Category Archives: Internet Security
Local third grader earns national recognition in poster contest – NEWS10 ABC
Image of Sahana's award winning poster via Center for Internet Security
EAST GREENBUSH, N.Y. (NEWS10) Sahana, a third-grader from Genet Elementary School, was one of 10 students recognized in a national poster contest, highlighting dangers children can face online. Sahanas poster was picked from hundreds of submissions across the country.
Sahanas submission will be made into a poster and featured in the Center for Internet Securitys 2023 Kids Safe Online activity book. She will receive an award for her artwork at the welcome ceremony at the New York State Plaza Cybersecurity Conference taking place at the Empire State Plaza Convention Center on Tuesday, June 6.
The contest was open to all students in public and private schools and youth organizations from kindergarten through 12th grade in all 50 states.
Students of all ages are connected across a variety of devices, like phones, tablets, school laptops, and gaming systems, said Karen Sorady, Vice President, MS-ISAC Member Engagement at the Center for Internet Security. The Kids Safe Online poster contest is a terrific way to not only educate our kids about making smart choices and protecting their personal information, but it also empowers them to identify and report potential online dangers to keep their friends and communities safer.
Follow this link:
Local third grader earns national recognition in poster contest - NEWS10 ABC
The value of Internet Security Services – theleader.info by The … – The Leader Newspaper
In a world where info breaches are cyber security services common, cybersecurity is more important than ever before. The resulting damage to businesses can be disastrous, and the reduction in buyer trust can easily have long lasting effects.
Cybersecurity is a large discipline that involves everything from guarding hardware and software against viruses to providing tragedy recovery companies. It also may include educating employees method stay safe on line. Managing web security requires a team of execs who can determine and manage the risks, dangers and weaknesses of your institution.
Todays business operations rely on networks of computers and smart products. They shop vast amounts of data, including Personally Identifiable Details (PII) just like passwords, fiscal information and intellectual property. This is a target with regards to criminals that can use the data for extortion, blackmail, or other offences. In addition , significant infrastructure including hospitals, ammenities and banking companies are dependent on these kinds of devices to function, which makes them vulnerable.
The average company engages dozens of staff and includes thousands of clients. Every one of these individuals may be targeted by cybercriminals, and it is important that businesses protect their particular systems from being breached.
In addition to ensuring that all equipment, software and data is certainly protected via malicious problems, cyber reliability solutions includes regular revisions to prevent bugs from exploiting holes in the system. Additionally , companies should teach their personnel on how to continue to be secure over the internet, including steering clear of clicking shady links and downloading untrustworthy applications. This can help reduce the risk of an information breach and maintain the company in good standing with its customers.
The value of Internet Security Services - theleader.info by The ... - The Leader Newspaper
What challenges do we face five years after the launch of the … – Open Access Government
On 25th May, the EU implemented the General Data Protection Regulation shortened to GDPR which ultimately changed the way we deal with data.
The European data protection law gives individuals more control over their personal information and enforces any company collecting the personal data of EU citizens to reframe how they think about data privacy. Ultimately, it forced organisations to make privacy by design paramount.
Failure to comply with the law can lead to severe consequences. GDPR gave the EU power to levy harsh fines against businesses that violate its privacy and security standards, with penalties reaching into the tens of millions of Euros.
Some of the largest companies in the world, including Apple, Amazon, British Airways, Google and Meta, have incurred significant penalties for failing to meet GDPR standards.
The influence of GDPR has been so far-reaching that countries, including Japan, Brazil and South Korea, have all introduced their own data privacy law modelled on GDPR. In 2018, California adopted the Californian Consumer Privacy Act (CCPA), which had many similarities with the GDPR.
The European Commission is criticised for many things, but GDPR is the one thing where it can hold its head up high and say, weve led the world in this
The European Commission is criticised for many things, but GDPR is the one thing where it can hold its head up high and say, weve led the world in this, said Paul Brucciani, Cyber Security Advisor at WithSecure.
As regulatory milestones go, its the equivalent of climbing Everest. And it seems to be working as other jurisdictions are following suit.
Michael Covington, VP of Strategy at Jamf, also agrees on the impact and importance of GDPR.
The EUs GDPR has had a tremendous impact on how organisations around the globe handle personal user data since the regulation went into effect five years ago, said Covington.
The threat of substantial fines including the almost 3 billion that have been levied since the regulation went into effect has forced companies to take privacy and security more seriously. And the impact is not just contained within Europe; GDPR has inspired over 100 other regional privacy standards, including those in many of the individual US states.
Now that we have arrived at the fifth anniversary of GDPR, it is a perfect time to reflect on what can be improved. Businesses and the cybersecurity industry shouldnt just be asking themselves how they comply with GDPR but how they go above and beyond to ensure that data is secure and protected.
For some organisations, GDPR can be seen a bit like taking an exam. Instead of ensuring compliance and improving overall cyber resilience throughout the year, businesses are scrambling to ensure compliance just in time for quarterly or annual audits.
