ΑΠΟΦΑΣΗ ΔΙΟΙΚΗΤΙΚΟΥ ΔΙΚΑΣΤΗΡΙΟΥ: απόρριψη προσφυγής αναφορικά με τη συλλογή και επεξεργασία δακτυλικών αποτυπωμάτων
Περισσότερες πληροφορίες στη σελίδα του Επιτρόπου Προσωπικών Δεδομένων.
working, consulting, monitoring your IT infrastructure for the future
Showing posts with label COMPANY. Show all posts
Showing posts with label COMPANY. Show all posts
Thursday, 21 September 2017
Συλλογή και επεξεργασία δακτυλικών αποτυπωμάτων - Δικαστική απόφαση
Saturday, 12 August 2017
Πως να προστατευτείτε από απάτες "ψαρέματος" (phishing) με απλές μεθόδους
Είναι
πλέον δύσκολο να μην αντιλαμβανόμαστε
την αυξανόμενη συχνότητα των επιθέσεων
phishing μέσω ηλεκτρονικών μηνυμάτων. Μέσα
σ' αυτή τη χρονιά, οι συχνότερες επιθέσεις
έγιναν σε χρήστες Google Cloud Docs. Τα λογισμικά
καταπολέμησης κακόβουλων επιθέσεων
γίνονται ολοένα και πιο 'εξυπνα' ή
καλύτερα πιο αποτελεσματικά έτσι οι
προσπάθειες καταδολίευσης και απάτης
επικεντρώνονται πλέον από τους hackers
στην 'ολίσθηση' στο λάθος των χρηστών.
Ακόμη και να νομίζετε ότι δεν σας αφορά αυτό το άρθρο, αξίζει να το διαβάσετε. Μπορεί να μη πληρώνετε μέσω διαδικτύου, μπορεί να 'νομίζετε' ότι δεν έχετε ευαίσθητες πληροφορίες στην 'διαδικτυακή σας παρουσία'. Όμως ΕΧΕΤΕ. Από τη στιγμή που χρησιμοποιείτε το διαδίκτυο ΕΙΣΤΕ ΕΥΑΛΩΤΟΙ!
Ακόμη και να νομίζετε ότι δεν σας αφορά αυτό το άρθρο, αξίζει να το διαβάσετε. Μπορεί να μη πληρώνετε μέσω διαδικτύου, μπορεί να 'νομίζετε' ότι δεν έχετε ευαίσθητες πληροφορίες στην 'διαδικτυακή σας παρουσία'. Όμως ΕΧΕΤΕ. Από τη στιγμή που χρησιμοποιείτε το διαδίκτυο ΕΙΣΤΕ ΕΥΑΛΩΤΟΙ!
Τι είναι το phishing;
Οι επιθέσεις phishing όπως αντιλαμβάνεται κανείς, είναι προσεγγίσεις που μοιάζουν νάναι νόμιμες και λογικές, προερχόμενες από ηλεκτρονικά μηνύματα ή/και (σε συνδυασμό) με ιστοσελίδες με πρωταρχικό στόχο την ανάκτηση πρόσβασης στο ηλεκτρονικό ταχυδρομείο του χρήστη ή έμμεσα/αμεσα στους τραπεζιτικούς λογαριασμούς του. Είναι με πανουργία και αποτελεσματικότητα προετοιμασμένες επειδή φαίνεται να προέρχονται από οργανισμούς ή εταιρείες με τις οποίες συνεργάζεστε. Σας οδηγούν σε σελίδες πανομοιότυπες με αυτές που έχετε εμπιστευτικά δεδομένα. Πέφτει στην παγίδα ο χρήστης και βάζει τους κωδικούς του νομιζόμενος ότι εισέρχεται είτε στην ασφαλή πύλη του ηλεκτρονικού ταχυδρομείου του ή στη σελίδα της τράπεζας του που του ζητά να επαναβεβαιώσει τους κωδικούς του. Ο σκοπός του ψαρέματος είναι πάντα ο ίδιος, να αποκτήσει πρόσβαση σε ευαίσθητες περιοχές του χρήστη. Οι hackers τότε αντιγράφουν τον τρόπο γραφής του χρήστη, τιμολόγια που συνήθως πληρώνει και κλέβει την (ηλεκτρονική) ταυτότητα του.Απλοί τρόποι να μην είστε το επόμενο θύμα phishing
