ICYMI: EU data protection, iPhone spyware and Flash zero-days

Infosec teams unprepared for new EU data protection laws

In a new survey, anti-malware specialist FireEye revealed that more than one-third (39 percent) of organisations in the UK, Germany and France do not have the defensive measures in place for the EU's Network and Information Security (NIS) directive and General Data Protection Regulation (GDPR), and that preparedness for the long-awaited GDPR was lower still.

Only two-thirds of respondents (66 percent) said that their firm fully understood the impact of the proposed regulations, while the study highlighted that more than half had serious reservations over the proposed fines (58 percent), the potential damage to business reputation (57 percent) and the loss of business and/or revenue (58 percent). In addition, 60 percent claimed that there was “no clear guidance” on the legislation, while 68 percent and 56 percent respectively bemoaned implementation costs and policy complexity.

Just days after the survey was published, the EU said that the GDPR will come into effect in 2015.

NSA whistleblower Edward Snowden warns of iPhone spyware

NSA whistle-blower Edward Snowden reportedly refuses to use Apple's iPhone because he fears the handset can be monitored by spy agencies.

Snowden's lawyer, Anatoly Kucherena, said that he will not use the iPhone for fear of secret services being able to track his actions and view transmitted data.

“Edward never uses an iPhone, he's got a simple phone,” said Kucherena in an interview. “The iPhone has special software that can activate itself without the owner having to press a button and gather information about him, that's why, on security grounds, he refused to have this phone.”

The attorney did not elaborate on this software, although Snowden's latest leaks to Der Spiegel described how the NSA spyware program ‘DROPOUTJEEP’ can be used to identify (via the Apple device's UDID) and spy on any Apple iPhone and its user.

Tech companies must surrender their crypto-keys, says EU adviser

Internet and telecoms companies should be forced to hand over their data encryption keys to security agencies, according to the European Union's counter-terrorism co-ordinator.

Gilles de Kerchove's controversial call comes in a briefing note that “sets out priorities which should be taken forward urgently” by EU Justice and Home Affairs Ministers.

The 14-page document, which has been leaked to the London-based civil rights group Statewatch, complains that “the encryption internet and telecoms companies have started to use increasingly makes lawful interception by the relevant national authorities technically difficult or even impossible”.

Adobe suffers second zero-day in 24 hours

Adobe has been hit by two zero-day flaws in the space of 24 hours, raising questions over the safety of its Flash Player platform, which is being heavily targeted by cyber-criminals.

First, as reported by SC, security researcher ‘Kafeine’ discovered that black hats were using the ‘Angler’ exploit kit to mount attacks on Flash Player through a previously unknown bug (CVE-2015-0311).

But inside 24 hours, Adobe admitted that a second zero-day (CVE-2015-0310) was also being used in attacks in the wild.

In a 22 January advisory, the company said this bug “could be used to circumvent memory randomisation mitigations on the Windows platform”, and that it was being “used in attacks against older versions of Flash Player”. The firm has issued an out-of-band patch.

UK government extends Cyber Essentials to charities

The UK government has partnered with the IASME consortium and the Give01Day not-for-profit organisation to offer Cyber Essentials certification to UK charities to help them keep safe online.

The partnership aims to educate, inform and spread the word on the scheme, whilst also ensuring that signed-up charities meet the standards required.

Charities are eligible to sign up for Cyber Essentials (a self-assessment questionnaire which is later verified by a certified body to ensure the standards have been met) or Cyber Essentials Plus (which adds external testing of the charity's cyber-security controls). Give01Day says that it is offering a “limited” number of wholly subsidised certifications, with this funding being supported by a number of security companies.

As an added bonus, any UK-based certified charity that meets the requirements will be eligible to receive free cyber-liability insurance, so long as their annual turnover is less than £20 million per year. This insurance will cover them for up to £25,000 in the event of a cyber-breach.