6.4.17

Millennials and GDPR ‘pose increased cybersecurity risk to companies’

By Editor
Businesses need to better prepare their data security systems in order to deal with the digital habits of millennials and the measures outlined by the upcoming GDPR regulations.
This is according to a new survey released by the Ponemon Institute in conjunction with Citrix, which canvassed the opinions of over 4,000 IT, security and enterprise professionals.
Over half (55%) of respondents said millennials currently pose the greatest risk of “circumventing” IT security policies, while a further 39% said they were also more likely to use unauthorized apps in the workplace.
However, the survey findings suggest that different generations have their own issues when it comes to data security.
For example, 33% of survey respondents claimed that Baby Boomers (those born between 1946 and 1964) were more likely to fall victim to phishing and social engineering scams.
Another 30% said the same group displayed a lack of knowledge in how best to protect sensitive and confidential information.
Generation Xers (those born between 1965 and 1980) were also found to have weaknesses, with 32% of respondents stating they were the most likely to use unapproved apps and devices in the workplace.
While companies will need to take action to try and address these inter-generational issues, those dealing with organizations in the European Union are also facing the prospect of dealing with the upcoming GDPR regulation, which is set to be introduced in May 2018.
According to the survey, 74% of professionals believe the new rules will have a negative impact on business operations, while another 65% are concerned about the harsher penalties that will be introduced for non-compliance.
Another 52% said their security infrastructure did not facilitate compliance, suggesting that many companies need more information on the ramifications of GDPR.
Stan Black, chief security officer at Citrix, said: “While these more strict regulations are being put into place, take a strategic approach, look at the big picture, educate your workforce to create a security-aware culture, and find comprehensive solutions that adhere to the unique needs of your business.”

5.4.17

Don’t pay for what is for free: Malicious Adobe Flash Player app found on Google Play

By Peter Stancik posted 4 Apr 2017 - 02:00PM

Based on ESET’s notice, Google has removed another malicious app from its official Android app store. It had received 100,000-500,000 downloads since November 2016.
Unlike typical downloaders, ransomware and similar nasty stuff, this app – named F11 – did not contain any harmful code. Instead, it relied purely on social engineering, tricking users into paying €18 ($19) for Adobe Flash Player.
Yes, Flash Player for Android, which has always been available for free and which was discontinued back in 2012, amid wide criticism of its security vulnerabilities.
“Factually, this is a scam,” explains Lukáš Štefanko, ESET malware researcher who led the investigation.
“Legally, the crooks behind this operation tried to avoid the scam label. However, because of how they implemented their trick, it’s safe to call it a scam.”
How the scam works
Once downloaded (the app’s takedown from Google Play hasn’t disrupted the scam itself), the app displays a tutorial with detailed instructions on how to download Flash Player. On that page, the user is directed to PayPal to pay €18 to buy Flash Player.
“The authors of this scam have gone a long way to make it appear as a legitimate business,” highlights Štefanko. “For example, the app was listed in the educational section of the Play store. However, the shopping basket at PayPal reveals the true nature of the operation: the item in it is called Flash Player 11.”
This is exactly where the operation turns from an aggressive practice of providing users with overpriced and unnecessary advice to a pure scam of selling an item without having any right to do so. Only Adobe, the maker of Flash Player and owner of all rights associated with it, could officially sell it (if they haven’t made it available for free).
After the payment is made, the scam once again pretends to provide “something” in exchange for the victim’s money. Along with a link to a Flash Player installation tutorial – which is a set of several obvious tips – victims are prompted to install Firefox or Dolphin browser. These browsers support Flash Player by default as they contain the plugin for playing Flash content.
“At the end of the whole operation, victims end up being able to play Flash content on their devices,” explains Štefanko. “However, it’s thanks to either browser the user chooses to install. In other words, the user did not install what they had paid for. And – by the way – both Firefox and Dolphin are free.”
How to stay safe
ESET Mobile Security detects the malicious F11 app as Android/FakeFlash.F and prevents it from getting installed.
Aside from advice to avoid suspicious apps, in this particular case it must be noted that it’s a bad idea to have Flash Player installed on an Android device. Because of its countless vulnerabilities, Flash has proven to compromise any device’s security.
Those who want to have Flash installed at any cost on their mobile device should follow the recommendations that WeLiveSecurity requested from Adobe security experts:
Adobe strongly advises that users only install and update the Flash Player via one of the following means:
· By downloading it from the Adobe Flash Player Download Center at https://get.adobe.com/flashplayer/
· By updating it only via the update mechanism within a genuine installation of the Adobe Flash Player that was installed via the Adobe Flash Player Download Center
· By installing/updating genuine versions of the Adobe Flash Player installed with Google Chrome for Windows, Macintosh, Linux and Chrome OS, and/or Adobe Flash Player installed with Microsoft Edge and Internet Explorer 11 for Windows 10 and 8.1
How to get your money back
Those who have fallen victim to the scam and made the “purchase” via PayPal have a full 180 days to open a dispute in PayPal’s Resolution Center. We at WeLiveSecurity made the payment, will seek the refund and will raise legal action with the goal of taking down the whole scheme and bringing those behind it to justice.
Author Peter Stancik, ESET