Sylvain Cortes, VP of Strategy at Hackuity, believes that organisations cannot continue this mad cycle of exam cramming.
He urges companies to take the opportunity to test systems for compliance specifications, like those in GDPR article 32, to improve their overall cyber resilience.
Compliance is essential, but we urge organisations to take the opportunity to think beyond baseline requirements to develop a culture of continuous cyber improvement, said Cortes.
Its important to remember that achieving compliance shouldnt be treated like exam-cramming with last-ditch efforts to achieve annual or quarterly audits.
Cortes also said that GDPR was not a one-off compliance tick box in 2018, and nor is it today: The goal is to achieve more than the minimum requirements and move away from the tick-box mindset. GDPR compliance is necessary, but it is far from sufficient for modern organisations.
Even though organisations are still facing plenty of the same challenges when it comes to GDPR compliance, there are new challenges as well. In 2018, terms such as generative AI, ChatGPT and biometrics were not even in the minds of people when GDPR was introduced; however, five years later, they are at the forefront of every conversation when it comes to technology and IT.
As organisations introduce these new technologies to the workplace, the importance of GDPR compliance does not waver. Brucciani believes the rise of AI is one of the biggest challenges facing the EU from a regulatory standpoint.
Internet fragmentation, driven by the quest for digital power, is creating regulatory complexity, and the EU has an important role in leading the world through this, said Brucciani.
For example, AI is the next big field that will need regulating, and the EU has again made a head start on this with its proposed AI Act, a legal framework that is intended to be innovation-friendly, future-proof and resilient to disruption.
Eduardo Azanza, CEO at Veridas, also argues that trust in new technology, such as biometrics, is built by ensuring that standards in regulations are met.
With the rise of biometrics and AI, the focus on data protection and privacy has never been more important, said Azanza. Questions should be asked of biometric companies to ensure they are following GDPR laws and are transparent in how data is stored and accessed.
Trust in biometric solutions must be based on transparency and compliance with legal, technical, and ethical standards. Only by doing this can we successfully transition to a world of biometrics that protects our fundamental right to data privacy.
Ultimately, five years on from GDPR, many organisations still face plenty of challenges when it comes to compliance. However, regulations, such as GDPR, are essential. Organisations should not look to just comply with them but go above and beyond them.
When we see the rise of the likes of ChatGPT, our first question is always, Is our data safe? Lets not forget that GDPR is just as, or even more important now, than it was five years ago when the EU implemented the revolutionary law.
This piece was written and provided by Robin Campbell-Burt, CEO of Code Red.
Editor's Recommended Articles
Go here to see the original:
What challenges do we face five years after the launch of the ... - Open Access Government
AI could be ‘more important development’ than internet – RTE.ie
The Director of the National Cyber Security Centre (NCSC) has warned that artificial intelligence could prove to be a more important development than the internet.
Appearing before the Oireachtas Foreign Affairs and Defence Committee, the director of the NCSC, Dr Richard Browne, said that a year ago he would likely have been warning the committee about the challenges posed by cryptography and the shift to cloud computing.
"All of these are still factors today but are entirely overshadowed by the first public outings of generally available Artificial Intelligence", he told members.
Separately the committee was told of the "largely inconsequential" impact of cyber-attacks in terms of the overall Russian military effort.
Whilst telling TDs and Senators that cyber remains a "key tool in the armoury of any state", Dr Browne added that Ukraine had been prepared for such attacks due to years of "similar offensive actions" and because of "massive external support from public and private sector organisations".
Dr Browne also updated members of the committee on efforts to expand the NCSC.
Following the cyber-attack on the Health Service Executive, a capacity review of the NCSC was launched.
Dr Browne said that the organisation has increased its staff numbers from 25 staff to 52 today, adding that there is scope to grow to 62 this year.
Matt Carthy, Sinn Fin's Foreign Affairs and Defence spokesperson, asked if the NCSC would have concerns about other public bodies that could be vulnerable to cyber-attack.
Dr Browne told members that there were always risks, but that the NCSC acts quickly when issues arise, so at this point he did not have such concerns.
Separately, the committee was told that Government employees are generally advised not to have any applications on their phone that they do not need for business.
"Simply because every single application has some degree of risk", Dr Browne explained.
Following an assessment by the NCSC earlier this year, Government workers were asked to remove the TikTok app from official devices.
Dr Browne told members that the risks posed by different apps are kept under constant review.
AI could be 'more important development' than internet - RTE.ie
Proton users can now secure all their family members with one … – TechRadar
New and existing Proton users can now secure the digital life of all their family members with just one subscription.
Proton Family is an all-in-one plan that gives access to its premium VPN service, secure email, encrypted cloud storage and calendar to up to six users.
The Swiss-based privacy company seeks to fight back today's growing cyber threats, making it easier to protect the most vulnerable members of the household.
