by dmaric | Oct 11, 2023 | Data Privacy, Information Security
Escalating Dangers in the Digital Realm
Recent reports reveal a distressing upsurge in child sexual abuse material (CSAM) and online threats against minors, prompting global concern. According to the “Emerging Online Trends in Child Sexual Abuse 2023” report by Thorn, a non-profit using technology to shield children from sexual abuse, minors are increasingly entangled in creating and circulating sexual imagery of themselves, both willingly and under duress, alongside a spike in perilous online engagements with adults.
John Starr, Thorn’s VP of Strategic Impact, lamented, “In our digitally connected world, child sexual abuse material is easily and increasingly shared on the platforms we use in our daily lives.” This vile content isn’t confined to the shadowy realms of the internet but is pervasive on commonly used platforms.
The Startling Numbers
- The National Center for Missing and Exploited Children (NCMEC)’s CyberTipline has witnessed a staggering 329% surge in reported CSAM files over the past five years.
- In 2022 alone, NCMEC was alerted to over 88.3 million CSAM files.
Factors contributing to this surge include the deployment of tools detecting known CSAM and the bolder moves of online predators, who are leveraging advanced technologies, such as chatbots, to intensify their manipulative tactics. Indeed, the NCMEC saw an 82% increase in reports of online enticement of children for sexual acts from 2021 to 2022.
Technology Fights Back: Hashing and Matching in CSAM Detection
Addressing this alarming issue requires technological solutions capable of handling its sheer scale. Hashing and matching are the crucial technical means that can help keep platforms from hosting and enabling the circulation of CSAM, while also inhibiting its virality and the resulting cycles of revictimization.
Breaking Down Hashing and Matching
Hashing converts a file into a fixed-length value, or hash, that acts as its digital fingerprint. To detect CSAM, content is hashed and the resulting hash values are compared against lists of known CSAM hash values, allowing platforms to identify, block, or remove this illegal content.
Enhancing CSAM Detection
Thorn’s Safer tool, designed for proactive CSAM detection, grants access to a large database that aggregates over 29 million known CSAM hash values. Safer also lets technology companies share hash lists with one another, either with attribution or anonymously, thus broadening the corpus of known CSAM and mitigating its digital dissemination.
In 2022, Safer hashed in excess of 42.1 billion images and videos, locating 520,000 files of known CSAM on customer platforms. So far, Safer has aided its customers in identifying more than two million pieces of CSAM on their platforms.
A Collective Strive Toward a Safer Internet
Thorn insists on the pivotal role of content-hosting platforms in the fight against CSAM. Starr emphasizes, “This is about safeguarding our children. It’s also about helping tech platforms protect their users and themselves from the risks of hosting this content. With the right tools, the internet can be safer.”
The consolidation of efforts between tech companies and NGOs is fundamental to obliterating CSAM from the internet. The broader the utilization of CSAM detection tools across platforms, the higher the likelihood of reversing the distressing ascension of child sexual abuse material online.
Conclusion
Addressing the elevation in CSAM requires an unwavering alliance between technology, organizations, and global platforms, utilizing and innovating tools that impede the creation, distribution, and perpetuation of child sexual abuse material. Together, we can forge an internet that champions safety, inhibits exploitation, and preserves the innocence of youth across the global digital landscape.
Contact us for all your Business Security and Resilience needs.
by dmaric | Sep 29, 2023 | Data Privacy, Information Security
In a recent cybersecurity incident that made headlines, DarkBeam, a digital risk protection firm, suffered from a severe data leak. The exposed Elasticsearch and Kibana interface left 3.8 billion records vulnerable, including emails and password combinations. The incident not only raises concerns for DarkBeam’s clientele but has broader implications for cybersecurity at large.
The Scale of the Exposure
First identified by Bob Diachenko, CEO of SecurityDiscovery, the unprotected instance contained an extensive collection of login pairs—email addresses and passwords—segmented into 16 collections. With DarkBeam’s primary function being to alert its customers about data breaches, the irony is stark.
