GDPR: Don’t Get Caught Out By Your Logfiles
With all the focus on the more visible elements of GDPR compliance ahead of the Regulation’s introduction on May 25th, one working group is warning businesses not to forget what’s stored in the logfiles of their Internet-facing servers.
What Are Logfiles and Why Should We Care?
Logfiles record either events that occur in an operating system or other software, or messages between different users of communication software.
Logfiles are useful to an organisation: they provide clues about hostile activity affecting the network from within and without, and they supply the information needed to identify and troubleshoot equipment problems. However, logfiles on Internet-facing computers can also provide information to hackers and cyber-criminals that could compromise your system and data security.
Report Suggestions
A draft report by the Internet Engineering Task Force’s Internet Area Working Group (IETF’s INTAREA) says that changing data regulations have meant that what were established best practices have now become poor practices. The draft, therefore, offers a checklist as a set of updates to RFC6302 designed to help plug this potential GDPR compliance black spot. The “Recommendations for Internet-Facing Servers” draft suggests that sysadmins adopt a data minimisation approach to configuring their server logs, and suggestions include:
- Full IP addresses should only be stored for as long as they are needed to provide a service.
- Logs should only include the first two octets of IPv4 addresses, or the first three octets of IPv6 addresses.
- Inbound IP address logs shouldn’t be kept longer than three days, which is long enough for logging to cover a weekend before it’s flushed.
- Unnecessary identifiers should not be logged, e.g. source port numbers, timestamps, transport protocol numbers, and destination port numbers.
- The logs should be protected against unauthorised access.
It should be said that any legally-mandated logging, e.g. to comply with local telecommunications data retention laws, isn’t covered by the draft.
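The following script is an added example, not code from the draft or from this newsletter, showing how the checklist above could be applied to Common Log Format entries: source ports are dropped, addresses are truncated to the first two IPv4 octets or first three IPv6 octets (both widths are parameters, so a different local policy is a one-line change), and entries older than three days are flushed. The log lines and the clock value are constructed for the demonstration.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Common Log Format: "remotehost rfc931 authuser [date] \"request\" status bytes"
LOG_RE = re.compile(r'^(?P<src>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] (?P<rest>.*)$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def strip_port(src):
    """Drop the source port, an unnecessary identifier per the checklist,
    from 'a.b.c.d:port' or '[v6addr]:port'; bare addresses pass through."""
    if src.startswith("[") and "]" in src:
        return src[1:src.index("]")]
    host, sep, port = src.rpartition(":")
    if sep and "." in host and port.isdigit():
        return host
    return src


def truncate_ip(addr, v4_bits=16, v6_bits=24):
    """Keep only the leading bits of an address: the first two IPv4 octets or
    first three IPv6 octets by default, as the checklist reads. Rendering the
    result as a network makes the truncation visible to whoever reads the log."""
    ip = ipaddress.ip_address(addr)
    bits = v4_bits if ip.version == 4 else v6_bits
    return str(ipaddress.ip_network(f"{ip}/{bits}", strict=False))


def minimise_line(line, now, retention=timedelta(days=3)):
    """Return the minimised line, or None if the entry is older than the
    retention window (three days, enough to cover a weekend) or unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    if now - datetime.strptime(m["ts"], TS_FMT) > retention:
        return None  # flushed: the full address is no longer needed
    src = truncate_ip(strip_port(m["src"]))
    return f'{src} {m["ident"]} {m["user"]} [{m["ts"]}] {m["rest"]}'


def minimise_log(lines, now):
    return [out for out in (minimise_line(l, now) for l in lines) if out]


# Constructed sample entries (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.45:51234 - - [19/Apr/2018:10:02:17 +0000] "GET /index.html HTTP/1.1" 200 512',
    '[2001:db8:85a3::8a2e:370:7334]:40001 - - [19/Apr/2018:10:05:44 +0000] "POST /login HTTP/1.1" 302 0',
    '198.51.100.7 - - [14/Apr/2018:23:59:01 +0000] "GET /old HTTP/1.1" 404 0',
]
NOW = datetime(2018, 4, 20, 9, 0, tzinfo=timezone.utc)  # constructed "current time"

if __name__ == "__main__":
    for entry in minimise_log(SAMPLE_LOG, NOW):
        print(entry)
```

Run as a filter over rotated logs, the third sample entry is discarded for age and the other two come out with truncated addresses and no ports.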
Cookie Consent Pop-Ups
We are all used to seeing cookie consent pop-ups when we arrive at websites, but the “implied consent” website owners have assumed existed once people clicked “I Agree” to cookies may no longer apply under GDPR. This is because GDPR is consent specific, and there is no way “implied consent” can get you water-tight compliance. What this means is that cookie consent pop-ups may soon be on legally shaky ground when it comes to GDPR compliance.
What makes this issue more complicated is the fact that the EU had intended to publish an updated ePrivacy Regulation, with the commencement of GDPR, to relax the cookie popup requirements, but didn’t do so. This means that data privacy rules on this matter will be governed by the old ePrivacy Directive and GDPR at the same time, with GDPR having the precedence.
What Does This Mean For Your Business?
This story shows that with GDPR just around the corner, some of the finer areas of compliance are starting to come under the spotlight. Yes, data protection, data security and privacy are the responsibility of all of us, not just the ‘technical people’, but when it comes to having to deal with server-logs, there clearly is a need for a technical focus to ensure all-round general compliance. Hackers, by nature, are generally technically proficient, and can employ multi-level and sophisticated attack techniques. It makes sense, therefore, that companies make attempts to plug known technical weak-spots such as those highlighted in this draft.
The cookie consent pop-up issue highlights the complicated area of consent that many companies have anticipated with the introduction of GDPR. The important point to remember is that GDPR is consent specific. Consent can’t simply be implied, and consent must also be unambiguous, informed, a statement or clear affirmative action, and freely given. Also, under GDPR, a data subject has the right to withdraw their consent at any time.
Tech Tip – Send Different File Types With WhatsApp
These days, many of us use the WhatsApp messaging service as part of our business communications. Thanks to functionality introduced last year, you can now send multiple file types, e.g. APKs, Zip and RAR files, using WhatsApp. Here’s how:
- Open your WhatsApp chat thread and tap the Attachment icon.
- Tap on Document from the list of the options.
- Select your file and send it.
- This sends the file in its original size, thereby keeping the quality. If you select Gallery in the WhatsApp attachment option, it compresses the size of media (but this can adversely affect its quality).
Russia Suspected of Hacking Campaign
The UK’s National Cyber Security Centre (NCSC), the FBI and the US Department of Homeland Security have warned that Russia may be behind a broad hacking offensive targeting millions of machines that direct data around the net.
Networking Equipment Targeted
US and UK security agencies have issued a joint internet security alert warning and have been reported as suggesting that a surge in global hacks targeting the networking equipment used to move traffic across the net is the result of a Russian state-sponsored campaign.
Why?
Some commentators have suggested that the deterioration in the relationship between Russia and the West, resulting from issues like accusations of election meddling, the poisonings in Salisbury, and arguments over the Syrian conflict, may have contributed to an online revenge offensive.
As well as the disruption caused, the aim appears to be espionage / the theft of information (which actually dates back at least to the late 1990s), and the threat (so far) of destructive acts of sabotage e.g. disabling parts of the electricity grid. These kinds of suspicions have arisen because many recent hacks appear to be pre-positioning in networks that are part of the critical national infrastructure.
Cyber War Ahead?
While we are being told that we have returned to another ‘Cold War’ situation, some commentators have suggested that we may be on the brink of a cyber-war with Russia, even though there has not been any real significant cyber-attack or change of behaviour from Russia.
Although Russia has been accused of launching destructive attacks against Ukraine, which had a negative effect on businesses there, and despite the apparent reported increase in cyber-attacks from Russia, it is still difficult for many to say whether Russia has the capability to carry out very destructive cyber attacks. Cyber attacks are often harder to trace and easier to deny than military attacks.
UK’s Own Offensive
It is worth remembering too, that as well as having defences in place, the UK has its own offensive cyber-capability, honed for over a decade, starting in the conflict in Afghanistan. Recently, for example, the UK and the US are reported to have targeted the Islamic State group with cyber attacks, with some degree of success. It would be naive to assume, therefore, that the UK is not planning / undertaking its own activities in Russia e.g. pre-positioning in Russian networks to be able to respond to any Russian cyber aggression.
What Does This Mean For Your Business?
At the moment, it is simply a case that a warning has been issued. If a cyber-conflict does start in a noticeable way, then, as in a real war, it is likely to be individuals, businesses, other organisations and other services that suffer: service providers, firms running critical infrastructure, government departments and large companies first, followed by other UK businesses. The Internet plays an essential role in modern business, and disruption of vital network infrastructure could damage UK businesses and their competitiveness in the home and global market.
UK businesses also face the threat of foreign state-sponsored attacks designed to spy on / steal data, and undermine firewalls and intrusion detection systems used to spot malicious traffic before it reaches users. It has never been more important, therefore, for businesses to configure security systems correctly, apply patches and address any hardware vulnerabilities, and to make sure that their cyber resilience is at its best across all possible channels.
UK Launched Major Cyber Attack Against ISIS
GCHQ’s new director has revealed that last year the UK conducted a large-scale cyber-attack against ISIS that was designed to suppress online terrorist propaganda and hinder ISIS’s ability to coordinate attacks.
Growing For A Decade
Confirmation that the attack took place came as part of the first public speech by GCHQ’s new director and former MI5 agent, Jeremy Fleming. During his speech at the National Cyber Security Centre’s (NCSC) flagship event in Manchester, Mr Fleming said that the cyber attack is just the latest part of GCHQ’s efforts to grow its online counterterrorism capabilities over more than a decade.
The outcomes of cyber attacks as weapons against any enemy can range from denying online services, disrupting a specific online activity, and deterring individuals or groups, to effectively destroying equipment and networks.
Degraded Infrastructure
The UK’s cyber-attack against ISIS is reported to have degraded the terror group’s online infrastructure, made a significant contribution to coalition efforts to suppress any Daesh propaganda, hindered the terror group’s ability to coordinate attacks, and provided more protection for coalition forces on the battlefield.
Over-Achievers
It seems that this latest big cyber-attack success is only the tip of the iceberg, as a report by Parliament’s Intelligence and Security Committee (ISC) has said that GCHQ spies had “over-achieved” in 2017, and that GCHQ had delivered on the first of three stages in its mission to bolster its cyber capabilities thanks to staging almost twice as many potential hacks as its targets.
Russia In The Spotlight
The recent deterioration of the relationship between the West and Russia means that its cyber-behaviour, as well as that of ISIS, is now reported to be more of a focus for GCHQ. In the director’s speech in Manchester, Mr Fleming said that the Russian state should be held accountable for what it does, and that the UK will continue to respond to malicious cyber-activity in conjunction with international partners such as the United States.
Helpful Tool
Another tool that could be used to combat terrorist propaganda online is the auto-blocker for extremist content mentioned by Home Secretary Amber Rudd. The tool, which Home Secretary Rudd would like to see adopted by ISPs, can be configured to detect 94% of extremist video uploads.
What Does This Mean For Your Business?
It stands to reason that the UK is launching its own cyber-attacks against what it sees as legitimate targets elsewhere in the world. Cyber-attack and security capabilities are now being used worldwide to support military operations, damage enemy communications and infrastructure and thereby degrade the threat they pose, as well as protecting home infrastructure and vital networks.
Attacks by other states, criminal and terror groups, e.g. hacks, DDoS attacks and viruses, can end up impacting many UK businesses, so it’s good to hear that GCHQ, MI5 and other actors are ‘over-achieving’ in their efforts to protect the UK and reduce the threats that we face in a time of shifting geopolitical and technological landscapes. We can assume, therefore, that the successful actions of our security agencies must be indirectly protecting many of the interests of UK businesses.
Phishing Attack Simulator: Microsoft Goodies
Microsoft has announced a set of business security tools, including a phishing attack simulator, that make it easier and more affordable for businesses to identify and fix vulnerabilities before they become an issue.
Attack Simulator
One of the key tools announced to coincide with the annual RSA conference in San Francisco, is the Attack Simulator. This tool is included in Office 365 Threat Intelligence, and is currently still in preview.
Spear Phishing Simulator
The tool, which simulates display name spear-phishing attacks, password-spray attacks, and brute-force password attacks, enables businesses to determine how end users behave in the event of an attack, and update policies to ensure that appropriate security tools are in place to protect the organization from threats.
A spear-phishing attack, for example, is used to gain access to users’ credentials or financial information, and often involves sending emails, purporting to be from a person of influence in an organisation to other users. The Microsoft attack simulator tool applies machine learning models and impersonation detection algorithms to incoming email messages. The AI system is trained to detect phishing messages. It also uses algorithms to protect against various user and domain impersonation attacks.
Intelligent Security Graph
Microsoft credits its ‘Intelligent Security Graph’ as being the ‘central nervous system’ that is at the heart of its tools for tracking and mitigation of attacks across platforms and services. This combines AI with data gained from analyzing web pages, emails and malware threats on Windows 10 and the cloud. This enables Microsoft to warn users of existing and new threats.
Only Access SaaS Service If Your Device Is Healthy
Another important development of Office 365’s Conditional Access service is an update (currently in preview) which combines Conditional Access Information with data from the Windows Defender Advanced Threat Protection (ATP) security scanner to ensure that a user can only access a given SaaS service if their device is healthy.
Security Score
A potentially important new tool that Microsoft has developed for IT admins is an expanded version of the Office 365 Secure Score tool, which gives a single measure for evaluating the risk profile across Office 365 services and their users’ devices.
What Does This Mean For Your Business?
For many businesses e.g. SMEs, up-to-date cyber attack simulators would be beyond their resources. These new tools from Microsoft have been ‘trained’ thanks to AI and real-world analysis via Windows 10, thereby making them an affordable, accessible, and hopefully effective and welcome addition to the security options that businesses have at their disposal.
There is no doubt that human / employee error is at the heart of many successful cyber-attacks. With a phishing attack simulator that allows the creation of a fake phishing email, companies can see, for example, which employees fall for it, and this could serve as a way of identifying who needs extra security training.
The combination of these new tools from Microsoft could provide an effective way that companies of all sizes could take proactive measures to plug gaps in their cyber-security shield, and guard against the kind of breaches that could be expensive and damaging, especially with the introduction of GDPR.
Facebook … Face Recognition Woes
Facebook is in the news yet again, this time for having to face a class action lawsuit for allegedly gathering biometric information without users’ explicit consent, via facial recognition technology.
What Facial Recognition Technology?
A facial recognition technology feature in Facebook’s platform suggests who might be present in uploaded photos, based on an existing database of faces, and uses “tag suggestions” technology.
The feature works by trying to detect any faces in an uploaded photo, then standardising and aligning those faces for size and direction. For each face, Facebook then computes a face signature, which is a mathematical representation of the face in that photo. Finally, the face signatures are run through a stored database of user face templates to look for similar matches.
What’s The Problem?
The problem in legal terms is that the software allegedly gathers (and presumably stores) biometric information about individuals, i.e. makes and stores face templates of them, without their explicit consent for it to do so. This sounds as though it may breach Illinois state law; Illinois is the state from which the class of people in the lawsuit is made up.
The court order is reported to apply to Facebook users in Illinois for whom Facebook created and stored a face template after 7 June 2011.
What Are The Chances?
Although Facebook reportedly intends to fight the case and believes that it has no merit, the fact that the judge, James Donato, has ruled to certify a class of Facebook users, and has said that Facebook could be expecting billions in statutory damages, does not appear to bode well for Facebook.
Not Available Here
Privacy regulations mean that the facial recognition and tagging feature is not available in Europe or Canada, and can be turned off in settings for US users.
Facebook also said back in December 2017 that users would be notified if a picture of them was uploaded by someone else, even if they hadn’t been tagged in it.
Hearing In A Crowd Technology Developed By Google
Just as Facebook appears to be in trouble over face recognition technology, Google has announced that its research team has just developed technology that can recognise individual voices in a crowd, just as a human can.
The tech giant has made a demonstration video for the technology. The video shows how, with lots of people talking at once in a room, a user can select a particular face and hear the soundtrack of just that person. Users of this technology can also select the context of a conversation, and only references to that conversation are played, even if more than one person in the room is discussing that subject matter.
The AI technology behind the feature was developed using data collated from 100,000 videos of lectures and training videos on YouTube.
What Does This Mean For Your Business?
With GDPR on the way, the case against Facebook’s face recognition technology is another reminder of how businesses need to get to grips with the sometimes complicated area of consent. Video images and face templates of individuals are also likely to qualify as personal data, for which consent to collection and storage will be needed under GDPR. Privacy, as well as security, is a right that is getting even greater protection in law.
The technology from Google that can recognise individual voices, and can follow individual conversations in crowds could unlock valuable business opportunities in e.g. improving the function and scope of hearing aids, or improving video conferencing tools by enabling them to take place in the middle of an office space rather than only in a separate, soundproofed meeting room (provided other visual distractions are minimised). It seems that new technology is beginning to be developed to help tackle age-old human challenges.