Πάντα να σκέφτεστε διπλά πριν κάνετε κλικ σε σύνδεσμο (link) που σας δίνεται είτε μέσω ηλεκτρονικού ταχυδρομείου (email), SMS, messenger κλπ. Αναρωτηθείτε αν ο αποστολέας θα σας έστελνε μήνυμα τέτοιου περιεχομένου. Θα σας ζητούσε κάτι τέτοιο; Για παράδειγμα οι τράπεζες συνεχώς σας θυμίζουν ότι δεν σας ζητούν τους κωδικούς σας είτε από ηλεκτρ. μήνυμα ή άλλη ιστοσελίδα. Αποφεύγετε επίσης να κάνετε κλικ σε συνδέσμους τύπου shortURLs (π.χ https://goo.gl/Z6gYE5, http://alturl.com/i3tew αυτά είναι ασφαλή), δεν ξέρετε που σας οδηγούν. Με τον ίδιο τρόπο να αποφεύγετε να στέλνετε μηνύματα με τέτοιους συνδέσμους. Δεν είναι παράνομο ή κακό αλλά όταν οι παραλήπτες σας γνωρίζουν ότι δεν χρησιμοποιείτε τέτοιους συνδέσμους, ΔΕΝ θα ανοίξουν ένα τέτοιο σύνδεσμο αν φανεί ότι αποστέλνεται απο σας.Συνδέσμοι, URLs, Domains
Επίσης οι σύνδεσμοι δεν σημαίνει ότι σας οδηγούν σ' αυτό που φαίνεται στο κείμενο. Π.χ www.bankofcyprus.com ενώ νομίζετε ότι σας οδηγεί στην Τράπεζα Κύπρου, σας παίρνει στην Google! Κοιτάζετε το σύνδεσμο που γράφει στην κάτω μεριά του προγράμματος email που χρησιμοποιείτε (status bar). Εκεί φαίνεται πραγματικά η ιστοσελίδα που θα ανοίξετε. Οι hackers φυσικά δεν θα σας στείλουν σε 'αθώες' σελίδες όπως η Google Search Engine.Κοιτάζετε πάντα στο address bar του browser σας και βεβαιώνετε ότι είστε στη σελίδα που θέλετε να είστε. Απομνημονεύετε τους σημαντικούς διαδικτυακούς χώρους ενθυμούμενοι το domain τους. Για παράδειγμα, η www.hellenic-bank.com ΔΕΝ ΕΙΝΑΙ η Ελληνική τράπεζα (Κύπρου) της οποίας η σελίδα φυσικά είναι www.hellenicbank.com (χωρίς την '-').
Προσοχή στην λεπτομέρεια!
Οι phishers είναι έξυπνοι, ρισκάρουν, είναι θρασείς. Βελτιώνουν τις τεχνικές τους και σκαρφίζονται καινούργιες μεθόδους προσέγγισης του θύματος. Παίζουν ιδιαίτερα με αναγραμματισμούς των ονομάτων. Οι ιστοσελίδες http://helenicbank.com/ ή http://hellenikbank.com/ φυσικά ΔΕΝ σας οδηγούν στην Ελληνική τράπεζα. Ο ένας συνδεσμος είναι με ένα 'l' αντί με δύο ενώ ο άλλος είναι γραμμένος με 'k' αντί με 'c'.
Ηλεκτρονικά μηνύματα, Emails
Προσέχετε τα ηλεκτρονικά μηνύματα από που προέρχονται. ΜΗΝ βλεπετε ΜΟΝΟ το όνομα. Για παράδειγμα ένα μήνυμα από τον "Christos Andreades <234ss44ff gmail.com="">" είναι προφανές ότι δεν είναι από τον Χρίστο τον οποίο ίσως ξέρετε!Με τον ίδιο τρόπο μπορεί να γνωρίζετε κάποιο Χρίστο με email christos@mydomain.com αλλά λαμβάνετε μήνυμα από το email christos@my-domain.com. Υπάρχουν πολλαπλά τέτοια κρούσματα.
