Category Archives: Data privacy

June 2018 – Red Shell service arousing public question!

DNS logs explicitly show internet users' activities. For instance, malicious network traffic can be identified in DNS logs. The technical details include command and control (C2) traffic of the following cyber attacks: ransomware, malicious ads and redirects, exploit kits, phishing, typosquatting attacks, DNS hijacking, denial of service (DoS) attacks, and DNS tunneling.

Pi-hole is a Linux network-level advertisement and internet tracker blocking application which acts as a DNS sinkhole. DNS sinkholing is a mechanism aimed at protecting users by intercepting DNS requests attempting to connect to known malicious or unwanted domains and returning a false, or rather controlled, IP address. The controlled IP address points to a sinkhole server defined by the DNS sinkhole administrator.

The sinkhole server can be used to collect event logs, but in such cases the sinkhole administrator must ensure that all logging is done within their legal boundaries and that there is no breach of privacy.
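The sinkhole decision described above, as an added example written for this page (it is illustrative code, not Pi-hole's or BIND's own implementation). It answers blocked names, including subdomains of a blocked parent, with an administrator-controlled address and forwards everything else; it logs only the blocked queries and stores a salted hash of the client address rather than the raw IP, which is one way of keeping the event log inside the privacy boundary the paragraph mentions. The blocklist, the sinkhole address (an RFC 5737 documentation address) and the client addresses are constructed sample values.

```python
"""Added example: DNS sinkhole decision logic with privacy-aware logging.

Illustrative code for this page, not Pi-hole's or BIND's code. It models
the decision a sinkhole makes per query: if the queried name or any of
its parent domains is on the blocklist, answer with the controlled
sinkhole address; otherwise hand the query to the upstream resolver.
All addresses and list entries are constructed sample values.
"""
import hashlib
from dataclasses import dataclass, field

SINKHOLE_IP = "192.0.2.1"   # assumed sinkhole server (RFC 5737 documentation range)
UPSTREAM = "forward"        # marker meaning "not blocked, forward to upstream resolver"

# Constructed blocklist; a real deployment loads curated lists instead.
BLOCKLIST = {"ads.example", "tracker.example.net", "malware-c2.example"}

# Assumed per-deployment salt so that hashed client identifiers cannot be
# matched against a list of candidate addresses by simple re-hashing.
LOG_SALT = b"rotate-me-per-deployment"


def _parent_domains(name: str):
    """Yield 'a.b.c', 'b.c', 'c' for a query name so parent entries match."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def is_blocked(name: str, blocklist=BLOCKLIST) -> bool:
    """True when the name or one of its parent domains is listed."""
    return any(d in blocklist for d in _parent_domains(name))


def pseudonymize(client_ip: str) -> str:
    """Keep the log useful for counting without storing the raw client IP."""
    return hashlib.sha256(LOG_SALT + client_ip.encode()).hexdigest()[:16]


@dataclass
class Sinkhole:
    blocklist: set = field(default_factory=lambda: set(BLOCKLIST))
    log: list = field(default_factory=list)

    def resolve(self, name: str, client_ip: str) -> str:
        """Return the sinkhole IP for blocked names, else the UPSTREAM marker.

        Only blocked queries are logged, and the client address is
        pseudonymized before it reaches the log.
        """
        if is_blocked(name, self.blocklist):
            self.log.append({"qname": name.rstrip(".").lower(),
                             "client": pseudonymize(client_ip),
                             "action": "sinkhole"})
            return SINKHOLE_IP
        return UPSTREAM


if __name__ == "__main__":
    s = Sinkhole()
    for q, ip in [("www.ads.example.", "10.0.0.5"),
                  ("example.org", "10.0.0.5"),
                  ("cdn.tracker.example.net", "10.0.0.9")]:
        print(q, "->", s.resolve(q, ip))
    print(s.log)
```

Matching parent domains is what makes `www.ads.example` land in the sinkhole when only `ads.example` is listed; a plain set lookup on the full name would miss it.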

Red Shell helps PC & console games uncover where their players come from through reliable attribution. Their system architecture is built on the Pi-hole and BIND open-source applications. Meanwhile, Pi-hole and BIND can do reverse engineering: they can do endpoint monitoring, aiming to keep track of customer behaviour.

The public has concerns about, and questions, the analytics package provided by Innervate, Inc. to game publishers. Innervate, a Seattle-based company founded to help game makers reach more customers, is launching its new Red Shell service today.

Reference:

European Union Agency for Network and Information Security

What is a “DNS Sinkhole”? – https://www.enisa.europa.eu/topics/csirts-in-europe/glossary/dns-sinkhole

Remark: The administrator must ensure that all logging is done within their legal boundaries and that there is no breach of privacy.

What is your privacy today? – Apr 2018

We are concerned about data privacy, and we are scared of surveillance programs. As a matter of fact, we are always under a custodian. When you apply for a loan or hold a credit card, the financial institution will know your credit details, and your trustworthiness will be categorized by a score. Since this is a verification check, we have no negative comment on it. But it looks like the data custodian power of the authorized agencies is becoming bigger and bigger. So a doubt occurred after the Equifax cyber security incident in 2017 caused a data breach. Equifax is one of the credit report agencies. There are three such companies at this time: Equifax, Experian and TransUnion. Experian also offers INTERNET SURVEILLANCE, SOCIAL NETWORK MONITORING and anti-IDENTITY THEFT SERVICES. As far as I know, SunTrust Bank is now offering identity protection for all current and new consumer clients at no cost on an ongoing basis, because a former employee stole details on 1.5 million customers. The identity protection services provider is Experian. Their power is bigger and no one is aware of it. From a technical point of view, their power is similar to a government's. But what can we do?

SunTrust 1.5 M client info stolen news – Apr 2018 (see below)

https://www.usatoday.com/story/tech/2018/04/20/many-1-5-million-accounts-may-have-been-compromised-suntrust-banks/535687002/

Facebook’s Zuckerberg ‘sorry’ over Cambridge Analytica ‘breach’

The Facebook scandal looks like a hot discussion topic this week. However, the scandal looks like vendor misbehaviour instead of a data breach. Anyway, let the experts figure out the truth. Perhaps this is not news to cyber security experts, since Facebook has not been a secure platform so far: scam email and email phishing rely on data stolen from Facebook client endpoints to do their dirty tricks. I heard that the UK parliament asks Mark Zuckerberg to testify in the data misuse case. Oh!

Facebook’s Zuckerberg ‘sorry’ over Cambridge Analytica ‘breach’. For more details, please refer to the following url for reference.

http://www.bbc.com/news/world-us-canada-43494337

GDPR – Art. 17 GDPR Right to erasure (‘right to be forgotten’)

The data protection policy comes into effect on 28th May 2018. EU member countries are mandated to comply with the data protection policy. It is good news for avoiding personal data misuse. Such benefits apply to the citizens of all member countries. On the following grounds of interpretation you are allowed to execute the following actions. For instance:

The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.

But the above shall not apply to the extent that processing is necessary: for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Actually there is more. For more details, please refer to

Art. 17 GDPR – Right to erasure (‘right to be forgotten’)

Enjoy!

Blockchain technology can do the magic – EU GDPR new data protection regulation

Preface:

The movie When Harry Met Sally is a romantic comedy film written by Nora Ephron. It gives the world the idea that we are all interconnected by fate.

GDPR – High Level Understanding

The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU).

GDPR principle

The General Data Protection Regulation is, quite literally, a data protection model. Details are shown below:

  • Establish data privacy as a fundamental right
  • Clarify the responsibilities for EU data protection
  • Define a base line for data protection
  • Elaborate on the data protection principles
  • Increase enforcement powers

In regard to GDPR, how does blockchain technology assist?

Blockchains are secure by design. Each block typically contains a cryptographic hash of the previous block. By construction, a blockchain is inherently resistant to modification of the data. This exactly fulfills the GDPR mandatory requirements. Let’s take a simple look at the requirements on a data controller.
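The "each block contains a cryptographic hash of the previous block" property, as an added example written for this page (illustrative code, not any particular blockchain implementation). `verify()` walks the chain and reports the index of the first block whose stored previous-hash no longer matches, which is how modification of earlier data becomes detectable. One design choice is an assumption of this example, not a statement from the page: the chain anchors only a salted hash of each off-chain record, so the personal data itself can still be erased later (the Art. 17 right to erasure discussed above) while the chain remains verifiable. The records are constructed sample values.

```python
"""Added example: a minimal hash chain with a tamper check.

Illustrative code for this page, not any real blockchain. Each block
stores the SHA-256 hash of the previous block, so altering an earlier
block changes every link after it. Assumed design choice: only a salted
digest of each off-chain record is anchored, never the record itself.
"""
import hashlib
import json
import os
from dataclasses import dataclass

GENESIS_PREV = "0" * 64   # previous-hash value used by the first block


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def record_digest(record: dict, salt: bytes) -> str:
    """Digest of an off-chain record; the salt stops an observer from
    recovering the record by hashing candidate values (e.g. names)."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return sha256_hex(salt + canonical)


@dataclass(frozen=True)
class Block:
    index: int
    prev_hash: str
    payload: str      # digest of an off-chain record, not the record itself

    def hash(self) -> str:
        return sha256_hex(f"{self.index}|{self.prev_hash}|{self.payload}".encode())


def append_block(chain: list, payload: str) -> Block:
    """Link a new block to the current tail of the chain."""
    prev_hash = chain[-1].hash() if chain else GENESIS_PREV
    block = Block(len(chain), prev_hash, payload)
    chain.append(block)
    return block


def verify(chain: list):
    """Return (True, None) if every link holds, else (False, first bad index)."""
    expected_prev = GENESIS_PREV
    for i, block in enumerate(chain):
        if block.index != i or block.prev_hash != expected_prev:
            return False, i
        expected_prev = block.hash()
    return True, None


def demo():
    """Build a two-block chain from constructed records, then tamper with
    block 0 and show that verification now fails at block 1."""
    salt = os.urandom(16)
    records = [{"subject": "alice", "consent": "marketing"},
               {"subject": "bob", "consent": "none"}]
    chain = []
    for r in records:
        append_block(chain, record_digest(r, salt))
    ok_before = verify(chain)
    tampered = {"subject": "alice", "consent": "all"}
    chain[0] = Block(0, GENESIS_PREV, record_digest(tampered, salt))
    ok_after = verify(chain)
    return ok_before, ok_after


if __name__ == "__main__":
    print(demo())   # (True, None) then (False, 1)
```

Note that a rewritten block 0 still looks internally valid; it is block 1, whose stored previous-hash was computed over the original block 0, that exposes the change. Erasing the off-chain record behind a digest leaves the chain intact, because the chain never held the record.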

  • (Article 24) – be accountable, demonstrate compliance
  • (Article 25) – Adopt privacy by design
  • (Article 27) – If not in the EU, appoint a representative
  • (Article 28) – Take care when using 3rd parties (Processors)
  • (Article 30) – Keep records of processing
  • (Article 32) – Do security well
  • (Article 33) – Tell the regulator if they have a breach (72 hours)
  • (Article 34) – Tell Data Subjects about some breaches
  • (Article 35 and 36) – Do privacy impact assessments
  • (Article 37,38 and 39) – appoint a Data Protection Officer where specified

Let’s see how blockchain technology addresses these subject matters.

Perhaps readers are not interested in reading a whole bunch of words. An explicit view and explanation is given in the informative diagram below.

Reminder – New EU GDPR will be effective in May 2018

END of discussion.

New Trend 2018 – Exfiltrating Data via DNS

New Trend 2018 – Exfiltrating data via DNS (see below url for reference)

https://blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns

Comments: A popular discussion topic on cyber attacks this year focuses on DNS attacks. Security experts found that threat actors transform the DNS topology into a hacking tool that assists their goals. It shows small data sets with frequent connections. But the new generation of malware found today looks like a prototype. Why? The fact is that the malware relies on an executable file instead of hiding itself in memory.
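The "small data set with frequent connections" pattern is what a defender can look for in DNS query logs. The following is an added detection example written for this page; it is not code from the Forcepoint write-up linked above. It aggregates queries per parent domain and flags a domain when it receives a burst of distinct, long, high-entropy subdomains, which is how encoded data chunks show up when each query carries a small piece. The log lines are constructed samples in a simple `<timestamp> <client> <qname>` layout, and the thresholds are assumptions to be tuned on real traffic.

```python
"""Added example: spotting DNS-based exfiltration in query logs.

Illustrative detection code for this page, not from the linked article.
Exfiltration over DNS typically looks like many queries to one parent
domain, each with a long, high-entropy subdomain carrying a chunk of
encoded data. The log below is a constructed sample, not real traffic.
"""
import math
from collections import defaultdict

# Constructed sample log: a few normal lookups plus a burst of long
# hex-like labels under one parent domain.
SAMPLE_LOG = """
2018-02-01T10:00:01 10.1.1.7 www.example.com
2018-02-01T10:00:02 10.1.1.7 mail.example.com
2018-02-01T10:00:03 10.1.1.8 cdn.example.org
2018-02-01T10:00:04 10.1.1.9 4f6e1b2c9d8e7a3b5c1d.t1.exfil-test.example
2018-02-01T10:00:04 10.1.1.9 9a8b7c6d5e4f3a2b1c0d.t2.exfil-test.example
2018-02-01T10:00:05 10.1.1.9 1122aabbccdd33445566.t3.exfil-test.example
2018-02-01T10:00:05 10.1.1.9 deadbeefcafef00d1234.t4.exfil-test.example
2018-02-01T10:00:06 10.1.1.9 0f1e2d3c4b5a69788796.t5.exfil-test.example
2018-02-01T10:00:07 10.1.1.7 www.example.com
""".strip()


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded data scores high, dictionary words low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parent_domain(qname: str, levels: int = 2) -> str:
    """Registrable-domain approximation: the last `levels` labels."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-levels:])


def parse_log(text: str):
    """Yield (timestamp, client, qname) from the constructed log layout."""
    for line in text.splitlines():
        ts, client, qname = line.split()
        yield ts, client, qname.rstrip(".").lower()


def score_domains(text: str):
    """Per parent domain: query count, unique subdomains, average subdomain
    length and average subdomain entropy."""
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(),
                                 "len_sum": 0, "ent_sum": 0.0})
    for _, _, qname in parse_log(text):
        parent = parent_domain(qname)
        sub = qname[:-len(parent)].rstrip(".") if qname != parent else ""
        st = stats[parent]
        st["queries"] += 1
        st["subdomains"].add(sub)
        st["len_sum"] += len(sub)
        st["ent_sum"] += shannon_entropy(sub.replace(".", ""))
    result = {}
    for parent, st in stats.items():
        n = st["queries"]
        result[parent] = {"queries": n,
                          "unique_subdomains": len(st["subdomains"]),
                          "avg_sub_len": st["len_sum"] / n,
                          "avg_entropy": st["ent_sum"] / n}
    return result


def suspicious_domains(text: str, min_queries=5, min_len=20, min_entropy=3.0):
    """Thresholds are assumptions for this sample; tune them on real data."""
    flagged = []
    for parent, s in score_domains(text).items():
        if (s["queries"] >= min_queries
                and s["unique_subdomains"] == s["queries"]   # every query distinct
                and s["avg_sub_len"] >= min_len
                and s["avg_entropy"] >= min_entropy):
            flagged.append(parent)
    return sorted(flagged)


if __name__ == "__main__":
    for parent, s in score_domains(SAMPLE_LOG).items():
        print(parent, s)
    print("suspicious:", suspicious_domains(SAMPLE_LOG))
```

The repeated `www.example.com` lookups are not flagged even though the domain is queried several times, because the subdomains repeat and are short; the exfiltration candidate stands out on all four measures at once, which keeps false positives from CDNs and normal name churn lower than any single threshold would.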

Reminder – New EU GDPR will be effective in May 2018

Are you ready for the EU GDPR new data protection regulation yet? The new GDPR establishes common rules across Europe, gives individuals better control over their personal data held by organizations, and will be effective in May 2018. The details below are the principles for your reference. But have you confirmed that your in-house strategy aligns with data protection?

  • Establish data privacy as a fundamental right
  • Clarify the responsibilities for EU data protection
  • Define a base line for data protection
  • Elaborate on the data protection principles
  • Increase enforcement powers

In short, your company needs to:

  • Classify data, tag them, implement encryption.
  • Modify application
  • Manage hardware and software for encryption for distributed platforms

For more details, please refer to the following url: https://www.eugdpr.org/

Data Privacy Day 2018 Livestream on 28th Jan 2018

In the last hundred years, the recording of information, including the storage of information, went without big changes. A revolution appeared that forced computer technology to jump to another generation of the computer world, with big data and digitization technology. Cyber attacks have wreaked havoc recently. In order to avoid any mistake made by antivirus programs, antivirus vendors reinforce their defensive techniques: they keep track of your daily activities simultaneously. Perhaps you and I did not empower a 3rd party to do this kind of job. But what can we do today to protect our personal data privacy?

Data Privacy Day 2018 – Live from LinkedIn. Data Privacy Day 2018 Livestream on 28th Jan 2018 (see below url for reference)

https://staysafeonline.org/dpd18-live/

Lawful interception – How’s your personal privacy value today?

A cloud computing platform looks like an aircraft carrier in the data world. Meanwhile, the data stored inside the cloud are under cloud protection. However, different countries implement different data protection laws and data custodian policies. Perhaps developing countries were unaware of this topic last decade. However, big data has upgraded its political position progressively. It looks like it is not easy for government enforcement units to get the data in a cloud farm: at least they must apply for key escrow or a search warrant through official channels. Or you may say that sometimes asking for presidential approval can evade all the official channels. But how to monitor billions of mobile phones & computers? Perhaps it is not a secret; WikiLeaks became a whistleblower in 2014 (see below url for reference). A strange issue drew my attention this year: more antivirus vendors detected FinFisher malware this month (see attached detail in the picture, left hand corner). FinFisher customers include law enforcement and government agencies around the world. Do you think there is a new round of hostile country surveillance programs being engaged this year?

2014 – wikileaks SpyFiles 4

https://wikileaks.org/spyfiles4/index.html

2014 – Wikileaks releases FinFisher files to highlight government malware abuse (by theguardian.com)

https://www.theguardian.com/technology/2014/sep/16/wikileaks-finfisher-files-malware-surveillance

Smart City & IoT – Mandatory 3 principles for working with Big data

We frequently hear about smart city projects and the usage of big data. The first impression such key terms give people is that they are an advanced technique and the technology trend of the future. In fact, it is not possible to say we are keen to enjoy the benefits of smart city and big data analytics while we just ignore the peripherals. How does a city appropriately do such a setup, starting from scratch? For example, HKSAR issued the Smart City Blueprint in the middle of last year, but it has a whole bunch of unknown answers waiting for queries (public queries, or queries with industries). Perhaps the objective of the smart city goal is to enhance public safety and the governance of the city; the career opportunities are a side product carried by this project. If the key items of the city have not been resolved yet (for instance: population, immigration policy and land use), then even though you enforce this project, it may be far away from its original design objectives.

Below url is the smart city blueprint for HKSAR for your reference.

https://www.smartcity.gov.hk/blueprint/HongKongSmartCityBlueprint_e-flipbook_EN/mobile/index.html#p=30