Connections with the Lazarus group and North Korea

Just as of recent, Park Jin Hyok was indicted by the United States. Hyok was indicted with charges of Conspiracy and Conspiracy to Commit Wire Fraud. While his sole indictment was nothing more than identifying a person who was partly responsible in some major cyber attacks around the world since 2014, it helped to start to draw a line between the Lazarus Group and the government of North Korea. Furthermore, his capture itself can lead to exposure of other members of the Larazus Group. To give a little background in what the Lazarus Group is capable of, it takes a bit of history into the atrocities they have committed. In 2014, there was a hack on Sony because of the controversial movie “The Interview”. Next, in 2016, there was a hack on the Bangladesh bank for $81 million. In 2017, the WannaCry which affected well over 250,000 hospitals, corporations, and government agencies in 150 countries within 3 days.

connection

But how could this one hacker from this group lead to the revelation of the sophisticated hacker group? While a huge email infrastructure is good for phishing and the perceived idea that things can be kept secret separate, it was a big reason that the US government were able to identify the vast email infrastructure. Well that and they got lucky because a purported supervisor sent a resume and sent how the “company was doing”, the company being Chosun Expo Joint Venture. Since revealing all the Gmail accounts, Eric Chien from Symantec Corp. has it on good authority that attacks from the Lazarus Group will undoubtedly come to a pause. While this is hardly anything close to being a closed case or bringing down an organization, it’s a spark that can light up the room of the shady Lazarus Group. vast_email_infrastructure

– Andres Orbe

Sources:

Pompeo Discusses Cyber Security at the State Department

Former Secretary of State Rex Tillerson eliminated the cyber security position at the State Department about one month ago. Tillerson eliminated this position in hopes to form “a bureau focused on economic and business affairs.” This act disappointed many members of the US government, and eventually resulted in President Trump replacing Tillerson with the current CIA director Mike Pompeo. John Sullivan will serve as Secretary of State until the US Senate confirms Pompeo’s approval.

Shortly after President Trump fired Tillerson, the CIA began to put more resources into cyber security. Last Thursday, CIA Director Mike Pompeo said, “I can only say that, every element of government has a piece of its cyber duty. It’s one of the challenges that is so deeply divided, that we don’t have a central place to do cyber work.” Many believe the removal of the cyber security position at the State Department foreshadows the US not engaging in foreign affairs with cyber security. Fortunately, numerous state officials have insisted that cyber security remains a top priority at the state department. Pompeo has not given any information to his decision on the cyber security position.

-Spencer Fleming

Source : http://thehill.com/policy/cybersecurity/382882-pompeo-pressed-on-plans-for-cyber-at-state

New Laws for Security in the UK Energy Industry

Due to the rapid development and advancement of technology, laws have had a hard time keeping up with modern practices and problems. Increasingly more industries have started to include some connection to the Internet of Things, thus providing more opportunities for hackers to attack. One such industry is the energy industry. Currently, the UK is in the process of developing laws to ensure a certain amount of security is implemented by energy companies. These laws will require that the energy companies put particular measures in place in order to protect sensitive personal data. One aspect of these laws is that the process for reporting a company’s compliance will be more involved, and require the company to show how they are meeting the requirements, not just say that they are. Consequences of not complying with these regulations will be in the form of fees based on either a flat rate or an amount based off of their global turnover depending on the size of the company.

While this does place more burden on the companies in terms of forcing them to invest in security properly, one aim of these laws is actually beneficial to them. These laws aim to increase public trust in industries using network connections. This past year, the UK has seen a great increase in attacks compared to previous years, which has taken a toll on the confidence the public has in online security. Therefore, this law hopes to help push companies to increase their protection and save them from attacks which will not only lead to stolen customer data but also to a drop in public confidence.

~Rebecca Medina

Source: http://www.powerengineeringint.com/articles/print/volume-26/issue-2/features/the-cybersecurity-laws-you-must-know.html

New Eurpoean Privacy Standards Comming into Effect

Two years ago the European Union passed the General Data Protection Regulation (GDPR), on May 25th these regulations become enforceable. The GDPR aims to increase the number of privacy controls users have on the web through new privacy standards. Although the regulations were specifically passed by the EU, due to the international nature of the web many people from all over the world will feel its impacts.