Πολλοί χρήστες του διαδικτύου χρησιμοποιούν δωρεάν υπηρεσίες email όπως της Google (gmail), Microsoft (outlook.com, hotmail.com), Yahoo (yahoo.com) κλπ. Πολλοί επίσης τα χρησιμοποιούν και για επαγγελματική χρήση (κακώς!)
Εδώ οι hackers πάλι αναγραμματίζουν το username. Γνωρίζετε πχ κάποιον με email nikoshalikakakis@gmail.com. Σας στέλνουν email με αποστολέα nikoshallikakakis@gmail.com. Ένα 'l' περισσότερο! όμως ΔΕΝ είναι από τον γνωστό/συνεργάτη/πελάτη σας!
Ένα τελευταίο στα email που πρέπει να προσέχετε είναι ποιος είναι ο αποστολέας και ποιο email είναι δηλωμένο για 'reply to'. Είναι μια από τις ιδιότητες των email. Μπορώ για παράδειγμα να στέλνω email με το όνομα μου και το email μου αλλά θέλω οι απαντήσεις (replies) να πηγαίνουν στο 'κεντρικό' email της εταιρείας μου:
Christos Doe
reply to: MyCompany
Αυτή την ιδιότητα κάνουν πολλοί hackers χρήση γιατί υπάρχει (εύκολα) η δυνατότητα να στείλουν email κάνοντας χρήση ένα πραγματικό email που γνωρίζετε αλλά για σκοπούς επικοινωνίας μαζί του και όχι με τον γνωστό σας, βάζουν στο reply to το email του hacker!
Εταιρειες με καλή δομή στις email πλατφορμες τους κάνουν χρήση του λεγόμενου SPF Record το οποίο μπορεί να απαγορεύει στους διάφορους mailservers να αποδέχονται email των εταιρειών αυτών αν δεν προέρχονται από τους δικούς τους mailservers.
Λογισμικά προστασίας
Η χρήση λογισμικών προστασίας (antivirus, antimalware, firewalls κλπ) ΔΕΝ ΕΙΝΑΙ παντα αρκετή! Πρέπει να προσέχετε διπλά, σαν να μην έχετε προστασία! Οι επιθέσεις απάτης μπορούν να έρθουν είτε από email, instant messaging (messenger, whatsup etc) ακόμη και από SMS! Σκεφτείτε διπλά πριν δώσετε ευαίσθητα στοιχεία σας μέσω κάποιου μέσου που αναφέρουμε ποιο πάνω.Τιμολόγια, πληρωμές
Ελέγχετε όταν κάνετε πληρωμές τιμολογίων. Τα τιμολόγια πολλές φορές αναγράφουν αριθμούς λογαριασμών τραπεζών που πρέπει να γίνει η πληρωμή. Συγκρίνετε τους αριθμούς αυτούς με τους αριθμούς που έχετε κάνει χρήση σε προηγούμενη πληρωμή. Αν ακόμη συναλλάσεστε συχνά με αυτή την εταιρεία και κάνετε πληρωμές μέσω online banking, φυλάξετε τις εταιρείες αυτές στους beneficiaries που σας δίνει δυνατότητα (συνήθως) η τράπεζα σας να φυλάξετε.Αν παίρνετε εντολές πελατών σας για πληρωμές, επιβεβαιώνετε μαζί τους με δεύτερο τρόπο (πχ SMS verification) ότι σας έστειλε να κάνετε αυτή την πληρωμή.
Επιπλέον προστασία
Τέλως ακόμη μια καλή μέθοδος προστασίας είναι και το multi-factor ή two-step authentication. Πολλοί από σας που κάνετε διαδικτυακές πληρωμές, ήδη το χρησιμοποιήτε με το λεγόμενο 'dongle' που σας υποχρεώνει η τράπεζα να έχετε για τις πληρωμές σας. Πολλές υπηρεσίες Cloud όπως η Google, Microsoft κλπ το παρέχουν και το συστήνουν.Τελειώνοντας...