"As a parent, I am eager to teach my children the proper ways to approach email, cloud storage, and internet security from the beginning. I know I am not alone in this," said Proton's Product Lead David Dudok de Wit.
Recent data shows, in fact, that about 7 out of 10 families have experienced cyber threats in some forms. The great majority of parents (90%) are worried for the safety of their children's online identity, too. Such concerns are understandable being that kids are increasingly surfing the web from a very young age nowadays.
Downloading and correctly using a virtual private network or any other security tools is something that might be tricky also for the eldest of the family who may not fully understand the risks of such an ever-changing online world.
"The Proton Family plan takes us one step closer to our mission of making privacy the default for everyone,"said Dudok de Wit.
An all-in-one plan to protect all your loved ones, Proton Family gives premium access to all the products and features under the company's belt for up to six members of your family.
At the time of writing, this includes its Proton VPN, Proton Mail, Proton Calendar and Proton Drive coming with a 3TB of shared storage space and a 20GB bonus to be added every year. Proton Pass, the provider's very own password manager now available in beta, will also be included once made available to all users.
Starting from what works out to be a monthly fee of $19.99, users can sign up directly or simply upgrade their existing subscription.
Dudok de Wit said: "A family plan has been among our most sought-after services, and I am delighted to announce its launch today."
Compare today's best overall VPNs
Originally posted here:
Proton users can now secure all their family members with one ... - TechRadar
Interview With a Crypto Scam Investment Spammer Krebs on … – Krebs on Security
Social networks are constantly battling inauthentic bot accounts that send direct messages to users promoting scam cryptocurrency investment platforms. What follows is an interview with a Russian hacker responsible for a series of aggressive crypto spam campaigns that recently prompted several large Mastodon communities to temporarily halt new registrations. According to the hacker, their spam software has been in private use until the last few weeks, when it was released as open source code.
Renaud Chaput is a freelance programmer working on modernizing and scaling the Mastodon project infrastructure including joinmastodon.org, mastodon.online, and mastodon.social. Chaput said that on May 4, 2023, someone unleashed a spam torrent targeting users on these Mastodon communities via private mentions, a kind of direct messaging on the platform.
The messages said recipients had earned an investment credit at a cryptocurrency trading platform called moonxtrade[.]com. Chaput said the spammers used more than 1,500 Internet addresses across 400 providers to register new accounts, which then followed popular accounts on Mastodon and sent private mentions to the followers of those accounts.
Since then, the same spammers have used this method to advertise more than 100 different crypto investment-themed domains. Chaput said that at one point this month the volume of bot accounts being registered for the crypto spam campaign started overwhelming the servers that handle new signups at Mastodon.social.
We suddenly went from like three registrations per minute to 900 a minute, Chaput said. There was nothing in the Mastodon software to detect that activity, and the protocol is not designed to handle this.
One of the crypto investment scam messages promoted in the spam campaigns on Mastodon this month.
Seeking to gain a temporary handle on the spam wave, Chaput said he briefly disabled new account registrations on mastodon.social and mastondon.online. Shortly after that, those same servers came under a sustained distributed denial-of-service (DDoS) attack.
Chaput said whoever was behind the DDoS was definitely not using point-and-click DDoS tools, like a booter or stresser service.
This was three hours non-stop, 200,000 to 400,000 requests per second, Chaput said of the DDoS. At first, they were targeting one path, and when we blocked that they started to randomize things. Over three hours the attack evolved several times.
Chaput says the spam waves have died down since they retrofitted mastodon.social with a CAPTCHA, those squiggly letter and number combinations designed to stymie automated account creation tools. But hes worried that other Mastodon instances may not be as well-staffed and might be easy prey for these spammers.
We dont know if this is the work of one person, or if this is [related to] software or services being sold to others, Chaput told KrebsOnSecurity. Were really impressed by the scale of it using hundreds of domains and thousands of Microsoft email addresses.
Chaput said a review of their logs indicates many of the newly registered Mastodon spam accounts were registered using the same 0auth credentials, and that a domain common to those credentials was quot[.]pw.
The domain quot[.]pw has been registered and abandoned by several parties since 2014, but the most recent registration data available through DomainTools.com shows it was registered in March 2020 to someone in Krasnodar, Russia with the email address email@example.com.
This email address is also connected to accounts on several Russian cybercrime forums, including __edman__, who had a history of selling logs large amounts of data stolen from many bot-infected computers as well as giving away access to hacked Internet of Things (IoT) devices.
In September 2018, a user by the name (phonetically Zipper in Russian) registered on the Russian hacking forum Lolzteam using the firstname.lastname@example.org address. In May 2020, Zipper told another Lolzteam member that quot[.]pw was their domain. That user advertised a service called Quot Project which said they could be hired to write programming scripts in Python and C++.
I make Telegram bots and other rubbish cheaply, reads one February 2020 sales thread from Zipper.
Quotpw/Ahick/Edgard/ advertising his coding services in this Google-translated forum posting.
