Watch it, Facebook: new EU data rules may have global impact

LONDON (AP) — Facebook CEO Mark Zuckerberg is promising to do a better job protecting user data following reports that a political consultant misused the personal information of millions of the company’s subscribers. The fact is, European regulators are already forcing him to do so.

A similar data breach in the future could make Facebook liable for fines of more than $1.6 billion under the European Union’s new General Data Protection Regulation, which will be enforced from May 25. The rules, approved two years ago, also make it easier for consumers to give and withdraw consent for the use of their data and apply to any company that uses the data of EU residents, no matter where it is based.

The law is the latest attempt by EU regulators to rein in mostly American tech giants who they blame for avoiding tax, stifling competition and encroaching on privacy rights. European analysts say GDPR is the most important change in data privacy regulation in a generation as they try to catch up with all the technological advances since 1995, when the last comprehensive European rules were put in place. The impact is likely to be felt across the Atlantic as well.

“For those of us who hold out no hope that our government will stand up for our rights, we are grateful to Europe,” said Siva Vaidhyanathan, a professor at the University of Virginia who studies technology and intellectual property. “I have great hopes that GDPR will serve as a model for ensuring that citizens have dignity and autonomy in the digital economy. I wish we had the forethought to stand up for the citizen’s rights in 1998 (the start of Google), but I’ll settle for 2018.”

The U.S. has generally taken a light-touch approach to regulating internet companies, with concerns about stifling the technology-fed economic boom derailing President Barack Obama’s 2012 proposal for a privacy bill of rights. But Europe has been more aggressive.

EU authorities have in recent years taken aim at Google’s dominance among internet search engines and demanded back taxes from Apple and Amazon. The European Court of Justice in 2014 recognized “the right to be forgotten,” allowing people to demand search engines remove information about them if they can prove there’s no compelling reason for it to remain.

Now data protection is in the crosshairs of the 28-nation bloc, where history has made the right to privacy a fundamental guarantee. Nazi Germany’s use of personal information to target Jews hasn’t been forgotten, and the new Eastern European members have even fresher memories of spying and eavesdropping by their former communist governments.

In today’s world, digital commerce companies collect information on every website users visit and every video they like. This data is the lifeblood of social media sites that give users free access to their services in exchange for the right to use that intelligence to attract advertisers.

But the Facebook scandal shows it can also be used for other purposes.

A whistleblower this month alleged that Cambridge Analytica improperly harvested information from over 50 million Facebook accounts to help Donald Trump win the 2016 presidential election. News reports have focused on the relationship between Cambridge Analytica CEO Alexander Nix, former Trump strategist Steve Bannon and billionaire computer scientist Robert Mercer, who bankrolled the operation.

Cambridge Analytica says none of the Facebook data was used in the Trump campaign. Facebook is investigating.

“The regulation is trying to balance the power between ourselves as individuals and organizations that use that data for a whole variety of services,” said David Reed, knowledge and strategy director at DataIQ, a London-based firm that provides research on data issues.

The EU’s new rules expand the reach of regulations to cover any company that processes the data of people living in the bloc, regardless of where the company is based. Earlier rules were ambiguous on this point, and international companies took advantage of that to skirt some regulation, the EU says.

The legislation also demands that consent forms are written in plain language anyone can understand. No more legalese across pages and pages of terms and conditions that few people read before clicking “I Agree.” The regulations also require that consent must be as easy to withdraw as it is to give.

To ensure compliance, there’s the potential for big fines. Under GDPR, organizations face fines of up to 20 million euros ($25 million) or 4 percent of annual global turnover – whichever is greater – for the most serious violations.

Facebook reported $40.65 billion in revenue last year. That means a serious violation could cost the company as much as $1.63 billion.

Even though GDPR doesn’t legally protect the data of people outside the EU, analysts expect many companies to apply the rules worldwide. Smaller firms are likely to decide it’s too expensive to run multiple compliance systems, though bigger firms like Facebook and Google may still decide to “bracket off” European operations, Vaidhyanathan said.

Sarah T. Roberts, a professor of information studies at UCLA, says the EU is formulating the rules of engagement, rather than allowing internet companies to dictate. While U.S.-based platforms were created in the image of Silicon Valley, that type of bravado and no-holds-barred capitalism doesn’t go down well in Europe.

“Despite claims that cyberspace is not fettered to planet Earth, that is not true,” she said.

Facebook, for one, has taken notice, setting aside a page of its website to explain what the company is doing to comply with GDPR. “We’ve built tools to help people manage their data and understand their choices with respect to how we use their personal data,” it says.

But GDPR is not a panacea that will ensure everyone’s data is protected. Some analysts suggest the next step should be to ensure that everyone owns their own data and can sell it in exchange for services.

Pressure is building for increased regulation in the U.S., where members of Congress have called on Zuckerberg to testify about the Cambridge Analytica scandal.

The alleged conspiracy has captured the public imagination, focusing worldwide attention on data protection, Vaidhyanathan said.

“Cambridge Analytica’s story sounds like a spy novel,” he said. “It has a Bond villain in Alexander Nix. It has a secretive billionaire genius in Robert Mercer. It has the evil sidekick in Steve Bannon. It is working for right-wing interests and it claims to be able to control our minds,” he said. “We needed a few Bond villains to make the story lively.”

EPL Predictions: Picks, Top Players for Week 32 Premier League Fixtures

Chris Brunskill Ltd/Getty Images

Manchester City can take a step closer to winning the Premier League title on Saturday, provided they win at Everton. Meanwhile, Chelsea host Tottenham Hotspur at Stamford Bridge on Sunday in a match set to have huge implications for the race to finish fourth and qualify for next season’s UEFA Champions League.

Windows IRC Bot in the Wild, (Mon, Mar 26th)

Last weekend, I caught a Windows IRC bot trojan on VirusTotal. It was detected thanks to my ‘psexec’ hunting rule, which looks for a keyword that is definitely interesting (see my previous diary[1]). I detected the first occurrence on 2018-03-24 15:48:00 UTC; the file was first submitted from the US. The strange thing is that this initial file already has a good detection score on VT (55/67) and is flagged by most of the classic antivirus tools.

I had a quick look at the sample. First interesting point: the DOS stub in the PE header has been modified. The standard ‘This program cannot be run in DOS mode’ message has been replaced by a string that mimics a GIF file: ‘GIF89a Adobe Photoshop Elements®’. This is probably meant to defeat simple regular expressions or keyword matches used to decide which files get analyzed. Note that it does not fool a proper magic check: the ‘MZ’ signature is still at offset 0 and the ‘PE’ signature still sits at the offset stored in e_lfanew (0xe8 here), so the file is still identified as a Windows executable:

00000000: 4d5a 9000 0300 0000 0400 0000 ffff 0000  MZ..............
00000010: b800 0000 0000 0000 4000 0000 0000 0000  ........@.......
00000020: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000030: 0000 0000 0000 0000 0000 0000 e800 0000  ................
00000040: 0e1f ba0e 00b4 09cd 21b8 014c cd21 4749  ........!..L.!GI
00000050: 4638 3961 2041 646f 6265 2050 686f 746f  F89a Adobe Photo
00000060: 7368 6f70 2045 6c65 6d65 6e74 73ae 2031  shop Elements. 1
00000070: 313a 3532 2e0d 0d0a 2400 0000 0000 0000  1:52....$.......
00000080: 667f 0021 221e 6e72 221e 6e72 221e 6e72  f..!".nr".nr".nr
00000090: 5902 6272 211e 6e72 4d01 6572 231e 6e72  Y.br!.nrM.er#.nr
000000a0: 4d01 6472 7d1e 6e72 a102 6072 361e 6e72  M.dr}.nr..`r6.nr
000000b0: a116 3372 2f1e 6e72 221e 6f72 be1e 6e72  ..3r/.nr".or..nr
000000c0: 763d 5f72 231e 6e72 5269 6368 221e 6e72  v=_r#.nrRich".nr
000000d0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000000e0: 0000 0000 0000 0000 5045 0000 4c01 0400  ........PE..L...

I grabbed 3 samples, and they look quite similar according to their ssdeep fuzzy hashes (viper’s fuzzy command):

default viper 59dcab059d5935f3fd21c4c976e89e7c470b1e565191590792baad33393de5fd.exe > fuzzy
[*] 2 relevant matches found
+-------+----------------------------------------------------------------------+------------------------------------------------------------------+
| Score | Name                                                                 | SHA256                                                           |
+-------+----------------------------------------------------------------------+------------------------------------------------------------------+
| 88%   | 84636926f88d11ae4ba43be7052a7def4bf1f6005f92315171fde31e54ff7378.exe | 84636926f88d11ae4ba43be7052a7def4bf1f6005f92315171fde31e54ff7378 |
| 93%   | 62881d728709d31d628d165d993adc605e4b84d0d9a795f2748939f406185eaa.exe | 62881d728709d31d628d165d993adc605e4b84d0d9a795f2748939f406185eaa |
+-------+----------------------------------------------------------------------+------------------------------------------------------------------+

The Facebook Privacy Breach: What It Can Teach Us About Privacy Threats Before GDPR

The Facebook/Cambridge Analytica situation has almost everyone re-evaluating several important cybersecurity issues. What constitutes a data breach? How do we exert more control over third parties and their access to data? How do we approach privacy concerns that deal with weaponizing data versus financial gain? What does this mean for those of us who regularly use social media? And what are the GDPR implications?

Hacked.

I’m a really secure person but today I was compromised. The full story starting from the beginning is that I used to play Roblox, but I gave it up to my little brother. He now plays on the account and I supervise his sessions because my account had a hefty item in it. Now on the 25th of March I come and log in and it’s gone, and I now have Builders Club, which you need to buy to trade items. How the fuck did this happen? The hacker bought Builders Club on my account to trade my item; they also added someone to my account which I believe is just a proxy account. The money they used to buy the membership was probably from a stolen credit card on the deep web. I already messaged support. Do you guys know anything that I should be doing? My end goal is getting my item back, securing my account, and if I can, fuck over the hacker.

Uber CEO says there will be no more global exit deals

Uber has exited three global markets by selling to rivals, but enough is enough after its deal with Grab, so says CEO Dara Khosrowshahi.

IETF Approves TLS 1.3

The Internet Engineering Task Force (IETF) last week announced the approval of version 1.3 of the Transport Layer Security (TLS) traffic encryption protocol. The Internet standards organization has been analyzing proposals for TLS 1.3 since April 2014 and it took 28 drafts to get it to its current form.

Bill Belichick Explains How He Talked Josh McDaniels into Staying with Patriots

Elsa/Getty Images

Josh McDaniels appeared set to become head coach of the Indianapolis Colts before instead deciding to remain offensive coordinator with the New England Patriots. Apparently, it was the extended talks with Bill Belichick after Super Bowl LII that caused him to stay.

‘T&T Facebook users beware’

Stephen King, CEO, Ixanos, is advising T&T nationals to be cautious while they use Facebook and other forms of social media.

Facebook denies it collects call and SMS data from phones without permission

After an Ars Technica report that Facebook surreptitiously scrapes call and text message data from Android phones and has done so for years, the scandal-burdened company has responded that it only collects that information from users who have given permission.

How to make sure Facebook isn’t scraping your call data – CNET

An Ars Technica investigation discovered Sunday that Facebook has been gathering phone and message metadata from Android phones. Facebook claims it does not sell this data and that it was always an “opt-in” feature. Regardless, if you want to make sure Facebook isn’t collecting this data, it’s a fairly easy process, and there’s no really good reason to leave those permissions on.

Facebook was tracking your text message and phone call data. Now what? (ZDNet)

More security news

While Facebook boss Mark Zuckerberg was stumblingly apologizing for giving Russian-linked Cambridge Analytica access to over 50 million US Facebook users’ personal data, news broke that Facebook had been scraping call and text message data from Android phones for years.

3 Emerging Innovations in Technology that Will Impact Cyber Security

The war between security experts charged with protecting information and cyber-criminals who threaten the integrity of data has become a cat-and-mouse game. For instance, as soon as white hats counter one form of malicious behavior, say with encryption tools, another form of threat to information systems appears almost immediately.

Increasing digital connectivity and the automation of virtually every business process along the whole value chain have created agility. They have also produced extremely high levels of threat and significantly raised cybersecurity risk. Building security into applications, and into every interconnected device, from the very beginning is critical to addressing those risks. In this article, we highlight the emerging technologies that will make information systems harder for attackers to compromise.

Hardware authentication

It is well known that the usernames and passwords most users rely on are weak. This makes it easy for attackers to get into information systems and compromise sensitive data belonging to a business or government agency. That, in turn, has put pressure on security engineers to come up with more secure authentication methods. One answer is hardware-based user authentication.

Intel has built this into its sixth-generation Core vPro processors: a dedicated part of the processor validates a user’s identity by combining several hardware-backed factors at the same time, so that the device itself becomes part of the authentication process. The design builds on Intel’s earlier experience and mistakes in this area.

Hardware authentication can be especially important for the Internet of Things (IoT), where the network has to confirm that any device seeking to connect actually has the right to join that particular network.

Cloud technology

The cloud is set to have a significant impact on the transformation of security technology. More businesses and government agencies have embraced the cloud to store the vast amounts of information they generate every day, and more security approaches will be built for use there. Techniques from on-premise data centers will migrate to the cloud: components such as virtualized intrusion detection and prevention systems, virtualized firewalls and other virtualized security functions will be consumed from the cloud rather than in their traditional form.

For instance, both private and public organizations have strengthened their data center security with IaaS providers such as Firehost and Amazon. Another example is the GSA’s FedRAMP program, which authorizes cloud services that meet US federal security requirements and so gives small- and medium-sized businesses a route to above-average data center security by choosing an authorized provider.

Deep learning

Deep learning is a branch of machine learning, which is itself part of artificial intelligence, and all three are attracting significant interest for systems security. Like behavior analytics, deep learning focuses on anomalous behavior. When AI and machine learning systems are fed the right data about potential threats, they can flag or block suspicious activity in their immediate environment with little human input.

Such a system scrutinizes entities rather than only the users who have access to the information system. Recent developments in machine learning and precise analytics mean the different entities in an enterprise can now be analyzed at both the macro and the micro level, giving businesses and government agencies a better chance of detecting advanced and persistent threats.

As you can see, attacks can come from any loose end. It is important to keep up with the latest technologies, not only to stay current but to stay safe. This isn’t to say that our current security procedures are for naught, however. We should be leveraging these new technologies alongside the fundamentals already in place. A commonly cited estimate is that securing the first 6 critical security controls would prevent around 85 percent of breaches. By combining new technologies with fundamental security controls, you can be far more confident that your information is safe and out of reach.
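The deep learning section above describes behavior analytics that baselines entities rather than users and flags deviations at both the macro and the micro level, but gives no concrete mechanism. The following Python is an added illustration of that idea, written for this page and not taken from the article; it deliberately uses a plain robust statistical baseline (median and MAD) rather than a neural network, because that is the minimum a practitioner needs to see the two signals in action. All host names, connection counts and peer sets are constructed, and 203.0.113.9 is a documentation address standing in for an unknown external host.

```python
from statistics import median

# Constructed 14-day baselines of daily outbound connection counts per host
# (the entities). Not real telemetry.
BASELINE_COUNTS = {
    "db-01":       [12, 11, 13, 12, 10, 12, 11, 13, 12, 12, 11, 12, 13, 11],
    "web-02":      [400, 380, 420, 410, 395, 405, 390, 415, 400, 398, 402, 410, 388, 405],
    "hr-laptop-7": [5, 6, 4, 5, 7, 5, 6, 5, 4, 6, 5, 5, 6, 5],
}
# Constructed set of peers each host talked to during the baseline window.
BASELINE_PEERS = {
    "db-01":       {"app-01", "app-02", "backup-01"},
    "web-02":      {"db-01", "cache-01", "cdn-edge"},
    "hr-laptop-7": {"mail-01", "fileshare-01", "hr-app"},
}
# Constructed observations for the day under review. 203.0.113.9 is a
# documentation (TEST-NET-3) address used as a stand-in external host.
TODAY_COUNTS = {"db-01": 12, "web-02": 760, "hr-laptop-7": 6}
TODAY_PEERS = {
    "db-01":       {"app-01", "app-02", "203.0.113.9"},
    "web-02":      {"db-01", "cache-01", "cdn-edge"},
    "hr-laptop-7": {"mail-01", "hr-app"},
}

def robust_z(value, history):
    """Median/MAD z-score. Unlike mean/std, one outlier in the baseline cannot
    inflate the scale and hide later anomalies. 1.4826 maps MAD to sigma for
    normal data; a zero MAD (perfectly flat history) falls back to unit scale
    so that any change at all is reported."""
    med = median(history)
    mad = median(abs(h - med) for h in history)
    scale = 1.4826 * mad if mad > 0 else 1.0
    return (value - med) / scale

def score_entities(base_counts, base_peers, today_counts, today_peers, z_threshold=3.5):
    """Return {entity: [finding, ...]} combining a macro signal (volume vs. its
    own baseline) and a micro signal (peers never seen in the baseline).
    Entities without findings map to an empty list."""
    findings = {}
    for entity, history in base_counts.items():
        notes = []
        count = today_counts.get(entity, 0)
        z = robust_z(count, history)
        if abs(z) > z_threshold:
            notes.append(f"volume anomaly: {count} connections, robust z={z:.1f}")
        novel = today_peers.get(entity, set()) - base_peers.get(entity, set())
        if novel:
            notes.append("novel peer(s): " + ", ".join(sorted(novel)))
        findings[entity] = notes
    return findings

if __name__ == "__main__":
    for host, notes in score_entities(BASELINE_COUNTS, BASELINE_PEERS,
                                      TODAY_COUNTS, TODAY_PEERS).items():
        print(host, "->", notes or "no findings")
```

Run as-is, web-02 is flagged for volume only (760 connections against a baseline around 400 gives a robust z above 30), db-01 is flagged for a single never-seen peer even though its volume is perfectly normal, and hr-laptop-7 produces nothing because a count of 6 sits inside its usual spread. The per-entity baseline is what lets the same threshold work for a database server doing a dozen connections a day and a web tier doing hundreds.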