This week marks the second anniversary of the worldwide launch of Microsoft Teams, and the second year in a row winning the Enterprise Connect Best in Show award. Today, we are celebrating how our customers are using Teams as well as announcing eight new capabilities that make collaboration more inclusive, effective, and secure.
In late February, the notorious cryptojacking script engine called Coinhive abruptly announced the impending end to its service. The stated reason: it was no longer economically viable to run.
I honestly did not see this happening, but I do understand. It is reasonable to think that Coinhive didn’t intend for their creation to be abused by criminals. However, they have still kept 30 percent of ALL the earnings generated by their script, one that was often found running illegally on hijacked sites. Most of that profit came from illicit mining, which has earned Coinhive a lot of negative press.
Additionally, 2018 was a terrible year in terms of the US-dollar value of Monero (XMR), which means their service is significantly less profitable now, relative to what it once was. Combined with the fact that the XMR development team hard-forked the coin and changed the hashing difficulty, this means Coinhive is making very little money from legitimate miners.
Coinhive created this service so legitimate domain owners could host their script and generate enough revenue to replace ads. Ads are annoying and I believe this innovation was aimed at attempting to fix that problem. But the ultimate result was a bunch of criminals breaking into other people’s domains and injecting them with Coinhive scripts that essentially stole from visitors to that domain. Without consent, millions of victims’ computers were subject to maximum hardware stress for extended periods of time, all so some criminals could make a few pennies worth of cryptocurrency per computer.
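The abuse described above, an injected script that mines in visitors' browsers, leaves a visible trace in the page's HTML. The scanner below is an added example and not code from the Webroot post or from Coinhive; it parses a page's `<script>` tags and flags external scripts loaded from known miner hosts and inline loaders that call Coinhive's public `CoinHive.Anonymous(...)` / `CoinHive.User(...)` API. The host watchlist is an assumption for this example (only coinhive.com is taken from the post itself) and the sample pages are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Script hosts associated with browser-mining services named in the post.
# coinhive.com was Coinhive's own script host; the other two entries are
# assumptions for this example and should be replaced with a maintained list.
MINER_HOSTS = {"coinhive.com", "crypto-loot.com", "jsecoin.com"}

# Coinhive's public loader API: `new CoinHive.Anonymous(siteKey)` or `CoinHive.User(...)`.
INLINE_PATTERNS = [
    re.compile(r"CoinHive\.Anonymous\s*\(", re.IGNORECASE),
    re.compile(r"CoinHive\.User\s*\(", re.IGNORECASE),
]


class ScriptCollector(HTMLParser):
    """Collects external script URLs and inline script bodies from an HTML document."""

    def __init__(self):
        super().__init__()
        self.external = []   # values of <script src="...">
        self.inline = []     # bodies of <script>...</script> without src
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        # HTMLParser delivers <script> content as raw data, so we can buffer it.
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_inline:
            self.inline.append("".join(self._buf))
            self._in_inline = False


def _host_of(src):
    # Protocol-relative URLs ("//coinhive.com/...") need a scheme-less "//" prefix to parse.
    if "//" not in src:
        src = "//" + src
    return (urlparse(src).hostname or "").lower()


def _is_miner_host(host):
    return any(host == h or host.endswith("." + h) for h in MINER_HOSTS)


def find_miner_scripts(html):
    """Return a list of (kind, detail) findings; an empty list means nothing was flagged."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.external:
        host = _host_of(src)
        if _is_miner_host(host):
            findings.append(("external", src))
    for body in collector.inline:
        for pattern in INLINE_PATTERNS:
            if pattern.search(body):
                findings.append(("inline", pattern.pattern))
                break
    return findings


# Constructed sample pages: one with an injected miner, one clean.
INJECTED_PAGE = """<html><head>
<script src="https://cdn.example.com/app.js"></script>
<script src="//coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('EXAMPLE-SITE-KEY-PLACEHOLDER');
  miner.start();
</script>
</head><body>Hello</body></html>"""

CLEAN_PAGE = """<html><head>
<script src="https://cdn.example.com/app.js"></script>
<script>console.log('no mining here');</script>
</head><body>Hello</body></html>"""

if __name__ == "__main__":
    for name, page in (("injected", INJECTED_PAGE), ("clean", CLEAN_PAGE)):
        print(name, find_miner_scripts(page))
```

Run against saved copies of your own pages (or a crawl of your domains) and alert on any non-empty result; because the watchlist is static, treat it as a starting point and pair it with a check for unexpected new `<script src>` hosts relative to a known-good baseline.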
Would you continue to operate a startup business in which most of the money you earned was a cut of criminal activity—stealing from victims in the form of an increased power bill? Maybe a year ago, when the hashing difficulty was easier (you earned more XMR) and XMR was worth 10 times what it’s worth now, it might have been easier to “sleep at night” but now it probably just isn’t worth it.
Even before this news, there were plenty of other copycats—Cryptoloot, JSEcoin, Deepminer, and others—so criminals have plenty of similar services to choose from. At the time of its shutdown, Coinhive had around 60% share of all cryptojacking campaigns, though we saw this market dominance reach as high as 80% last year. I anticipate these other services stand to take larger shares of cryptojacking revenue now that the largest player has left. We might even see a new competitor service emerge to challenge for cryptojacking dominance.
Stay tuned to the Webroot blog for future developments in cryptojacking.
Georgia County Pays Six Figure Ransom to Restore IT Systems
Following a ransomware attack earlier this month, officials in Jackson County, Georgia decided to pay a $400,000 ransom in order to obtain a decryption key and return their systems to normal operations. While the usual recommendation is not to pay ransoms but instead to restore from proper backups of critical files, the county decided that it would cost significantly more to restore the systems on their own. It is still unclear how the breach unfolded or how long the hackers had access to the network.
Michigan Healthcare Group Compromised
Sensitive information on over 600,000 patients was recently exposed after the Wolverine Solutions Group (WSG) suffered a data breach. The WSG initially suffered a ransomware attack in September of last year, and has been working to decrypt many of their systems since then. Due to Michigan’s lax laws regarding the announcement of a data breach, customers who may have been affected were contacted only within the last month.
Redirect Tags Found on Fortune 100 Sites
Hundreds of third-party redirect tags have been found hidden on the websites of Fortune 100 companies. These tags could allow attackers to access user data from any of the compromised sites and also degrade the performance of sites with multiple hidden tags. Many site owners even expressed concern over possible customer data loss, but did little to clear the tags from their sites.
Asian Gaming Companies Infiltrated by Backdoors
Several Asia-based gaming companies have discovered hidden backdoors within the main executables of some games attracting tens of thousands of players. Fortunately, after identifying the malicious code, two of the three companies immediately pushed updates to their software, and the command-and-control servers for the backdoors were taken offline soon after. The backdoors appear to have originated from a malicious Chinese hacker group that has committed these types of attacks multiple times in recent years.
Info on 1.8 Million Women Found on Unprotected Chinese Database
An unprotected database was recently found which contains extremely sensitive data on nearly 1.8 million women in China. Amongst the personally identifying information were GPS coordinates, political affiliations, and even video of specific individuals. Unfortunately, while the owners of this one database were successfully contacted, there are still thousands of similarly unprotected databases on Chinese networks.
The post Cyber News Rundown: Georgia County Pays for Ransomware Threat appeared first on Webroot Blog.
The first post-GDPR report from the Data Protection Commission makes for interesting reading. The data breach statistics understandably got plenty of coverage, but there were also many pointers for good data protection practice. I’ve identified five of them which I’ll outline in this blog.
Between 25 May and 31 December 2018, the DPC recorded 3,542 valid data security breaches. (For the record, the total number of breaches for the calendar year was 4,740.) This was a 70 per cent increase in reported valid data security breaches compared to 2017 (2,795), and a 56 per cent increase in public complaints compared to 2017.
1. Watch that auto-fill!
By far the largest single category was “unauthorised disclosures”, which was 3,134 out of the total. Delving further, we find that many of the complaints to the DPC relate to unauthorised disclosure of personal data in an electronic context. In other words, an employee at a company or public sector agency sent email containing personal data to the wrong recipient.
A case study on page 21 of the report illustrates this point: a data subject complained to the DPC after their web-chat with a Ryanair employee “was accidentally disclosed by Ryanair in an email to another individual who had also used the Ryanair web-chat service. The transcript of the webchat contained details of the complainant’s name and that of his partner, his email address, phone number and flight plans”.
It’s a common misconception that human error doesn’t count as a data breach, but in the eyes of GDPR, this isn’t the case. The most common reason for breaches like this comes from the auto-fill function in some software applications like email clients.
Where an organisation deals with high-risk data like healthcare information (because of the sensitivity involved), best practice is to disable auto-fill. I recommend this step to many of my clients. Many organisations don’t like doing this because it disrupts staff and makes their jobs a little bit harder. In my experience, employees soon get used to the inconvenience, while organisations greatly reduce their chances of a breach.
2. Encrypted messaging may not be OK
Another misconception I hear a lot is that it’s OK to use WhatsApp as a messaging tool because it’s encrypted. The case study on page 19 of the DPC report clarifies this position. A complainant claimed the Department of Foreign Affairs and Trade’s Egypt mission had shared his personal data with a third party (his employer) without his knowledge. A staff member at the mission was checking the validity of a document and the employer had no email address, so they sent a supporting document via WhatsApp.
In this case, the DPC “was satisfied that given the lack of any other secure means to contact the official in question, the transmission via WhatsApp was necessary to process the personal data for the purpose provided (visa eligibility)”.
My reading of this is that although the DPC ruled that WhatsApp was sufficient in this case, this was only because no other secure means of communication was available.
3. Do you need a DPO?
The report tells us that there were 900 Data Protection Officers appointed between 25 May and 31 December 2018. My eyes were immediately drawn to some text accompanying that graph (below). “During 2019, the DPC plans to undertake a programme of work communicating with relevant organisations regarding their obligations under the GDPR to designate a DPO.” This suggests to me that the DPC doesn’t believe there are enough DPOs, hence the outreach and awareness-raising efforts.
Private and public organisations will need to decide whether they should appoint a full-time DPO or avail of a service-model from a third-party data protection specialist.
4. A data protection policy is not a ‘get out of jail free’ card
Case study 9 from the report concerns an employee of a public-sector body who lost an unencrypted USB device. The device contained personal information belonging to a number of colleagues and service users. The data controller had policies and procedures in place that prohibited the removal and storage of personal data on unencrypted devices. But the DPC found that it “lacked the appropriate oversight and supervision necessary to ensure that its rules were complied with”.
The lesson I take from this is that “user error” is not a convenient shield for all data protection shortcomings. Many organisations expended effort last year in writing policies, and some think they’re covered from sanction because they did so. But unless they implement and enforce the policy – and provide training to staff about it – then it’s not enough.
5. Email marketing penalties may change
My final point is more of an observation than advice. Between 25 May and 31 December, the DPC prosecuted five entities for 30 offences involving email marketing. The reports detail those cases. A recurring theme is that the fines were mostly in the region of a couple of thousand euro. However, all of these cases began before GDPR was in force; since then, the DPC has the power to levy fines directly rather than going through the courts. This is an area I expect the DPC to address. Any organisation that took a calculated risk in the past because the fines were low should not expect this situation will continue.
There are plenty of other interesting points in the 104-page report, which is free to download here.
The post Five data protection tips from the DPC’s annual report appeared first on BH Consulting.
New Microsoft 365 Government capabilities help agencies deliver on collaboration, security, and compliance commitments.
The post New teamwork and security capabilities for Microsoft 365 Government appeared first on Microsoft 365 Blog.