Clicking the open chat in Telegram button on Zippers Lolzteam profile page launched a Telegram instant message chat window where the user Quotpw responded almost immediately. Asked if they were aware their domain was being used to manage a spam botnet that was pelting Mastodon instances with crypto scam spam, Quotpw confirmed the spam was powered by their software.
It was made for a limited circle of people, Quotpw said, noting that they recently released the bot software as open source on GitHub.
Quotpw went on to say the spam botnet was powered by well more than the hundreds of IP addresses tracked by Chaput, and that these systems were mostly residential proxies. A residential proxy generally refers to a computer or mobile device running some type of software that enables the system to be used as a pass-through for Internet traffic from others.
Very often, this proxy software is installed surreptitiously, such as through a Free VPN service or mobile app. Residential proxies also can refer to households protected by compromised home routers running factory-default credentials or outdated firmware.
Quotpw maintains they have earned more than $2,000 sending roughly 100,000 private mentions to users of different Mastodon communities over the past few weeks. Quotpw said their conversion rate for the same bot-powered direct message spam on Twitter is usually much higher and more profitable, although they conceded that recent adjustments to Twitters anti-bot CAPTCHA have put a crimp in their Twitter earnings.
My partners (Im programmer) lost time and money while ArkoseLabs (funcaptcha) introduced new precautions on Twitter, Quotpw wrote in a Telegram reply. On Twitter, more spam and crypto scam.
Asked whether they felt at all conflicted about spamming people with invitations to cryptocurrency scams, Quotpw said in their hometown they pay more for such work than in white jobs referring to legitimate programming jobs that dont involve malware, botnets, spams and scams.
Consider salaries in Russia, Quotpw said. Any spam is made for profit and brings illegal money to spammers.
Shortly after email@example.com registered quot[.]pw, the WHOIS registration records for the domain were changed again, to firstname.lastname@example.org, and to a phone number in Austria: +43.6607003748.
Constella Intelligence, a company that tracks breached data, finds that the address email@example.com has been associated with accounts at the mobile app site aptoide.com (user: CoolappsforAndroid) and vimeworld.ru that were created from different Internet addresses in Vienna, Austria.
A search in Skype on that Austrian phone number shows it belongs to a Sergey Proshutinskiy who lists his location as Vienna, Austria. The very first result that comes up when one searches that unusual name in Google is a LinkedIn profile for a Sergey Proshutinskiy from Vienna, Austria.
Proshutinskiys LinkedIn profile says he is a Class of 2024 student at TGM, which is a state-owned, technical and engineering school in Austria. His resume also says he is a data science intern at Mondi Group, an Austrian manufacturer of sustainable packaging and paper.
Mr. Proshutinskiy did not respond to requests for comment.
Quotpw denied being Sergey, and said Sergey was a friend who registered the domain as a birthday present and favor last year.
Initially, I bought it for 300 rubles, Quotpw explained. The extension cost 1300 rubles (expensive). I waited until it expired and forgot to buy it. After that, a friend (Sergey) bought [the] domain and transferred access rights to me.
Hes not even an information security specialist, Quotpw said of Sergey. My friends do not belong to this field. None of my friends are engaged in scams or other black [hat] activities.
It may seem unlikely that someone would go to all this trouble to spam Mastodon users over several weeks using an impressive number of resources all for just $2,000 in profit. But it is likely that whoever is actually running the various crypto scam platforms advertised by Quotpws spam messages pays handsomely for any investments generated by their spam.
According to the FBI, financial losses from cryptocurrency investment scams dwarfed losses for all other types of cybercrime in 2022, rising from $907 million in 2021 to $2.57 billion last year.
Update, May 25, 10:30 a.m.: Corrected attribution of the Austrian school TGM.
Read more here:
Interview With a Crypto Scam Investment Spammer Krebs on ... - Krebs on Security
Radiation from the cell phone devices has been linked to cancer – Daily Mail
The FCC says the radiation coming from your cellphone is no big deal. A cancer surgeon friend told me he begs to differ.
While public health experts continue to debate the issue and the public's own worries may be overblown, perhaps the best approach is 'better safe than sorry.'
That's certainly been the approach of the attorneys for the manufacturers, who have helped craft their mobile phone's manuals and legal notices.
Modern iPhones, including the 14 Pro Max and the iPhone SE, recommendthat their customers 'use a hands-free option, such as the built-in speakerphone, headphones or other similar accessories' to 'reduce exposure to RF [radio frequency] energy.'
These radio frequency exposures, according toGermany's Federal Office for Radiation, can be exceptionally high from some mobile devices with a few energetic Android phones topping the list.
You have to wonder: What do the manufacturers know that we don't?
'People are addicted to their smartphones,' according toJoel Moskowitz, a researcher in the University of California Berkeley's School of Public Health.
'We use them for everything now, and, in many ways, we need them to function in our daily lives,' Moskowitz said. 'I think the idea that they're potentially harming our health is too much for some people.'
