December 2, 2019

How Cyber Forensics Can Help Battle Fake News

by Danka Mihajlovic

It is a fact that made-up “facts” existed long before the internet. Still, the term fake news became so infamous recently because the internet and the technology behind it enabled super-fast dissemination of all kinds of disinformation, from doctored photos and videos to hoaxes and deliberate lies.

Fraudsters just love the online environment, in which they can reach a large number of people all over the world with little effort. They count on the dark side of human nature: the tendency to pick only those bits of data that confirm one’s preexisting beliefs.

Fake news can prove harmless, but most of the time it is not. When news of the sudden death of Ethereum’s 21-year-old founder Vitalik Buterin went viral in 2017, it dropped the value of the world’s second most valuable cryptocurrency by $4 billion. When it turned out to be just another piece of fake news, it seemed that the damage was already done.

Recent research confirmed long-suspected rumours. Both Donald Trump's victory in the 2016 US presidential election and the success of the anti-Brexit movement have a lot in common with the rise of disinformation online. As the new US election approaches, concern about this topic is rising.

Judging by the last elections, it seems that a lot of internet users managed to recognize and ignore basic manipulations. Also, the list of free online tools used for debunking fake content gets longer every day. Yet the problem persists, as new ways of manipulating online content flourish and hoaxers become more subtle and cautious.

Focus: Where do all those dubious websites lead to?

Fortunately, even though every internet user should bear responsibility for the content they share, users aren’t alone in this process. A growing number of fact-checking outlets and NGOs that aim to counter the spread of misinformation shows that they take the problem seriously. The latest example comes from the international NGO EU Disinfo Lab, which discovered 265 coordinated fake local media outlets in more than 65 countries that serve Indian governmental interests. A debunking effort this large would take ages if done only manually.

Debunking big disinformation campaigns is a time-consuming process. It also requires a lot of trained staff and tools that automate debunking operations. Time plays an important role in this process because if debunking comes too late, the damage may already be irreparable. Spotting a fake story or media outlet at its very beginning means preventing those stories from going viral or gaining attention.

New solutions: Find what others try to hide

It is already common practice among investigative journalists, activists and social media watchdogs to use all kinds of available tools to collect evidence of coordination between domains that claim to be independent while trying to hide their origin. However, it is not always easy to prove that such connections exist, even when there is reasonable suspicion.

Abstract can be of great help in finding evidence of a connection between dubious websites and other online resources. Online activities often leave traces that online actors aren’t always aware of. Abstract conducts an investigation on its own across various online layers and brings back results in a human-readable format that binds a wide range of information into sensible and usable data.

This tool won’t be of great help when investigating whether one particular story, picture or video is fake. However, it can be of invaluable benefit to journalists when uncovering a whole network of fake, fraudulent or scam websites. Instead of searching for a needle in a haystack, cyber forensic tools can help you build a whole haystack made of needles.

In this task, Abstract and investigative journalists share the same aim: to find what others are trying to hide.

December 2, 2019

You Know What GDPR Is, but Do Your Vendors Know?

by Danka Mihajlovic

Although not all entrepreneurs welcomed GDPR with open arms, it has been an obligation and part of the business routine for more than a year. The new regulation made handling consumer data more complex and expensive, but on the other hand, it helped customers gain a greater level of control over their data. Companies must take the required steps to protect citizens’ data in their care, but that’s not where the story ends. The GDPR clearly states that if a company has any third-party contracts which involve the processing of personal data, then those partners also need to ensure GDPR compliance.

GDPR fines await those who don’t comply

After the infamous Magecart group used a card-skimming script to extract confidential data from around 380,000 British Airways customers over two weeks, the UK's data protection authority (ICO) fined BA ~€204 million. This record-high fine came as a result of “poor security arrangement at the company”, as the ICO said in its statement. It was the first fine that was drastically higher than those under prior regulations. It guaranteed a stricter GDPR fines policy from then on.

The GDPR Enforcement Tracker keeps track of all public fines and penalties that data protection authorities within the EU have imposed under the GDPR. The list is constantly getting longer. It is obvious from the list that failing to check whether third-party processors are GDPR compliant means costly fines for businesses. In some cases, violators of the GDPR may be fined up to €20 million or up to 4% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher. And that’s just for one breach.

Third parties are typical of the way most companies process confidential data. They may span the whole spectrum, from cloud platforms and cloud-hosted finance and HR applications to advertising agencies and web analytics software. The third-party ecosystem carries a significant amount of risk for a controller (the primary organization), considering that, according to the results of Opus & Ponemon Institute research, almost 60% of last year's data breaches at US companies can be traced back to third-party affiliations.

On the other hand, third parties are also an important source of business value and strategic advantage. As the need for third parties continues to grow, so do the associated risks. In the end, those risks can bring reputational damage or financial loss to the company.

Mitigating third-party risk

To obtain true protection for users, a company must manage and keep control of its third parties. In the ideal case, organizations pass their data protection policies and procedures on to their third parties and then monitor proper compliance.

As GDPR’s main concern is how to protect individuals and their sensitive data, the possible financial and reputational damage to a company relates to how sensitive the breached data was, not to where in the handling chain the data was leaked. That means that primary organizations can’t excuse themselves and point fingers at third parties if a data breach happens. Third-party risk must be dealt with proactively, making sure that compliance is taken seriously.

The first step in that direction is an independent external assessment. Investigating the internet security posture of a third party will reveal any apparent problems, and also how the company’s present or future partners relate to data security. Collecting external data about the vendor’s security habits is essential when considering its reliability and should come before any inner look into the vendor’s technologies and processes.

It is important to be aware that oversights at this early stage may lead to very big and unwanted consequences, including high GDPR fines and reputational damage. The choice of the right tool for external assessment is crucial for keeping sensitive data away from malicious attackers. ABSTRACT provides comprehensive insight into one’s cybersecurity standing, inventory of web applications and infrastructure, as well as other critical business data.

Recent research says that hackers are aware that your third parties may be your biggest weakness. Don’t let the hackers outsmart you.