The exposure was closed as soon as Diachenko informed DarkBeam, but the damage might be far-reaching. This colossal data set serves as a treasure trove for malicious actors, providing them with potent tools for a multitude of cyber-attacks.
Underlying Causes
Such vulnerabilities often trace back to human error, usually when employees forget to reinstate security measures post-maintenance. In an era where data protection should be paramount, lapses like this are inexcusable and reflect broader systemic issues in cybersecurity hygiene.
The Risk Landscape
The amalgamation of this extensive data enhances its value exponentially for malicious actors. Even if a majority of the data originated from known sources, having it all collated and organized presents an alarming risk. It creates a conducive environment for spear phishing campaigns, where attackers can masquerade as trusted entities to extract even more sensitive information.
Historical Context
This incident is not without precedent. In the past, there have been similar large-scale leaks. Notably, the RockYou data breach, which involved 8.4 billion password entries, also resulted from a compilation of multiple breaches. However, the DarkBeam incident serves as another critical reminder of the ever-present vulnerabilities in our digital lives.
Immediate Actions to Take
If you suspect your data has been part of this leak, consider the following remedial steps:
- Change Your Passwords: Utilize a robust password generator to make your accounts more secure.
- Enable 2FA: Two-factor authentication provides an additional layer of security.
- Be Vigilant: Monitor for suspicious emails, texts, and other communications. Exercise caution and do not click on unrecognized links or attachments.
The Road Ahead in Cybersecurity
The DarkBeam incident serves as a poignant reminder that even entities tasked with ensuring digital security can fall victim to lapses. As businesses and individuals alike navigate through the complexities of the digital world, maintaining stringent cybersecurity practices is not just recommended—it’s essential. Companies must internalize lessons from incidents like this and reinforce their cybersecurity postures to guard against future vulnerabilities.
by dmaric | Sep 21, 2023 | Data Privacy
Welcome back to our enlightening series on GDPR. In our last article, we looked at why GDPR was introduced, emphasizing its pivotal role in making the digital world more secure, transparent, and fair. Today, we’re going to explore the scope and jurisdiction of GDPR, helping you understand who is affected by these rules and why. Let’s get started.
It’s Not Just a European Thing
First off, a common misconception is that GDPR is only for European Union (EU) citizens or companies. While it’s true that GDPR was born in the EU, its reach is global. Remember how we talked about GDPR being a game-changer? Well, one way it’s doing that is by influencing data practices across the globe.
Criteria for Applicability
Here’s a simple breakdown of who falls under the GDPR’s broad umbrella:
1. Companies in the EU
If a company is based in the EU, then GDPR applies—no ifs, ands, or buts about it. Whether you’re a mom-and-pop shop in France or a giant corporation in Germany, you have to follow the rules. Simple as that.
2. Companies Outside the EU
Now, this is where it gets interesting. Even if a company is not based in the EU, it might still have to comply with GDPR. How so?
a) Offering Goods or Services to EU Citizens
Imagine an online clothing store based in the United States, but it also ships products to France, Italy, or any other EU country. That store has to comply with GDPR when handling data from EU customers.
b) Monitoring Behavior of EU Citizens
Let’s say there’s a fitness app developed in Australia that tracks steps, sleep, and other health data. If citizens of the EU can download and use the app, then the Australian company needs to adhere to GDPR rules.
3. Data Processors
As we covered in our first article, data processors are entities that process data on behalf of data controllers. A third-party email marketing service used by an EU-based company, for example, is also subject to GDPR compliance.
Your Role as a Data Subject
If you recall, a data subject is an individual whose data is being collected—so that’s you and me. Whether you’re shopping online, signing up for newsletters, or creating a social media profile, you are a data subject. And GDPR empowers you, regardless of your nationality, to have certain rights over your data when dealing with companies that fall under the GDPR’s jurisdiction.