As the director of Berkeley's Center for Family and Community Health, Moskowitz has made studying the biological effects of the radio frequency energy on the human body a research priority since 2009.
Kim Komando hosts a weekly call-in show where she provides advice about technology gadgets, websites, smartphone apps and internet security.
Listen on 425+ radio stations or get the podcast. And join over 400,000 people who get her free 5-minute daily email newsletter.
But he's picking up where US federal regulators, in his view, dropped the ball.
'Cellphones, cell towers and other wireless devices are regulated by most governments,' said Moskowitz, with one caveat. 'Our government, however, stopped funding research on the health effects of radiofrequency radiation in the 1990s.'
In 2020, Moskowitz and his colleagues published a review of 46 case-control health studies on the issue of cell phones and health, which they published in the International Journal of Environmental Research and Public Health.
'Our main takeaway,' Moskowitz says, 'is that approximately 1,000 hours of lifetime cellphone use, or about 17 minutes per day over a 10-year period, is associated with a statistically significant 60 percent increase in brain cancer.'
Not every researcher on the topic takes Moskowitz's grim view, of course. And the UN's World Health Organization currently maintains that, as yet, 'no adverse health effects have been established as being caused by mobile phone use.'
So, what do I do?
I play it safe and keep my phone away from my body and head as much as possible. (Yes, I'm that person taking calls on my AirPods or speakerphone.)
And I take my cues from overseas agencies, likeGermany's Federal Office for Radiation(Bundesamt fr Strahlenschutz) which lists data on each mobile phone'sspecific absorption rate (SAR).
Some phones, it turns out, emit more radiation than others. But what exactly are we measuring with the specific absorption rate?
SAR, which is calculated inwatts per kilogram of body weight, quantifies how muchenergy is absorbed per unit mass by the human body when it's exposed to a radio frequency.
Typically, it's based on an absorption value recorded when when you make a call with the phone up to your ear. In the US, theFederal Communications Commission (FCC) even uses a dummy head to calculate SAR values for cell phones.
But, really you don't need to know all the details, just that the legal limit is 1.6 watts/kg here in the US.
See where your cell phone falls on the list, compiled by Digital Information World.
These five models emit some of the strongest radiation on the market: Motorola Edge ( 1.79 w/kg); OnePlus 6T (1.55 w/kg); Sony Xperia XA2 Plus (1.41 w/kg) Google Pixel 3 XL (1.39w/kg); and the Google Pixel 4a (1.37w/kg) in a tie with theOppo Reno5 5G (1.37 w/kg).
Men, don't store your phone in your pant pockets. Ladies, keep it out of your bra.
Not far behind, were the Google Pixel 3 (1.33 w/kg), Huawei's P Smart (1.27 w/kg) and the OnePlus 9 (1.26 w/kg).
If you're concerned about your SAR risks, but don't feel like the hassle of keeping your phone at a distance all the time, these are the phones known to emit the least radiation: the Samsung Galaxy Note10+ 5G (0.19 w/kg); Samsung's Galaxy Note10 (0.21w/kg); the Samsung Galaxy A80 (0.22 w/kg); LG G7 ThinQ (0.24 w/kg); and the Motorola Razr 5G (0.27w/kg).
And given the warnings in the manuals, whatabout the iPhone?
Well, it falls somewhere in the middle. That iPhone SE with that warning gives off a SAR or 0.98w/kg.
It'scomparableto other popular models: iPhone 11 (0.95w/kg); iPhone 12 (0.98w/kg); iPhone 13 (0.99w/kg); and iPhone 14 (0.98w/kg).
Radiation from the cell phone devices has been linked to cancer - Daily Mail
Data Protection Standards For Cross Border Data Transfers In India: Suggestive Approaches And Way Forward – Live Law – Indian Legal News
Global data flows have substantially risen in recent years, along with trade in digital services across borders. As per the Report published by the World Bank, in 2020, global internet traffic was estimated to be approximately three zettabytes which counts to one GB per day per person. This volume is expected to double fold itself in the coming years. Such a huge amount of data flow is pushing the growth of International trade. Cross-border data flows facilitate trade in goods, enhancing productivity and reducing costs; it also serves as the primary means of transacting in digital services. Cross-border data flows, and international trade are interdependent, and cross-border data transfer is one of the key contributors to the exponential growth of international trade. In todays world, electronic payment systems, internet-based advertising and retailing, and cloud computing have become integral parts of almost all businesses, irrespective of the sector they operate in. In fact, it is difficult to envision an international trade transaction that does not involve data transfer.
A well-formulated legal framework for cross-border data transfer is essential for the economic growth of any country and should be the top priority looking at the ever-increasing rate of global data flows and its potential misuse in terms of national security, data breaches, and privacy concerns. The aim of such a framework is to ensure that personal data is adequately protected during the transfer process and not subject to misuse or abuse.
