Virtual Subsidiary UK
Wednesday 23 August 2017
Thursday 17 August 2017
GDPR - Are You Ready?
May 25th 2018 is one of the most important dates on any marketer’s calendar. This is the date the new laws regarding data protection and usage come into effect and, more worryingly for smaller businesses, the date on which email marketing and the practices behind it change forever.
Awareness of GDPR may be rising, but awareness of what it takes to be compliant is still seriously lacking, according to a new study which claims that only 2% of businesses which claim to have met their obligations under the data protection reforms have actually achieved the necessary standards.
According to the Veritas 2017 GDPR Report, which covers the UK, US, France, Germany, Australia, Singapore, and Japan, almost one-third (31%) of businesses believe that their company already conforms to the legislation's key requirements. However, when they were asked about specific GDPR provisions, a whopping 98% fell way short.
Companies must now focus on five high priority areas to ensure they won't be part of that 98%.
Determining exactly how GDPR affects them
Any organisation that decides on what personal data is processed, for what reason and by what means, is essentially a “data controller.” The GDPR applies not only to businesses in the EU, but also to all organisations outside the EU that are processing personal data for the offering of goods and services to the EU, or that are monitoring the behaviour of data subjects within the EU.
If any of these criteria are met, then these organisations should appoint a representative to act as a point of contact for the data protection authority (DPA) and data subjects. This leads onto the next priority for companies impacted by GDPR.
Appoint a data protection officer
When GDPR is introduced, a number of companies will have to employ a data protection officer. The role of a data protection officer is to oversee data protection strategy. They must also educate those within the company on what they must do in order to comply with requirements, provide staff involved in data processing with the necessary training, and perform privacy audits.
Operate transparently and demonstrate accountability
When processing data, companies should operate transparently and illustrate that they are accountable for their actions. An organisation cannot demonstrate accountability without proper data subject consent acquisition and registration. In the past, companies might have been able to get away with implied consent and pre-checked boxes, but this will no longer be the case. They will now have to introduce - if not in place already - measures that enable them to both obtain and record consent and the withdrawal of consent.
People must know exactly what they are agreeing to, so companies should be clear on what the data is and how and why it is processed.
Manage cross-border data flows correctly
Following residency requirements, data can be transferred to any of the 28 EU member states, along with EEA members Norway, Liechtenstein and Iceland. Data transfers can also be made to any of the 11 jurisdictions considered by the European Commission to have an adequate level of protection. This is judged through an adequacy decision, which is a decision taken by the Commission establishing that a third country provides a level of protection of personal data proportional to that in the European Union, through its domestic law or its international commitments. When it comes to transfers that do not fall within these set areas, companies should ensure that they are using the appropriate safeguards. Examples of such measures include Binding Corporate Rules (BCRs) and standard contractual clauses, i.e., “EU Model Contracts”.
Anticipating data subjects exercising their rights
The introduction of the GDPR creates new rights for individuals and also strengthens some of the existing rights. Some of the rights provided by the GDPR include the right to data portability, the right to be forgotten, and the right to be informed. The latter concerns incidents such as a data breach, or if data subjects wish to receive an explanation around machine learning systems’ automated decision making, for instance.
Ideally, businesses should already have measures and plans in place to deal with the European GDPR coming into effect. However, if a business is not prepared to suitably address data breaches and people exercising their rights, then it is imperative that they start implementing additional controls as soon as possible.
There have been many reasons given for the current malaise over GDPR implementation, from conflicting advice from the Information Commissioner's Office and confusion, to Brexit and sheer ignorance, but a worrying new factor has emerged - many marketers simply do not have the experience to deal with the changes.
We understand that these new regulations could require drastic changes to many SMEs’ marketing tactics and budgets, so here at Virtual Subsidiary we want to help take the stress away from your marketing team by giving you all the GDPR facts.
Monday 13 July 2015
Voat is being kicked by a botnet right now.
Reddit-rival Voat announced today that it is currently being hit in a DDoS (Distributed Denial of Service) attack by hackers unknown.
For those who are unfamiliar with the sites: both Reddit and Voat act, in essence, as online bulletin boards. Users can post images, text and direct links, which are then voted up or down to determine their position on the board. The main selling point of Voat is that, unlike its Reddit counterpart, it maintains no censorship.
The Swiss company posted on Twitter at midnight this morning that it is being hit by an ongoing “layer 7 DDoS attack”, adding on its website that this is the indirect reason for the halt in functionality of most third-party apps for Voat. They have “bumped up CloudFlare security settings...in order to keep Voat at least somewhat responsive”. Unfortunately this “essentially breaks most Voat third party apps currently on the market.” They ended with the question “What doesn't kill you - makes you stronger, right?".
Currently the website is loading temperamentally; however, some users still see the message "Voat is being kicked by a botnet right now.”
Read the original articles here:
Wednesday 8 July 2015
The Hackers Become The Hacked
Milan-based “digital mercenar[ies]” Hacking Team have fallen victim to their own sword in a hack that has revealed documents alleging that the company did business with various repressive regimes. The outfit uses vulnerabilities and malware to access the networks of their clients’ targets in a legal offensive, which they offer to law enforcement services and national security organisations.
A Reporters Without Borders report released in 2013 named Hacking Team as a “corporate enem[y] of the internet”. Hacking Team has frequently denied selling their software to repressive administrations, and the firm responded to this with a statement claiming that they go “to great lengths to assure that [their] software is not sold to governments that are blacklisted by the EU, the USA, NATO and similar international organisations or any ‘repressive’ regime.” They repeat this on their website; yet the 400GB of documents purport that they have been providing services for several repressive authorities, including those from Azerbaijan, Bahrain, Kazakhstan, Russia, Saudi Arabia, the UAE and Uzbekistan.
The integrity of these documents, which were communicated using the official Twitter feed of the firm, has not yet been independently verified. The hackers posted to the feed for hours after the initial deluge until the company regained control on Monday morning. The posts, which highlighted particular documents (including emails, invoices and screenshots of employee computers), have since been removed. The organisation’s Twitter name, which has also been changed back, was changed to Hacked Team.
One of these tweets asserts that negotiations between Hacking Team and a third-party reseller took place in the context of exporting their software to Nigeria. Such a sale may have circumvented the export controls put in place by Italy. Another such tweet shows an internal debate about a course of action after the University of Toronto alleged that they had sold hacking software to Ethiopia with the purpose of attacking US journalists. These allegations have never been confirmed or dismissed publicly by the company; however, in March, they were dismissed by a spokesperson who suggested that they were “based on some nicely presented suppositions”.
January 2015 saw the company denying any current business relations with the national intelligence service for Sudan to the Italian representative of the UN. Despite this, one of the documents supposedly leaked from the company contains an invoice for 480,000€ received from the Sudanese. The answer to the UN’s follow-up question, “whether there have [been] any previous business arrangements”, is not recorded.
The organisation’s website specifically states that they “provide [their] software only to governments or government agencies” and not to “individuals or private businesses”. However, another invoice suggests that they had dealings with the private Brazilian company YasNiTech, to whom three months’ access to their remote access tool was sold. This allowed the organisation to hack into Android, Blackberry and Windows devices. It is unknown whether this was part of a larger contract with the Brazilian state government; if not, it is in clear breach of their policy.
The hacker who has now claimed responsibility for the Hacking Team hack also claimed responsibility for the hack of their “wannabe competitor”, Gamma Group International. GGI were best known for their FinFisher surveillance software, 40GB of which was leaked in 2014, giving details of their clients, capabilities and pricing.
One of the employees of Hacking Team, Christian Pozzi, tweeted saying that the documents are “false lies” and that “a lot of what the attackers are claiming regarding [their] company is not true”. He stated that they “are currently working closely with the police” and that he “can’t comment about the recent breach”. Later his feed was hacked and then the entire account was deleted.
The rare chance to allegedly look inside the workings of a cyber-surveillance firm like Hacking Team is being welcomed by numerous privacy groups. Privacy International released a statement stating that the “tools [Hacking Team are selling] are [being] used to target human rights activists and pro-democracy supporters at home and abroad. Surveillance companies like Hacking Team have shown they are incapable of responsibly regulating themselves, putting profit over ethics, time after time. Since surveillance companies continue to ignore their role in repression, democratic states must step in to halt their damaging business practices.”
The veracity of these documents has not yet been confirmed, but many are calling for the initiation of a full investigation, among them Marietje Schaake, a Dutch MEP who has been dealing with issues in surveillance tech for years, who is calling for an “urgent, thorough investigation” into the legality of the alleged sales and whether or not they are in contravention of the European sanctions against Russia and Sudan.
Whether or not the documents turn out to be genuine, many people are asking who’ll be the hacker’s next target.
In a previous post we discussed the exploitation of zero-day vulnerabilities in Adobe Flash Player, specifically in regards to the flaw CVE-2015-3113. The data dump from the Hacking Team hack revealed another zero-day vulnerability in the Flash Player and Windows software, a patch for which is expected to be released today. Remember to update with this patch as soon as possible to avoid attacks on your system.
Tuesday 30 June 2015
Targeted Contact Data: Freshly Made, 100% Pure
Handcrafted Data specialises in providing you with 100% accurate and reliable data matched to your target-audience requirements. We faced the age-old marketers’ problem of contact data quality. Our hungry sales team constantly needed feeding with new, targeted leads, and to provide them with these we needed contacts. And lots of them.
Going out to buy a bunch of contact data struck us as the best option and, after consulting lots of data brokers, we realised that no matter how much or how little we spent, the data was mostly terrible. We came across IT Directors who had left years ago or were never IT Directors at all.
After a while of this we realised that the only way to get the good-quality, fresh contacts we needed was to find them ourselves. Contact by contact, we manually entered their details into our CRM, and soon we found we were getting really good at this. So good, that we decided to start offering this manual data crafting as a service for you.
Whatever your unique target-audience requirements, we can find and assemble quality contact information quickly. We can also provide fully tailored, lead-generating email campaigns to these fresh contacts, either feeding these leads directly to your sales team or pre-qualifying them first with our own experienced sales crew. And, if your target audience should change week to week, we can shift the focus of our search to accommodate this.
We can guarantee that your data is up to date, of good quality and accurate. We can guarantee that your data won’t bounce, be stagnant or be just plain crazy, as it can be from a typical data broker.
Why not learn a little more by visiting our micro-site: www.handcrafteddata.com
Cybercriminals exploit Flash zero-day flaw
Last Tuesday Adobe Systems released a patch for the Flash Player vulnerability CVE-2015-3113. However, just four days later a malware researcher who goes by Kafeine spotted the Magnitude exploit kit being used for a drive-by download attack exploiting the vulnerability.
The Common Vulnerabilities and Exposures database tracks the flaw as CVE-2015-3113. It turns out that CVE-2015-3113 had zero-day status and had been targeted for several weeks by a China-based cyberespionage group prior to the patch being released. These attacks were targeted against organisations in a broad range of industries, from aerospace, defence and technology to construction, transportation, engineering and telecommunications.
The goal of the exploiters is to compromise sophisticated defence systems and to remain undetected for as long as possible. For this reason it is not uncommon for Flash Player and other popular applications to be targeted in zero-day exploits.
Despite this, incidents of non-selective, widespread attacks using zero-day exploits are uncommon, predominantly due to the value of zero-day vulnerabilities to the attackers. Financially it is not sensible for such brash campaigns to be used, as this draws attention to the vulnerability and makes it more likely to be discovered and patched quickly.
Instead, exploit kit operators usually prefer to integrate exploits for already patched vulnerabilities, working on the principle that many users will not install patches speedily enough. The creators of these exploit kits, however, are dramatically reducing the time they need to incorporate a new exploit. As such, users are being left with a much shorter time frame in which to deploy the patch before the exploits are integrated. In the case of the CVE-2015-3113 vulnerability this was only 4 days. This causes issues in organisations which typically install updates on schedules often separated by more than a week.
Another Flash Player exploit was integrated into the Nuclear exploit kit earlier this year, a mere week after the patch was released. A decreasing trend in patch window size is emerging.
Currently the Magnitude attacks on the CVE-2015-3113 vulnerability, if successful, install the Cryptowall ransomware. This could be changed at any time by the attackers.
Tuesday 3 March 2015
Hackers can use Blu-Ray discs to breach networks.
An innocent-looking Blu-ray disc can be used by malicious actors to get a foothold in a targeted network, a researcher has warned.
According to Stephen Tomkinson of the NCC Group, both hardware and software Blu-ray players are plagued by vulnerabilities that can be leveraged to execute arbitrary files stored on the disc.
The advanced features provided by Blu-ray discs, such as dynamic menus and Web access, are built using BD-J (Blu-ray Disc Java). The specification is used to create interfaces and embedded applications called Xlets. Xlets are similar to Java applets, but they are specially designed for digital TV environments.
Xlets run in a Java VM and they use the SecurityManager class to implement security policies. Tomkinson noted that, in general, these security policies prevent discs from accessing elements outside of the virtual file system and prevent interaction with the underlying operating system.
In his tests, Tomkinson targeted PowerDVD, a popular Blu-ray player application developed by CyberLink. The researcher has found a way to disable the SecurityManager developed by CyberLink and gain access to methods that can be used to launch arbitrary executable files stored on the disc.
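A small illustration of the point about the SecurityManager, written for this page rather than taken from the NCC Group research or CyberLink's player: a policy that blocks native execution is only as strong as its own protection against being switched off, so this demo denies both checkExec and the permission needed to replace the manager. The class name, the placeholder program name and the Java 8-17 assumption are mine.

```java
import java.io.IOException;
import java.security.Permission;

// Added illustration, not NCC Group's or CyberLink's code: a SecurityManager
// standing in for a BD-J player's policy. It denies launching native executables
// and, crucially, refuses to be replaced or removed: a manager that the confined
// code can switch off protects nothing, which is the failure the article describes.
// Runs on Java 8-17; on 18+ start the JVM with -Djava.security.manager=allow.
public class XletSandboxDemo {

    static final class NoExecManager extends SecurityManager {
        // ProcessBuilder.start() and Runtime.exec() consult this first.
        @Override
        public void checkExec(String cmd) {
            throw new SecurityException("exec denied: " + cmd);
        }

        // System.setSecurityManager(x) asks for RuntimePermission("setSecurityManager");
        // denying it also blocks setSecurityManager(null), i.e. disabling the sandbox.
        @Override
        public void checkPermission(Permission perm) {
            if (perm instanceof RuntimePermission
                    && "setSecurityManager".equals(perm.getName())) {
                throw new SecurityException("replacing the security manager is denied");
            }
            // Everything else is permitted in this demo; a real player policy is stricter.
        }
    }

    // Tries to start a native process; returns true if the policy let it through.
    static boolean execAllowed(String program) {
        try {
            new ProcessBuilder(program).start();
            return true;
        } catch (SecurityException e) {
            return false;
        } catch (IOException e) {
            return true; // the policy allowed it; the binary simply was not found
        }
    }

    // Tries to remove the installed manager; returns true if that was allowed.
    static boolean disableAllowed() {
        try {
            System.setSecurityManager(null);
            return true;
        } catch (SecurityException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        System.setSecurityManager(new NoExecManager());
        // "disc-payload" is a placeholder program name, not a real binary.
        System.out.println("native exec allowed:     " + execAllowed("disc-payload"));
        System.out.println("sandbox can be disabled: " + disableAllowed());
    }
}
```

With both checks in place the two lines print false; comment out the setSecurityManager branch of checkPermission and the second line flips to true, which is the shape of the weakness the article attributes to the player.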
On systems where PowerDVD is installed, Blu-ray discs are automatically played with the application, which enables attackers to bypass autorun attack mitigations in Windows, the expert said.
As for physical Blu-ray players, the researcher used an exploit previously developed by Malcolm Stagg to get a shell on the device. From there, Tomkinson managed to come up with a way to execute arbitrary files located on the disc.
Both software and physical players can be targeted with a single disc, the researcher said. An attacker can create a disc that detects the player type and executes a malicious file specific to that platform. In order to avoid raising suspicion, a legitimate video file can be played right after the malicious files are launched.
“[The malicious] executables could be used by an attacker to provide a tunnel into the target network or to exfiltrate sensitive files, for example,” Tomkinson explained in a blog post.
The researcher has pointed out that in the case of physical Blu-ray players, an attacker needs to ensure that the device doesn’t go to sleep after the victim has stopped viewing the video. This can be achieved by intercepting the power off request and by switching off the power LED in order to avoid raising suspicion.
In an attack targeted at a corporate network, if the player is configured for Wi-Fi access, malicious actors can easily obtain Wi-Fi settings because the information is stored on the device unencrypted.
The NCC Group says it’s working with affected vendors to get the vulnerabilities fixed, but “with varying degrees of success.” Until the vulnerabilities are addressed, Tomkinson advises users not to use discs from untrusted sources and to disable the autoplay feature. Hardware players should not be connected to the network or the Internet unless necessary.
Using removable media to distribute malware is not unheard of. The Equation Group, an entity that is believed to have ties to the NSA, reportedly replaced CD-ROMs sent out by the organizers of a scientific conference with ones containing malware.
(Article Taken from SC Magazine)