Προσέχετε στο διαδίκτυο, έχει καταντήσει να είναι πιο επικίνδυνο από το να περπατάς στο δρόμο....Μπορείτε να επικοινωνήσετε μαζί μας για περισσότερες πληροφορίες και συμβουλές στο email μας, info(at)scicane.com
Το παρόν άρθρο όπως και τα υπόλοιπα στην ιστοσελίδα αυτή αποτελούν πνευματική ιδιοκτησία της SCICANE LTD και απαγορεύεται η χρήση/αντιγραφή/επαναδημοσίευση μέρους ή όλου του άρθρου χωρίς την έγγραφή αποδοχή της εταιρείας
Περισσότερες πληροφορίες για μας στο About Us
Monday, 1 May 2017
Companies still fail security basics, as ransomware rises
Most breaches take advantage of simple passwords
Companies are still failing to take basic steps to secure their businesses, a new report has found.
Verizon's annual Data Breach Investigations Report, published today, revealed that of the almost 2,000 breaches and security incidents that were analysed, a whopping 81% used easily-guessed or stolen passwords.
Furthermore, over 65% of malware infections were delivered via email attachments - a technique that has been around for decades. Pretexting - a form of social engineering used to obtain privileged information - is also on the rise.
With so many enterprises falling victim to age-old tactics, why are businesses still failing to take basic security measures like strong password hygiene and regular data backups?
"It's a very good question, and it's one we ask ourselves on a recurring basis," Verizon's director of international security solutions, Ali Neil, told IT Pro, "because this is not the only year that we find that the human vector is probably the most susceptible, and theoretically the easiest one by which to combat things."
"You don't have to pay a fortune for a SIEM solution or an intrusion detection solution, you actually have to enforce some basic standards," he added. "Our message is that training is the simplest thing you can do with people."
Not everyone agrees, however. Bromium's EMEA CTO, Fraser Kyne, said that companies need to spend less time focusing on employee training, not more.
"What most interested me in this year's report was that phishing attacks are actually becoming even more prevalent," he said. "One in 14 users are being duped into clicking on a bad link or attachment; but even worse, a quarter of those people go on to do it again. There is a phrase that I think is very apt here - "You can't patch stupidity'.
"Organisations therefore need to shift the onus away from controlling user behaviour if they are to get a handle on the situation. The best way of mitigating phishing attacks is to have a safety net in place, allowing end users to click with freedom, without having to worry too much about stumbling upon a bad link or malicious attachment."
The report included further interesting findings, such as the fact that organised crime gangs were behind more than half of all breaches, almost 70% of all threats to healthcare come from within the organisation, and around 50% of attacks on educational institutions were perpetrated by state-affiliated hackers.
Unsurprisingly, ransomware has also gone up by 50% compared to last year's report. Across the numerous reports put out by the security industry, a consistent rise in ransomware activity is one of the universal constants.
Source: ITPRO
Companies are still failing to take basic steps to secure their businesses, a new report has found.
Verizon's annual Data Breach Investigations Report, published today, revealed that of the almost 2,000 breaches and security incidents that were analysed, a whopping 81% used easily-guessed or stolen passwords.
Furthermore, over 65% of malware infections were delivered via email attachments - a technique that has been around for decades. Pretexting - a form of social engineering used to obtain privileged information - is also on the rise.
With so many enterprises falling victim to age-old tactics, why are businesses still failing to take basic security measures like strong password hygiene and regular data backups?
"It's a very good question, and it's one we ask ourselves on a recurring basis," Verizon's director of international security solutions, Ali Neil, told IT Pro, "because this is not the only year that we find that the human vector is probably the most susceptible, and theoretically the easiest one by which to combat things."
"You don't have to pay a fortune for a SIEM solution or an intrusion detection solution, you actually have to enforce some basic standards," he added. "Our message is that training is the simplest thing you can do with people."
Not everyone agrees, however. Bromium's EMEA CTO, Fraser Kyne, said that companies need to spend less time focusing on employee training, not more.
"What most interested me in this year's report was that phishing attacks are actually becoming even more prevalent," he said. "One in 14 users are being duped into clicking on a bad link or attachment; but even worse, a quarter of those people go on to do it again. There is a phrase that I think is very apt here - "You can't patch stupidity'.
"Organisations therefore need to shift the onus away from controlling user behaviour if they are to get a handle on the situation. The best way of mitigating phishing attacks is to have a safety net in place, allowing end users to click with freedom, without having to worry too much about stumbling upon a bad link or malicious attachment."
The report included further interesting findings, such as the fact that organised crime gangs were behind more than half of all breaches, almost 70% of all threats to healthcare come from within the organisation, and around 50% of attacks on educational institutions were perpetrated by state-affiliated hackers.
