Thursday, 17 August 2017

GDPR - Are You Ready?

May 25th 2018 is one of the most important dates on any marketer’s calendar. This is the date the new laws regarding data protection and usage comes into effect and, more worryingly for smaller businesses, the date where email marketing and the practices behind it changes forever.
Awareness of GDPR may be rising, but awareness of what it takes to be compliant is still seriously amiss, according to a new study which claims that only 2% of businesses which claim to have met their obligations under the data protection reforms have actually achieved the necessary standards.
According to the Veritas 2017 GDPR Report, which covers the UK, US, France, Germany, Australia, Singapore, and Japan, almost one-third (31%) of businesses believe that their company already conforms to the legislation's key requirements. However, when they were asked about specific GDPR provisions, a whopping 98% fell way short.


Companies must now focus on five high priority areas to ensure they won't be part of that 98%.  
Determining exactly how GDPR affects them
Any organisation that decides on what personal data is processed, for what reason and by what means, is essentially a “data controller.” The GDPR applies not only to businesses in the EU, but also to all organisations outside the EU that are processing personal data for the offering of goods and services to the EU, or that are monitoring the behaviour of data subjects within the EU. 
If any of these criteria are met, then these organisations should appoint a representative to act as a point of contact for the data protection authority (DPA) and data subjects. This leads onto the next priority for companies impacted by GDPR. 
Appoint a data protection officer
When GDPR is introduced, a number of companies will have to employ a data protection officer. The role of a data protection officer is to oversee data protection strategy. They must also educate those within the company on what they must do in order to comply with requirements, provide staff involved in data processing with the necessary training, and perform privacy audits.  
Operate transparently and demonstrate accountability
When processing data, companies should operate transparently and illustrate that they are accountable for their actions. An organisation cannot demonstrate accountability without proper data subject consent acquisition and registration. In the past, companies might have been able to get away with implied consent and pre-checked boxes, but this will no longer be the case. They will now have to introduce - if not in place already - measures that enable them to both obtain and record consent and the withdrawal of consent.  
People must know exactly what they are agreeing to, so companies should be clear on what the data is and how and why it is processed. 
Manage cross-border data flows correctly 
Following residency requirements, data can be transferred to any of the 28 EU member states, along with EEA members Norway, Liechtenstein and Iceland. Data transfers can also be made to any of the 11 jurisdictions considered to have an adequate level of protection by the European Commissions. This is judged through an adequacy decision, which is a decision taken by the Commission establishing that a third country provides a proportional level of protection of personal data to that in the European Union, through its domestic law or its international commitments. When it comes to transfers that do not fall within these set areas, companies should ensure that they are using the appropriate precautions. Examples of such measures include Binding Corporate Rules (BCRs) and standard contractual clauses, i.e., “EU Model Contracts”. 
Anticipating data subjects exercising their rights 
The introduction of the GDPR creates new rights for individuals and also strengthens some of the existing rights. Some of the rights provided by the GDPR include the right to data portability, the right to be forgotten, and the right to be informed. The latter concerns incidents such as a data breach, or if data subjects wish to receive an explanation around machine learning systems’ automated decision making, for instance.  
Ideally, businesses should already have measures and plans in place to deal with the European GDPR coming into effect. However, if a business is not prepared to suitably address data breaches and people exercising their rights, then it is imperative that they start implementing additional controls as soon as possible. 

There have been many reasons given for the current malaise over GDPR implementation, from conflicting advice from the Information Commissioner's Office and confusion, to Brexit and sheer ignorance, but a worrying new factor has emerged - many marketers simply do not have the experience to deal with the changes.
We understand that these new regulations could require drastic changes to many SMEs marketing tactics and budgets, so here at Virtual Subsidiary we want to help take the stress away from your marketing team by giving you all the GDPR facts. 

Monday, 13 July 2015

Voat is being kicked by a botnet right now.

Reddit-rival, Voat announced today that it is currently being hit in a DDoS (Distributed Denial of Service) attack by hackers unknown.  For those who are unfamiliar with the sites; both Reddit and Voat act, in essence, as online bulletin boards.  Users can post images, text and direct links, which are then voted up or down to determine their position on the board.  The main selling point of Voat is that, unlike its Reddit counterpart, in it maintains no censorship. 
The Swiss company posted on Twitter at midnight this morning that it is being hit by an ongoing “layer 7 DDoS attack”, adding on its website that this is the indirect reason for the halt in functionality of most of third party apps for Voat. 
They have “bumped up CloudFlare security settings...in order to keep Voat at least somewhat responsive”.  Unfortunately this “essentially breaks most Voat third party apps currently on the market.”  They ended with the question “What doesn't kill you - makes you stronger, right?". 

Currently the website is loading temperamentally; however some users still see the message "Voat is being kicked by a botnet right now.”  
Read the original articles here:  

Wednesday, 8 July 2015

The Hackers Become The Hacked

Milan-based “digital mercenar[ies]”, Hacking Team, have fallen victim to their own sword in a hack that has revealed documents that allege that the company did business with various repressive regimes.  The outfit use vulnerabilities and malware to access the networks of their clients’ target in a legal offensive, which they offer to law enforcement services and national security organisations. 