4.4.17

The right to privacy in the digital era

Discussions around personal data protection in the European Union have drawn attention to the right of citizens to secure their privacy, a right that has been a constant concern over the years.
This is especially the case in the digital era, as the emergence of new technologies has changed things in ways that previous legislators could never have imagined. In Europe, the General Data Protection Regulation is intended to be a robust – and up to date – response to that.
Although personal data protection does not currently determine all aspects of privacy, it has nevertheless become a fundamental element in taking care of our information in the context of new technologies. This is especially the case with our online activities, as well as our digital identities.
Privacy has been a human right for some time
The idea of privacy, as we understand it today, has been around for quite some time (many see Samuel Warren and Louis Brandeis’ article from 1890, The Right to Privacy, as the first real intellectual argument for it, but, arguably, its history goes back further).
Defining privacy is not a simple task. It includes aspects like the right not to be harassed and the right to control one’s own information – how and when it can be shared, for example.
Our understanding of it changes with time and the concept can be subjective. Accordingly, achieving consensus can be difficult. However, few can argue with the following definition – privacy involves the right of individuals to separate aspects of their private life from public scrutiny. So we all have a right to it, without distinction.
Needless to say, in the 21st century, the topic of privacy has taken on a new level of vigor, with new technological developments creating all sorts of new challenges. We are currently overwhelmed with countless new digital tools that increasingly expose our activities, both with our – sometimes tacit – consent and without our knowledge.
Data protection as a basis of online privacy
Digital identity can be defined as information associated with the activities that we carry out in cyberspace, as a result of the interaction with other users, organizations, or online services, where it generally involves personal data that is often given out to third parties.
Third parties often process, store, or transmit our data, even to the point of making a profit from our information. There are currently many online services that know a lot about our activities, likes, preferences, and identification data, which in their own right are used for commercial purposes. Protection of this information helps to safeguard our private lives.
Rights in the new data protection laws
In Europe, in the context of legislation for the protection of personal data, we have the upcoming General Data Protection Regulation. The aim is to ensure that new privacy rights are in line with current issues, such as the right to be forgotten online.
To expand – people now have the power to request that companies erase their personal data in certain circumstances, for example when it is no longer needed for the initial purposes for which it was collected or when its owner withdraws their agreement.
The right to object to profiling is also being considered, meaning that people may object to their personal data being processed or used for profiling in certain circumstances.
Profiling means tracking people online and targeting them with advertising based on their behavior; in other words, sending out ads based on users’ browsing habits and likes. This activity should become more difficult for companies to carry out, as they will have to implement appropriate consent mechanisms in advance.
A third element being considered by this law is the right to data portability. Individuals have the right to obtain a copy of their personal data from the company that processes their information in a common and understandable format.
Although the implementation of these directives within organizations may prove complex – and how it will work in practice has not yet been defined – companies within and outside the EU should begin to consider the ways in which they will be able to put these rights into effect.

This is not expected to be a simple task. Besides having an impact on companies, it may also create changes in individuals, giving them better control and rights over their personal information. We hope that they are able to exercise these rights.