
Cyber Security

California's new data privacy law brings U.S. closer to GDPR

Data privacy has

Companies around the world are scrambling to properly protect their customers’ personal information (PI). However, new regulations have shifted the definition of the term itself, making everything more complicated. With the California Consumer Privacy Act (CCPA) taking effect in January 2020, companies have limited time to get a handle on the customer information they hold and how they need to care for it. If they don’t, they risk not only fines but also the loss of brand reputation and consumer trust, which are immeasurable.

California was one of the first states to provide an express right of privacy in its constitution and the first to pass a data breach notification law, so it was not surprising when state lawmakers in June 2018 passed the CCPA, the nation’s first statewide data privacy law. The CCPA isn’t just a state law; it will become the de facto national standard for the foreseeable future, because the sheer number of Californians means most businesses in the country will have to comply. The requirements aren’t insignificant. Companies will have to disclose to California customers what data of theirs has been collected, delete it and stop selling it if the customer requests. The fines could easily add up: $7,500 per violation if intentional, $2,500 for those lacking intent and $750 per affected user in civil damages.

Evolution of personal information

It used to be that the meaning of personally identifiable information (PII) from a legal standpoint was clear: data that can distinguish the identity of an individual. By contrast, the standard for mere PI was lower because there was so much more of it; if PI is a galaxy, PII was the solar system. However, the CCPA and the EU’s General Data Protection Regulation (GDPR), which went into effect in 2018, have shifted the definition to include additional types of data that were once fairly benign. The CCPA enshrines personal data rights for consumers, a concept that the GDPR first brought into play.

The GDPR states: “Personal data should be as broadly interpreted as possible,” a scope that covers all data associated with an individual, what we call “contextual” information. This includes any information that can “directly or indirectly” identify a person, including real names and screen names, identification numbers, birth date, location data, network addresses, device IDs, and even characteristics that describe the “physical, physiological, genetic, mental, commercial, cultural, or social identity of a person.” This conceivably could include any piece of information about a person that isn’t anonymized.

With the CCPA, the United States is playing catch-up to the GDPR and similarly expanding the scope of the definition of personal data. Under the CCPA, personal information is “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This covers a host of information that typically doesn’t raise red flags on its own but which, when combined with other data, can be triangulated to a specific individual, such as biometric data, browsing history, employment and education data, as well as inferences drawn from any of the relevant information to create a profile “reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities and aptitudes.”

Know the rules, know the data

These regulations aren’t checklist rules; they require big changes to technology and processes, and a rethinking of what data is and how it should be treated. Businesses need to understand what rules apply to them and how to manage their data. Information management has become a business imperative, but most companies lack a clear road map to do it properly. Here are some tips companies can follow to ensure they are meeting the letter and the spirit of the new regulations.

  • Figure out which regulations apply to you

The regulatory landscape is constantly changing, with new rules being adopted at a rapid rate. Every organization needs to know which regulations it must comply with and understand the distinctions between them. Some core aspects the CCPA and GDPR share include data subject rights fulfillment and automated deletion. But there will be differences, so having a platform that allows you to handle a heterogeneous environment at scale is important.

  • Create a privacy compliance team that works well with others

Read more: https://techcrunch.com/2019/11/14/californias-new-data-privacy-law-brings-u-s-closer-to-gdpr/

Cyber Security

Johnson will defy US and allow use of Huawei, says top security adviser


Chinese firm poised to help build UK's 5G phone network despite warnings about spying

Boris Johnson is likely to approve the use of Huawei technology in the UK's new 5G network against the pleas of the US government, a former national security adviser has said.

Sir Mark Lyall Grant, who was Theresa May's national security adviser, said that the security services had repeatedly concluded over several years that they were able to mitigate any potential threats posed by the Chinese technology.

The US has warned the British government it would be madness to use Huawei technology and senior Washington officials have said numerous times that the Trump administration would reassess intelligence sharing with the UK in light of such a move.

However, UK security figures dispute the claim and Britain has already used some Huawei technology in previous mobile networks. A final decision is expected later this month.

Lyall Grant told the Observer: "This has been gone into now by three different administrations, and I think the outcome is quite likely to be the same that the intelligence agencies are expressing confidence that they can sufficiently mitigate any potential security threat to allow Huawei to continue to provide at least the non-core telecommunications equipment for 5G rollout. The government has developed an oversight mechanism which they are confident will work.

"Combine that with the fact that Huawei has more advanced technology than the alternatives, I think it is relatively likely that Boris Johnson will come to the same conclusion."

Two of Britain's biggest telecoms companies, BT and Vodafone, are understood to be drafting a letter to Johnson, setting out their support for Huawei's involvement in 5G.

Last night, a senior Huawei executive, Victor Zhang, said there was simply no justification for banning the company on cyber security grounds.

"After looking at the facts, we hope the government agrees so that our customers can keep the UK's 5G roll-out on track and meet the prime minister's promise of gigabit connectivity for all," he said.

"Giving Huawei the go-ahead to continue supplying equipment will mean telecoms companies have access to the best technology and the breadth of suppliers they need to build secure, resilient and reliable networks."

The dispute was a sign that Britain would be repeatedly asked to take a side in disputes between the US and China, Lyall Grant added. "The interesting thing about Huawei is that it is the first, but by no means the only issue on which the risk is over the next decade, we are going to be pressured to choose," he said. "And that is a choice that on some issues the UK government is not going to want to make."

Read more: https://www.theguardian.com/technology/2020/jan/18/boris-johnson-defy-us-allow-5g-huawei


Cyber Security

Now It’s Really, Truly Time to Give Up Windows 7


Two days ago, I finally gave up Windows 7. I don't dislike Windows 10, but there's just always been something special about Windows 7. It was svelte. It actually ran faster and took up less hard drive space than its predecessor, the much-maligned Windows Vista. It looked great. We Windows users could finally hold our heads a little higher around Mac users. And, well, I didn't know how well Windows 10 would work on that old Windows 7 laptop, or how much time it would take to make the transition.

But Microsoft forced my hand. Tuesday is the last day that Microsoft will support Windows 7. "If you continue to use Windows 7 after support has ended, your PC will still work, but it will become more vulnerable to security risks and viruses," the company says. In other words, if you don't want to leave your computer open to ransomware and other threats, you better upgrade.

I was far from alone in my procrastination. A poll of IT professionals last year by Spiceworks, a social and online network for the IT industry, found that 79 percent of respondents still had at least one Windows 7 machine in their organization. About 25 percent said they didn’t expect to finish upgrading by now. Updates are always painful for large organizations. Many companies, nonprofits, and government agencies probably will keep running Windows 7 despite the risks and despite having had years to plan for the transition.

Organizations tend to overestimate how quickly they'll migrate to newer operating systems. In a 2013 poll by Spiceworks, 26 percent of respondents projected that they wouldn't migrate away from Windows XP before Microsoft ended support for that operating system in 2014. But Spiceworks found that about 32 percent of respondents were still running at least one machine with Windows XP last summer.

Fortunately for me, my upgrade to Windows 10 was pretty easy. And Microsoft says it will fix particularly important security issues for users who shell out for "extended support"; the company has been known to release security fixes even after it has officially stopped supporting a product.

IT departments can take steps to protect systems that are no longer supported. But they need to be proactive. "If organizations put their heads in the sand, they're going to get bit," says Chris Tillett, senior security engineer at information security company Exabeam. "You could be reading that your local hospital is sending your data to some criminal enterprise."

Why Companies Don't Update

Windows 7 was released in 2009. It was followed by Windows 8 in 2012 and Windows 10—the current version—in 2015 (there was no Windows 9). That might sound like plenty of time for organizations to migrate, but it’s never that simple. Some organizations may not want to—or be able to—shell out for new hardware and software. Plus, Windows 8 was notoriously unpopular because it didn’t have the traditional "Start" button. Many IT departments didn't want to support the operating system for fear that their help desks would be flooded by questions from confused users, says Peter Tsai from Spiceworks. That means PCs purchased as recently as 2015 may still be running Windows 7.

The biggest reason organizations hold on to older operating systems, Tsai says, is the need to run older "legacy" software that might not run correctly on newer operating systems. Backwards compatibility has long been a big priority for Microsoft, but it's not possible to guarantee everything that ran on older versions of Windows will work on a new version. Marc Capellupo, another Exabeam security engineer, says security improvements in Windows 10 might prevent some older applications from working correctly if they try to access parts of the operating system that are now locked down. The only way to be sure that old software works with new systems is to test it, and that takes time and resources. Even if an application will work flawlessly on Windows 10, an organization might delay an upgrade until it's been thoroughly tested. At large companies, with hundreds of thousands of users, an update from one version of an operating system to another can take years, Tillett says.


It’s getting easier to migrate applications from one operating system to another, Tsai says, because newer software is often web-based or built with cross-platform tools like the Java programming environment. But many industries, such as utilities, manufacturing, or financial services, still use decades-old software that can't easily be replaced, says Jason Christopher, principal cyber risk adviser at the industrial technology security company Dragos.

When millions of dollars, or people's lives, are on the line, companies are reluctant to replace software that still works, even if that means having to run outdated operating systems. Some companies still have ancient IBM mainframes, and others might run MS-DOS in virtual machines.

In cases where organizations have to run old, unsupported software and operating systems, IT departments typically do their best to secure systems in ways that don't depend on getting security updates from Microsoft. One of the most common strategies, Christopher says, is to isolate outdated systems from the internet or from other parts of the network.

For many companies looking to keep their systems safe, one answer will be still more software. According to Spiceworks, 59 percent of IT pros expect to use artificial intelligence or machine learning to detect security threats.


Read more: https://www.wired.com/story/time-give-up-windows-7/


Cyber Security

Microsoft Warns of Unpatched IE Browser Zero-Day That’s Under Active Attacks


Internet Explorer is dead, but not the mess it left behind.

Microsoft earlier today issued an emergency security advisory warning millions of Windows users of a new zero-day vulnerability in the Internet Explorer (IE) browser that attackers are actively exploiting in the wild, and there is no patch yet available for it.

The vulnerability, tracked as CVE-2020-0674 and rated moderate, is a remote code execution issue in the way Internet Explorer's scripting engine handles objects in memory, and it is triggered through the JScript.dll library.

A remote attacker can execute arbitrary code on targeted computers and take full control of them simply by convincing victims to open a maliciously crafted web page in the vulnerable Microsoft browser.

“The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user,” the advisory says.

“If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

Microsoft is aware of "limited targeted attacks" in the wild and is working on a fix, but until a patch is released, affected users have been provided with workarounds and mitigations to protect their vulnerable systems from attack.

The affected web browsing software includes Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11 running on all versions of Windows 10, Windows 8.1, and the recently discontinued Windows 7.

Workarounds: Defend Against Attacks Until A Patch Arrives

According to the advisory, preventing the JScript.dll library from loading blocks exploitation of this vulnerability.

To restrict access to JScript.dll, run the following commands on your Windows system from a command prompt with administrator privileges (takeown is needed first because the file is owned by TrustedInstaller, and cacls cannot change its ACL until ownership is taken).

For 32-bit systems:

takeown /f %windir%\system32\jscript.dll
cacls %windir%\system32\jscript.dll /E /P everyone:N

For 64-bit systems:

takeown /f %windir%\syswow64\jscript.dll
cacls %windir%\syswow64\jscript.dll /E /P everyone:N
takeown /f %windir%\system32\jscript.dll
cacls %windir%\system32\jscript.dll /E /P everyone:N

When a patch is available, users need to undo the workaround before installing it, using the following commands:

For 32-bit systems:

cacls %windir%\system32\jscript.dll /E /R everyone

For 64-bit systems:

cacls %windir%\system32\jscript.dll /E /R everyone
cacls %windir%\syswow64\jscript.dll /E /R everyone

Note that some websites or features that rely on the JScript.dll component may break once the vulnerable library is disabled, so users should install the update as soon as it becomes available and then revert the workaround.
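The following PowerShell script is an added example, not part of the advisory or the article, that wraps the workaround above so an administrator can verify, apply and revert it consistently across a fleet. It uses the same takeown and cacls commands the advisory gives; the check function reads the file's ACL with Get-Acl and looks for the Deny entry for Everyone that "everyone:N" creates, so it works before and after the change. The function names and the output format are this example's own assumptions. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from Microsoft's advisory or the article): verify, apply
# and revert the JScript.dll access-restriction workaround for CVE-2020-0674.
# Function names are this example's own. Requires an elevated prompt.

function Get-JScriptPaths {
    # 64-bit Windows carries both copies; 32-bit Windows only has system32.
    $paths = @("$env:windir\system32\jscript.dll")
    $wow = "$env:windir\syswow64\jscript.dll"
    if (Test-Path -Path $wow) { $paths += $wow }
    return $paths
}

function Test-JScriptBlocked {
    # True when the file carries a Deny ACE for Everyone (S-1-1-0), which is
    # what "cacls ... /E /P everyone:N" adds. Comparing the SID rather than the
    # name keeps the check correct on non-English installations.
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -Path $Path
    $deny = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq 'S-1-1-0'
    }
    return [bool]$deny
}

function Enable-JScriptWorkaround {
    # Apply the advisory's workaround: take ownership (the file belongs to
    # TrustedInstaller), then add the Deny-all ACE for Everyone.
    foreach ($p in Get-JScriptPaths) {
        if (Test-JScriptBlocked -Path $p) { Write-Host "already blocked: $p"; continue }
        & takeown.exe /f $p | Out-Null
        & cacls.exe $p /E /P 'everyone:N' | Out-Null
        Write-Host ("blocked: {0} -> {1}" -f $p, (Test-JScriptBlocked -Path $p))
    }
}

function Disable-JScriptWorkaround {
    # Revert before installing the patch, exactly as the advisory describes:
    # remove the Everyone entry that the workaround added.
    foreach ($p in Get-JScriptPaths) {
        if (-not (Test-JScriptBlocked -Path $p)) { Write-Host "not blocked: $p"; continue }
        & cacls.exe $p /E /R everyone | Out-Null
        Write-Host ("restored: {0} -> blocked={1}" -f $p, (Test-JScriptBlocked -Path $p))
    }
}

# Default action: report the current state of every copy without changing it.
# Call Enable-JScriptWorkaround before the patch ships, and
# Disable-JScriptWorkaround once it is ready to install.
foreach ($p in Get-JScriptPaths) {
    "{0}: blocked={1}" -f $p, (Test-JScriptBlocked -Path $p)
}
```

The state report is what makes the script useful in a fleet: dropping the report into an inventory or SIEM gives a defender a record of which hosts still have the mitigation in place after the patch is deployed, which is the step most often forgotten when a temporary workaround is rolled out by hand.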

Source: http://feedproxy.google.com/~r/TheHackersNews/~3/v0UAaoV7kvM/internet-explorer-zero-day-attack.html