Currently, there are several models for cross-border data transfers, including the European Unions General Data Protection Regulations (GDPR), the Asia-Pacific Economic Cooperation (APEC) Privacy Framework, and the United States (US) - European Union (EU) Privacy Shield Framework.
The GDPR is one of the most comprehensive frameworks for cross-border data transfers. It applies to all businesses that process the personal data of EU citizens, regardless of where the business is located. The GDPR requires businesses to obtain explicit consent from individuals before collecting their personal data and to provide clear information about how that data will be used. The APEC Privacy Framework is a voluntary framework that provides guidelines for protecting personal data in the Asia-Pacific region. It is based on nine privacy principles, including the collection limitation principle, the data quality principle, and the security safeguards principle. The US-EU Privacy Shield Framework is a framework that allows businesses to transfer personal data between the EU and the US. It is based on the principles of notice, choice, accountability for onward transfer, security, data integrity and purpose limitation, access, and recourse.
Despite these frameworks, there is still a need for a more comprehensive legislative framework for cross-border data transfers. This is because many countries do not have laws that adequately protect personal data, and there is a lack of consistency between different frameworks.
Such as in India, there is a lack of a comprehensive legislative framework for cross-border data transfer. The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, under the Information Technology Act, 2000, require companies to obtain the individuals consent before transferring their sensitive personal data. Additionally, the Reserve Bank of India has issued guidelines for the outsourcing of financial services that require companies to ensure that the outsourcing of services does not result in a compromise of customer data.
India will soon introduce the Digital Personal Data Protection Bill 2023 (DPDP Bill) before the parliament this year. Clause 17 of the DPDP Bill talks about the transfer of personal data outside India. It states that The Central Government may, after an assessment of such factors as it may consider necessary, notify such countries or territories outside India to which a Data Fiduciary may transfer personal data, in accordance with such terms and conditions as may be specified. It appears that Central Government. may come up with certain rules under Clause 17 of the DPDP Bill, which lays down data protection standards that must be maintained by any country that intends to indulge in data transfer with India.
While framing the data protection standards under the rules, the following approaches and suggestions may be taken into consideration
A mature approach to regulating the cross border data transfers:
Among the three models for regulating cross-border data transfers, namely, the open model, the conditional model, and the control model, India may consider adopting a mid-approach between the open model and the conditional model, which is neither too stringent nor too loose, aiming to build a maintain a balance between countries growth and data privacy. Efforts should be made to promote international trade while safeguarding data subjects rights and national security and not hindering innovations and the financial growth of the economy. The best example of a conditional model is the EUs GDPR which majorly focuses on data subjects rights and safeguarding the privacy of the data subjects and, side by side, keeping mediocre compliances for the businesses. A similar approach is opted for by South Africa, Singapore, Japan, and various other countries in framing their cross-border data transfer regulations. Indian Government may also form their baselines in line with GDPR especially adopting their principles such as data localization with regard to cross-border data transfers and providing a comprehensive set of rights to the data subjects where they have full ownership and access to their data in every situation whatsoever and whenever. As India is a developing country aiming to become a five trillion-dollar economy by 2025, it wont be possible without fostering international trade, so India must keep its cross-border data compliance requirements flexible and relaxed that prioritizing business needs over individual rights. The US has a slacken data privacy standards for cross borders data transfers and keeps its country more open for ease of doing business for the entities.
Collective actions by the stakeholders for developing a culture of Data Free Flow with Trust:
No matter how stringent or loose a regulatory framework may be for cross-border transfers, it is more dependent on the foreign countries involved in the transfer arrangements to make their responsibility and duty-bound themselves to take all relevant technical, administrative, or social measures that the data they collect from the other country is safe and protected, and they adhere to all the due diligence requirements of the other countries law. This responsible behavior of the foreign country may develop bricks of trust among the countries so that they can indulge in international trade more and more with each other without any fear of the data of their country being misused or compromised. For this, India may conduct engagement programmes with communities of stakeholders that may help in understanding their interests and the challenges they may face while cross-border data transfers. This approach will increase the potential of the other stakeholders while dealing with the protection of the data transferred and enable a broader, more open, and more inclusive environment for cross border data transfers between stakeholders.
A modern and updated consent mechanism in case of data transferred outside India:
The Rules must provide a stricter approach to the consent mechanism in case of cross-border data transfer rather than following the traditional method of taking consent from the data subjects. As India has a low digital literacy rate, it is a challenge to take the actual consent of such digitally illiterate citizens who do not understand the terms and conditions, purpose, and type of data for which their consent is taken. The rules must provide what explicit consent means, and additional and separate consent must be taken in case the data is transferred outside India. The consent taken must be explicit, such as while ticking the consent checkbox; the terms and conditions and other relevant information regarding the data transfer must be in a text-to-speech format where the data subject is given the option to listen to the relevant information in their chosen language.