Responsibilities Extend to Partners and Vendors
Companies can’t just look inwards; they also have to make sure their external partners and vendors are GDPR compliant. Let’s say you’re a London-based company using a cloud storage service from Canada. It’s not just your company that needs to be compliant; the Canadian service must be too, if it handles data of EU citizens.
Understanding Penalties
Falling foul of the GDPR can lead to severe penalties, a topic we’ll delve into in greater detail in a later article. But to give you a preview: non-compliance can lead to hefty fines, which makes it crucial for all relevant parties to understand their obligations.
What’s Coming Up Next?
In our next article, we’ll focus on Understanding Data Subjects, Data Controllers, and Data Processors, revisiting them in a more detailed manner.
Summing Up Your New Insights
So, who does GDPR affect? Well, the reach is broad: companies within the EU, companies outside the EU that offer services to its citizens, and all the individuals who interact with these organizations. And remember, this is not just about companies; it’s also about empowering you as a data subject.
Now that you understand the extensive scope of GDPR, you’re better prepared to navigate the digital world responsibly and knowledgeably. As we often say, in a world full of data, being informed is your best defense.
Thank you for joining us for another enlightening lesson on GDPR. Stay tuned as we continue to explore this significant regulation. Until then, happy learning!
by dmaric | Sep 21, 2023 | Data Privacy
Hello again! Welcome back to our series on understanding GDPR. In our previous article, we discussed what GDPR is and the basics of how it works. If you remember, we compared GDPR to a sheriff that helps protect your personal “digital” treasures. Today, we’re going to delve into the reasons and the history behind the creation of GDPR. Ready? Let’s get started!
Once Upon a Time: Data Chaos
To understand why GDPR was introduced, we first need to go back in time a bit. Imagine a bustling marketplace where everyone is trading goods, but there’s no set of rules. Some traders are honest, while others are not. People’s items might get stolen, and there’s nothing much anyone can do about it. That’s sort of what the digital landscape was like before GDPR.
Companies collected data without clearly telling people what they’d do with it. Sometimes, this data even got sold to other companies, and before you knew it, your email inbox was flooded with newsletters and promotional offers you never signed up for. It was a bit like the Wild West, where anything goes.
The Need for Control and Clarity
The digital world was changing fast, and old laws couldn’t keep up. The European Union realized that something had to be done to make this digital marketplace more secure and fair. They wanted to give people, or ‘data subjects’ as we learned in the previous article, the power to control their own data.
The EU also wanted companies, known as ‘data controllers,’ to be more transparent and responsible. It shouldn’t be like a magic trick where you don’t know where your card (or in this case, your data) will end up. Instead, everything needed to be above board.
Learning from Past Mistakes
Before GDPR, there was a regulation called the Data Protection Directive. However, it was like an old instruction manual that didn’t cover new gadgets. It had gaps and inconsistencies and was not fit for the challenges of the modern digital world.
For instance, remember the massive data breaches that made headlines? Companies like Yahoo and LinkedIn faced massive data leaks, exposing millions of user accounts. These incidents made it clear that stronger regulations were needed to safeguard people’s data.
The Goals of GDPR
So, the European Union came up with GDPR, aiming to:
- Strengthen Individual Rights: As we touched on in the first article, GDPR provides you several rights, like the right to correct or delete your data.
- Enhance Transparency: Companies must tell you what they’re going to do with your data and must get your approval.
- Boost Security: Organizations need to put robust security measures in place to protect your data from cyberattacks or leaks.
- Hold Companies Accountable: The rules are strict, and the fines, as we mentioned before, can be astronomical for companies that don’t comply.
How GDPR Changed the Game
Imagine you have a neighbor named Tim who borrows your lawnmower but never tells you what he does with it. One day, you find out he’s been renting it out to others and earning money off it! Now, let’s say there’s a new neighborhood rule: you must give explicit permission for how your belongings can be used. That’s a game-changer, right?