A Reporters Without Borders report released in 2013 named Hacking Team as a “corporate enem[y] of the internet”.  Hacking Team has frequently denied selling their software to repressive administrations and the firm responded to this with a statement claiming that they go  “to great lengths to assure that [their] software is not sold to governments that are blacklisted by the EU, the USA, NATO and similar international organisations or any ‘repressive’ regime.”  They repeat this on their website; yet the 400GB of documents purport that they have been providing services for several repressive authorities including those from Azerbaijan, Bahrain, Kazakhstan, Russia, Saudi Arabia, the UAE and Uzbekistan. 

The integrity of these documents, which were communicated using the official Twitter feed of the firm, have not yet been independently verified.  The hackers posted to the feed for hours after the initial deluge until the company regained control on Monday morning.  The posts, which highlighted particular documents (including emails, invoices and screenshots of employee computers), have since been removed.  The organisation’s Twitter name, which has also been changed back, was changed to Hacked Team. 

One of these tweets asserts that negotiations between Hacking Team and a third-party reseller took place in the context of exporting their software to Nigeria.  Such a sale may have circumvented the export controls put in place by Italy.  Another such tweet, shows an internal debate about a course of action after attacks by the University of Toronto averred that they had sold hacking software to Ethiopia with the purpose of attacking US journalists.  These allegations have never been confirmed or dismissed publically by the company; however, in March, they were dismissed by a spokesperson who suggested that they were “based on some nicely presented suppositions”. 

January 2015 saw the company denying any current business relations with the national intelligence service for Sudan to the Italian representative of the UN.  Despite this one of the documents supposedly leaked from the company, contains an invoice for 480,000€ received from the Sudanese.  The answer to the UN’s follow-up question, “whether there have [been] any previous business arrangements”, is not recorded. 

The organisation’s website specifically state that they “provide [their] software only to governments or government agencies” and not to “individuals or private businesses”.  However another invoice suggests that they had dealings with the private Brazilian company, YasNiTech, to whom three months access to their remote access tool was sold.  This allowed the organisation to hack into Android, Blackberry and Windows devices.  It is unknown as to whether this was part of a larger contract with the Brazilian state government, if not it is in clear breach of their policy. 

The hacker who has now claimed responsibility for the Hacking Team hack, also claimed responsibility for the hack of their “wannabe competitor”, Gamma Group International.  GGI were best known for their FinFisher surveillance software, 40GB of which was leaked in 2014, giving details of their clients, capabilities and pricing. 

One of the employees of Hacking Team, Christian Pozzi, tweeted saying that the documents are “false lies” and that “a lot of what the attackers are claiming regarding [their] company is not true”.  He stated that they “are currently working closely with the police” and that he “can’t comment about the recent breach”.  Later his feed was hacked and then the entire account was deleted. 

The rare chance to allegedly look inside the workings of a cyber-surveillance firm, like Hacking Team, is being welcomed by numerous privacy groups.  Privacy International released a statement, stating that the “tools [Hacking Team are selling] are [being] used to target human rights activists and pro-democracy supporters at home and abroad.  Surveillance companies like Hacking Team have shown they are incapable of responsibly regulating themselves, putting profit over ethics, time after time. Since surveillance companies continue to ignore their role in repression, democratic states must step in to halt their damaging business practices.”

The veracity of these documents has not yet been confirmed but many are calling for the initiation of a full investigation among them Marietje Schaake, a Dutch MEP who’s been dealing with issues in surveillance tech for years, who is calling for an “urgent, thorough investigation” into the legality of the alleged sales and whether or not they are in contravention of the European sanction against Russia and Sudan.  Whether or not the documents turn out to be genuine many people are asking who’ll be the hacker’s next target. 


In a previous post we discussed the exploitation of zero-day vulnerabilities in Adobe Flash Player, specifically in regards to the flaw, CVE-2015-3113.  The data dump from the Hacking Team hack revealed another zero-day vulnerability in the Flash Player and Windows software: a patch for which is expected to be released today.  Remember to update with this patch as soon as possible to avoid attacks on your system.  

Tuesday, 30 June 2015

Targeted Contact Data: Freshly Made, 100% Pure

Handcrafted data specialise in providing you with 100% accurate and reliable data to your target audience requirements.  We faced the age old marketers’ problem of contact data quality.  Our hungry sales team constantly needed feeding with new, targeted leads and to provide them with these we needed contacts. And lots of them. 

Going out to buy a bunch of contact data struck us as the best option and, after consulting lots of data brokers, we realised that no matter how much, or how little we spent, the data was mostly terrible.  We came across IT Directors who had left years ago or were never IT Directors at all. 

After a while of this we realised that the only way to get the good quality, fresh contacts we needed was to find them ourselves.  Contact-by-contact, we manually entered their details into our CRM and soon we found we were getting really good at this. So good, that we decided to start offering this manual data crafting as a service for you. 

Whatever your unique target audience requirements, we can find and assemble quality contact information quickly.  We can also provide fully-tailored, lead-generating email campaigns to these fresh contacts.  Either feeding these leads directly to your sales team or pre-qualifying them first by our own experienced sales crew.  And, if your target audience should change week-to-week we can shift the focus of our search to accommodate this. 