Time period for data breach notification:
Entrusting the business entities engaged in the cross border data transfers with a higher level of due diligence with regard to notification in case of any data breach. Once a determination of a data breach has been made by the business entity, it should immediately inform the Governments of the respective countries whose citizens data has been targeted and the data subjects whose personal data has been compromised as well so that instant measures can be taken from both ends. The term immediately implies that once the business entity has verified the existence of the breach or has reasonable certainty that it has occurred. In compliance with this, an electronic notification may be sent to the aggrieved data subjects clearly stating that a data breach has occurred and the appropriate measures to be taken further to protect their personal data or any other information in their online accounts.
Right to data portability:
One of the significant data subject rights in case of data transferred abroad is the right to data portability that ensures that the data subject can obtain, reuse, move, copy, or transfer its personal data from one internet infrastructure to another hassle-free. Especially when the personal data of the data subjects are shared with a foreign entity, the data subject should have the right to data portability and receive its personal data in a machine-readable and structured manner and can further transmit to another entity. Take an instance where a data subject has taken consultation from a hospital in Germany, and he now wants to move to a hospital in Australia. In such cases, the personal data shared by the data subjects in Germany must be provided to the data subjects in a well-structured manner so that such data can be further used by the data subject without any hindrance and fear of losing the data.
Additional due diligence requirements on the entities involved in cross-border data transfers-
Foreign entities indulging in cross-border data transfers must be obliged to adopt best practices for safeguarding the personal data of the data subjects. For this, requirements such as enhanced cyber security measures and infrastructure that protects against the misuse of data, easy complaint and grievance redressal mechanisms for the data subjects, conducting regular cyber security audits and data privacy impact assessments and risk assessments, regular monitoring and tracking of the different modus operandi of the bad actors for hampering the data privacy and taking immediate steps in case of risk detected. Foreign entities must adopt data protection by design and by default.
The future of global trade is highly dependent on how a countrys domestic regulations are framed and whether these regulations provide a wide scope for ease of doing business and lesser compliance requirements on the part of foreign countries. It wont be a cakewalk for a country like India, which has the largest population in the world, to frame regulations for cross-border data transfers as they have to put at stake the data of such a huge population and simultaneously ensure the data subjects rights, protecting national security, and promoting the countrys economic growth. The above-laid-down suggestive approaches may help the central Government while framing the rules for cross-border data transfer under the DPDP Bill and act as a foundational guideline for the policymakers.
Details of the Authors
Present Position Senior Legal Associate, Data Privacy and Cyber Security, PriceWaterhouseCooper Services Ltd.
Former Assistant Legal Manager, Cyberlaw Division, Ministry of Electronics & Information Technology, Govt. of India
Contact - 9717490199
Present Position Director, Public Policy, Chase India
Former Scientist E, Cyberlaw Division, Ministry of Electronics & Information Technology, Govt. of India
Present Position Assistant Section Officer, Policy & Administration, Department of Fertilizer, Ministry of Chemical and Fertilizers, Govt. of India
Go here to read the rest:
Data Protection Standards For Cross Border Data Transfers In India: Suggestive Approaches And Way Forward - Live Law - Indian Legal News
NordLayer’s new browser extension offers all its top VPN tools in … – TechRadar
NordLayer - one of our picks for the best business VPN - has launched a new browser extension that incorporates the features found in the desktop version of the network access security solution.
Formerly known as NordVPN Teams, NordLayer is part of the NordSec group, which includes among its products one of the best VPNs, NordVPN, and the best password manager for security, NordPass. NordLayer is B2B focused, providing a cybersecurity service that is scalable.
NordLayer claims that the extension, which is compatible with Google Chrome, Mozilla Firefox, and Microsoft Edge browsers, "introduces a new way of working for teams operating with hybrid-cloud resources while retaining stable and fast connection speeds and robust security."
The company also claims that it offers a lightweight alternative for firms to maintain the same security standards offered by the desktop app, as well as offering fast web browsing speeds. In addition, users can access multiple private gateways at the same time.
The NordLayer Browser Extension defines a simple, intuitive, and effective security approach developed by NordLayer. This add-on is an alternative solution for enriching existing ways to secure online activities, noted Artras Bubokas, a product manager atNordLayer.
The company claims access to web-based company resources if quick and easy with the new extension, as well as solving potential problems with OS compatibility that may occur using the NordLayer desktop app, as only the browser is used. Bubokas claims that "its a perfect solution for those who have devices without the usual operating systems, like ChromeOS."
It also only encrypts data at the browser level, which is something to take into consideration. However, this does mean that internet usage is reduced, which improves speeds and performance as compared to the desktop version.
Bubokas also adds that "the extension comes as a very handy and quick solution to provide secure internet access in a few clicks.
