attack per day!  78% of respondents in the Corero research said that the loss of customer trust and confidence was the most damaging effect of DDoS attacks on business.

Christmas Warning

Based on the huge increase in DDoS attacks on Black Friday and Cyber Monday, cyber security professionals are warning businesses to prepare now in order to protect themselves against an expected high level of DDoS attacks over the Christmas shopping period.

What Does This Mean For Your Business?

Businesses that simply try to expand their own infrastructure to absorb peak loads may not have enough resources to stop determined attackers, who may decide to deliver ever greater attacks to overwhelm services completely.

One of the best ways that businesses can prepare themselves for a possible increase in DDoS attacks is by investing in scalable, cloud-based protection solutions that can counteract the kind of targeted overloads caused by DDoS attacks.

Making sure that the business has an updated and workable Business Continuity Plan and Disaster Recovery Plan in place is also an important element of preparing for the possible aftermath of a successful DDoS attack.