New Gmail security updates should be applauded

Email has been an integral part of our culture for more than two decades now. It seems like just yesterday Tom Hanks and Meg Ryan popularized the phrase “You’ve Got Mail,” and we witnessed the rise and fall of ‘ancient’ domains like Hotmail. Nowadays, the world of email looks a bit different. For one, nearly all of our online profiles and transactions rely on our email accounts. That means now more than ever, securing these accounts is critical. That also means new Gmail security updates are worthy of some serious celebrations.

It’s always great to see big technology companies, like Google, not only create positive change, but also prioritize user safety. So, what are these new security features?

The first one prevents users from clicking on links to malicious websites. When Gmail identifies a website that might do harm to your computer, you’ll be redirected to a warning page. From there, several options are available. You can access information about the potentially harmful site, or education about protecting your device from similar risks. The ability to click the back button is always there, and for those feeling particularly confident or risky, you have the choice to proceed to the flagged site despite Gmail’s warning.

Secondly, Gmail is implementing a way to warn users of state-sponsored attacks. Google states that this only affects 0.1% of their total users, as it will likely be restricted to people doing sensitive work such as journalism, activism, or policy-making—making them prime targets of government hacks. Previously in these situations, Gmail would alert at-risk users of dangerous situations by displaying a red strip bearing a link across their screens. Now, the warning has been converted into a full page warning, which provides links to educational resources on how state-sponsored attack targets can protect themselves.

What’s more? Google and other tech giants are pushing for industry-wide email encryption standards. That’s an admirable goal, and all involved companies deserve praise for their collective effort.

While it’s great to see these advances take place, we also need to accept personal responsibility for our online safety. Online tools, products and email providers aren’t the only ones that should be getting security updates. We as individuals need to maintain up-to-date knowledge of cyberthreats and security best practices.

With that in mind, here are a couple of tips for staying secure while you use email:

  • Don’t get phished. Phishing is a common cybercriminal tactic that tricks people into divulging private information, often targeting email users. For instance, a criminal might send fake emails pretending to be a customer service agent for a reputable company, in hopes that you’ll click a phony link. These malicious links may send you to a website that looks authentic, but actually steals your credit card information, or even downloads malware to your device. Some telltale signs to look for? Spelling and grammar errors, and off-putting URLs.
  • Follow email security best practices. Keep your account safe by only sharing your email address with trusted people and businesses. Don’t open attachments from unknown senders, and be suspicious of everything that comes to your inbox. And of course, use a strong password (a combination of letters, numbers, and symbols) to protect your account.

European Commission announces Safe Harbor replacement: the EU-US Privacy Shield

 

Neil Ford 3rd February 2016

The European Union and the United States have reached a last-minute agreement on international data transfers following last October’s ruling by the European Court of Justice that Safe Harbor, the 15-year-old pact between the EU and the US, was invalid.

The Safe Harbor agreement allowed the personal information of EU citizens to be transferred to the US without abiding by the strictures of European data protection legislation, but a legal challenge brought against Facebook by Max Schrems, an Austrian privacy campaigner who was concerned about the social network’s potential sharing of Europeans’ personal data with the NSA, resulted in Safe Harbor being declared invalid.

Under the EU Data Protection Directive (95/46/EC), EU Member States may only transfer personal data to a third country for processing if that country “ensures an adequate level of protection”. The European Court of Justice found that Safe Harbor did not ensure such a level of protection.

The last few months have been confusing for data controllers and processors. Now, however, shortly after the expiration of the 31 January deadline set by the Article 29 Working Party – the body responsible for data protection in the EU – the European Commission has announced that the EU-US Safe Harbor agreement will be superseded by something called the ‘EU-US Privacy Shield’.

EU-US Privacy Shield

Details are vague so far, but according to the Commission’s press release the new agreement will include:

Strong obligations on companies handling Europeans’ personal data and robust enforcement: U.S. companies wishing to import personal data from Europe will need to commit to robust obligations on how personal data is processed and individual rights are guaranteed. The Department of Commerce will monitor that companies publish their commitments, which makes them enforceable under U.S. law by the U.S. Federal Trade Commission. In addition, any company handling human resources data from Europe has to commit to comply with decisions by European DPAs.

Clear safeguards and transparency obligations on U.S. government access: For the first time, the US has given the EU written assurances that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms. These exceptions must be used only to the extent necessary and proportionate. The U.S. has ruled out indiscriminate mass surveillance on the personal data transferred to the US under the new arrangement. To regularly monitor the functioning of the arrangement there will be an annual joint review, which will also include the issue of national security access. The European Commission and the U.S. Department of Commerce will conduct the review and invite national intelligence experts from the U.S. and European Data Protection Authorities to it.

Effective protection of EU citizens’ rights with several redress possibilities: Any citizen who considers that their data has been misused under the new arrangement will have several redress possibilities. Companies have deadlines to reply to complaints. European DPAs can refer complaints to the Department of Commerce and the Federal Trade Commission. In addition, Alternative Dispute resolution will be free of charge. For complaints on possible access by national intelligence authorities, a new Ombudsperson will be created.

It’s also not yet known when the new framework will be put in place. (Knowing EU bureaucracy, it’ll be a while yet.) Again, from the press release:

Next steps

The College has today mandated Vice-President Ansip and Commissioner Jourová to prepare a draft “adequacy decision” in the coming weeks, which could then be adopted by the College after obtaining the advice of the Article 29 Working Party and after consulting a committee composed of representatives of the Member States. In the meantime, the U.S. side will make the necessary preparations to put in place the new framework, monitoring mechanisms and new Ombudsman.

Schrems commented: “Judging from the mere ‘headlines’ we know so far, I am however not sure if this system will stand the test before the Court of Justice. There will be clearly people that will challenge this – depending on the final text I may well be one of them.”

EU General Data Protection Regulation

The EU Data Protection Directive – which informed the Safe Harbor agreement – is soon to be superseded by the EU General Data Protection Regulation, a pan-European law that will harmonise data protection across EU member states.

All organisations that collect, process or store information will have to meet the GDPR’s requirements, or face penalties of up to €20 million – or 4% of turnover, which in the case of global Internet companies could be billions.

Implementing an information security management system (ISMS), as described in the international best-practice standard ISO 27001, is the sensible route to compliance.

Information security best practice

An ISO 27001-compliant ISMS provides a risk-based approach to data security that can be applied throughout the supply chain. Once your ISMS has been certified to the Standard you can insist that third-party contractors and suppliers also achieve certification. In addition to this, the external validation offered by ISO 27001 certification is likely to improve your organisation’s cyber security posture and business efficiency while providing a higher level of confidence to customers and stakeholders – essential for securing certain global and government contracts – as well as allowing you to meet your legal and regulatory obligations.

Achieving certification to the Standard can be a complicated and time-consuming business, though. Organisations must provide documented evidence of their compliance with ISO 27001, which in the case of larger or more complex organisations can require the creation of thousands of pages of documents. If you find yourself in this position, don’t worry: expert help is at hand.

 

Windows 10 Spam Alert

Security experts are warning Windows fans not to fall for a new spam campaign designed to trick users waiting for the new version of the OS to open an attachment crammed with ransomware.

Cisco’s Talos team claimed in a blog post that the spam run was a typical attempt to coattail a popular event in order to get the attention of as many email recipients as possible.

“The fact that users have to virtually wait in line to receive this update, makes them even more likely to fall victim to this campaign,” it argued.

The spammers themselves have taken several steps to make their emails appear to have been sent by Microsoft, including a spoofed “from” address of ‘update@microsoft.com’ – even though the IP address is linked to a machine in Thailand.

The color scheme used throughout the unsolicited message is also very similar to that used by the Windows team, and the attackers have added in both a disclaimer and a message claiming the email has been scanned by anti-virus.

However, they failed to spot several mistakes in the text of the message – characters which haven’t parsed properly.

“This could be due to the targeted audience, a demographic using a non-standard character set, or the character set the adversaries were using to craft the email,” Talos claimed.

If a user is tricked into opening the zip attachment to get their copy of ‘Windows 10’ and runs the corresponding executable, they will find their machine made unusable thanks to CTB-Locker.

This crypto-ransomware variant gives users 96 hours to pay a fee or face all of their computer files being lost forever.

It uses elliptic curve encryption – which is said to have lower overheads than other types – and hosts much of its infrastructure on Tor to avoid detection. Users must make payments in Bitcoin to make tracking even more difficult.

“The threat of ransomware will continue to grow until adversaries find a more effective method of monetizing the machines they compromise,” Talos warned. “As a defense, users are encouraged to backup their data in accordance with best practices. These backups should be stored offline to prevent them from being targeted by attackers.”

http://www.infosecurity-magazine.com/news/windows-10-spammers-hit-users/
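The email-safety tips earlier on this page (off-putting URLs, attachments from unknown senders) and the lure Talos describes here (a spoofed From: address, an originating IP in another country, a zip holding an executable) are all things a mail gateway or an analyst can check mechanically. The script below is an added example written for this page, not code from Talos, Google or Microsoft. It assumes a constructed SENDER_NETWORKS table standing in for a real SPF lookup, scans a message it builds inline (documentation IP range 203.0.113.0/24, made-up hostnames and file names), and flags a sender/first-hop mismatch, link text whose host differs from the href, and executables inside zip attachments.

```python
"""Email triage: spoofed sender origin, deceptive links, executables in zips.
Added example for this page; the SPF stand-in table and the sample are made up."""
import io
import ipaddress
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed stand-in for an SPF check: a real check resolves the domain's SPF
# record over DNS; this static table is an assumption made for the example.
SENDER_NETWORKS = {"microsoft.com": [ipaddress.ip_network("192.0.2.0/24")]}
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".bat", ".js", ".vbs")
IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)

def sender_domain(msg):
    """Domain of the From: address, lower-cased ('' if absent)."""
    return parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()

def origin_ip(msg):
    """IP of the earliest hop: relays prepend Received: lines, so the last one is
    nearest the sender. Loopback addresses (internal handoffs) are skipped."""
    for received in reversed(msg.get_all("Received", [])):
        for candidate in IP_IN_BRACKETS.findall(str(received)):
            ip = ipaddress.ip_address(candidate)
            if not ip.is_loopback:
                return ip
    return None

class _LinkCollector(HTMLParser):
    # Collects (href, visible text) for every <a> element in an HTML body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def link_mismatches(html):
    """(text, href) pairs where URL-looking link text names a different host
    than the href; plain text such as 'click here' is not compared."""
    collector = _LinkCollector()
    collector.feed(html)
    found = []
    for href, text in collector.links:
        if not URL_LIKE.match(text):
            continue
        shown = urlsplit(text if "://" in text else "http://" + text).hostname
        real = urlsplit(href).hostname
        if shown and real and shown.lower() != real.lower():
            found.append((text, href))
    return found

def executables_in_zip_attachments(msg):
    """Member names with an executable suffix inside any .zip attachment."""
    found = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                found += [n for n in zf.namelist() if n.lower().endswith(EXECUTABLE_SUFFIXES)]
        except zipfile.BadZipFile:  # corrupt or disguised archive is itself worth a flag
            found.append(f"{name} (unreadable zip)")
    return found

def triage(raw_message):
    """Parse a raw RFC 5322 message and return a list of findings (strings)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    findings, domain, ip = [], sender_domain(msg), origin_ip(msg)
    allowed = SENDER_NETWORKS.get(domain)
    if allowed is not None and ip is not None and not any(ip in n for n in allowed):
        findings.append(f"From: claims {domain} but the first hop was {ip}")
    body = msg.get_body(preferencelist=("html",))
    for text, href in link_mismatches(body.get_content() if body is not None else ""):
        findings.append(f"link text {text!r} actually points to {href!r}")
    for name in executables_in_zip_attachments(msg):
        findings.append(f"executable {name!r} inside a zip attachment")
    return findings

def constructed_sample():
    """A made-up message shaped like the lure described above; nothing in it is real."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Win10_Installer.exe", b"placeholder bytes, not a program")
    msg = EmailMessage()
    msg["From"] = "Microsoft <update@microsoft.com>"
    # 203.0.113.0/24 is a documentation range standing in for the foreign relay.
    msg["Received"] = ("from relay.example (relay.example [203.0.113.7]) "
                       "by mx.example.net; Thu, 30 Jul 2015 10:00:00 +0000")
    msg.set_content('<p>Download here: <a href="http://win10-update.example/dl">'
                    'https://www.microsoft.com/windows10</a></p>', subtype="html")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Win10_Installer.zip")
    return msg.as_bytes()
```

Running `triage(constructed_sample())` yields three findings, one per lure ingredient. The host comparison is deliberately strict (`microsoft.com` and `www.microsoft.com` would be reported), which errs toward flagging; a production filter would normalise to the registrable domain and replace the static table with an actual SPF/DKIM/DMARC evaluation.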

Beware Malvertising using SSL

A new malvertising campaign, appearing to come from various countries, including Vietnam, Turkey, Japan, Saudi Arabia and Germany, has ramped up, affecting several popular international websites.

What makes this attack unique is the use of multiple SSL redirectors, which encrypt the traffic and make the redirection chain harder to follow.

According to Cyphort Labs, both AOL advertising and Microsoft’s Azure cloud were involved in the redirects. Popular websites infected in this campaign include readms.com – a Japanese Manga comics site, visited by 280,000 people monthly – and bisnis.com, a daily newspaper published in Jakarta, Indonesia, which primarily covers financial and business news and is visited by 4.7 million people monthly. Also, Phununet.com, the 36th most popular site in Vietnam, was affected; it is the first social network for women in Vietnam, developed by Vietnam Online Group.

It appears related to the “Malvertising Gone Wild” campaign covered by Invincea, the firm said. In June, Invincea found that the prevalence of malvertising attempts hit a record high. It also found that the sites delivering malware tended to be ones with proportionately more visitors than other sites on the Internet.

“These malvertising campaigns were perpetrated by multiple groups of cyber criminals, delivering several variants of botnets, ransomware and click-fraud bots,” Invincea noted. “Most of the malware delivered were never seen before by AV vendors, according to VirusTotal.”

Notably, several highly popular websites delivered Adobe Flash-based malicious ads that infected victims. As usual, publishers of these websites are largely unaware that their websites were being used by malicious advertisers to drop malware on their visitors, and most have no control over this because of advertising syndication.