Howard Solomon Howard Solomon @howarditwc
Published: February 4th, 2019
Wise words on privacy from a Canadian expert, a U.K.insurance company fined for mixing business and politics for Brexit and how to secure that email.
Welcome to Cyber Security Today. It’s Monday February 4th. To hear the podcast click on the arrow below:
I was at a privacy conference in Toronto last week where I heard the respected Canadian expert Ann Cavoukian speak. She reminded attendees that privacy and security go together: They aren’t opposites. In fact, she said, privacy is essential to innovation. Companies that do both privacy and security will have an advantage over competitors because customers will trust them more. Is improving the control customers have over their personal information costly, including giving the ability to refuse to allow their personal data to be re-used or shipped to another firm? Maybe. But, Cavoukian adds, that’s nothing to the damage to your brand, loss of trust, and lawsuits that result from a data breach.
Speaking of privacy breaches, the U.K. information commissioner has fined a British insurance company that sent over one million emails to subscribers of the Leave EU Brexit campaign without their full consent three years ago. And the campaign was fined as well for unlawfully using the insurance company to 300,000 political marketing messages to customers. It is deeply concerning that sensitive personal data gathered for political purposes was later used for insurance purposes; and vice versa,” said the information commissioner. You can read her full report here
Fake email, where an attacker uses a phony “from” email address, a deceptive domain or a display name that impersonates a familiar company, is behind many successful data breaches. Someone clicks on a link or opens an attachment and in seconds they’re infected. If only there was a way to authenticate where email comes from. Actually, there is: It’s an open standard called DMARC. The good news is more companies are using it. The bad news, according to security vendor Vailmail, is not enough of them are doing it, nor are they configuring it right. In a study released on Friday, the company said 80 per cent of U.S. federal government domains now use DMARC. By comparison at least 50 per cent of Fortune 500 and large U.S. tech companies have adopted DMARC. Does your company have a way of authenticating email it sends? You should ask.
Finally, ever wonder how cellphone companies co-ordinate the billions of phone calls and text messages sent around the world? They do it through a protocol called SS7. This protocol has vulnerabilities. However, until recently it was thought only intelligence agencies could break into it. But last week the news site Motherboard confirmed a British bank was victimized by an SS7 hack, so it seems cybercriminals now have the capability as well. What this means is the six-digit text messages a financial institution will send you as part of a two-factor authentication login system are increasingly likely to be stolen. I’ve talked about this before: The standard text messaging app that comes with many smartphones may not be safe enough for two-factor authentication. Some cellphone companies say they have taken steps to better secure their text messaging. But if you use an email, company login or bank app that offers two-factor authentication in addition to a username and password, see if it offers the ability to get the special code through a safer messaging app. Four of them are Google Authenticator, Authy, Authenticator Plus, and Duo.
That’s it for Cyber Security Today. Subscribe on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker. Thanks for listening.