Information Security

Cybersecurity in Europe: Key Recommendations for The New Cyber Review

These are some of the questions that Hanover’s Digital Policy team* considers relevant to be addressed for Europe’s cyber preparedness.
Indeed, the major cybersecurity overhaul, which was announced on September 13 by Commission President, Jean-Claude Juncker, at the State of the Union address in Strasbourg, set a new course for Europe’s efforts in fighting cyber vulnerabilities, notably by coming up with a new non-binding cyber strategy and a revised mandate of the ENISA agency with new competences.
Yet, Member countries should be more open to information sharing. Our survey shows that all respondents ‘agree’ with further information sharing amongst Member countries, 35 percent of whom even ‘strongly agree’.
Despite these achievements, some outstanding issues need to be addressed, i.e. avoiding fragmentation, which would improve operational efficiency, and preserving the integrity of encrypted communications, so that backdoors for government access are not used for malicious purposes.

Cybercrime wake-up call

ALBUQUERQUE, N.M. — Cybersecurity experts say the massive breach of credit-reporting company Equifax Inc.’s data systems may be a needed wake-up call to galvanize business and government into much more aggressive action to protect online data in today’s hyperconnected cyber world.
Equifax faces congressional investigations, class-action lawsuits, inquiries by the Federal Trade Commission and the Consumer Financial Protection Bureau, and action by attorneys general from around the country.
Details are still scarce, but apparently hackers broke into Equifax through a flaw in the Apache Struts software package that runs one of its online web portals.
That apparently lax security, plus the immense damage cybercriminals could now inflict on consumers and businesses, may convert Equifax into a watershed event that pushes government and industry into much more aggressive efforts to fight cybercrime, according to industry experts.
Nearly 1.1 billion identities were stolen worldwide through data breaches last year, almost double the 2015 tally, according to the latest annual Internet Security Threat Report released last spring by global cybersecurity firm Symantec Corp.
“Growing hacker sophistication is a factor, but it’s the evolution in online data sharing that’s creating havoc,” said Srinivas Mukkamala, co-founder and CEO of Albuquerque-based cybersecurity firm RiskSense.
As a result, cybersecurity’s traditional focus on teaching employees what to do and not to do to protect systems is inadequate, said Jack Miller, chief information security officer for cybersecurity firm SlashNext, which created hardware to monitor all traffic on a company’s network.
It’s the interface between artificial intelligence and humans, plus the sharing of lessons learned among everybody, that will allow industry and government to get ahead of cybercrime, Mukkamala said.

Protect yourself from identity theft: An explainer

I want to take this space to explain a little more about the various steps one can take to guard against theft of your money or identity, because it’s been in the news so much lately, and I know it can all be confusing.
3) Someone uses your personal information to file a tax return and claim a refund.
The second possibility is what people call identity theft.
You may have seen different terms floating around: credit freeze, credit lock, fraud alert and credit monitoring.
With this form of protection, when anyone tries to open a new credit account in your name, add a new card to an existing account or raise your credit limit, the lender is supposed to verify that it’s you, for example, by calling you on the phone number you gave.
You can call any of the three credit reporting agencies to place a fraud alert for 90 days.
A credit freeze is deeper than a fraud alert. With a credit freeze, no third party can access your credit report until the freeze is lifted.
In the wake of their breach and after a public outcry, Equifax has announced that it will offer a credit freeze free of charge for all consumers until Nov. 21.
Remember that they will never demand information from you over the phone.

Will Equifax end data breach class actions?

The debate has hinged mostly on courts’ perceptions of the likelihood that the hack will result in identity theft. For some courts, it’s obvious that the breach of someone’s personal information materially increases the likelihood that the person will be the victim of identity theft.
If you’re one of them, your information is floating around the dark web.
Circuit held in the CareFirst case that disclosure of a plaintiff’s social security number—plus some other data, including health information—could give the plaintiff standing. The theory was that mere disclosure put the plaintiff at materially greater risk for identity theft. Because after the Equifax hack, it’s harder to see the harm from the mere disclosure of, say, social security numbers. Or at least, it’s harder for potential plaintiffs whose social security numbers already had been disclosed in the Equifax hack.
How do they certify a victim class? Do they have to authorize discovery into each victim and whether that victim’s information already has been disclosed in the Equifax hack, or some other hack?