That’s precisely what GDPR did. It forced a lot of companies to change how they collect, store, and use data. Now Tim (or any company) needs your express permission to use your lawnmower (or data), and you can even tell him to bring it back anytime you want.
Why Does It Matter to You?
GDPR matters to you for all the reasons we’ve talked about so far. Your data is yours, and you should have control over it. With GDPR, you’re not just a spectator; you’re a player in the game who can call the shots about how your personal data is used.
What’s Next?
We’ve covered a lot today! We talked about why GDPR was introduced, the problems it aimed to solve, and how it changed the digital landscape for companies and individuals alike. In our next article, we’ll dive into the scope and jurisdiction of GDPR to understand who it affects and how.
By understanding the ‘why’ behind GDPR, you’re well on your way to becoming informed about how to protect your data and why it’s so crucial in today’s digital age.
So, why was GDPR introduced? To make the digital world more secure, transparent, and fair for all of us. Remember, in a world full of data, knowledge is your best defense.
Thank you for joining us for another lesson. Stay tuned for more insights on this essential regulation. Happy learning!
by dmaric | Sep 21, 2023 | Data Privacy
Welcome to the first step in your journey to understanding the General Data Protection Regulation, or GDPR as it’s commonly called. Imagine you’ve got a treasure chest of your personal items. Now, wouldn’t you want to keep it secure and decide who gets to see or use those items? Well, GDPR is all about keeping your personal “digital” treasures safe. Let’s get to know it better.
What Exactly is GDPR?
GDPR stands for General Data Protection Regulation. It’s a law that came into effect in the European Union (EU) on May 25, 2018. Think of it as a big rule-book that tells companies how to treat your personal data. You know, all that information you give when signing up for newsletters, online shopping, or creating social media profiles. That’s right! This law makes sure that companies handle this sensitive information carefully and respectfully.
Why Was It Created?
Have you ever received spam emails or had your information suddenly “shared” with other companies without your permission? Quite annoying, isn’t it? GDPR was introduced to prevent such mishaps and to make companies more responsible. It also aims to give you, the individual, more control over your own data. The digital world needed a sheriff, and GDPR is it.
Who is Affected?
Here’s the interesting part: although the law started in the EU, it affects companies worldwide. How so? Let’s say you live in the United States but you use a service based in the EU. This service must follow GDPR rules when dealing with your personal information.
Or consider an online store located in Asia that sells products to customers in Europe. This store has to comply with GDPR because it deals with personal data of EU citizens. In simple terms, if a company is collecting or processing data from individuals within the EU, GDPR kicks in.
Basic Terminology You Should Know
Before we go further, let’s understand some terms:
- Data Subject: That’s you! The individual whose data is being collected.
- Data Controller: The company or organization collecting your data. Think of your favorite online store or streaming service.
- Data Processor: The entity that processes data on behalf of the Data Controller. For example, a payment gateway that the online store uses to handle transactions.
We’ll explore these terms more deeply in the next articles, but for now, it’s good to have an initial understanding.
Your Rights Under GDPR
One of the coolest things about GDPR is the rights it gives you. Here they are in simple language:
- Right to Know: You have the right to know what data is being collected about you.
- Right to Correct: If the information is wrong, you can ask the company to fix it.
- Right to Delete: You can ask the company to delete your data. This is also known as the ‘right to be forgotten.’
- Right to Say No: You can say no to your data being processed in certain ways.
- Right to Transfer: You can take your data and move it to another service.
Imagine you are at a restaurant, and you see the staff jotting down notes about your meal preferences. According to GDPR, you can ask them what they’ve noted down, request changes, or even tell them to forget you ever liked spicy food!
Responsibilities of Companies
Companies have to be super careful when it comes to handling your data. They need your explicit permission to collect and process your data, or another valid legal basis for doing so. Moreover, they are required to keep it safe. Imagine if someone found the keys to your house—what a nightmare! Similarly, companies need to make sure no one unauthorized gets access to your personal information.