Read more here:
NordLayer's new browser extension offers all its top VPN tools in ... - TechRadar
Feds Dismember Russia’s ‘Snake’ Cyberespionage Operation – BankInfoSecurity.com
Cyberwarfare / Nation-State Attacks , Endpoint Security , Fraud Management & Cybercrime
Federal prosecutors said Tuesday that they had disrupted a Russian intelligence cyberespionage operation by targeting malware used by Kremlin hackers to steal classified and sensitive information. The disruption occurred through the remote deployment of an FBI tool dubbed Perseus that issued commands causing the malware, known as Snake, to overwrite itself.
See Also: Live Webinar | Education Cybersecurity Best Practices: Devices, Ransomware, Budgets and Resources
A U.S. District Court judge issued a search and seizure order Thursday authorizing the FBI to use the tool to target eight U.S. systems infected by Snake as part of an effort the Department of Justice dubbed "Medusa." In Greek mythology, Perseus slayed the Gorgon Medusa after being tricked into the quest by his would-be father-in-law.
The FBI in a sworn statement tied the malware to a unit of Russia's Federal Security Service also known as Turla, a group also dubbed "Krypton," "Venomous Bear" and "Waterbug" by security researchers.
Turla regularly targets both government agencies and the private sector, and is known to have stolen documents from hundreds of systems worldwide. Its victims include NATO governments, journalists and others of interest to Moscow.
Michael J. Driscoll, assistant director in charge of the FBI's New York field office, described Snake as the Russian government's "foremost cyberespionage tool."
Most Snake infections use the host computer as a routing point in a peer-to-peer network used by Russian state hackers, the FBI said, "to make it more difficult for compromised victims to identify and block suspicious connections to Snake-compromised endpoints, among other reasons." Although Snake's code is the basis for a range of highly prolific malware including the Carbon backdoor, Kremlin hackers have not deployed Snake widely in a bid to decrease the probability of detection, the FBI also said.
Snake gains persistence on infected systems by loading a kernel driver and employing a keylogger that routinely reports back to FSB hackers, says a joint cybersecurity advisory released Tuesday by the Five Eyes intelligence alliance, comprised of Australia, Canada, New Zealand, United Kingdom and United States.
"Many systems in this P2P network serve as relay nodes which route disguised operational traffic to and from Snake implants on the FSB's ultimate targets," the advisory says. "Snake's custom communications protocols employ encryption and fragmentation for confidentiality and are designed to hamper detection and collection efforts."
Snake's kernel component examines inbound internet traffic to see if it contains a unique authentication code. When it does, it forwards the packets onward to another Snake node. That method of interception allows the malware to communicate without detection by ordinary intrusion detection security apps or firewalls.
Versions of Snake infect systems running Windows, as well as Linux and MacOS, and are designed to allow attackers to push modules with additional malicious capabilities onto infected endpoints. Even when victims detect the malware, it has historically been tough to eradicate.
Nevertheless, the DOJ said Snake's developers made some errors that it was able to exploit to find ways to disrupt the malware and its associated infrastructure.
Even if Snake operations are permanently disrupted, the group accused of wielding the Turla toolset has already secured its place in cybersecurity history, having been tied to one of the first known episodes of cyberespionage in the 1990s, dubbed Moonlit Maze by the FBI. Later, Turla was accused of building the malicious Agent.btz worm discovered in 2008, which successfully stole military secrets and helped birth U.S. Cyber Command.
"Turla is a Russian cyberespionage actor and one of the oldest intrusion groups we track, existing in some form as early as the 1990s when Kevin Mandia was responding to their intrusions into government and the defense industry," said John Hultquist, head of intelligence analysis at incident response firm Mandiant, which is part of Google.
Western intelligence officials say Snake began development as "Uroburos" in late 2003 and debuted in early 2004. They say it appears to be tied to a specific facility in Ryazan, Russia, backed by daily operations that run from about 7 a.m. to 8 p.m. local time.
Turla pursues "the classic targets of espionage - government, military and the defense sector - and their activity is characterized by a reliably quiet assault on these targets that rarely draws attention," said Hultquist, adding that the group has become known for its continuing innovation.
One of Turla's more innovative alleged efforts involved hijacking attack tools and command-and-control servers used by an Iranian nation-state group called OilRig - aka APT34, Crambus or Helix Kitten.
Russian-speaking attackers' use of the suborned Iranian infrastructure caused private-sector security researchers to first attribute the attacks to Iran. Later, the National Security Agency and U.K. National Cyber Security Center issued a joint alert saying that Russia had been behind a number of seeming OilRig campaigns (see: Turla Teardown: Why Attribute Nation-State Attacks?).
Turla's activities were detailed in a secret 2011 presentation by Canada's Communications Security Establishment that was leaked by ex-NSA contractor Edward Snowden in 2013.
The presentation describes the activities and infrastructure of Turla, which has the codename MAKERSMARK, as "designed by geniuses, implemented by morons." It says Turla members appeared to be using the attack infrastructure for personal browsing and that the group's development environment had been "infected by crimeware."
Read this article:
Feds Dismember Russia's 'Snake' Cyberespionage Operation - BankInfoSecurity.com