Bitcoin Developers Reveal Roadmap for ‘Dandelion’ Privacy Project

The developers behind a bitcoin privacy solution called Dandelion have unveiled a new roadmap that addresses previously discovered code issues.
It does this by breaking that transaction into two parts, nicknamed the “stem” and the “fluff.” The “stem” is the single transaction itself, while the “fluff” is an obfuscation method that occurs after the fact.
The proposal was originally opened up for scrutiny as a Bitcoin Improvement Protocol (BIP) back in June, but issues were discovered that ultimately delayed the project. As pointed out by Bitcoin Core contributor Greg Maxwell, various faults in Dandelion could lead to its deanonymization over time.
Now, the Dandelion team has come forward to present a strategy for addressing those problems. “We have not yet completed a reference implementation, so this update does not include a new BIP. Instead, we’re just outlining the steps we plan to take before an updated BIP,” one of the developers, Giulia Fanti, said in an email.

The European Union Is Preparing to Get Tough on Data Protection

The EU’s inclination to act as the world’s corporate enforcer is likely to be expanded into the realms of privacy and data protection through a new law coming into effect early next year. Experts say that law could have big ramifications for the travel industry.
Companies will need to be clearer in their requests for information.
“The new law makes it clearer that if organizations are relying on someone’s consent to process their personal information, the consent should be valid – i.e. it should have been given unambiguously,” said Baines.
“The travel industry is considered one of the most vulnerable sectors to data threats, because they process such high volumes of personal data, passports and credit card information on behalf of their clients,” said Milton.

Equifax Data Breach

Equifax says it will mail information to the roughly 200,000 people whose credit card information was also stolen. The others will have to find out for themselves if they were impacted by going to the Equifax site noted below.
Equifax allows protected public access to its data to individuals seeking information about their own credit reports.
Check to see if you are an Equifax victim.
Start checking your banking and credit information regularly.
Go to www.AnnualCreditReport.com to get your totally free copy of your credit report — from each of the three bureaus.
It will cost you a small amount to freeze, and later “un-freeze” your credit report. But it will protect against someone using your personal information to open new accounts.
In just one month, we’ve found that we can’t control Mother Nature, and apparently we are also vulnerable to compromise of our digital dependence.

How to protect yourself from identity theft

DAVENPORT – Almost 143 million Americans had their personal information exposed after a data breach from Equifax.
That’s almost half the population and the chances of those affected being in Iowa and Illinois are very likely.
During a presentation on what to do if you’ve been hacked at the Davenport Library, many Quad Citians shared their concerns. “We have to be aware in this age of technology,” says attendee Mona Martin.
Although Martin wasn’t hacked, she’s looking for answers on how to make sure it stays that way. Her questions were answered by Certified Public Accountant Douglis Reiling of CPA Oelerich and Associates.
If your personal information has been hacked, Reiling recommends signing up for free identity theft protection with Equifax.
But Reiling says, if you are still a little skeptical, to try a different website.

SEC admits data breach, suggests illicit trading was key

By specifically targeting this system, the threat actors may have gained access to information which had the power to change the market, which in turn could be used to trade illicitly thanks to the stolen, “insider” information contained therein, whether they were company financial statements or merger announcements.
In a statement, SEC said the Edgar filing system data breach took place in 2016, but it is not yet known which companies may have been affected — or how much the hacker profited.
Edgar processes roughly 1.7 million electronic filings per year.
Once discovered, the problem was immediately patched, and an investigation has now begun into the data breach.
Clayton said the review of the incident is ongoing with help from “appropriate authorities,” but it is not so far believed that the hack went any further and compromised any other SEC systems. “We must be vigilant.”
The breach was discovered as part of an audit ordered by the chairman.
Equifax then blamed an Apache Struts security hole for the incident.

Risks in the common practice of sending technical data outside the U.S. — New Jersey company penalized $400,000 (Trade and Manufacturing Monitor blog)

Does your company source components or parts outside the U.S.? When doing so, you need to be careful about sending unlicensed export controlled technical data like drawings, blueprints and manufacturing instructions as part of an RFQ or production process.
Yes, technical data export issues are more difficult to address in the same systematic way that product export issues are handled. Decision making about what data is shared and how it is shared (email, express mail, uploading to a vendor’s website, data sharing sites, cloud-based platforms, etc.) is often up to individual engineering and procurement personnel. Because human beings are involved, export control training on technical data issues is key, as is implementing a fail-safe process to classify and control data. Many companies are still guessing about data classification, getting it half right, or otherwise don’t have a good handle on what kind of information they are exporting.
That case involved 11 alleged violations of the International Traffic in Arms Regulations (ITAR) related to exports of technical data. Allegedly, a senior employee and people under his supervision would ‘cut and paste’ information from export-controlled drawings and use the relabeled drawing to obtain quotes from overseas vendors, often without export licenses.