Thursday Thoughts – 10th February 2022
After Data Protection Day last week came Safer Internet day this Tuesday. This is my theme for this week’s Thursday Thoughts so we can work "Together for a better internet". I’ve included details of initiatives to make the internet a safer and better place for all, and especially for children and young people.
With this in mind I start with safer internet use for us all: keeping safe on social media, setting up two-factor authentication, how to recover a hacked account, and whether we should be using WhatsApp for business. There are also warnings and tech news from around the world, including a joint warning over the Russia/Ukraine situation, news of fines and rulings by the ICO, and four video suggestions!
Vlogs of the Week
Wizer training – Daughter kidnapped by her snapchat friend
Richard Merrygold Data Protection Diaries - Marketing emails
John Edwards UK Information Commissioner
Fieldfisher - Time to cut the cable? Discussing Google Analytics and EU-US transfers
Keeping yourself safe on the Internet
Keeping safe on Social Media
We all recognise that social media is fantastic for staying in touch with family and friends or for following the latest news. What many of us fail to do is manage the security and privacy settings on our accounts. It’s really important to keep your personal information as private, and as inaccessible to anyone but you, as you can. The NCSC has a great advice page which collates the advice provided by the major social media platforms on how to set up privacy controls. You will find it here: https://www.ncsc.gov.uk/guidance/social-media-how-to-use-it-safely
Two-factor authentication – How to set it up
Increasingly we are seeing that just having a strong password isn't enough. The NCSC has some excellent guidance which explains how you can set up two-factor authentication (2FA) on your accounts: https://www.ncsc.gov.uk/guidance/setting-two-factor-authentication-2fa
Doing this makes it harder for criminals to access your online accounts, even if they know your password. For IT professionals who need advice on implementing 2FA across larger organisations there is also a multi-factor authentication for online services guide.
Recovering a Hacked Account
There are so many scams around at the moment I thought I’d share a link in case the worst happens and you discover that your account has been hacked. One of the first indications can be that you are locked out of the account, but there are also more subtle signs to be aware of (logins from strange locations or at unusual times, changes to security settings, or messages sent that you don't recognise). To stop this happening make sure to update your devices and set up two-factor authentication, but if the worst happens contact your provider, change your passwords and notify your contacts. You will find helpful guidance from the NCSC here: https://www.ncsc.gov.uk/guidance/recovering-a-hacked-account
Using WhatsApp in Businesses
WhatsApp is a great communication tool for individuals and we have seen it used by many businesses during the pandemic. There are however great risks in using WhatsApp to share personal data in businesses, not least because it is contrary to their user agreement! There are privacy concerns in sharing personal phone numbers with everyone in the chat, because not everyone has the same respect for others’ privacy. Then there is the very real temptation to cross-post from one chat to another, leading to confidential information getting into the wrong hands. There is also the fact that WhatsApp is inevitably on your personal phone, which has safeguarding as well as privacy implications, and causes difficulty should the business receive a Subject Access Request. So while the ICO says it may be used in limited circumstances, I’d strongly recommend you use another platform for ‘business as usual’ chat (for example, instant messaging is available in Teams and Slack).
HMRC will not send you an SMS about a Tax Refund
This year there has been an extension of the deadline for tax returns (now 28 February). Combine this with the changes to communication and cost-of-living increases, and the latest wheeze for the cybercriminal is to send an SMS about a Tax Refund. If you get one of these do not click on the link to get access to a ‘tax refund’: there won’t be one. If you think you are eligible for a tax refund, speak to your accountant or check your tax code.
Warnings and Tech News
NCSC Warning because of the Russia/Ukraine situation
The NCSC report that “over several years, we have observed a pattern of malicious Russian behaviour in cyberspace and last week there were incidents in Ukraine which bore the hallmarks of similar Russian activity”. So, although there are currently no specific cyber threats to UK organisations in relation to events in Ukraine, the NCSC are “monitoring the situation closely”. As a precaution they have updated their guidance to UK organisations and produced a list of six steps to help businesses build resilience:
patch your systems;
improve access controls and enable multi-factor authentication;
implement an effective incident response plan;
check that backups and restore mechanisms are working;
ensure that online defences are working as expected;
keep up to date with the latest threat and mitigation information.
You will find their guidance here: https://www.ncsc.gov.uk/news/uk-organisations-encouraged-to-take-action-around-ukraine-situation
Cybersecurity authorities issue a “Joint advisory warning” about ransomware
Cybersecurity authorities in the UK, US and Australia have published a joint advisory which warns of an increase in sophisticated, high-impact ransomware attacks targeting critical infrastructure. It seems no area is safe, as incidents are targeting a range of sectors from agriculture to legal institutions, defence, IT, emergency services, government facilities, healthcare, financial services, education, energy, charities, and public services.
In late 2021 and early 2022 criminals moved away from larger targets (such as the Colonial Pipeline hack) and shifted their focus to medium-sized organisations, targeting them with a mixture of spear-phishing, exploiting known software flaws, or using stolen or hacked Remote Desktop credentials. According to reports, over 150 terabytes of data was stolen between January 2019 and January 2022.
Targeting known weaknesses (cloud infrastructure), breaching managed service providers or poisoning software supply chains allows attackers to get into the "victim network". Often this happens at weekends or during holidays. The criminals then typically threaten to publish the stolen information, disrupt the victim's access or threaten to inform others about the incident. There is guidance in the advisory on how to mitigate and reduce the likelihood and impact of a ransomware attack.
Microsoft Patch Tuesday
This month’s Patch Tuesday has 51 fixes for vulnerabilities in Windows, Office, Teams, Azure Data Explorer, Visual Studio Code, Kernel and Win32k. Unusually there are no Critical-rated vulnerabilities this month but 50 are rated Important. A further 19 flaws in the Chrome-based Edge browser have also been patched.
WordPress users beware of the PHP Everywhere plugin
WordPress users are being warned of a critical security vulnerability in the WordPress plugin “PHP Everywhere” (used by more than 30,000 websites worldwide to manage content). If this is on your website you’d be advised to download the latest updates.
Microsoft disables VBA macros by default
Microsoft has announced that it is taking steps to disable Visual Basic for Applications (VBA) macros by default for documents downloaded from the web in all of its products. This includes Word, Excel, PowerPoint, Access, and Visio all of which criminals have used to send macros which automatically download malware when users open the file. As part of the change, when a user opens an attachment or downloads from the internet an untrusted Office file containing macros, the app displays a security risk banner stating, "Microsoft has blocked macros from running because the source of the file is untrusted."
A new FritzFrog botnet is on the loose
Researchers have uncovered a new "FritzFrog" campaign which is targeting the healthcare, education, and government sectors worldwide. The infection drops malware that mines cryptocurrency as well as gathering system information and files and sending them back to a server.
Multi Factor Authentication can be breached
There is a new phishing campaign that can steal credentials and session cookies to bypass Multi-Factor Authentication. Proofpoint have advised that “phish kits” are adapting to the use of Multi-Factor Authentication (MFA) by adding a “transparent reverse proxy” which sits between the user and a genuine website: the user sees and uses the genuine page as usual, while the proxy copies their credentials and MFA response as they enter them, in essence stealing their session cookie along with their credentials.
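The warning signs named in the hacked-account section above (logins from strange locations or at unusual times) and the stolen session cookie described in this MFA item are things a service owner can look for in their own authentication logs. The script below is an added example written for this post, not code from the NCSC, Proofpoint or any product: it runs three simple checks over a handful of constructed login events (the log format, the user names, the session identifiers and the IP addresses are all invented for illustration) and reports the findings. The session check is the one relevant to cookie theft: a session identifier that is suddenly presented from a second source address is exactly what a stolen cookie looks like to the legitimate site.

```python
"""Flag account-takeover warning signs in a batch of login events.

Added example for this post. Log format, users, session ids and IPs are
constructed; a real deployment would read its own identity provider's logs.
"""
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample log lines: "<ISO time> <user> <country> <session id> <source IP>"
SAMPLE_LOGINS = [
    "2022-02-08T09:12:00 alice GB sess-a1 203.0.113.10",
    "2022-02-08T09:40:00 alice GB sess-a1 203.0.113.10",
    # Same session cookie as above, but now from a new IP and country at 03:05.
    "2022-02-09T03:05:00 alice RU sess-a1 198.51.100.7",
    "2022-02-08T10:00:00 bob GB sess-b1 203.0.113.22",
    "2022-02-08T11:30:00 bob GB sess-b2 203.0.113.22",
]

# Assumed baseline: the countries each user normally signs in from.
KNOWN_COUNTRIES: Dict[str, Set[str]] = {"alice": {"GB"}, "bob": {"GB"}}


def parse_login(line: str) -> Tuple[datetime, str, str, str, str]:
    """Split one constructed log line into its five fields."""
    when, user, country, session, ip = line.split()
    return datetime.fromisoformat(when), user, country, session, ip


def find_takeover_signs(
    lines: Iterable[str],
    known_countries: Dict[str, Set[str]],
    work_hours: Tuple[int, int] = (7, 20),
) -> List[Tuple[str, str]]:
    """Return (user, reason) pairs for every suspicious login event.

    Checks: unfamiliar country, login outside work_hours (start inclusive,
    end exclusive), and a session id reused from more than one source IP.
    """
    findings: List[Tuple[str, str]] = []
    session_ips: Dict[str, Set[str]] = defaultdict(set)  # session id -> IPs seen
    start, end = work_hours

    for line in lines:
        when, user, country, session, ip = parse_login(line)

        if country not in known_countries.get(user, set()):
            findings.append((user, f"login from unfamiliar country {country}"))

        if not start <= when.hour < end:
            findings.append((user, f"login at unusual time {when:%H:%M}"))

        session_ips[session].add(ip)
        if len(session_ips[session]) > 1:
            # One cookie, two source addresses: the classic sign of a stolen session.
            findings.append((user, f"session {session} presented from a second IP {ip}"))

    return findings


if __name__ == "__main__":
    for user, reason in find_takeover_signs(SAMPLE_LOGINS, KNOWN_COUNTRIES):
        print(f"{user}: {reason}")
```

Run on the constructed sample, only alice's third event trips the checks, and it trips all three at once; bob's two ordinary sessions produce nothing. A production version would take the baseline countries and working hours from each user's history rather than a hard-coded table, and would raise the session check from "second IP" to "second IP in a different network or geolocation" to avoid noise from mobile users changing address.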
Are Facebook and Instagram shutting their European operations?
This week, in their own “Fake News” story, Meta have said that contrary to some reports Facebook and Instagram are unlikely to shut down in Europe. The possibility raised its head in the Meta annual report, which stated that the company could shut down its European service due to “GDPR regulations”, particularly if EU user data is stored on U.S. servers. The only advantage for Meta in pulling out of Europe is that it might face fewer European antitrust lawsuits, but the financial impact of such a decision would be astronomical. Last autumn Meta’s daily active user base dipped by 1 million users for the first time in history and its stock nosedived (more than $200 billion was wiped off the stock value).
The draft UK Online Safety Bill
The Parliamentary Joint Select Committee has published its recommendations on the draft OSB and we expect the revised Bill to be published shortly. We can expect to see closer regulation of the online world, especially of services that pose a risk to children and of the use of algorithms, but we should also get a better idea of how risk might be assessed, what is proportionate action, and the Ofcom Codes of Practice which will be absolutely key to compliance (they are expected to be made binding with no "opt out"). Also proposed are the need for an Online Safety Policy, a Safety Officer and safety risk assessments akin to GDPR Privacy Impact Assessments.
Crypto Criminals arrested in USA
United States authorities have seized $3.6 billion in cryptocurrency which was stolen during the 2016 Bitfinex hack and arrested a couple for conspiring to launder $4.5 billion worth of cryptocurrency. The couple have been charged with conspiracy to commit money laundering (which has a 20 year maximum prison sentence) and conspiracy to defraud the U.S. (potentially a further 5 years). Authorities managed to trace the stolen funds through a “labyrinth of cryptocurrency transactions”. Interestingly, the couple have not been charged for the hack itself, but rather for receiving the stolen bitcoin into a digital wallet that they owned.
Russian government takes action against cybercriminals
A law enforcement operation in Russia has led to the seizure and shutdown of four online bazaars trading in stolen credit cards: the domains Ferum Shop, Sky-Fraud, Trump's Dumps, and UAS. State-owned news agency TASS announced that six Russian individuals were being charged with "the illegal circulation of means of payment."
UK Fines
Since the beginning of the year the ICO has issued the following fines or advisories:
Tempcover Ltd - £85,000 for sending a total of 29,970,419 unsolicited direct marketing messages between 26 May 2019 and 26 May 2020 without valid consent.
A home improvement firm - £200,000 and issued an enforcement notice on the company for making more than half a million unsolicited marketing calls.
Energy Suite - £2,000 for making over 1,000 unsolicited direct marketing calls to subscribers who were registered with the TPS and who had not notified Energy Suite that they were willing to receive such calls.
The Ministry of Justice (enforcement notice) - after it was revealed that it had a significant backlog of outstanding subject access requests (in excess of 7000). Some of these had a partial response, while others (372) dated back to 2018. The Ministry of Justice faces a potential fine of £17,500,000 should it fail to put steps in place to recover the situation and inform data subjects of the reasons for the delay.
Videos of the Week
Wizer training – Daughter kidnapped by her snapchat friend
This video by Wizer features the true story of Lisa and tells how her 13-year-old daughter was kidnapped by the daughter’s Snapchat friend. The video, and the LinkedIn Live conversation between Gabriel and Lisa, are something that parents of teenagers will find thought-provoking and troubling in equal measure. There is lots we could all learn from it, even those working in the cyber security field, not least the need to listen to what is going on in the lives of those we are advising about keeping safe! - https://www.wizer-training.com/blog/my-daughter-was-kidnapped-by-her-snapchat-friend
Richard Merrygold Data Protection Diaries - Marketing emails
For another real-world insight into data protection from the perspective of an experienced and engaging Data Protection Officer, the latest Data Protection Diaries vlog covers marketing emails and how not to annoy those you’re sending them to. It has some great ideas on how to do it “right”, because done well you can be compliant and build a good database of prospects without annoying anyone. https://www.youtube.com/watch?v=a-a9h3JU-qI
John Edwards UK Information Commissioner discusses his listening exercise
The new ICO commissioner wants to give businesses certainty in what the law requires of them and what the regulator does. https://lnkd.in/dpUskDFM
Fieldfisher - Time to cut the cable? Discussing Google Analytics and EU-US transfers
Last week I spoke about the Austrian DPA declaring the use of Google Analytics illegal; this webinar is really informative for those who want to understand the issues in greater detail. https://lnkd.in/g9RHtqBe