Many InfoSec and data protection or privacy courses reference 3 authoritative yearly reports that show interesting numbers, statistics and trends about breaches year over year.
And these are extremely useful to talk about to your management…
Interesting to know they all have been updated for 2019.
1. Verizon DBIR
(The Verizon Data breach Investigations Report, DBIR)
Did you ever got a mail from yourself, but you’re sure you did not send it?
This week I got that mail from a mail alias I’m using, so it’s actually not a native mailbox, but a mail forwarder address, which makes the claim that “the mailbox is hacked” pretty silly…
But if you got this message from a native mailbox, it does sound scary, isn’t it?
I already had some similar symptoms on other mail addresses in the same domain.
Symptoms
You get a mail from your own mail address… which is called mail spoofing.
And it looks like:
Spoofed mail message content
Hi!
As you may have noticed, I sent you an email from your account.
This means that I have full access to your account.
I’ve been watching you for a few months now.
The fact is that you were infected with malware through an adult site that you visited.
If you are not familiar with this, I will explain.
Trojan Virus gives me full access and control over a computer or other device.
This means that I can see everything on your screen, turn on the camera and microphone, but you do not know about it.
I also have access to all your contacts and all your correspondence.
Why your antivirus did not detect malware?
Answer: My malware uses the driver, I update its signatures every 4 hours so that your antivirus is silent.
I made a video showing how you satisfy yourself in the left half of the screen, and in the right half you see the video that you watched.
With one click of the mouse, I can send this video to all your emails and contacts on social networks.
I can also post access to all your e-mail correspondence and messengers that you use.
If you want to prevent this,
transfer the amount of $778 to my bitcoin address (if you do not know how to do this, write to Google: “Buy Bitcoin”).
My bitcoin address (BTC Wallet) is: 1GoWy5yMzh3XXBiYxLU9tKCBMgibpznGio
After receiving the payment, I will delete the video and you will never hear me again.
I give you 48 hours to pay.
I have a notice reading this letter, and the timer will work when you see this letter.
Filing a complaint somewhere does not make sense because this email cannot be tracked like my bitcoin address.
I do not make any mistakes.
If I find that you have shared this message with someone else, the video will be immediately distributed.
Best regards!
Root cause
The DNS setting of your domain is missing SPF records, that counter mail spoofing (an unauthorized mail server, user or hacker sending mail as “you”)…
Troubleshooting
When looking at the mail properties it’s pretty difficult (if not impossible) to find out who actually has sent the mail….
Solution
Basic domain settings
Add an SPF record to your domain DNS settings.
To get started, look up your mail provider or hosting provider’s name + SFP.
FYI, I’m hosting my domains at one.com, they’ve got some straight forward advise to configure the DNS. For any other domain, at any other provider it’s similar.
Note-to-self: extended reprint of a LinkedIn post…
I might have mentioned it already, but if you have passed the CCSK exam before, better logon to your CCSK profile on the CSA website and check if you still have an exam token left.
By default you get 2 tokens each exam registration, so…
If you pass your exam the first time, the “second try” backup token is left unused in your profile.
And (if not yet expired) you can use it to upgrade your CCSK to v4.
The page below is a (growing) overview of resources for GDPR info and compliance by Microsoft. The page is updated with other sources I find on my quest for GDPR.
Just a quick hint if you want to contain legal spam under GDPR.
Recital (14) “The protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data. This Regulation does not cover the processing of personal data which concerns legal persons and in particular undertakings established as legal persons, including the name and the form of the legal person and the contact details of the legal person. ”
Recital (26) “The principles of data protection should apply to any information concerning an identified or identifiable natural person. ”
In short, GDPR only applies to natural persons (people breathing), not to legal person (like, the thing with a VAT number or company registration nr).
So: Companies/legal persons can be legally contacted or spammed.
Conclusion: use a general mail address (like info@ or company@) in all non-personal company registrations and contact details, white pages, yellow pages, VAT or government paperwork…
Make sure your official company registration DOES NOT refer to a personal address.
And as owner or delegate, keep your mail address for your personal professional communication, eg signature with personally identifiable contact details (mail, phone, mobile, skype, IM, …).
Because then your personal mail account is related to an identified and identifiable natural person, and covered by GDPR, protected from direct marketing violations. Should be.