These regulations aim to increase user privacy through expanding the scope of consent that sites are required to request. First, consent has to be explicitly given for each specific use of data provided by a customer – meaning web services must implement gradual permission systems. The user must be told exactly what the data is being used for and has a right to access all the information the company has on the user. Companies must also have the ability to prove that consent was given for a particular use of data. Second, a user must be able to withdraw their consent at any time. Lastly, all users have the right to be forgotten. This final provision means that a user can request that any data associated with them to be permanently erased from a companies database.

It is unknown at this time how willing the EU will be to enforce these provisions. However, breaking any of these cars large penalties on per-violation bases. These rules could potentially change the global playfield as many advertising, social media, and other businesses that rely heavily on data collection will be massively affected.

https://www.theverge.com/2018/3/28/17172548/gdpr-compliance-requirements-privacy-notice

https://www.cnbc.com/2018/03/30/gdpr-everything-you-need-to-know.html

https://www.huntonprivacyblog.com/2017/12/15/article-29-working-party-publishes-guidance-on-consent-under-the-gdpr/

Facebook’s personal data acquisition and use in the wake of court rulings

On Monday, February 12, a ruling from a German court regarding Facebook’s default privacy settings and personal data use was made publicly available. The ruling handed down from a regional court in Berlin found five of Facebook’s default privacy settings and eight clauses of their terms of service to be in breach of consumer law. A similar case in Belgium occurred later that week, on the 16th of February, in which Facebook has been ordered to cease tracking through third party sites. These rulings appear to be continuing a precedent of European concern regarding Facebook’s collection, use, and distribution of both consumer and non-consumer data.

Under the requirement for explicit and informed consent, the German court ruled that the default privacy settings were in violation of German data protection laws. Other rulings of interest are as follows: “read and understood” clauses are invalid, a clause that required users to use their real names or names they are popularly identified by was ruled invalid, and a clause that was designed to give consent for Facebook to transfer user data to the United States was ruled invalid.

The ruling regarding “read and understood” clauses has interesting implications regarding the future of methods of consent in Europe. A great number of services have obscenely long terms of service contracts which are generally ignored but serve as the primary form of communicating the conditions of a product’s use. If these sorts of terms and service contracts can be declared invalid under the assumption that a user cannot be expected to fully read and understand the terms, then it could potentially force companies to either find alternative ways of setting terms of use or just encourage companies to shorten them.

The removal of a “real name” clause theoretically removes a convenient user id for select users, possibly requiring Facebook to resort to cross referencing to tie data available on Facebook with other identifying data in order to maintain the same user data structure they once had. This would be complicated by the fact that cross-referencing personally identifiable data is currently illegal in all EU countries, and Facebook has already faced an EU taskforce in October of the previous year regarding the cross-referencing of data between Facebook and WhatsApp. Of course, the implications of the removal of the “real name” clause runs under the assumption that Facebook haven’t already discovered or designed a more convenient alternative.

The final ruling of interest here regarding the transfer of personal data to the US actually has much stronger implications on the value of the personal data collected by Facebook than it seems. Much of the data collected by Facebook is very niche, and not very useful for their advertisement algorithms on their own. To allow for more insights into this data, Facebook cross-references the individual data sources in order to generate a more valuable combined dataset for their algorithms and for other companies. In Europe, however, the cross-referencing is complicated because of the illegality mentioned previously. To circumvent this, Facebook would send the individual data to the United States, where cross-referencing personal data is legal, combine the data sets, and then send the combined dataset back to Europe. This ruling could remove the ability for companies to circumvent the data protection laws via this method, which would reduce the desire for companies to gather as much niche data.

– S. Carlton

References:

Court Ruling (German):

https://www.vzbv.de/sites/default/files/downloads/2018/02/12/facebook_lg_berlin.pdf

German Court News:

https://www.reuters.com/article/us-germany-facebook/german-court-rules-facebook-use-of-personal-data-illegal-idUSKBN1FW1FI?il=0

https://www.theguardian.com/technology/2018/feb/12/facebook-personal-data-privacy-settings-ruled-illegal-german-court

https://www.theguardian.com/technology/2017/oct/26/whatsapp-facebook-eu-data-article-29-working-party-taskforce-sharing-user

Belgian Court News:

https://www.theguardian.com/technology/2018/feb/16/facebook-ordered-stop-collecting-user-data-fines-belgian-court