Unsurprisingly, ransomware has also gone up by 50% compared to last year's report. Across the numerous reports put out by the security industry, a consistent rise in ransomware activity is one of the universal constants.
Source: ITPRO
Saturday, 29 April 2017
GDPR (General Data Protection Regulation) Compliance Requirements
Overview
The European General Data Protection Regulation will come into force throughout Europe by 2018. It is a major change to EU data protection law and includes a significant increase in sanctions. The Council of The European Union has finished writing its new Regulation – “The Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data,” commonly known as the General Data Protection Regulation or GDPR. It was circulated in December 2015.
The EU Parliament formally adopted the new regulation on April 14, 2016. It is due to come into force two years and 20 days after being adopted, so will become law automatically in every EU country on or around May 4, 2018.
The project to write the EU GDPR started in 2012, and is a major update to the previous EU Data Protection Directive published in 1995. It is intended to harmonize the laws across the 28 member states, clarify areas that were previously interpreted differently in different countries, increase its scope to include any organization or individual that collects data on EU citizens, and ensure that the regulations are enforced in a similar manner across all states.
Any organization that collects data (a “data controller”) or stores and processes data (a “data processor”) on residents of the EU must conform to this regulation and incorporate appropriate policies and technology to conform.
The full regulation covers many areas. The top ten provisions are:
Increased fines. Fines can be up to 4% of global turnover or €20M, whichever is higher.Opt-in consent. Users must give clear, unambiguous consent for you to use their data and you must only use it for the purpose defined.Breach notification. The local supervisory authority (see Supervisory Authorities & Their Responsibilities) must be informed within 72 hours of any data loss and users informed “as soon as possible.”Territorial scope. Any organization with data on EU residents has to conform, wherever they are based.Joint liability. Data controllers and data processors are jointly liable for data loss incidents.Right to removal. Users have the right to demand the removal of their data.Removes ambiguity. One law across the EU.Data transfer. Transferring data outside the EU is allowed, but the data controller is ultimately responsible if data is lost via a non-EU cloud provider.Common enforcement. The enforcement agencies are expected to enforce consistently across all the countries.Collective redress. Users can work together to sue using class action lawsuits.
Who does it affect?
GDPR applies to any organization (commercial or governmental) globally that collects, stores, or processes data on EU individuals. The law is an expansion of the previous directive which only affected data controllers and could only be enforced on organizations themselves based in the EU. Data processors are now jointly liable with data controllers, so if your organization collects data on individuals and then outsources the processing of that data to another entity, both you and they are jointly liable for that data.
Data controllers outside the EU
Some data controllers based outside the European Union have, in the past, claimed that they are not subject to the directive because they are not based in one of the 28 countries of the EU. The regulation makes it very clear that anyone, wherever the organization is based, is responsible if they are processing data on European data subjects.
An organization does not need to have a legal presence in a particular EU country for the courts to decide that it is responsible there to the supervisory authority. The Weltimmo case has found that the company is responsible in Hungary even though its headquarters was in another country, Slovakia. As it had at least one employee in Hungary and was offering a service to Hungarian customers via its website, it was liable for the Hungarian interpretation of data privacy laws.
Definition of personal data
The law has been written in a way that does not specify everything that is personal data to ensure the law does not become out of date if a new way of identifying people appears. Broadly speaking, any data that identifies a living person is considered personal data.
Consequences of noncompliance
The current data protection directive left the decision on the imposition of fines and the level of fines to the member states, which has resulted in different levels of fines for each country. Over time, these fines have also been modified. For example, the maximum fine that the UK regulator was able to impose in 1998 was £50,000; this was then increased to £500,000 in April 2010. Over the years, the average fine for a data breach has risen with the largest to date at £350,000 imposed in February 2016. The regulation states that fines should be “effective, proportionate and dissuasive” and the maximum possible fine has been increased to ensure that it gets the attention of organizations
The maximum fine is now €20,000,000 or up to 4% of global turnover of an organization, whichever is higher for breaking the key articles of the regulation. The introduction of the regulation states “The protection of natural persons in relation to the processing of personal data is a fundamental right… everyone has the right to the protection of personal data concerning him or her.” This level of fines should leave no one in any doubt that data protection is taken very seriously and anyone misusing or losing data on people living in the EU countries is at risk of serious penalties.