We can guarantee that your data is up-to-date, of good quality and accurate.  We can guarantee that your data won’t bounce, be stagnant or be just plain crazy as it can be from a typical data broker.  

Why not learn a little more by visiting our micro-site: www.handcrafteddata.com

Cybercriminals exploit Flash zero-day flaw

Last Tuesday Adobe Systems released a patch for the Flash Player vulnerability, CVE-2015-3113.  However just four days later a malware researcher, who goes by Kafeine, spotted the Magnitude exploit kit being used for a drive-by download attack, exploiting the vulnerability. 

The Common Vulnerabilities and Exposures database tracked the flaw known as CVE-2015-3113.  It turns out that CVE-2015-3113 had zero-day status and had been targeted for several weeks by a China-based cyberespionage group prior to the patch being released.  These attacks were targeted against organisations in a broad range of industries from aerospace, defence and technology to construction, transportation, engineering and telecommunications. 

The goal of the exploiters is to compromise sophisticated defence systems and to remain undetected for as long as possible.  For this reason it is not uncommon for Flash Player and other popular applications to be targeted in zero-day exploits. 

Despite this, incidents of non-selective, widespread attacks using zero-day exploits are uncommon; predominantly due to the value of zero-day vulnerabilities to the attackers.  Financially it is not sensible for such brash campaigns to be used as this draws attention to the vulnerability and makes it more likely for it to be discovered and patched quickly. 

Instead the exploiters usually prefer to integrate their exploits into already patched vulnerabilities, working on the principle that many users will not install patches speedily enough.  The creators of these exploit kits, however, are dramatically reducing the time they need to incorporate the attack.  As such, users are being left with a much shorter time frame to deploy the patch in before the exploits are integrated.  In the case of the CVE-2015-3113 vulnerability this was only 4 days.  This causes issues in organisations who typically install updates in schedules often separated by more than a week. 

Another Flash Player exploit occurred earlier this year by the Nuclear EK exploit kit.  This was integrated a mere week after the patch was released.  A decreasing trend in patch window size is emerging. 


Currently the Magnitude attacks on the CVE-2015-3113 vulnerability install the Cryptowall ransomware, if successful.  This could be changed at any time by the attackers.  

Tuesday, 3 March 2015

Hackers can use Blu-Ray discs to breach networks.

An innocent-looking Blu-ray disc can be used by malicious actors to get a foothold in a targeted network, a researcher has warned.

According to Stephen Tomkinson of the NCC Group, both hardware and software Blu-ray players are plagued by vulnerabilities that can be leveraged to execute arbitrary files stored on the disc.

The advanced features provided by Blu-ray discs, such as dynamic menus and Web access, are built using BD-J (Blu-ray Disc Java). The specification is used to create interfaces and embedded applications called Xlets. Xlets are similar to Java applets, but they are specially designed for digital TV environments.

Xlets run in a Java VM and they use the SecurityManager class to implement security policies. Tomkinson noted that, in general, these security policies prevent discs from accessing elements outside of the virtual file system and prevent interaction with the underlying operating system.

In his tests, Tomkinson targeted PowerDVD, a popular Blu-ray player application developed by CyberLink. The researcher has found a way to disable the SecurityManager developed by CyberLink and gain access to methods that can be used to launch arbitrary executable files stored on the disc.

On systems where PowerDVD is installed, Blu-ray discs are automatically played with the application, which enables attackers to bypass autorun attack mitigations in Windows, the expert said.

As for physical Blu-ray players, the researcher used an exploit previously developed by Malcolm Stagg to get a shell on the device. From there, Tomkinson managed to come up with a way to execute arbitrary files located on the disc.

Both software and physical players can be targeted with a single disc, the researcher said. An attacker can create a disc that detects the player type and executes a malicious file specific to that platform. In order to avoid raising suspicion, a legitimate video file can be played right after the malicious files are launched.

“[The malicious] executables could be used by an attacker to provide a tunnel into the target network or to exfiltrate sensitive files, for example,” Tomkinson explained in a blog post.

The researcher has pointed out that in the case of physical Blu-ray players, an attacker needs to ensure that the device doesn’t go to sleep after the victim has stopped viewing the video. This can be achieved by intercepting the power off request and by switching off the power LED in order to avoid raising suspicion.

In an attack targeted at a corporate network, if the player is configured for Wi-Fi access, malicious actors can easily obtain Wi-Fi settings because the information is stored on the device unencrypted.

The NCC Group says it’s working with affected vendors to get the vulnerabilities fixed, but “with varying degrees of success.” Until the vulnerabilities are addressed, Tomkinson advises users not to utilize discs from untrusted sources, and disable the autoplay feature. In the case of hardware players, they should not be connected to the network or the Internet unless necessary.

Using removable media to distribute malware is not unheard of. The Equation Group, an entity that is believed to have ties to the NSA, reportedly replaced CD-ROMs sent out by the organizers of a scientific conference with ones containing malware.

(Article Taken from SC Magazine)