New Data Privacy Law by India Creates Nervousness Among Tech Giants
India has entered the digital age, but its policies, laws and regulations have not kept pace. To modernize them, a panel headed by Justice B.N. Srikrishna is drafting a new data privacy law to regulate the conduct of tech giants such as Facebook and Google. The panel was constituted after the Supreme Court's landmark judgement declaring the right to privacy a fundamental right, a ruling that brought the complexities of data protection to the fore.
At present, data protection in India is governed by the Information Technology Act 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. The 2011 Rules go only a small step beyond the Act, by regulating the processing of sensitive personal data or information such as passwords and financial information.
The Srikrishna committee is now working out several specifics, including how to define fair use, whether tech giants may transfer data across international borders, and how to design an effective enforcement mechanism. The committee has also indicated that India will take a middle path between the US laissez-faire approach and the EU's stringent privacy laws.
UK Government – Minimum Cyber Security Standard to be Maintained for Government Departments
The UK government has published the first edition of its Minimum Cyber Security Standard, which will be incorporated into the Government Functional Standard for Security. The standard is mandatory for all government departments (which includes 'organizations, agencies, Arm's Length Bodies and contractors'), but it also provides an excellent security checklist and framework for commercial organizations.
It is a surprisingly short document (PDF); just seven pages comprising 10 sections under five categories: Identify, Protect, Detect, Respond and Recover. It largely follows the wider European approach of mandating outcomes rather than specific means to achieve those outcomes — but is not entirely devoid of specific instructions.
For example, MFA is required (where feasible), but no specific factors or methods are prescribed (section 7b). The standard therefore allows for, but does not mention, evolving behavioral biometric factors. This is by design. The document itself says, "As far as possible the security standards define outcomes, allowing Departments flexibility in how the standards are implemented, dependent on their local context."
This lack of detailed prescription is welcomed by Sanjay Kalra, co-founder and chief product officer at Lacework. "This is especially important for organizations that operate workloads in the cloud," he said. "Where change is rapid and continuous, the appropriate cloud security measures require flexibility in their approach. In some ways, the Standard is similar in structure to GDPR, where the emphasis is on the outcome, but the guidelines for implementation allow for a common-sense approach that is flexible enough to allow for what works best for the organization."
The Minimum Cyber Security Standard is mandated for government, but it also provides a valuable framework for private industry, paralleling the role of NIST in the U.S. Kolochenko sees even further value. "The UK," he said, "serves a laudable example on how cybersecurity can be and should be managed on a governmental level, that many other European countries can follow."
EY Reports: CIOs Looking at Increasing Spending on Cybersecurity
A recent EY survey reports that 42 percent of respondents are willing to invest more than 10 percent of their annual IT budget in cyber security as they look to comply with privacy laws and protect their organizations against emerging threats.
The "onslaught" of Industry 4.0 technologies being considered and adopted, such as artificial intelligence (AI), the Internet of Things (IoT) and machine learning (ML), is drastically increasing the attack surface for companies, the report highlights. "Additional challenges have been introduced, such as multiple platform interfacing, penetration testing, management of multiple devices, and so on. Privacy elements are baked into this entire gamut of concerns," the report said.
With GDPR in the forefront, respondents took the view that privacy is an important compliance requirement; 40 percent of them said they are still aligning their organizations and technologies to meet it.
61 percent of respondents, CIOs across sectors including consumer products, finance, utilities, pharmaceuticals and technology, named privacy and security considerations among the biggest factors influencing a decision to invest in a disruptive technology. "Majority of companies are still in the process of recognising the importance of implementing appropriate organisational and technical controls for data privacy and potential implications of non-compliance," the study said. "Inculcating a culture of privacy-by-design and security awareness will enable organizations to conduct business across and within borders with minimum ease", it added.
Government Study: Facebook, Google ‘Manipulate’ Users to Share Data Despite EU Law
Facebook and Google are pushing users to share private information by offering "invasive" and limited default options, despite new EU data protection rules aimed at giving users more control and choice, a government-backed study said on Wednesday.
The Norwegian Consumer Council found that the US tech giants' privacy updates clash with the new General Data Protection Regulation (GDPR), which requires companies to make clear what choices people have when sharing private information.
“These companies manipulate us into sharing information about ourselves,” the council’s director of digital services, Finn Myrstad, said in a statement. “(This) is at odds with the expectations of consumers and the intention of the new Regulation,” the 2018 study, entitled “Deceived By Design”, concluded.
But Facebook on Wednesday denied covering up the options for users and said they had prepared for 18 months to meet the GDPR requirements.
“We have made our policies clearer, our privacy settings easier to find and introduced better tools for people to access, download, and delete their information,” the company’s spokesman told Norwegian public broadcaster NRK.
The EU has billed the GDPR as the biggest shake-up of data privacy regulation since the birth of the web. Companies can be fined up to 20 million euros ($24 million) or four percent of annual global turnover, whichever is higher, for breaching the strict new data rules in the European Union, a market of 500 million people.
Many Organizations hit by Typeform Data Breach
On June 27, Typeform, a Spain-based software-as-a-service (SaaS) company specializing in online forms and surveys, disclosed a security breach in which data collected by its customers was stolen. The company stated that an attacker managed to download a backup file dated May 3 from one of its servers. The data included names, e-mail addresses and other information submitted by users through Typeform forms.
UK-based mobile banking service Monzo is one of the impacted organizations; it says the breach affects roughly 20,000 of its users. In some cases, information such as postcode, name of the previous bank, Twitter username, university, age, salary range and employer was also compromised. Monzo says it has ended its relationship with Typeform. The Tasmanian Electoral Commission was also hit by the breach. Other affected organizations include Thriva, Birdseye, HackUPC and Ocean Protocol.
Typeform has formally assured its customers that the source of the breach has been identified and that it is taking significant measures to prevent such incidents from occurring in future.
Twitter: New Processes for Fighting Spam, Bots
Twitter this week shared some details on new processes designed to prevent malicious automation and spam, along with data on the impact of measures implemented over recent months. Spam and bots are highly problematic on Twitter, but the social media giant says it has rolled out new systems that have helped its fight against these issues. The company claims that last month it challenged more than 9.9 million potentially spammy or automated accounts every week, up from 6.4 million in December last year.
Twitter says it now removes 214% more spam accounts compared to 2017. It also claims that recent changes have led to a significant drop in spam reports received from users, from 25,000 daily reports in March to 17,000 in May. The company also reported suspending over 142,000 apps in the first quarter of 2018, more than half of which were shut down within a week or even within hours after being registered.
“We also display a warning on read-only accounts and prevent new accounts from following them to help prevent inadvertent exposure to potentially malicious content,” Twitter’s Yoel Roth and Del Harvey said in a blog post.
The company has also made some changes to its sign-up process to make it more difficult to register spam accounts. This includes requiring new accounts to confirm an email address or phone number. Existing accounts are also being audited to ensure that they weren’t created using automation.
Finally, Twitter says it has expanded its malicious behavior detection systems with tests that can involve solving a reCAPTCHA or responding to a password reset request. Complex cases are passed on to Twitter employees for review.
Mozilla Patches 18 Flaws in Firefox 61, Adds Tab Warming Feature
On 26 June 2018, Mozilla announced Firefox 61 with new features and patches for 18 security vulnerabilities. The release also includes performance improvements that build on the speed gains introduced in the Firefox 57 Quantum release of November 2017.
Another new feature is Tab Warming, which promises faster response when switching between tabs: Firefox begins rendering a tab as soon as the mouse hovers over it, before the click lands.
Parallel CSS parsing also improves speed, and Mozilla has enabled the TLS 1.3 specification (at the time still a draft) by default, providing stronger cryptographic protection for data in transit.
IoT Poses New Cybersecurity Threats for Cable
As cybercrimes and incidents of institutional hacking increase, cybersecurity is a critical concern for big TV distributors that give consumers access to the internet. It is also a strange topic for cable operators, because it is rarely discussed in public beyond the chorus of concern from consumer data watchdogs.
NCTA–The Internet & Television Association and the American Cable Association emphasize that “the entire cable industry takes cybersecurity very seriously” and back security and risk management practices. But details about those efforts — or the failures in the system — are scant.
Still, the scale of cyber-threats to the cable industry is significant and growing, and there are constant reminders of new ones. This past May, researchers found that U.S. customers' Wi-Fi credentials could be harvested through a cable operator's activation portal using details found on a bill or in an email. Comcast said it quickly disabled the vulnerability in its activation portal, added a further layer of authentication, and that no personal user information was ever accessed.
"With the constant barrage of new cyber incidents, often driven by IoT devices vulnerable to exploitation, governments at all levels are taking notice and grappling with the rapidly evolving threat," according to a CableLabs summary of remarks given at an IoT workshop. "Cybersecurity is no longer the domain of the IT department, but rather a key area of governance for all enterprises."
Massive Breach at Data Broker Exactis: Millions of Americans Exposed
Security researcher Vinny Troia has discovered another sensitive database exposed on the internet: an Elasticsearch instance, a search engine that makes the data it holds easy to query over the network. Although Elasticsearch offers security features including authentication and role-based access control, many customers do not deploy them.
According to a report in Wired, he found around 7,000 such exposed instances. One that stood out was a database owned by Florida-based data broker Exactis, containing personal data on both consumers and businesses.
The sheer size of the database, the sensitivity of its content and the complete absence of access control make this discovery exceptional. It is estimated to have contained around 340 million records, making it a bigger potential breach than last year's Equifax breach.
Exactis claims to hold consumer data on 218 million individuals and 110 million households. Eighty-eight million records have email addresses with matching postal addresses, and 112 million include residential phone numbers. Business data covers 21 million companies and 40 million postal addresses, with 21 million records containing email addresses and matching postal addresses, and 52 million containing business phone numbers.
Troia reported the findings both to Exactis and to the FBI, and the database has since been made inaccessible, but there is no way of knowing whether anyone other than Troia located or accessed the data while it was exposed.
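The exposure described above comes down to a few lines of node configuration. The following elasticsearch.yml fragment is an added illustration, not configuration from the article, from Exactis or from Elastic: it shows the weak settings that leave an instance answering unauthenticated queries to anyone on the internet beside a hardened equivalent. The private address, certificate paths and 6.x-era property names are assumptions for the example; check the reference documentation for the version you run.

```yaml
# elasticsearch.yml -- added illustration, not configuration from the article.
# Address, certificate paths and property names are assumptions for the example.

# ---- Weak: the shape of an instance that turns up in internet-wide scans ----
# network.host: 0.0.0.0           # listens on every interface, public ones included
# http.port: 9200
# xpack.security.enabled: false   # no authentication: GET /_search returns everything
#                                 # (on 6.x releases before 6.8, security also needs a
#                                 # trial/paid license or a third-party plugin, which is
#                                 # one reason so many instances run without it)

# ---- Hardened ----
network.host: 10.0.1.15           # private interface only; never a public address
http.port: 9200

# Authentication and role-based access control on the REST API
xpack.security.enabled: true

# TLS on the REST API (9200) and on node-to-node transport (9300)
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/transport.p12
xpack.security.transport.ssl.truststore.path: certs/transport.p12
```

After restarting with the hardened settings, set passwords for the built-in users with `bin/elasticsearch-setup-passwords interactive`, then verify from a host outside the network that `curl -sk https://<host>:9200/` returns 401 rather than the cluster banner. Binding to a private address and a network ACL in front of port 9200 are still worth having even with authentication on: the check in the article was trivial precisely because the default listener answers anyone who can reach it.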
Tech Mahindra Partners with LIFARS for Digital Forensics & Incident Response Cyber Security Platform
Tech Mahindra, a provider of digital transformation, consulting and business re-engineering services and solutions, today announced a strategic partnership with LIFARS, LLC, a New York City-based digital forensics and incident response firm, to launch an Advanced Managed Threat Detection and Response Service for their customers.
Tech Mahindra's Security Operations Center (SOC) offering and LIFARS' incident response service will be combined to create new services in threat detection, mitigation, incident management and integrated cyber resilience.
“LIFARS and Tech Mahindra’s partnership is aimed at addressing the growing needs of customers to combat the rampantly increasing number of cyber threats. By leveraging the combination of LIFARS’ world-class team of elite cyber security specialists for incident response services, and the expertise of Tech Mahindra’s skilled SOC (Security Operations Center) analysts, we will develop an enhanced cyber breach and emergency response service offering,” said Rajiv Singh, Global Head of Enterprise Security & Risk Management, Tech Mahindra.
“We are very pleased to enter into a strategic partnership with Tech Mahindra in the cybersecurity space. This is a testament to the quality of our service and position in the US, as a leader in the field of digital forensics and cyber resiliency. This collaboration will further help us expand our capabilities and reach,” said Ondrej Krehel, CEO & Founder of LIFARS. “Today, the market clearly recognizes the immense need for companies to implement thorough cyber security measures on-site. Tech Mahindra’s operational skills and reach in SOC delivery, combined with LIFARS’ in-depth cyber security knowledge will bring robust solutions and new innovation to the cyber security marketplace”, he added.
Tech Mahindra is on a mission to develop and serve the cyber security market across the globe. This partnership fits well with the larger Tech Mahindra strategy of delivering excellence and value in the cybersecurity space under the TechMNxt charter.