What Happens If Rules Aren’t Followed?
Let’s say a company doesn’t play by the GDPR rule-book. Uh-oh! They can face some hefty fines, and we’re talking millions or even billions. These penalties ensure that companies take the law seriously and make safeguarding your data a priority.
Wrapping Up Your Introductory Lesson
You’ve now taken the first step to understand the powerful and protective world of GDPR. With this background, you’ll find it easier to delve into the more detailed aspects of GDPR, like the rights of data subjects or the responsibilities of data controllers and processors, in our upcoming articles.
So, why is GDPR important? Because it’s designed to keep your personal information safe and give you more control over it. Companies have guidelines to follow, and there are penalties for those who don’t. In a world where our digital footprints are larger than ever, having a regulation like GDPR ensures that our steps tread safely.
Congratulations on completing your first lesson on GDPR! Stay tuned for our next article, which will explore the reasons and history behind the creation of GDPR. Until then, happy learning!
by dmaric | Sep 12, 2023 | Data Privacy, Information Security
Browser extensions are the unsung heroes of our internet experience. They block ads, manage passwords, and even enable us to shop smarter. But what happens when these very tools become the Achilles’ heel of our digital safety? Researchers have recently unveiled unsettling truths about some browser extensions that pose serious risks to your private information, including plaintext passwords. This article delves into the disconcerting findings and suggests how to fortify your digital fortress.
The Web of Vulnerabilities
Researchers from the University of Wisconsin-Madison have turned the spotlight on a critical issue: not all browser extensions are safe. In their recent paper, the team created a proof-of-concept extension for Chrome capable of reading plaintext passwords from websites’ HTML source code. This research highlighted that extensions often possess overly broad access to the DOM tree, exposing sensitive user input fields.
Principles Violated
The current browser extension architecture violates two crucial security principles: least privilege and complete mediation. Least privilege implies that a component should have only the permissions it needs to function correctly and no more. Complete mediation ensures that all accesses to resources are checked to ensure they are allowed. Browser extensions, as it turns out, have a bit of a free rein, potentially creating a playground for malicious developers.
Risk-Prone Websites
Although the study focused on Chrome, it’s important to note that these risks are not limited to a single browser. Major websites like Gmail, Amazon, Facebook, Citibank, and Capital One store plaintext passwords within their HTML source code. With a considerable number of extensions on various browsers having the necessary permissions to exploit these vulnerabilities, we’re looking at a privacy nightmare on a global scale.
Immediate Countermeasures
The research team has proposed two immediate countermeasures:
- JavaScript Package for Sensitive Fields: Website developers should employ a specialized JavaScript package to secure sensitive input fields.
- Browser Warnings: Users should receive a warning message from their browser each time an extension tries to access sensitive fields.
Beyond Manifest V3
Most modern browsers now support the Manifest V3 extension format, which does curtail some API abuses. It prevents extensions from fetching code hosted remotely and also restricts the use of eval. However, these steps are more like sticking plasters than comprehensive solutions.
Time for Vigilance
Browser extensions have made our online lives easier, but the research serves as a stark reminder that comfort should not come at the cost of security. While industry players and developers mull over these findings and hopefully come up with robust solutions, users must be discerning when installing extensions.
Your Next Moves
- Educate Yourself: Stay updated with security advisories and understand the permissions you’re granting.
- Trust but Verify: Stick to well-known developers or extensions with high ratings and reviews.
- Regular Audits: Periodically review the extensions you have installed and remove those you don’t need or trust.
The Future of Secure Browsing
While the proposed countermeasures are a step in the right direction, they are not the be-all and end-all. Security is a complex, ongoing process, and it’s only through constant vigilance, education, and system improvements that we can hope to safeguard our digital lives effectively.
Stay safe and browse wisely.