Archive for GDPR

Growth in Threats To Apple Compared To Windows Machines

In a trend that appears contrary to popular perceptions, the latest Malwarebytes annual State of Malware report has revealed that the growth in attacks on Apple endpoints is outpacing the growth in threats targeting Windows machines.

11 Threats Per Mac Endpoint

The report shows Mac threats were up four-fold year on year in 2019, with an average of 11 threats per Mac endpoint compared with only 5.8 threats per Windows endpoint. An ‘endpoint’ refers to an Internet-capable computer hardware device on a TCP/IP network, e.g. desktop computers, laptops, smartphones, tablets, printers etc.

Why?

It is likely that the growth in the average number of threats to Apple machines isn’t just down to the fact that there are now more Apple users, but also because Apple may not be taking measures that are tough enough to tackle adware and PUPs (potentially unwanted programs) compared with the efforts made to tackle more traditional malware.

Kaspersky Figures

Figures from Kaspersky this month also show increasing dangers for Mac users: it reports that, two years on from its detection, the Shlayer Trojan attacks one in ten macOS users and accounts for almost 30% of all detections on macOS.

Criminals More Creative and Persistent

As well as the increasing danger for Mac users, in the report, Malwarebytes CEO Marcin Kleczynski highlights how adware, pre-installed malware and multi-vector attacks all show how cybercriminals appear to be heading in a direction where they are “more creative and increasingly persistent with their campaigns”.

Even though threats to Apple endpoints are growing at a faster rate, it is still Windows and Android devices that face the most threats from annoying and hard to uninstall adware and malware (including ransomware).

Business-Focused

The report highlighted the 13 per cent rise in global business threats last year, and how the Trojans-turned-botnets Emotet and TrickBot have been targeting businesses and organisations with new ransomware families such as Ryuk, Sodinokibi and Phobos. Businesses are also facing new risks from hack tools and registry key disablers.

What Does This Mean For Your Business?

As pointed out in the report, those in the online security industry are having to work hard to protect users and businesses from programs that violate user privacy, infect devices, or turn their own infrastructure against them. Businesses and organisations, whether they use Apple or Microsoft operating systems, need to be acutely aware of (and make sure they are protected against) the threats outlined in the report (malware, ransomware, adware, credit card skimmers and skimmer scripts), as well as phishing and the increasing use of social engineering in attacks.

Mac users may want to check the advice on Apple’s website about features (found in System Preferences) that help protect Macs and the personal information of users from malicious software, e.g. protection from malware embedded in harmless-looking apps. See: https://support.apple.com/en-gb/guide/mac-help/mh40596/mac

Apple also advises that macOS users should exercise caution when opening scripts, web archives and Java archives, all of which pose potential threats.

Featured Article – Proposed New UK Law To Cover IoT Security

The UK government’s Department for Digital, Culture, Media and Sport (DCMS) has announced that it will soon be preparing new legislation to enforce standards that will protect users of IoT devices from known hacking and spying risks.

IoT Household Gadgets

This commitment to legislate leads on from last year’s proposal by then Digital Minister Margot James and follows a seven-month consultation with GCHQ’s National Cyber Security Centre, and with stakeholders including manufacturers, retailers, and academics.

The proposed new legislation will improve digital protection for users of a growing number of smart household devices (devices with an Internet connection) that are broadly grouped together as the ‘Internet of Things’ (IoT). These gadgets, of which there are an estimated 14 billion or more worldwide (Gartner), include kitchen appliances, connected TVs, smart speakers, home security cameras, baby monitors and more.

In business settings, IoT devices can include elevators, doors, or whole heating and fire safety systems in office buildings.

What Are The Risks?

The risks are that the Internet connection in IoT devices can, if adequate security measures are not in place, provide a way in for hackers to steal personal data, spy on users in their own homes, or remotely take control of devices in order to misuse them.

Default Passwords and Link To Major Utilities

The main security issue with many of these devices is that they ship with pre-set default passwords that cannot be changed, and once these passwords have been discovered by cyber-criminals, the IoT devices are wide open to being tampered with and misused.

Also, IoT devices are deployed in many systems that link to and are supplied by major utilities e.g. smart meters in homes. This means that a large-scale attack on these IoT systems could affect the economy.

Examples

Real-life examples of the kind of IoT hacking that the new legislation will seek to prevent include:

– Hackers talking to a young girl in her bedroom via a ‘Ring’ home security camera (Mississippi, December 2019). In the same month, a Florida family were subjected to vocal racial abuse in their own home and to a loud alarm blast after a hacker took over their ‘Ring’ security system without permission.

– In May 2018, a US woman reported that a private home conversation had been recorded by her Amazon voice assistant and then sent to a random phone contact, who happened to be her husband’s employee.

– Back in 2017, researchers discovered that a sex toy with an in-built camera could also be hacked.

– In October 2016, the ‘Mirai’ attack used thousands of household IoT devices as a botnet to launch an online distributed denial of service (DDoS) attack (on the DNS service ‘Dyn’) with global consequences.

New Legislation

The proposed new legislation will be intended to put pressure on manufacturers to ensure that:

– All internet-enabled devices have a unique password and not a default one.

– There is a public point of contact for the reporting of any vulnerabilities in IoT products.

– The minimum length of time that a device will receive security updates is clearly stated.

Challenges

Even though legislation could make manufacturers try harder to make IoT devices more secure, technical experts and commentators have pointed out that there are many challenges to making internet-enabled/smart devices secure because:

  • Adding security to household internet-enabled ‘commodity’ items costs money. This would have to be passed on to the customer in higher prices, which would make the product uncompetitive. It may therefore be that security is being sacrificed to keep costs down: sell now and worry about security later.
  • Even if there is a security problem in a device, the firmware (the device’s software) is not always easy to update. There are also costs involved in doing so which manufacturers of lower-end devices may not be willing to incur.
  • With devices which are typically infrequent and long-lasting purchases e.g. white goods, we tend to keep them until they stop working, and we are unlikely to replace them because they have a security vulnerability that is not fully understood. As such, these devices are likely to remain available to be used by cyber-criminals for a long time.

Looking Ahead

Introducing legislation that only requires manufacturers to make relatively simple changes, to make sure that smart devices come with unique passwords and are adequately labelled with safety and contact information, sounds as though it shouldn’t be too costly or difficult. The pressure of having to display a label, by law, that indicates how safe the item is could provide that extra motivation for manufacturers to make the changes and could be very helpful for security-conscious consumers.

The motivation for manufacturers to make the changes to the IoT devices will be even greater if faced with the prospect of retailers eventually being barred from selling products that don’t have a label, as was originally planned for the proposed legislation.

The hope from cyber-security experts and commentators is that the proposed new legislation won’t be watered-down before it becomes law.

Police Images of Serious Offenders Reportedly Shared With Private Landlord For Facial Recognition Trial

There have been calls for government intervention after it was alleged that South Yorkshire Police shared its images of serious offenders with a private landlord (Meadowhall shopping centre in Sheffield) as part of a live facial recognition trial.

The Facial Trial

The alleged details of the image-sharing for the trial were brought to the attention of the public by the BBC radio programme File on 4, and by privacy group Big Brother Watch.

It has been reported that the Meadowhall shopping centre’s facial recognition trial ran for four weeks between January and March 2018 and that no signs warning visitors that facial recognition was in use were displayed. The owner of Meadowhall shopping centre is reported as saying (last August) that the data from the facial recognition trial was “deleted immediately” after the trial ended. It has also been reported that the police have confirmed that they supported the trial.

Questions

The disclosure has prompted some commentators to question the ethics and legality not just of holding public facial recognition trials without displaying signs, but also of the police allegedly sharing photos of criminals (presumably from their own records) with a private landlord.

The UK Home Office’s Surveillance Camera Code of Practice, however, does appear to support the use of facial recognition or other biometric characteristic recognition systems if their use is “clearly justified and proportionate.”

Other Shopping Centres

Other facial recognition trials in shopping centres and public shopping areas have been met with a negative response too. Examples include the halting of a trial at the Trafford Centre shopping mall in Manchester in 2018, and the King’s Cross facial recognition trial (between May 2016 and March 2018), which is still the subject of an ICO investigation.

Met Rolling Out Facial Recognition Anyway

Meanwhile, and despite a warning from Elizabeth Denham, the UK’s Information Commissioner, back in November, the Metropolitan Police has announced it will be going ahead with its plans to use live facial recognition cameras on an operational basis for the first time on London’s streets to find suspects wanted for serious or violent crime. Also, it has been reported that South Wales Police will be going ahead in the Spring with a trial of body-worn facial recognition cameras.

EU – No Ban

Even though many privacy campaigners were hoping that the EC would push for a ban on the use of facial recognition in public spaces for up to five years while new regulations for its use were put in place, Reuters has reported that the European Union has now scrapped any possibility of a ban on facial recognition technology in public spaces.

Facebook Pays

Meanwhile, Facebook has just announced that it will pay £421m to a group of Facebook users in Illinois, who argued that its facial recognition tool violated the state’s privacy laws.

What Does This Mean For Your Business?

Most people would accept that facial recognition could be a helpful tool in fighting crime, saving costs, and catching known criminals more quickly, and that this would be of benefit to businesses and individuals. The challenge, however, is that despite ICO investigations and calls for caution, and despite problems that the technology is known to have, e.g. being inaccurate and showing a bias (being better at identifying white and male faces), not to mention its impact on privacy, the police appear to be pushing ahead with its use anyway. For privacy campaigners and others, this may give the impression that their real concerns (many of which are shared by the ICO) are being pushed aside in an apparent rush to get the technology rolled out. It appears to many that the use of the technology is happening before any of the major problems with it have been resolved, and before there has been a proper debate or the introduction of an up-to-date statutory law and code of practice for the technology.

Avast Anti-Virus Is To Close Subsidiary Jumpshot After Browsing Data Selling Privacy Concerns

Avast, the Anti-virus company, has announced that it will not be providing any more data to, and will be commencing “a wind down” of its subsidiary Jumpshot Inc after a report that it was selling supposedly anonymised data to advertiser third parties that could be linked to individuals.

Jumpshot Inc.

Jumpshot Inc, founded in 2010, purchased by Avast in 2013 and operated as a data company since 2015, essentially organises and sells packaged data gathered from Avast to enterprise clients and marketers as marketing intelligence.

Avast anti-virus incorporates a plugin that has, until now, enabled subsidiary Jumpshot to collect that data, which Jumpshot could then sell to (mainly bigger) third-party buyers so that they could learn what consumers are buying and where, thereby helping them target their advertising.

Avast is reported to have access to data from 100 million devices, including PCs and phones.

Investigation Findings

The reason why Avast has, very quickly, decided to ‘wind down’ (i.e. close) Jumpshot is an investigation by Motherboard and PCMag. It revealed that Avast appeared to be harvesting users’ browser histories with the promise (to those who opted in to data sharing) that the data would be ‘de-identified’ to protect user privacy, whereas what actually appeared to be happening was that the data being sold to third parties could be linked back to people’s real identities, thereby potentially exposing every click and search they made.

When De-Identification Fails

As reported by PCMag, the inclusion of timestamp information and persistent device IDs alongside the collected URLs of user clicks could, in this case, be analysed to expose someone’s identity. This means that the data taken from Avast and supplied via subsidiary Jumpshot to third parties may not in fact have been de-identified, and could therefore pose a privacy risk to those Avast users.
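The following script is an added illustration of the point above, not code from the article, from Avast or from the investigation. It shows why a click log that has had names removed but keeps a persistent device ID, a precise timestamp and the full URL is not de-identified: a single URL that names the user (a profile page, an e-mail address in a query string) becomes a label for every other click from the same device ID. The records, the device IDs and the identifying-URL rules are all constructed assumptions; the final function shows one data-minimisation step a controller could apply before sharing such data.

```python
"""Audit a 'de-identified' clickstream export for re-identification risk.

Added example, not the article's or Avast's code. The records below are
constructed sample data; the URL rules are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Constructed sample export: no name or e-mail column, but every click keeps
# a persistent device ID, a second-precise timestamp and the full URL.
SAMPLE_EXPORT = [
    {"device_id": "dev-7f3a", "ts": "2020-01-14T08:02:11", "url": "https://news.example.com/politics"},
    {"device_id": "dev-7f3a", "ts": "2020-01-14T08:05:40", "url": "https://social.example.com/profile/jane.doe"},
    {"device_id": "dev-7f3a", "ts": "2020-01-14T20:13:02", "url": "https://health.example.com/conditions/diabetes"},
    {"device_id": "dev-7f3a", "ts": "2020-01-15T07:58:19", "url": "https://shop.example.com/cart?email=jane.doe%40example.org"},
    {"device_id": "dev-91c0", "ts": "2020-01-14T09:10:00", "url": "https://news.example.com/sport"},
    {"device_id": "dev-91c0", "ts": "2020-01-14T09:12:30", "url": "https://maps.example.com/search?q=nearest+pharmacy"},
]

# Hypothetical rules for URL parts that directly name a person.
IDENTIFYING_PATH_PREFIXES = ("/profile/", "/user/", "/account/")
IDENTIFYING_QUERY_KEYS = ("email", "user", "username")


def identifying_urls(export):
    """Return {device_id: [url, ...]} for clicks whose URL carries a direct identifier."""
    hits = defaultdict(list)
    for rec in export:
        parts = urlsplit(rec["url"])
        path_hit = any(parts.path.startswith(p) for p in IDENTIFYING_PATH_PREFIXES)
        query_hit = any(k in parse_qs(parts.query) for k in IDENTIFYING_QUERY_KEYS)
        if path_hit or query_hit:
            hits[rec["device_id"]].append(rec["url"])
    return dict(hits)


def reidentified_histories(export):
    """Link every click of a device to the identity leaked by any one of its URLs.

    The persistent device ID is the join key that turns one identifying URL
    into a label for the device's whole browsing history.
    """
    linked = {}
    for dev, urls in identifying_urls(export).items():
        history = [r["url"] for r in export if r["device_id"] == dev]
        linked[dev] = {"identifying_urls": urls, "exposed_clicks": len(history)}
    return linked


def minimise(export):
    """One defensive transformation before sharing: drop the persistent device ID,
    keep only the URL host (no path or query) and coarsen the timestamp to a day.

    This removes the join key and the identifying URL parts; it does not by
    itself prove the result is anonymous, so it should be reviewed per data set.
    """
    out = []
    for rec in export:
        out.append({
            "day": datetime.fromisoformat(rec["ts"]).date().isoformat(),
            "host": urlsplit(rec["url"]).hostname,
        })
    return out


if __name__ == "__main__":
    for dev, info in reidentified_histories(SAMPLE_EXPORT).items():
        print(f"{dev}: {info['exposed_clicks']} clicks linkable via {info['identifying_urls']}")
    print(minimise(SAMPLE_EXPORT)[:2])
```

Run on the sample, the audit reports that device dev-7f3a’s entire four-click history (including the health page) is linkable to the name in its profile and cart URLs, while dev-91c0 has no direct identifier; the minimised form retains only day and host for each click.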

What Does This Mean For Your Business?

As an anti-virus company, security and privacy are essential elements of Avast’s products, and customer trust is vital to its brand and image. Some users may be surprised that their supposedly ‘de-identified’ data was being sold to third parties at all, but with a now widely reported privacy risk of this kind and the potential damage it could do to Avast’s brand and reputation, it is perhaps no surprise that it has acted quickly in closing Jumpshot and distancing itself from what was happening. As Avast says in its announcement about the impending closure of Jumpshot (with the loss of many jobs), “The bottom line is that any practices that jeopardize user trust are unacceptable to Avast”. PCMag has reported that it has been informed by Avast that the company will no longer use any data from the browser extensions for any purpose other than the core security engine.

£100m Fines Across Europe In The First 18 Months of GDPR

It has been reported that since the EU’s General Data Protection Regulation (GDPR) came into force in May 2018, £100m of data protection fines have been imposed on companies and organisations across Europe.

The Picture In The UK

The research, conducted by law firm DLA Piper, shows that the total fines imposed in the UK by the ICO stand at £274,000, but this figure is likely to be much higher once the penalties to be imposed on BA and Marriott are finalised. For example, Marriott could be facing a £99 million fine for a data breach between 2014 and 2018 that reportedly involved up to 383 million guests, and BA (owned by IAG) could be facing a record-breaking £183 million for a breach of its data systems last year that could have affected 500,000 customers.

The DLA Piper research also shows that although the UK did not rank highly in terms of fines, it ranked third in the number of breach notifications, with 22,181 reports since May 2018. This equates to a relative ranking of 13th for data breach notifications per 100,000 people.

Increased Rate of Reporting

On the subject of breach notifications, the research shows a big increase in the rate of reporting, with 247 reports per day over the six months of GDPR between May 2018 and January 2019, which rose to 278 per day throughout last year. This rise in reporting is thought to be due to a much greater (and increasing) awareness about GDPR and the issue of data breaches.

France and Germany Hit Hardest With Fines

The fines imposed in the UK under GDPR are very small compared with Germany, where fines totalled 51.1 million euros (top of the table for fines in Europe), and France, where 24.6 million euros in fines were handed out. In the case of France, much of the total relates to one penalty handed out to Google last January.

Already Strict Laws & Different Interpretations

It is thought that businesses in the UK having to meet the requirements of the already relatively strict Data Protection Act 1998 (the bones of which proved not to differ greatly from GDPR) is the reason why the UK finds itself (currently) further down the table in terms of fines and data breach notifications per 100,000 people.

Also, the EU’s Data Protection Directive wasn’t adopted until 1995, and GDPR appears to have been interpreted differently across Europe because it is principle-based, and therefore, apparently open to some level of interpretation.

What Does This Mean For Your Business?

These figures show that greater awareness of data breach issues, greater reporting of breaches, and increased activity and enforcement action by regulators across Europe are likely to contribute to more big fines being imposed over the coming year. This means that businesses and organisations need to ensure that they stay on top of data security and GDPR compliance. Small businesses and SMEs shouldn’t assume that work done to ensure basic compliance when GDPR was introduced back in 2018 is enough, or that the ICO would only be interested in big companies, as regulators appear to be increasing the number of staff able to review reports and cases. It should also be remembered, however, that the ICO is most likely to want to advise, help and guide businesses to comply where possible.