Social Engineering

Adwind: a remote access Trojan delivered via Spam Campaign

Written by Alan Ferrari, SUPSI and Enrico Frumento, CEFRIEL

Nowadays, cybercriminals are becoming dramatically more adept, innovative, and stealthy (only 117.649 variants of this specific attack have been seen). The new trends have moved to novel techniques that come with limitless attack vectors, support for cross platforms and low detection rates (source: TrendMicro).
Recently, Adwind (a notorious Java-based cross-platform Remote Access Trojan) has re-emerged and is being used to target enterprises in the aerospace industry, mostly located in Switzerland, Austria, Ukraine, and the US...


WP29’s new opinion on data processing at work

Written by Yung Shin Van Der Sype, KU LEUVEN

Earlier this week the Article 29 Working Party (WP29) released an opinion on data processing at work. This opinion complements the previous publications of the WP29 on data processing in the employment context (i.e. Opinion 8/2001 on the processing of personal data in the employment context, WP 48 and the Working Document on the surveillance of electronic communication in the workplace WP 55)...


Another day, another ransomware: NotPetya

Written by Federico Valentini, CEFRIEL

Another day, another ransomware.
This new strain is called Petya, or PetrWrap, or NotPetya and, according to multiple sources, Ukraine is the most targeted country, followed by Russia. What we saw in the early hours of propagation was a great many technical analyses, many of which turned out to be wrong or inaccurate.
At the time of writing, I can say that this is not the usual ransomware campaign we are used to seeing, because right now it’s clearer that NotPetya is definitely not designed to make money, but rather to cause damage, spreading fast and globally, camouflaged to look like the original Petya ransomware...


Suicides and the Internet: a controversial relation

Written by Davide Andreoletti, SUPSI

In this post we discuss some of the relations between the use of the Internet and the plaguing phenomenon of suicide.
The number of people committing suicide is alarming, with some countries reaching up to 80 suicides per 100000 citizens per year. Recently, several cases of teenage suicide have come under the media spotlight due to a possible link with an online game, called The Blue Whale, spread on the Russian social network VKontakte...


Phishing as a service

Written by Davide Andreoletti, SUPSI

In this post we describe the emerging model of Phishing as a Service (PHaaS).
The increasing complexity and widespread diffusion of IT systems have made a radical paradigm shift necessary, from standalone solutions to the more flexible and cost-effective service-based ones. This is the case, for example, of remarkable cloud-based solutions offering Storage as a Service (e.g., Dropbox)...


Ransomware attacks spread 'world wide'

Written by Enrico Frumento, CEFRIEL

Today, 12 May, a few hours ago, this news spread around the world: ransomware infections reported worldwide. Several news sites, for example the BBC, report that a huge ransomware attack is ongoing.
«There have been reports of infections in as many as 74 countries, including the UK, US, China, Russia, Spain, Italy and Taiwan».
Hackers using a tool stolen from the United States government conducted extensive cyberattacks on Friday that hit vast sections of Europe and Asia, severely disrupting Britain’s public health system and wreaking havoc on computers in at least 11 other countries, including Russia.


What persuasion techniques are generally employed in phishing e-mails?

Written by Davide Andreoletti, SUPSI

In this post we discuss which persuasion techniques are the most influential in phishing e-mails.
Social Engineering aims at manipulating users into performing undesirable actions, which likely lead to a data breach. Therefore, social engineering techniques are deeply rooted in psychology and, in particular, in persuasion techniques. Persuasion techniques have been widely studied in the literature, e.g., concerning marketing and politics.


When to perform a Data Protection Impact Assessment?

Written by Yung Shin Van Der Sype and Michiel Sudnik, CITIP - KU LEUVEN

The General Data Protection Regulation (Regulation 2016/679) (GDPR) was adopted on 4 April 2017 and will apply from 25 May 2018. Article 35 of Regulation 2016/679 requires data controllers to perform a Data Protection Impact Assessment (DPIA) when the processing is “likely to result in a high risk to the rights and freedoms of natural persons”.

To clarify this new GDPR requirement, the Article 29 Working Party recently released a document with guidelines on DPIAs (The Article 29 WP, WP258, 4 April 2017).


Information Sharing and data breaches

Written by Davide Andreoletti, SUPSI

In this post we discuss the issue of data breaches inside companies and, based on the analysed literature, we show that a well-orchestrated information sharing system is a possible solution to mitigate the problem.
Information sharing infrastructure: a viable mitigation solution to data breaches. Fredrik Bergstör, consultant at Tieto, declared that “Data is the new gold”, implying its incredible value in an increasingly digitalized world. In fact, according to Ponemon, the average loss for a breach of 1000 records of data within a company is estimated to be between $52000 and $87000.
As a consequence, the cyber black market has grown to exploit this appealing source of revenue. The black market is characterized by a clear structure with defined entities and roles.


Employees are the weakest link - Enable your employees to effectively become a part of your security team. PART III: The Human Component’s Fundamental Role in AntiPhishing Prevention - Real-World Simulations

Written by Maria Monteiro, Filipe Custódio, VISIONWARE

This article is the third part of a series published by the DOGANA Consortium with the purpose of providing information on how to enable employees to effectively become a part of enterprise security. To better understand this article, please read the previous parts "Companies’ role in Antiphishing Prevention” and "The Human Component’s Fundamental Role in AntiPhishing Prevention — Initial Training".

The best way to prepare employees for real-world attacks is to train them with real-world simulations. Individual learners follow different paths through the instruction based on their responses...

This project has received funding from the European Union’s Horizon 2020 Research and Innovation programme, under grant agreement No. 653618