Beware GDPR Scams

Yesterday, I posted What’s With All The Privacy Updates?  I was referring to all of the messages being sent this week, updating privacy policies and asking you to confirm email subscriptions as a result of GDPR going into effect on Friday.

To no surprise, the scammers are right on top of this, sending their own messages, seeming to be related to this, but trying to trick you into revealing your credentials to sites you visit.

If you get a message from a company asking you to confirm their privacy policy or your email subscriptions or anything related to your identity, DO NOT click on the links in the message.  Go to the actual website, look for the places where you would normally update your settings, and see if you are being asked to do so there.  Otherwise, you may find yourself landing on a fake site whose sole purpose is to get you to enter personal information and credentials that will compromise your identity.

What’s With All The Privacy Updates?

Is your Inbox overflowing with messages about updated privacy policies?  From the manufacturer of your computer to the publishers of all the software, apps and websites you use, you are probably receiving an unprecedented amount of privacy updates.

While you probably reflexively delete most of these messages, you may want to pay closer attention to them.  Some are informing you that unless you take specific action, you will no longer receive the email messages that you have subscribed to.

So why is this happening now?  GDPR, that’s why.  The General Data Protection Regulation of the European Union goes into effect in three short days on Friday, May 25, 2018.  This new legislation mandates more transparency when it comes to data privacy and requires that individuals be made aware of what personal data a given company has about them.

Because of this sweeping new legislation, companies are scrambling to let people know that they need to authorize them to retain the private data they hold about you.  They also need you to reconfirm that you give them permission to email you.

Now you know.  These messages are to ensure compliance with the new law.  Even though this is a law of the EU, it applies to companies outside the EU as well, so give these messages a quick review before you delete them, just to be sure you want the company that sent it to you to have personal information about you in its databases.

Here are a couple of examples I’ve received in the last 24 hours, along with links to other blog posts about GDPR:

GDPR and What it Means for U.S. Companies

GDPR Isn’t Just for Europe. What US Companies Need To Know.

It Happens One Month From Today

Here’s a Pretty Lame Scam

I got the following voice mail today on my home phone.  It’s a pretty poorly done scam, yet some unsuspecting people will take it as legitimate and call the number as directed.

Here is the transcription of the voice mail:

“Or 584-0766. Let me repeat. This is a very important call to notify you that your Microsoft Windows license key has been expired on your computer. So Microsoft Corporation has stopped the Windows Services in your computer to renew the Microsoft Windows license key please call 844-584-0766. I will repeat 844-584-0766. Thank you.”

If you want to listen to the actual message, you can by clicking below.

It’s safe to click as I uploaded the voicemail recording to this blog, so that’s where it is playing from.  The actual message is pretty bad as it’s likely a foreign hacker using a generated voice so as not to sound foreign.  Even so, it sounds pretty bad.

Pretty bad, right?  But think of an elderly person getting this message.  They are likely to return the call as it seems important.  Worse, if the person being called actually picked up, it’s likely a live person would have been on the other end of the phone.

Just another social engineering attack, to trick unsuspecting people into giving the bad guys money.  Spread the word that this is going around, so no one you know gets taken by this.  Yes, it’s lame, but it obviously works or they wouldn’t be doing it.

CompTIA Statement on Administration’s Elimination of Top Cybersecurity Official

We all know how serious cybersecurity threats are.  It seems new ones are reported almost daily.  I was surprised to learn that the administration had eliminated the White House Cybersecurity Coordinator position.  CompTIA has released a statement on this action and I fully support CompTIA’s position and recommendations on this topic.

Source: CompTIA Statement on Administration’s Elimination of Top Cybersecurity Official

GDPR and What it Means for U.S. Companies

The following was published in today’s editions of Foster’s and Seacoast Sunday.

Keep Calm GDPR

GDPR is the European Union’s new data protection law. It stands for the General Data Protection Regulation and it goes into effect May 25. While this is a European law, U.S. companies are still subject to it, as are any organizations that possess private data on European Union citizens. It’s a sweeping update to existing data privacy laws that could have wide reaching implications.

The United States has yet to pass a truly comprehensive data privacy standard. Individual states have passed varying data privacy laws, which make compliance confusing and very inconsistent. GDPR stands to set the standard for broad reaching regulation that standardizes compliance and enforcement across borders, within the European Union and across the globe.

This past week, the Computing Technology Industry Association, CompTIA, released a survey on “The State of GDPR Preparedness in the U.S.” Some of the findings are scary. More than half of U.S. companies say they are still trying to determine whether or not GDPR is applicable to them. Well if they have any personal information on a citizen of the European Union, it does. So, for example, if you have just one employee, who holds dual citizenship with a country in the European Union, GDPR applies. If a single citizen of the European Union has purchased something from your company, requiring them to submit payment and shipping information to your company, GDPR applies to your company. You get the idea.

In addition to not knowing if GDPR applies to their business, nearly 65 percent of companies are unaware of the substantial fine structure associated with violations of GDPR. This could lead to significant financial exposure for companies that have not familiarized themselves with GDPR and its applicability to their business.

Those that have looked into GDPR’s impact on their business may be thinking about whether or not they want to continue doing business with the European Union. It’s too soon to tell if the regulation will turn out to hamper business between companies within and outside of the European Union. Of the organizations surveyed, one-third indicate they have no plans to change their business practices with the European Union and its citizens, and one-third say they may. The remaining one-third are not sure.

Some of the unique provisions of GDPR that may be difficult for businesses to comply with are the requirements for data transparency and the right to be forgotten, among others. Data transparency requires that a person be able to review any personal information that a company stores about them. The company must also provide a way for an individual to correct any inaccuracies in that stored information. Even more daunting, perhaps, is the right to be forgotten. To be in compliance, companies must be able to prove that they have completely erased personal information on any individual who wants the company to do so.

We won’t know for sure what real implications GDPR will have for U.S. companies until one gets caught in violation. Once that first case comes to light, we will know how successful this law will be and whether it will become a model that others will follow. Until then, ambiguity, confusion and the threat of significant fines seem to be how GDPR is being perceived in the U.S.

GDPR Isn’t Just for Europe. What US Companies Need To Know.

As I posted yesterday, It Happens One Month From Today, the European Union’s GDPR data privacy regulations go into effect in less than one month now.

GDPR-USA

CompTIA, representing the global information technology industry, surveyed 400 US-based companies about their understanding of and readiness for GDPR.  The results were not good if you are concerned about data privacy and companies’ compliance with the laws governing it.

CompTIA issued a press release yesterday, highlighting the results of its survey on the topic.  As the press release highlights:

“Confusion about the regulations remains a significant problem for many companies,” said Todd Thibodeaux, CompTIA president and CEO.   “Only one in four respondents claim to be very familiar with GDPR,” Thibodeaux reported. “Some believe it applies primarily to companies in the EU; others, only to large multinational corporations. Alarmingly, three in ten companies believe GDPR does not go into effect until the end of 2018.”

Alarming indeed!  Data privacy issues know no borders or governments.  They transcend everyone and everything.  To think that so many organizations do not believe the new regulations affect them, and have not even started to plan for them within one month of implementation, is negligent.

If you are concerned about data privacy, I encourage you to review the CompTIA State of US GDPR Readiness survey results and take action to protect yourself and your business.

It Happens One Month From Today

GDPR

On May 25, 2018 GDPR goes into effect.  What is GDPR?  It’s the General Data Protection Regulation of the European Union.  In other words, it’s the newest and most sweeping data protection law in the world, and its implications extend beyond the borders of European Union member countries.

GDPR will replace the prior regulations, which were enacted in 1995.  The Internet was just gaining mainstream recognition in 1995, so this is a significant replacement, though EU regulators are downplaying the immediate impact of the changes.

In practical terms, GDPR introduces new rights for individuals and new requirements for businesses related to the storage and dissemination of personal information.  Individuals will have more access to the information that companies hold about them.  The companies holding that data have to meet enhanced security requirements related to personal information.  Businesses are also subject to a new range of fines, should they violate the new regulations.

There has been some considerable angst about GDPR among private industry and the tech industry specifically.  With four weeks to go, I’m sure you will be hearing more about GDPR as the implementation date draws closer.  I’ll be blogging about GDPR over the next month as we prepare to see the real impacts come online on May 25th.

So Mr. Zuckerberg Went To Washington

The following was published in the Sunday, April 15, 2018 edition of Foster’s and Seacoast Sunday.

Zuckerberg Testimony

I think the woman in green represents how everyone in the room was feeling, except the members of Congress.

Amidst the outcry over revelations that the political data mining firm Cambridge Analytica inappropriately accessed and used the personal data of nearly 87 million Facebook users, Facebook founder and CEO Mark Zuckerberg answered the call from Congress to come to Washington, D.C.

He faced two days of questioning from House and Senate committees. The results were sometimes downright bizarre.

I think Zuckerberg should be complimented for agreeing to come to Washington and face this questioning. While many criticized Facebook’s initial response to the scandal, the company has done a lot since then and is acknowledging where it can do better. What’s that old cliché? The first step to admitting you have a problem is to say you have a problem. Facebook admits it has a problem and Zuckerberg directly apologized for the breach of the public trust and took responsibility as any good leader should.

Now, as for the value of the questioning and what it says about both Facebook and our elected representatives? It sure didn’t leave me feeling great. The talk among my colleagues in the industry ranged from outright laughter to downright disgust. What came through loudest was how unprepared our elected officials are to deal with issues like this. The sheer lack of basic technical understanding from some of the members was appalling.

I could only watch bits and pieces of the sessions because I became frustrated by the lack of preparation on the part of the members, our elected officials, who have an obligation to protect our interests. The vast majority of them should be embarrassed and apologize to both Facebook and us, their constituents, for wasting our time and distracting themselves from the important work we expect from our Congress.

Instead, many grandstanded, obviously relishing the spotlight they were able to exploit for who knows what purpose. There was no real outcome from the hearings, other than Congress feeling they should legislate a solution and everyone else fearing what that legislation might look like.

The members of Congress would have been far better serving the interests of their constituents if they had consulted with industry and privacy experts to understand exactly what happened and to equally understand what complexities will come to the table in trying to prevent a recurrence. Instead, it felt like several of the members had searched for social media conspiracy theories and crafted their questions accordingly.

Clearly, it wasn’t all bad, but unfortunately, the bad outweighed the good by a significant margin. Facebook has a problem. All of social media has a problem, but perhaps the biggest problem of all is that many people still do not grasp social media for what it is. Most are platforms that do not charge any fee to the individual to be a member. Why? Because they make their money in other ways, mostly through advertising and data sharing. We all know this, so the outrage is just a tad overblown, in my humble opinion. If you wouldn’t choose to hang up a banner outside your home announcing your name, hometown, relationship status and your most precious pictures, then why would you put it on social media? If you are using a complex, technology-driven platform like social media for free, shame on you if you didn’t stop to think about how the company is making money from your membership.

As I wrote about in my last column, you can do a lot to limit what information Facebook shares about you. The same is true of most social media platforms, but Facebook is the one in the spotlight at the moment. As I suggested, Facebook has made a lot of improvements to its app settings over the last several weeks. When you click the arrow next to the help icon, select settings and go to apps, you’ll find it much more obvious what apps you have allowed to be connected to your Facebook account. It’s now easy to select the apps you don’t want to have access and remove them with the click of a single button. The options for all of the apps are much easier to find and intuitive to change. The same is true for the ads settings.

So unlike one senator or congressman who made the statement that he likes chocolate and didn’t understand why after he mentioned chocolate on Facebook he started seeing chocolate ads, hopefully you understand how that happens and how to manage your exposure.

Hopefully, this entire fiasco has made you a more educated social media user. I wish the same were true for the people who have the power to limit and regulate the technology we have access to. Hopefully they will catch up to their constituents, many of whom were shaking their heads this week.

A New Low

Following up on my post about a Phishing Example, the people behind these phishing attacks have sunk to a new low.

Playing on the fears of active shooter events, especially at schools, these latest phishing scams try to trick you into clicking on a link related to an event on a college or high school campus.  When you click the link, you are presented with a fake Microsoft login screen to try to steal your Microsoft Account credentials.  This started in Florida, but will likely spread quickly around the country, so be on the lookout!

Security firm KnowBe4 sent out the following advisory related to this new, low trick:

“Heads-up. You’d think it could not get any worse, but some bad guys have sunk to a new low. They are now exploiting recent active shooter events on campus to get people panicked and “click-by-reflex” to find out if a loved one is safe.

This same phishing attack could be used against any organization with an active shooter protocol and training in place. If you see emails with titles like:

  • “IT DESK: Security Alert Reported on Campus”
  • “IT DESK: Campus Emergency Scare”
  • “IT DESK: Security Concern on Campus Earlier”

Please think before you click, and look for any red flags related to a phishing scam.”

Phishing Example

Last week, I attended an industry conference and spoke on a security panel.  More on that in a post over the next couple of days.  One of the consistent themes around cyber security was how effective phishing email and social engineering are.  It has become the number one vehicle that hackers are using to gain access to secure networks.  This morning, I received a well crafted phishing email that I want to share, as it has several elements that are good to be aware of, in order to not fall victim.

Let’s take a look at the email that arrived this morning with the subject “Shipment Tracking Number” from “notification@fedex.com.”  Both the subject and From address seem legitimate.  Here is the actual message:

FedEx Phish.png

This message looks fairly legitimate, and many people who only quickly glance at it would likely click on the link, so let’s look deeper.

If you hover over the link instead of just clicking it, which is ALWAYS recommended, here is what you see:

FedEx Phish Hover

When you hover over the link, as in the image above, the URL does not match the URL shown in the email.  This should be a clear warning that this could be a phishing message.

Now let’s look a little more closely at the message text itself:

FedEx Phish Markup.png

The sentence that begins at the #1 is not properly capitalized.  The dollar representation at #2 is not in proper currency format and the USD should be capitalized.  The comma following usd is also misplaced and follows a random space.  There is no punctuation at #3 or #4.  #5 lacks proper capitalization and punctuation.  #6 is not the real FedEx logo.  Notice how it is standard text and not the bold logo where the d and E are actually connected.

So, taken all together, do you think the real FedEx would ever allow a message like this to be sent?  No, not at all.  This is definitely a phishing email, designed to get you to click on the link, which will instantly infect your computer and allow a hacker access to your computer or worse, to capture everything you type on your keyboard, which will give them access to far more.

For the more technically inclined, if you also look at the email header, you will find several other identifying details that confirm this is not really from FedEx and a phishing email:

X-Country-Path Denmark->
X-Note-Sending-IP 212.237.47.12
X-Note-Reverse-DNS host12-47-237-212.serverdedicati.aruba.it

These three lines of the header really confirm this.  The IP address resolves to the domain aruba.it.  A WHOIS lookup of that domain shows it being registered to an organization called Aruba Spa, surely a fake organization.  The country is reported as Denmark, but if you know your world geography, Denmark is in Europe and Aruba is in the Caribbean.  Further, the .it domain suffix is actually the top level domain for the country of Italy.  So, did this email come from Denmark, Aruba or Italy?  Probably none.  It’s likely all an elaborate path to mask the real sender, who, if you were not convinced to this point, you should now know without a shadow of a doubt, is not FedEx.
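Two of the checks walked through above, the link whose hover target differs from the URL printed in the message and the header country that disagrees with the reverse-DNS domain, can be automated over a raw message. This is an added example, not code from the original post; the three X- header values are the ones quoted above, while the mail body, the two link URLs and the tiny ccTLD table are constructed placeholders.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: the X- headers are the values quoted in the
# post; the body text and both link URLs are invented placeholders.
SAMPLE = """\
From: notification@fedex.com
Subject: Shipment Tracking Number
X-Country-Path: Denmark->
X-Note-Sending-IP: 212.237.47.12
X-Note-Reverse-DNS: host12-47-237-212.serverdedicati.aruba.it
Content-Type: text/html; charset=utf-8

<html><body><p>your package could not be delivered.</p>
<a href="http://tracking.example-phish.invalid/x">http://www.fedex.com/tracking</a>
</body></html>
"""

# Minimal ccTLD -> country table (assumption; extend for real use).
CCTLD = {"it": "Italy", "dk": "Denmark"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def link_mismatches(html):
    """Links whose visible text is a URL but points at a different host."""
    parser = LinkCollector()
    parser.feed(html)
    return [(text, href) for href, text in parser.links
            if text.startswith(("http://", "https://"))
            and urlparse(text).hostname != urlparse(href).hostname]


def header_country_conflict(msg):
    """Compare the reverse-DNS ccTLD country with X-Country-Path."""
    rdns = msg.get("X-Note-Reverse-DNS", "")
    reported = msg.get("X-Country-Path", "").rstrip("->").strip()
    tld_country = CCTLD.get(rdns.rsplit(".", 1)[-1].lower())
    if tld_country and reported and tld_country != reported:
        return (reported, tld_country)
    return None


def analyse(raw):
    """Run both checks on a raw RFC 5322 message string."""
    msg = email.message_from_string(raw, policy=policy.default)
    return {"link_mismatches": link_mismatches(msg.get_content()),
            "country_conflict": header_country_conflict(msg)}
```

Either finding on its own is a red flag worth a closer look; a message that trips both is the kind described in this post.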

I hope all this information helps you protect yourself from these types of socially engineered phishing scams.