Well, this last 7 days have whizzed past and here we are with the heating on and a bank holiday weekend. This week I have been running training sessions on GDPR and helping small businesses navigate the regulations. It is great to be able to share the information I have learned with others and discuss common pitfalls in an open manner. I was asked to dispel some common GDPR myths too, so I thought I’d share these here! Wizer training also have a great suggestion for smart technology providers: why not tell your users how to keep safe while using your products? Wouldn’t that be nice.
There is mixed news on the Clubhouse front. Clubhouse have apparently improved their privacy settings and no longer require contacts to be shared. However, there is news that 1.3 million Clubhouse users’ data has been shared online, and sadly more news of password breaches, this time involving government domains. An interesting aside to this story is that Chinese and Russian passwords are compromised less often, so maybe we should change the alphabet we use.
There are also more problems at Solarwinds and “Passwordstate”. But the most expensive news this week is the €1M fine for Equifax "trading, enriching and enhancing people’s personal data without their knowledge".
Videos of the Week
Dragons Den – 22 April the Gener8 pitch
Debbie Reynolds – Data Privacy and the Perception of Encryption in Courts
GDPR Myth buster
I was asked today for my top 3 GDPR Myths and thought it would be useful to share here:
GDPR is just EU nonsense and now that Brexit has happened it is irrelevant – this is not true. In layman’s terms, the UK Data Protection Act made sure the UK GDPR became part of UK law on Brexit day.
GDPR doesn’t apply to B2B – again wrong. GDPR applies to all personal data that is used in a business context, so unless it is an info@ or office@ type address you still have to comply.
I am too small to register with the ICO – sadly wrong. All businesses and charities who process personal data in any way should register with the ICO. The registration process will tell you if it does not apply in your case. By not registering you face a potential fine of £4350, and the ICO have started to contact businesses who have not yet registered. (Remember, if you get to the end of the registration process and it says you don’t need to register, take a screenshot to prove it.)
4 Steps to avoid a GDPR Fine
Here are 4 simple steps that all businesses can take to avoid fines:
Step 1 – Identify what personal data you process
Step 2 – Record your Processing Activities
Step 3 – Check/Update your ICO registration
Step 4 – Communicate with your data subjects
Using Smart devices safely
Some great advice for smart device manufacturers came from Wizer training this week: why not add a simple guide to their packaging to let users understand the steps they can take to keep themselves safe? The most important steps you can take are:
Change the default password from 0000
Disable streaming services that you aren’t using
Don’t put them anywhere that makes you uncomfortable like the bedroom
Keep your smart devices on a separate wifi network
Update software regularly
Use 2FA
Clubhouse Privacy Settings
Clubhouse has made some recent changes to their privacy settings which mean that sharing contact lists is no longer a requirement and that you can delete your account via e-mail. These are welcome changes. However, the personal data of 1.3 million Clubhouse users was apparently part of a list shared online on a popular hacker forum (including names, social media profile names, and other details), so you should check whether your social media accounts have been compromised. If you are not doing so already, set up 2FA on all your accounts.
This Week’s Phishing
This week I’ve seen phishing emails purporting to come from the DVLA (note: @DVLA.gov is not a DVLA email address) saying that payment for car tax has been declined twice and there will be a £1000 fine if you don’t click their link.
There are also texts and emails from shipping carriers such as FedEx, UPS, and DHL informing users that their package is being held due to Brexit and urging them to click on an attachment or link. Another one from Hermes says “we missed you”, asks you to pay £1.45 to reschedule the delivery, and provides a link.
Both of the messages I received were reported to the national phishing reporting line (the emails to report@phishing.gov.uk, and the text forwarded to 7726). It was easy enough to do as this is not the first time, so the addresses are in my contacts. The great thing is that the NCSC uses all the data sent to those addresses to investigate and stop the scammers.
Massive data dump includes breached usernames and passwords
In February “COMB21”, one of the largest data dumps of passwords and usernames, was published on an online cybercrime forum. More than 3.28 billion passwords linked to 2.18 billion unique email addresses were leaked, and more than 1.5 million of these were linked to government domains across the world (625,505 in the US, 205,099 in the UK, 136,025 in Australia, 68,535 in Brazil, and 50,726 in Canada). The leak isn’t linked to a breach of public systems; techniques like password hash cracking, phishing attacks and eavesdropping are all thought to have been used. Interestingly, only a tiny fraction (less than 10,000) of the leaks related to Russian or Chinese domains. This is thought to be because most passwords use the “local alphabet” and Chinese or Russian characters are less targeted by hackers.
Emotet turned on itself
Following joint work by law enforcement authorities in Europe, the UK and North America, the email-based Windows malware “Emotet”, which has been behind several botnet-driven spam campaigns and ransomware attacks, has been automatically wiped from infected computers. The action follows "Operation Ladybird", which seized control of and neutered about 700 servers that were being used to run and maintain the malware network.
SolarWinds problems persist
An investigation is taking place into a new backdoor in SolarWinds (Supernova is a .NET web shell). This time, rather than trying to exploit a vulnerability, the threat actor was able to masquerade as a legitimate teleworking employee. The US CISA recommends that organizations take steps to secure their remote access systems, such as strong password policies, MFA on privileged accounts and firewalls.
Passwordstate Update Hijacked
If you use the Australian software Passwordstate as your password manager and updated your system between April 20, 8:33 PM UTC, and April 22, 0:30 AM UTC, the company recommends that you reset your passwords. The company were subject to a supply chain attack which will only affect customers who carried out In-Place Upgrades between the times stated above. Manual Passwordstate upgrades were not compromised.
Equifax Fined €1M
Equifax have been fined a million euros by the Spanish regulator for "trading, enriching and enhancing people’s personal data without their knowledge". This is a prime example of using data for purposes other than the one it was originally collected for, as well as being less than transparent with individuals. The credit agency were also sanctioned for not keeping their records up to date. Apparently they didn’t know that people had paid their debts!
Videos of the Week
Dragons Den – 22 April – “The Gener8” pitch
If you haven’t seen it, I recommend you watch the Gener8 pitch on Dragons’ Den. Many have strong opinions on whether data should or should not be monetised, but whatever your view about monetising data like this, as many privacy professionals point out, data is already being monetised. There is some very interesting discussion on the use of tracking cookies, and the system has both a privacy and an earning mode. So maybe we should ask how best to stop the monetisation, or how we can benefit from monetising our own data rather than letting others reap the rewards. An interesting watch and one which I think may have different reactions depending on the age of the audience. https://www.youtube.com/watch?v=8usz6i07qYs&t=2s
Debbie Reynolds – Data Privacy and the Perception of Encryption in Courts
This video discusses what encryption is and is not, and how an encrypted chat app works. It is necessary because there is a risk of misunderstandings about technology in court cases which could lead to precedents that are at best “concerning” and at worst “incorrect”. Debbie’s video is a result of a recent U.S. court case in which a judge interpreted the use of an encrypted chat app by individuals as them having a private thought, ruling that such a chat was more akin to “telepathy”. The result was that terrorism charges against 2 individuals who were using an encrypted app to plot to kidnap the Michigan Governor were dropped. There is clearly more to do to explain to lawmakers how technology works before a precedent is based on inaccurate information. https://www.linkedin.com/feed/update/urn:li:activity:6792255825546104832/?updateEntityUrn=urn%3Ali%3Afs_feedUpdate%3A%28V2%2Curn%3Ali%3Aactivity%3A6792255825546104832%29