New Eurpoean Privacy Standards Comming into Effect

Two years ago the European Union passed the General Data Protection Regulation (GDPR), on May 25th these regulations become enforceable. The GDPR aims to increase the number of privacy controls users have on the web through new privacy standards. Although the regulations were specifically passed by the EU, due to the international nature of the web many people from all over the world will feel its impacts.

These regulations aim to increase user privacy through expanding the scope of consent that sites are required to request. First, consent has to be explicitly given for each specific use of data provided by a customer – meaning web services must implement gradual permission systems. The user must be told exactly what the data is being used for and has a right to access all the information the company has on the user. Companies must also have the ability to prove that consent was given for a particular use of data. Second, a user must be able to withdraw their consent at any time. Lastly, all users have the right to be forgotten. This final provision means that a user can request that any data associated with them to be permanently erased from a companies database.

It is unknown at this time how willing the EU will be to enforce these provisions. However, breaking any of these cars large penalties on per-violation bases. These rules could potentially change the global playfield as many advertising, social media, and other businesses that rely heavily on data collection will be massively affected.

https://www.theverge.com/2018/3/28/17172548/gdpr-compliance-requirements-privacy-notice

https://www.cnbc.com/2018/03/30/gdpr-everything-you-need-to-know.html

https://www.huntonprivacyblog.com/2017/12/15/article-29-working-party-publishes-guidance-on-consent-under-the-gdpr/

Advertisements

Quantum Computing’s Impact on Cyber Security

With more and more technological advancements every day, our vision of quantum computing is turning more into a reality than a theory. Companies like IBM and Microsoft are accelerating forward and becoming closer than ever to build the first fully functioning quantum computer. Seemingly on the edge of an almost quantum revolution, it’s important to ask questions about how integral parts of our lives like cyber security will be affected by this change.

First, let’s understand what quantum computing is. Comparing it to modern computing, which relies on discrete values of a bit being either a 0 or a 1, quantum computing would allow both of these possibilities to exist simultaneously in something called qubits, and these values only truly form when they are observed. This allows quantum computers to handle operations and equations at speeds that are exponentially higher than what we are used to in modern computers and their energy costs are far less.

How does this effect today’s security? Many of today’s security systems rely on cryptography, this is because normal computers struggle at factoring large numbers. This means that cryptography based on factoring numbers would be a safe bet against our technology today, but with the introduction of quantum computing, these practices would be useless. This isn’t the end of cryptography though because there are some approaches in use today that will be safe against the power of a quantum computer. That doesn’t mean that important companies and governments are using them though, and if quantum computing is to take off faster than anticipated they could run into some trouble. Other security strategies that are used today, like two-factor authentication, will still be just as effective after the introduction of quantum computing, due to multiple steps being taken by the person to log into a system.

Tomorrow’s security will be something almost unfathomable with quantum-based security implementations. Techniques like theoretically unbreakable cryptography, encrypting data to stop working if anyone attempts to uncover them and guaranteeing a safe passage to send data no matter what attacks are being used against it can all be potentially achieved with quantum computing. It’s not all positive though because with the power to develop secure techniques comes the power to exploit older strategies. An almost quantum arms race has begun between intelligence agencies and this is because the first agency to gain access to quantum computing power will have an incredible edge over all other counties.

Although quantum computers may never be a household item, their impact in the world will definitely be historical. While many of their advancements will benefit society and the internet infrastructure as we know it, it is still important to make sure what the world is ready for a step this large.

-Jeremy McGrath

Sources:

https://www.technative.io/how-will-quantum-computing-impact-cyber-security/

https://www.nasdaq.com/article/quantum-computing-what-it-is-and-who-the-major-players-are-cm939998

 

Sanitize your strings, kiddos

Trusting user inputted strings has always been a problem in computing. Users will always find a way to break your application with some kind of weird character. Programmers have found clever ways to get around this, such as preparing SQL statements, escaping unknown characters, or just returning an error when coming across unknown text. However, with the rise of the internet and the availability of tools, hackers have gotten smarter at the way they attack inputs.

In the last month of so, Django found this out in their django.utils.text.Truncator class. This class had two methods, chars() and words() which would attempt to clean input.

Well, for some reason, users wanted a way to clean HTML with these methods, so Django added a html keyword argument to the methods, which would attempt to clean the text as if it were HTML. However, due to a catastrophic backtracking vulnerability in a regular expression in those functions, malicious users could input complicated HTML that would take a long time to process. This would result in a DoS attack on the web server, and bring down services to other users. Uh-oh.

So, looking at the CVE, you can see the security community ranked it a 5, the highest rating. Needless to say, Django quickly patched the issue and launched a hot fix.

The moral of the story is that security vulnerabilities can happen to anyone, and you should know what the framework you are using is doing, instead of just blatantly trusting that it will work. Be aware of security in your everyday life.

— Kyle Kaniecki

2020 Online Census

In two years the United States will be conducting the census like they do every 10 years. This time though will be different. The United States will be doing a primarily online census. This could be a giant security risk.

Back in 2016, Australia decided to try an online census. As soon as the survey was posted hackers performed a giant denial-of -service attack that caused the system to go down for 2 days. Though no information was breached it still was an embarrassment for the country and proved that they weren’t ready.

The United States has been toying around with the idea of doing an online census since 2000 but it wasn’t used in 2010 do to a lack of trust in data collection effectiveness and security. It seems that the lack of trust hasn’t gone away but the pressure to move digital has caused this change.

Problems are already popping up in this census. The bureau is rushing it out which has prevented thorough testing of the security. In the tests that were conducted the data had issues being transmitted and received.

Not receiving the data could be the least of our worries though. Hackers could flood the census with phony data or breach data and release it. Both of these outcome won’t look good on our government and will further a distrust people already have since the election. Maybe it is best to wait another 10 years until our platform is more secure and trustworthy.

—- Bailey Pearson

Sources:

https://www.motherjones.com/politics/2018/03/the-2020-census-is-a-cybersecurity-fiasco-waiting-to-happen/

Web Injects Used to Steal Bitcoin Money

With the increased use of cryptocurrency, hackers have started employing the use of Web injects to intercept payments and acquire user information.  Of course when it comes to hacking there are many ways, but this report is intended to inform readers of how Web injects work and why they can be hard to identify.  What a Web inject does is while the page loads, malware that changes the web page before the user sees it.  In this article, two website Web injects are used for Coinbase and Blockchain.info.  With Coinbase, the inject disables the enter key forcing the user to press a fake submit button, thus giving the user credentials to the hacker.  Likewise, the Web injects for Blockchain.info changes the web page so that the payment transaction goes to the hacker.

In the future, the use of online websites for bitcoin transactions (or payment transactions in general) will continue to increase.  A study claimed that by 2024, the number of bitcoin users will reach 200 million (RT news).  Therefore, hackers will always try to exploit the user’s information.  So in the future, companies with online payment platforms and bitcoin wallets will need to continue to research hacker attacks and stay up to date with security.  Also, users should be more aware of the how hackers use Web injections.  So for example, if a button does not work or there is a strange error, they should notify the companies.  This is all that companies and users can really do in this situation.  Just continue to develop security tools and pay attention to details on the webpages.

-Jamie Smith

https://www.darkreading.com/attacks-breaches/criminals-using-web-injects-to-steal-cryptocurrency/d/d-id/1331350

https://www.ccn.com/exponential-growth-number-bitcoin-users-reach-200-million-2024/