Source: Skyhigh Networks
The European General Data Protection Regulation will come into force throughout Europe by 2018. It is a major change to EU data protection law and includes a significant increase in sanctions. The Council of The European Union has finished writing its new Regulation – “The Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data,” commonly known as the General Data Protection Regulation or GDPR. It was circulated in December 2015.
The EU Parliament formally adopted the new regulation on April 14, 2016. It is due to come into force two years and 20 days after being adopted, so will become law automatically in every EU country on or around May 4, 2018.
The project to write the EU GDPR started in 2012, and is a major update to the previous EU Data Protection Directive published in 1995. It is intended to harmonize the laws across the 28 member states, clarify areas that were previously interpreted differently in different countries, increase its scope to include any organization or individual that collects data on EU citizens, and ensure that the regulations are enforced in a similar manner across all states.
Any organization that collects data (a “data controller”) or stores and processes data (a “data processor”) on residents of the EU must conform to this regulation and incorporate appropriate policies and technology to conform.
The full regulation covers many areas. The top ten provisions are:
Increased fines. Fines can be up to 4% of global turnover or €20M, whichever is higher.Opt-in consent. Users must give clear, unambiguous consent for you to use their data and you must only use it for the purpose defined.Breach notification. The local supervisory authority (see Supervisory Authorities & Their Responsibilities) must be informed within 72 hours of any data loss and users informed “as soon as possible.”Territorial scope. Any organization with data on EU residents has to conform, wherever they are based.Joint liability. Data controllers and data processors are jointly liable for data loss incidents.Right to removal. Users have the right to demand the removal of their data.Removes ambiguity. One law across the EU.Data transfer. Transferring data outside the EU is allowed, but the data controller is ultimately responsible if data is lost via a non-EU cloud provider.Common enforcement. The enforcement agencies are expected to enforce consistently across all the countries.Collective redress. Users can work together to sue using class action lawsuits.
Who does it affect?
GDPR applies to any organization (commercial or governmental) globally that collects, stores, or processes data on EU individuals. The law is an expansion of the previous directive which only affected data controllers and could only be enforced on organizations themselves based in the EU. Data processors are now jointly liable with data controllers, so if your organization collects data on individuals and then outsources the processing of that data to another entity, both you and they are jointly liable for that data.
Data controllers outside the EU
Some data controllers based outside the European Union have, in the past, claimed that they are not subject to the directive because they are not based in one of the 28 countries of the EU. The regulation makes it very clear that anyone, wherever the organization is based, is responsible if they are processing data on European data subjects.
An organization does not need to have a legal presence in a particular EU country for the courts to decide that it is responsible there to the supervisory authority. The Weltimmo case has found that the company is responsible in Hungary even though its headquarters was in another country, Slovakia. As it had at least one employee in Hungary and was offering a service to Hungarian customers via its website, it was liable for the Hungarian interpretation of data privacy laws.
Definition of personal data
The law has been written in a way that does not specify everything that is personal data to ensure the law does not become out of date if a new way of identifying people appears. Broadly speaking, any data that identifies a living person is considered personal data.
Consequences of noncompliance
The current data protection directive left the decision on the imposition of fines and the level of fines to the member states, which has resulted in different levels of fines for each country. Over time, these fines have also been modified. For example, the maximum fine that the UK regulator was able to impose in 1998 was £50,000; this was then increased to £500,000 in April 2010. Over the years, the average fine for a data breach has risen with the largest to date at £350,000 imposed in February 2016. The regulation states that fines should be “effective, proportionate and dissuasive” and the maximum possible fine has been increased to ensure that it gets the attention of organizations
The maximum fine is now €20,000,000 or up to 4% of global turnover of an organization, whichever is higher for breaking the key articles of the regulation. The introduction of the regulation states “The protection of natural persons in relation to the processing of personal data is a fundamental right… everyone has the right to the protection of personal data concerning him or her.” This level of fines should leave no one in any doubt that data protection is taken very seriously and anyone misusing or losing data on people living in the EU countries is at risk of serious penalties.
Source: Skyhigh Networks
Subscribe to:
Posts (Atom)