Get under the skin of ransomware


In 2016 alone, hackers have taken over $1 billion in ransoms from users trying to retrieve their files after being infected with ransomware.

Ransomware is the most successful malware attack today. It works by locking up your files and crippling your systems until you’ve handed over money.

One of the biggest problems in the fight against ransomware is that the attacks are constantly being reinvented. Cybercriminals keep finding new methods of spreading the malware and evading detection, and some are even developing ransomware that deletes itself as soon as the files are encrypted, so that IT security teams cannot even determine which variant was on the system.

This video digs deeper into the inner workings of ransomware, the techniques crooks use to evade traditional technologies, and how the malware can be stopped:

Want more anti-ransomware tools and tips?

Head over to the End of Ransomware page at Sophos.com.



Join our webcast: Stop the Exploit. Stop the Attack.


We know ransomware is one of the biggest threats facing organizations today, but the security industry has traditionally struggled to keep up with this sophisticated, ever-changing attack. Until now.

Deploying a range of innovative next-gen technologies to block all kinds of advanced attacks, Sophos Intercept X is designed to stop ransomware in its tracks. It gives you comprehensive protection from rootkits, zero-day vulnerabilities, malicious traffic, and everything in-between.

Join Karl Ackerman, principal product manager at Sophos, for a live webcast on why Intercept X is the strongest next-gen offering on the market.

You will discover:

– How endpoint threats have evolved
– 2016 threat landscape: know what you’re up against
– Next-gen technologies to prevent attacks: CryptoGuard, Anti-Exploit, RCA and Sophos Clean

What: Stop the Exploit. Stop the Attack.

When: Wednesday, December 7, 2:00 pm EST

Register now!



Did the Supreme Court of Canada formally establish a new form of consent? Is "implied consent" really "deemed, irrevocable consent"?

I just posted a comment on the new Royal Bank of Canada v. Trang decision from the Supreme Court of Canada (Supreme Court of Canada permits disclosure of mortgage document over debtor’s privacy objections), but there’s an aspect of it I’d like to dig into further.

On close review, it does appear that the Supreme Court of Canada has — perhaps inadvertently — re-written a key aspect of the Personal Information Protection and Electronic Documents Act (“PIPEDA”). In the decision, the Court found that Scotiabank had Trang’s implied consent to disclose a mortgage discharge statement to the Royal Bank of Canada. I don’t think that’s very controversial, but if you dig into it, the Court’s conclusion is significant. It found that “implied consent” is really not consent, but deemed and irrevocable consent where it’s reasonable.

“Implied consent” is consent where you can imply someone’s permission or consent from the circumstances. For example, if I ask someone for their name and address to send them something and they give their name and address, you can imply their consent to use it for that purpose. In other circumstances, it can be unspoken. If I were to ask the same person for their name and address and it is clear in the circumstances that I’d be using it to send them something, their consent can be implied by their providing the information.

This is in contrast to express consent, which is where the individual has expressed his or her consent at the time. (“Yes, I give you consent to use my name and address to send me that thing.”)

All of this is clear from PIPEDA. But what is also clear from PIPEDA is that an individual can withdraw his or her consent at any time:

4.3.8 An individual may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. The organization shall inform the individual of the implications of such withdrawal.

In the Trang case, it was abundantly clear that Trang did not consent to any disclosure of the mortgage discharge statement. While the decision does not specifically say that Trang revoked it, it is clear that Trang was asked and did not consent. Further, Trang did not appear at an examination in aid of execution. (I’d imply no consent there.)

So what does this mean? In short, “implied consent” as used by the Supreme Court here is really not “implied consent” but “deemed consent”. It is a consent that is reasonable in the circumstances but cannot be revoked or overridden. It occurs regardless of the actual wishes of the individual. And that’s a big deal.

Now, I don’t think that the Supreme Court just made this up. You might even say it is necessary given that PIPEDA only has a limited number of circumstances where an organization can do away with consent, all of which are listed in s. 7 of the Act. We can see many examples in findings from the Office of the Privacy Commissioner of Canada, particularly those that arise in the workplace. For example, in Transit driver objects to use of technology (MDT and GPS) on company vehicle, the Commissioner found there was implied consent for the transit operator to use GPS to track the driver’s movements on the job. The driver who complained clearly objected and definitively communicated a lack of consent, but the Commissioner found that the purpose was reasonable and that notice was given to the employees, so all was kosher.

Much of this has been fixed with the Digital Privacy Act (but only for employees), which added this new section 7.3:

Employment relationship

7.3 In addition to the circumstances set out in section 7, for the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, a federal work, undertaking or business may collect, use and disclose personal information without the consent of the individual if

(a) the collection, use or disclosure is necessary to establish, manage or terminate an employment relationship between the federal work, undertaking or business and the individual; and

(b) the federal work, undertaking or business has informed the individual that the personal information will be or may be collected, used or disclosed for those purposes.

So 7.3 fixes it and makes this discussion moot in the employment context, but the Supreme Court’s decision seems to support the proposition that there are circumstances where implied consent really equals deemed, irrevocable consent.

I hesitate to predict how this will play out in the future, but it’s likely significant.


Rule 41 — FBI Gets Expanded Power to Hack any Computer in the World


Hacking multiple computers across the world just got easier for United States intelligence and law enforcement agencies from today onwards. The changes to Rule 41 of the Federal Rules of Criminal Procedure, introduced by the United States Department of Justice, came into effect on Thursday, after an effort to block the changes failed on Wednesday. The change grants the FBI much greater

UPDATE Firefox and Tor to Patch Critical Zero-day Vulnerability


The critical Firefox vulnerability being actively exploited in the wild to unmask Tor users has been patched with the release of new browser updates. Both Mozilla and the Tor Project have patched the vulnerability, which allows attackers to remotely execute malicious code on Windows via a memory corruption bug in the Firefox web browser. Tor Browser Bundle is a repackaged

Password Manager Pro — Easiest Way to Keep Enterprises Secure


Recent corporate breaches have taught us something important: the average enterprise user is spectacularly bad at choosing good passwords. As the modern enterprise becomes a hybrid organization with infrastructure spread across on-premises data centers and the cloud, the security of information, applications, and assets has become a paramount concern. Cyber security is no longer an

Supreme Court of Canada permits disclosure of mortgage document over debtor’s privacy objections

The Supreme Court of Canada has recently applied common sense to prevent debtors from using Canadian privacy laws to tie the hands of lenders looking to enforce their legal rights.

In a proceeding brought by the Royal Bank of Canada against a debtor, the bank required the mortgage discharge statement held by Scotiabank in order to complete a sheriff’s sale of the property. Scotiabank took the view, following Citi Cards Canada Inc. v. Pleasance, 2011 ONCA 3, that the discharge statement is “personal information” and that the Personal Information Protection and Electronic Documents Act (“PIPEDA”) prohibits its disclosure unless there is consent or a court order. The debtor would not consent.

The Royal Bank brought a motion for such an order and was denied, citing the Citi Cards case. The Ontario Court of Appeal upheld this decision.

Ultimately, in front of the Supreme Court of Canada (Royal Bank of Canada v. Trang), the Court overruled Citi Cards and made some interesting observations that likely have broader application. The Court principally considered two questions: first, would the order sought by the Royal Bank satisfy the exception to PIPEDA’s consent requirement that permits disclosure pursuant to a court order? Secondly, is there implied consent so that a mortgage discharge statement can be disclosed to a judgment creditor?

On the first question, the Court was clear that a creditor can seek and obtain such an order, and that the order would satisfy the provisions of PIPEDA:

[31] Further, it is clear that this is a case in which it was appropriate to make an order for disclosure. The majority of the Court of Appeal observed that a party seeking an order under rule 60.18(6) must demonstrate “difficulty” in enforcing its judgment, and that “courts should be reticent to require strangers to the litigation to appear on a motion” (para. 77). Hoy A.C.J.O. concluded, however, that rule 60.18(6)(a) can be applied less cautiously where a mortgagee is being examined in order to obtain a mortgage discharge statement. I agree. As Hoy A.C.J.O. noted, a mortgagee is not a stranger to the litigation in the sense that its interest in the property is at issue as well — the sheriff requires the mortgage discharge statement in part to settle the priority between mortgagees and creditors. Moreover, in practice, only the mortgagee can produce a mortgage discharge statement.

[32] I also agree with Hoy A.C.J.O. regarding the application of rule 60.18(6). I conclude that an order requiring disclosure can be made by a court in this context if either the debtor fails to respond to a written request that he or she sign a form consenting to the provision of the mortgage discharge statement to the creditor, or fails to attend a single judgment debtor examination. A creditor who has already obtained a judgment, filed a writ of seizure and sale, and completed one of the two above-mentioned steps has proven its claim and provided notice. Provided the judgment creditor serves the debtor with the motion to obtain disclosure, the creditor should be entitled to an order for disclosure. A judgment creditor in such a situation should not be required to undergo a cumbersome and costly procedure to realize its debt. The foregoing is a sufficient basis to order Scotiabank to produce the statement to RBC, and I would so order. But there is more in the present case.

On the second question, the Court effectively determined that an order – while available – is not necessary. It can be given under implied consent. PIPEDA provides that implied consent can be applicable where the information is less sensitive. Though financial information is generally considered to be sensitive, the Court noted that the information in a mortgage discharge statement is at the less sensitive end of that spectrum. PIPEDA also states that the reasonable expectations of the individual are relevant in the circumstances.

[43] Turning to the reasonable expectations of the individual, the parties disagree on the appropriate scope of the inquiry. The Privacy Commissioner submits that only the relationship between the Trangs as mortgagors and Scotiabank as mortgagee is relevant to assessing the Trangs’ reasonable expectations in the circumstances; the relationship between the Trangs and RBC has no role to play. On the other hand, RBC argues that the party receiving the disclosure is a relevant consideration when determining the Trangs’ reasonable expectations.

[44] In my view, when determining the reasonable expectations of the individual, the whole context is important. This is supported by the Office of the Privacy Commissioner’s consideration of context in various decisions: PIPEDA Report of Findings No. 2014-013; PIPEDA Case Summary No. 2009-003; PIPEDA Case Summary No. 311. Indeed, to do otherwise would unduly prioritize privacy interests over the legitimate business concerns that PIPEDA was also designed to reflect, bearing in mind that the overall intent of PIPEDA is “to promote both privacy and legitimate business concerns”: L. M. Austin, “Reviewing PIPEDA: Control, Privacy and the Limits of Fair Information Practices” (2006), 44 Can. Bus. L.J. 21, at p. 38.

[45] As the motion judge observed in the initial motion, and as I have already noted, a mortgage discharge statement “is not something that is merely a private matter between the mortgagee and mortgagor, but rather is something on which the rights of others depends, and accordingly is something they have a right to know” (2012 ONSC 3272 (CanLII), para. 29). In other words, the legitimate business interests of other creditors are a relevant part of the context which informs the reasonable expectations of the mortgagor.

Looking at the situation and assuming a “reasonable debtor”, the Court found implied consent:

[48] Here, RBC is seeking disclosure regarding the very asset it is entitled to, and intends to, realize on. A reasonable person borrowing money knows that if he defaults on a loan, his creditor will be entitled to recover the debt against his assets. It follows that a reasonable person expects that a creditor will be able to obtain the information necessary to realize on its legal rights. From the opposite perspective, it would be unreasonable for a borrower to expect that as long as he refused to comply with his obligation to provide information, his creditor would never be able to recover the debt.

Interestingly, the Court did not consider or comment on whether this implied consent that would have existed initially had been or could be overridden by the debtor’s clear refusal of consent that was communicated during the collection proceedings.


Moving beyond EMET, Part 2


Microsoft has now mapped out the future for the Enhanced Mitigation Experience Toolkit (EMET) in part one and it looks pretty bleak. The advice given to EMET users was also a little vague: upgrade to Windows 10, it’s a more secure operating system.

Although that’s true, it doesn’t cover everything that EMET does for you. Over on the CERT/CC blog, Will Dormann provides an excellent post about why Windows 10 can’t protect insecure applications like EMET can. The table seen in Dormann’s post highlights the protection available with and without EMET on Windows 7 and Windows 10. As you’ll see, Windows without EMET looks a little risky.
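Windows 10 later gained a per-application mitigation configuration of its own (the ProcessMitigations module, shipped from version 1709 onward), which is the closest native replacement for EMET’s per-process settings. What follows is an added example, not code from this post, from Dormann’s post or from Sophos: it forces the EMET-style mitigations onto a hypothetical legacy 32-bit application and then reads back what the system will actually enforce. The application name and the chosen flag set are assumptions; adjust both to the software you need to cover.

```powershell
# Added example (not from the Sophos or CERT/CC posts): give one legacy application the
# per-process mitigations EMET used to supply, then verify the effective configuration.
# Needs Windows 10 1709+ (ProcessMitigations module) and an elevated PowerShell session.
#Requires -RunAsAdministrator

# Hypothetical target: an old 32-bit viewer whose headers do not opt in to DEP/ASLR.
$App = 'legacyviewer.exe'

# The EMET-style set: force DEP, SEHOP and mandatory high-entropy ASLR even though the
# binary did not opt in, and add the EMET-derived EAF/IAF and ROP checks.
$EmetLike = @(
    'DEP', 'SEHOP',
    'ForceRelocateImages', 'BottomUp', 'HighEntropy',        # mandatory + high-entropy ASLR
    'EnableExportAddressFilter', 'EnableImportAddressFilter', # EAF / IAF
    'EnableRopStackPivot', 'EnableRopCallerCheck', 'EnableRopSimExec'
)

function Set-EmetLikeMitigations {
    param(
        [Parameter(Mandatory)] [string]   $Name,
        [Parameter(Mandatory)] [string[]] $Flags
    )
    # Write the per-image override. This is the Windows 10 equivalent of adding the
    # application to EMET's protected-application list.
    Set-ProcessMitigation -Name $Name -Enable $Flags

    # Read the stored configuration back. Do not assume every flag took effect:
    # the EAF/IAF and ROP checks only apply to 32-bit processes.
    Get-ProcessMitigation -Name $Name
}

Set-EmetLikeMitigations -Name $App -Flags $EmetLike | Format-List

# If the application breaks under a mitigation (mandatory ASLR and EAF are the usual
# culprits with old software), remove the override rather than leaving it half-applied:
#   Set-ProcessMitigation -Name $App -Remove
```

Run the block from an elevated PowerShell and exercise the application’s real workload afterwards; the point of reading the configuration back is that a setting which is silently ignored, or one that crashes the program on start-up, is worse than knowing the gap is still open.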

However, we thought we’d build upon the table in Dormann’s post by adding Sophos Intercept X to the mix.

(Image: Dormann’s mitigation comparison table for Windows 7 and Windows 10, with and without EMET, extended with a Sophos Intercept X column)

Intercept X includes many additional exploit technique mitigations that protect your applications. The software radar in Intercept X detects browser, audio, Office and PDF applications, automatically applying protection to those programs without needing any additional configuration.

Learn more about the exploit mitigation techniques in Intercept X.

Try Intercept X



ITALY – Personal data “CAN” be transferred under the Privacy Shield


Following the Schrems Judgment, there was some uncertainty as to the legal basis to transfer personal data from Italy to the US.

Consistent with other European data protection authorities, the Italian Data Protection Authority (Garante per la protezione dei dati personali, “the Italian DPA”) has authorized the transfer of personal data to the US under the so-called Privacy Shield, i.e. the new agreement between the EU and the US that replaces the old Safe Harbour, which was invalidated by the European Court of Justice (for further information see here).

In light of the above, it can now be confirmed that the Italian jurisdiction also formally conforms to the latest European Commission adequacy decision, which declared that an adequate level of protection is granted for the data of EU residents transferred to US organizations certified under the Privacy Shield mechanism.

The Italian DPA has nevertheless reserved the right to further verify the compliance of data transfers, adopting, where necessary, all restrictive measures provided by the Italian Privacy Code. In this respect the Italian DPA made specific reference to the Article 29 Working Party statement, which emphasized the role of the DPAs’ joint review of the Privacy Shield mechanism, including a right to directly access all necessary information, including elements allowing a full evaluation of the necessity and proportionality of the collection of and access to the personal data transferred. Certain commercial aspects, as well as access to the personal data by US public authorities, will no doubt be under closer scrutiny during the so-called Privacy Shield First Annual Joint Review referred to in the European Commission decision.

Is this the end of the EU-US data transfer saga? Probably not, as some commentators do not exclude that the validity of the Privacy Shield will be challenged again in the future. In that case, other data transfer solutions may well be considered, including, for instance, the EU Standard Contractual Clauses, which also allow transfers involving jurisdictions other than the US.

@giangiolivi

Watch now – Sophos Intercept X: Signatureless Exploit Prevention in 60 Seconds


Exploits are one of the key methods attackers use to spread malware. They take advantage of the vulnerabilities in genuine software products to deliver their chosen flavor of malware on to your system.

This is where the signatureless exploit prevention technology in Intercept X excels. Instead of poring over a vast bank of malware samples, it concentrates on the relatively small number of techniques used by attackers to exploit the vulnerabilities, fending off attacks before they even get started.

Want to know more?

You can learn more about Intercept X over on the sophos.com site, or if you’d like to try the product yourself, you can sign up for a free trial of Intercept X here.


Filed under: Corporate, Enduser Tagged: exploit prevention technology, Exploits, Intercept X, malware, video

FRANCE: New Law Introduces Class Actions for Data Protection Violations

By Carol A.F. Umhoefer (carol.umhoefer@dlapiper.com) and Caroline Chancé (caroline.chance@dlapiper.com)

France’s Law on the “Modernization of the judiciary in the 21st century”, adopted on November 18, 2016, creates a new general framework for class actions in France and a specific class action right for violations of the French data protection law.

Although the introduction of a data protection class action represents a ground-breaking development in French data protection law, the conditions for bringing a class action are restrictive, and the permissible remedies are limited.

After the introduction in 2014 of consumer class actions by the so-called “Hamon law”, and health class actions earlier this year by the so-called “Touraine law”, the new law on the “Modernization of the judiciary in the 21st century” (the “Law”) expands the scope of the class action mechanism to data protection violations (as well as discrimination and environmental law violations).

The Law lays down the legal and procedural framework for all class actions in France (except for consumer class actions, which remain subject to the Hamon law), and creates a new Article 43 ter in the French data protection law, with specific provisions regarding data protection class actions.

Who can file a class action? Data protection class actions may only be brought by:

  • Associations that have been duly registered for at least 5 years and whose statutory purpose is the protection of privacy and personal data;
  • Consumer protection associations recognized at national level and approved in accordance with Article L. 811-1 of the French Consumer Code, when the personal data processing affects consumers; and
  • Trade unions representing employees, civil servants or judges, when the processing affects the interests of those persons.

In what circumstances can a class action be filed? When several individuals who are in a similar situation suffer a loss resulting from a violation of the French data protection law committed by a data controller or a data processor, a class action may be filed before a civil or administrative court having jurisdiction.

The substantive scope of the class action is very broad as it concerns any violation of the French data protection law.

It is also interesting to note that French data protection law places nearly all data protection obligations on the controller, but under the Law, class actions may also be filed against the processor. Direct processor liability is, however, consistent with Article 28 of the GDPR, which enshrines a principle of data processor liability in specific circumstances.

Finally, the Law is ambiguous as to whether the plaintiff must have received / collected complaints from several victims in order to launch a class action. Indeed, whereas the new Article 43 ter of the data protection law remains silent on this issue, Article 62 of the Law, which applies subject to Article 43 ter, provides that a class action may be exercised “in view of the individual cases presented by the plaintiff”.

For what purpose? Unlike other class actions, data protection class actions can only seek injunctive relief; the class action cannot be used to claim damages. While this restriction could conceivably be explained by the fact that it may be difficult to prove individual damages, it should be noted that Article 80 of the GDPR allows Member States to provide that certain bodies, organizations and associations have the right to exercise a data subject's rights to an effective judicial remedy, including financial compensation.

The fact that class action litigants cannot claim damages will undoubtedly limit the impact of the Law, although unwelcome publicity and harm to the defendant’s reputation can certainly still ensue from the filing of a class action, let alone an injunctive order.

How? The action must be filed in accordance with the rules set forth in the French Civil Procedure Code or the French Administrative Justice Code, as applicable. Pursuant to Article 64 of the Law, the plaintiff must, prior to introducing a class action, send a formal notice to the defendant. The class action cannot be filed before the expiration of a four-month period after receipt of the formal notice; if it is filed earlier, the judge may automatically declare the action inadmissible. We note that this notice period is longer than the ones usually given by the French data protection authority (the “CNIL”) when issuing cease-and-desist orders (see e.g. the recent cease-and-desist orders against companies such as Facebook[1], Microsoft[2] or CDiscount[3], granting three months to comply; other cease-and-desist orders, such as the one against W.M.G (Gossip app)[4], have given controllers only one month to comply).

For more information, please contact carol.umhoefer@dlapiper.com or caroline.chance@dlapiper.com

[1] Decision No. 2016-007 of January 26, 2016

[2] Decision No. 2016-058 of June 30, 2016

[3] Decision No. 2016-083 of September 2016

[4] Decision No. 2016-079 of September 26, 2016

Anonymous Hacktivist ‘Barrett Brown’ Released From Prison

Barrett Brown, a journalist who formerly served as an unofficial spokesman for the hacktivist collective Anonymous, finally walked free from prison on Tuesday morning after serving more than four years behind bars. The Dallas-born investigative journalist was arrested in 2012 at his home, while he was in the middle of an online chat, after posting tweets and a YouTube video threatening revenge

GERMANY: Second draft of a new German data protection act “implementing” the GDPR published

A second draft of the new German Federal Data Protection Act (BDSG-new), aimed at aligning German data protection law with the EU General Data Protection Regulation (GDPR) and EU directive 2016/680, was published on 22 November 2016. It replaces the first draft dated September 2016, which was heavily criticized. Currently, it is not clear whether this draft will eventually become law. It has yet to be approved by the Department of Justice and the German Parliament. What we do know, however, is that if it is approved, it will replace the current BDSG (BDSG-current) entirely and will supplement the GDPR, which will be enforceable from 25 May 2018 onwards. Although the GDPR itself has direct legal effect in all Member States, it allows national legislators to enact national laws with which it is consistent to supplement the EU regulation. Therefore, it is crucial for businesses operating in Germany to take a close look at the new draft BDSG in order to prepare for the new data protection regime. The following summary focuses on the draft’s most relevant provisions for data protection in the private sector.

1. Employee data (Section 24 BDSG-new)

According to Section 24 of BDSG-new, the employer may process personal data for the purposes of the employment relationship if this is necessary for the decision to begin, carry out or terminate the employment relationship. This provision does not, in fact, contain any changes but corresponds with the current national stipulation on the processing of employee data (Section 32 BDSG-current). The fact that the drafting committee included the definition of employee currently found in Section 3 para. 11 BDSG-current aids understanding of this provision.

2. Information obligations of the data controller (Sections 30, 31 BDSG-new)

One key aspect of the GDPR is the obligation to inform individuals in detail when their personal data is collected, for example under Articles 13 and 14 GDPR, which impose a duty to notify data subjects of the controller's and the data protection officer's contact data, the purpose and legal grounds for the processing, storage periods, the right to appeal and to demand correction or deletion, etc. BDSG-new attempts to limit these obligations, claiming that Article 23 GDPR allows the national legislator to do so. Section 30 para. 1 BDSG-new provides that the information obligation shall not apply if it is impossible or requires disproportionate effort to provide the relevant information, or if the individual's interest in receiving the information is secondary. Section 31 para. 1 BDSG-new stipulates additional exceptions to the controller's information obligations, which apply when personal data is not acquired from the individual. The exceptions apply if the disclosure poses a significant threat to the controller's business purposes, taking into account the interests of the data subject, or if a public authority decides that disclosure would jeopardize public order or safety or would otherwise be detrimental to national or state interests.

It is questionable whether Article 23 GDPR may serve as a legitimate legal basis for the above-mentioned limitations because one may well argue that Sections 30 and 31 BDSG-new do not meet its requirements. The provision lists extreme conditions under which limitations to the controller’s information obligations are permitted (such as for the purpose of ensuring national security, public safety, the defense of the country, the execution of a sentence, the prosecution and prevention of crime, important economic or financial interests of the European Union or of a member state, the protection of court procedures and the independence of the judiciary or the enforcement of civil rights, etc.). “Disproportional efforts by the data controller” is not among them. All legislative measures meeting the requirements must additionally contain specific regulations regarding, for instance, information about the purpose and categories of processing, the scope of the limitations, the categories of personal data, a guarantee against misuse, illegal access and illegal transmission, information about the responsible parties, information regarding the storage period and the concerned parties’ right to be informed about the imposition of limitations, etc.

3. Rights of the data subjects (Sections 32 – 35 BDSG-new)

Sections 32 – 35 BDSG-new further limit the rights of data subjects. These provisions contain numerous exceptions under which individuals may not demand disclosure of processing (Section 32), the deletion of personal data (Section 33), and may not have the right to object to the processing of their data (Section 34 and Section 35). Again, the German legislator refers to Article 23 GDPR as the legal ground for these limitations. It is questionable whether this is accurate for the same reasons as those set out above with regard to the data controller’s information obligation.

4. Appointment of a data protection officer (Section 36 BDSG-new)

Section 36 para. 1 BDSG-new stipulates under which conditions a data protection officer (DPO) must be appointed. Luckily, the GDPR adopted the proven German DPO concept without regulating the details. Instead, Article 37 para. 4 GDPR authorizes the national legislator to enact details on the appointment of a DPO. As a result, Section 36 para. 1 BDSG-new mostly corresponds to the current law (Section 4 para. 1 BDSG-current). This means that as a general rule, a data controller permanently employing more than nine people in connection with the automated processing of personal data must appoint a data protection officer. Although it may not appear to be a business-friendly regulation at first sight, Section 36 BDSG-new will help data controllers and processors by providing clear instructions. Thus, it will help prevent fines for non-compliance with the GDPR and the BDSG.

5. Special provisions

Further, the BDSG-new contains a few special provisions regarding the processing of personal data for the purpose of scientific and historical research (Section 25) and consumer loans (Section 29) as well as for the processing of personal data subject to non-disclosure obligations (Section 26). Businesses engaged in these activities should take a closer look at these provisions.

6. Sanctions

As is widely known, the GDPR provides for a “significantly wider range of offences” than does the current BDSG (see also http://blogs.dlapiper.com/privacymatters/germany-bavarian-data-protection-authority-issues-guidance-on-gdpr-sanctions/) and imposes severe financial sanctions.

However, the GDPR only explicitly regulates the liability of controllers, processors and accredited certification bodies and does not specifically refer to natural persons. The draft BDSG clarifies that natural persons acting on behalf of the data controller or processor can be held directly responsible (as is already the case under current German law) and stipulates a maximum administrative fine of 300,000 EUR for offences committed by anyone acting “on behalf of the controller or processor as part of his job” (Section 40 para. 1 BDSG-new).

The draft provision is based on Article 84 para. 1 GDPR. It is doubtful whether the liability cap for natural persons is enforceable since it can be undermined by claims for compensation by the controller or processor against the responsible person.

Another question arising from this provision is whether data protection officers will be considered to act “on behalf of the controller or processor as part of his job” and therefore also be personally liable. As the liability concept of the GDPR does not take personal liability into account, it will be crucial to see how other Member States approach the question of individual liability for data protection violations. If Germany is the only Member State in which individuals can be held directly responsible, this may result in significant disadvantages for German businesses and ultimately affect price calculations.

In addition, it remains unclear to what extent fines may be imposed for non-compliance with informational obligations, see Section 40 para. 2 BDSG-new.

7. Relevance

Allegedly, the German legislator’s intention was to draft a business-friendly law. Whether this goal was achieved by the current draft legislation is questionable, to say the least. In particular, it is arguable that the GDPR is not a sufficient legal basis for the provisions of BDSG-new limiting information obligations and rights of the data subjects. The direct liability of individuals for data protection violations may also put businesses at risk. In any event, the draft makes data protection law even more complex and creates further legal uncertainty. It is unclear whether and to what extent it will enter into force. If it does enter into force, data controllers and processors doing business in Germany will need to comply with it in addition to the GDPR. Until then, it is advisable to prepare for the GDPR and simultaneously to keep a close eye on the German legislator’s progress in enacting a new BDSG.

Press Shift + F10 during Windows 10 Upgrade to Launch Root CLI & bypass BitLocker

If your computer's security relies on Windows BitLocker hard drive encryption software, then beware! Anyone with physical access to your PC can still access your files within a few seconds. All an attacker needs to do is hold SHIFT+F10 during the Windows 10 update procedure. Security researcher Sami Laiho discovered this simple method of bypassing BitLocker, wherein an attacker can open a

Firefox Zero-Day Exploit to Unmask Tor Users Released Online

Hackers are actively exploiting a zero-day vulnerability in Firefox to unmask Tor Browser users, similar to what the FBI exploited during an investigation of a child pornography site. Tor (The Onion Router) is anonymity software that not only provides a safe haven to human rights activists, journalists and government officials, but is also a place where drugs, assassins for hire, child

Being displayed today at AWS Show … Sophos protects server instances in Amazon Cloud

Designed to secure business critical servers without sacrificing performance, Sophos Server Protection protects Windows and Linux servers from malicious attacks using a variety of traditional and next-gen methods, including Malicious Traffic Detection, Application Whitelisting (Lockdown), and soon CryptoGuard anti-ransomware capabilities.

Sophos now enables the application and management of Server Protection policies for Amazon Web Services Auto Scaling Groups, and displays valuable information about EC2 instances in the Sophos Central management console.

Today at re:Invent Sophos will show how it protects dynamic AWS environments where Auto Scaling is used to automatically add and reduce the number of deployed servers.

Shipping soon, this new functionality ensures that any new servers that are launched as part of an Auto Scaling Group are automatically configured with Sophos Server Protection policy, and any automatically terminated AWS instances are no longer visible in Sophos Central.

Sophos provides this integration between Sophos Central and AWS using native AWS APIs.

Sophos Server Protection can be installed using the customer’s preferred deployment tool, such as Chef or Puppet using ready-made scripts provided by Sophos, or by creating an AMI with Sophos Server Protection installed.

When new AWS instances are launched with Sophos installed, the agent will register with the customer’s Sophos Central console and apply threat protection policy automatically.

Thus, Sophos provides consistent security policy and visibility for Windows and Linux servers, whether on premises or in the cloud, from a single management console using either of the Sophos Central Server Protection licenses. And the security of servers can be managed alongside endpoints, mobile and wireless devices, and email and web gateways.


Filed under: Corporate, Partners

Sophos responds to the new Investigatory Powers Act

Sophos responds to the requirements of the new Investigatory Powers Act, which has just become law in the UK

Since the Snowden revelations, it is not news to anyone that GCHQ and other government agencies are spying on UK citizens’ online activities.

Whatever you may feel about government snooping, it could be argued that all the Investigatory Powers Act has changed is to formalise what the UK government was already doing, and put more structure and control around it.

However, there is one huge issue that I and other technologists have complained about from the beginning of the consultative process, although the complaints have fallen on deaf ears. That is the ability for the government to force internet service providers (ISPs) and other tech companies to keep a year’s worth of records about ALL of our surfing habits – every UK citizen and resident.

The requirement is, in theory, for them to keep details of the pages we visit and other “communications data”, but not the “content” of those pages – although any technologist will tell you that the distinction between the two is becoming increasingly blurred. Either way, they will hold a vast amount of sensitive data about all of us – business and personal, like who you bank with, who your energy provider is, what email service you use, who you send emails to and how often, and so on.

Some may object to the government having all this data on privacy grounds, others may feel that this is OK if it helps law enforcement and security services identify and catch more baddies.

But my concern is more practical than political. This storage of our personal data only gives the massive cybercrime industry more opportunity to steal it, and places an increased burden on ISPs to protect it. High-profile data leaks occur all too often, so why put more data at risk? Especially after the revelations about TalkTalk, one of the ISPs that will need to store the data. The government’s advisers claim that there will be very strict controls on the storing and security of the data. But I for one feel very nervous about that.

I also continue to have four other issues with the Act that have not adequately been addressed in its passage through parliament, despite lots of lobbying:

1) Backdoors. Although Theresa May, in announcing the new bill as Home Secretary, said there would be no requirement on technology companies to provide access to their customers’ encrypted data, no mention of this was made in the Act itself.

In fact there is no mention of encryption at all – the government has tried to duck the issue. Sophos remains vehemently opposed to backdoors: read about it here.

2) Weak definitions mean that it is open to very broad interpretation. The requirements apply to something rather harmlessly and quaintly referred to as a “telecommunications operator”. This, as you chase the circular legalese definitions, can mean any company that enables data to pass between two or more computers as long as one is used in the UK – meaning pretty much any technology company. We don’t think this is the intent of the Act – we think that it is intended to apply to ISPs and providers of email, instant messaging service and so on – but it is sloppy drafting that could be horribly abused in future.

3) Judicial Commissioners – will they have the relevant knowledge? The suggestion is that they be appointed from a pool of people such as retired judges. Retired judges are hardly people famed for their understanding of complex technology. Would this really be a safeguard from rogue officers extracting way more personal data than they should and using it for nefarious means?

4) Disadvantage to the UK. The unfair disadvantage to UK-based ISPs still seems to apply despite claims to the contrary after the committee review stage. Section 262 clearly defines “telecommunications operator” as applying to those operating systems based in the UK. Whatever the law says, it is hard to see how the government will enforce it on companies like Whatsapp or Google who operate their communications services entirely outside the UK.


Filed under: Corporate, Enduser Tagged: Internet Service Providers, Investigatory Powers Act, ISPs, Privacy, UK

Cyber Attack Knocks Nearly a Million Routers Offline

Mirai Botnet is getting stronger and more notorious with each day that passes. The reason: insecure Internet-of-Things devices. Last month, the Mirai botnet knocked the entire Internet offline for a few hours, crippling some of the world's biggest and most popular websites. Now, more than 900,000 broadband routers belonging to Deutsche Telekom users in Germany were knocked offline over the weekend

Marine incentives programs may replace ‘doom and gloom’ with hope

Incentives that are designed to enable smarter use of the ocean while also protecting marine ecosystems can and do work, and offer significant hope to help address the multiple environmental threats facing the world’s oceans, researchers conclude in a new analysis.

San Francisco Metro System Hacked with Ransomware; Resulting in Free Rides

Nothing is immune to being hacked when hackers are motivated. Hackers proved this on Friday, when more than 2,000 computer systems at San Francisco's public transit agency were apparently hacked. San Francisco's Municipal Transportation Agency, also known as MUNI, offered free rides on November 26th after MUNI station payment systems and schedule monitors were hacked with ransomware

Hacker who exposed Steubenville Rape Faces longer Prison term than Rapists

Remember Steubenville High School Rape Case? In 2012, Steubenville (Ohio) high school's football team players gang-raped an unconscious teenage girl from West Virginia and took photographs of the sexual assault. In December 2012, a member of the hacker collective Anonymous hacked into the Steubenville High School football fan website Roll Red Roll and leaked some evidence of the rape,

Researchers Show How to Steal Tesla Car by Hacking into Owner’s Smartphone

New technology is always a little scary, and so are smart cars. From GPS systems and satellite radio to wireless locks, steering, brakes and accelerators, today's vehicles are more connected to networks than ever, and so they are more hackable than ever. It's not new for security researchers to hack connected cars. Previously they have demonstrated how to hijack a car remotely, and how to disable

Beware! Malicious JPG Images on Facebook Messenger Spreading Locky Ransomware

If you receive an image file sent by someone, even a friend, on Facebook Messenger, LinkedIn or any other social media platform, just DO NOT CLICK ON IT. Even a JPG image file could eventually infect your computer with the infamous Locky ransomware. Earlier this week, we reported a new attack campaign that used Facebook Messenger to spread Locky ransomware via .SVG image files,

Mark Weinstein: Did Facebook Really Elect Trump President?

By now we've all heard about it. Facebook has a fake news problem, a rampant epidemic of phony and outrageous headlines in which a fraction-of-a-penny-per-click gets traded for lies.

Read more: Trump, President, Donald Trump, Election, Privacy, Online Privacy, Obama, Clinton, Hillary Clinton, Truthiness, Willie Horton, Daisy Girl, Facebook, Zuckerberg, Mark Zuckerberg, Pew Research, Democracy, Google, Nature, Time Warner, Comcast, Algorithm, Politifact, Buzzfeed, Macedonia, Clickbait, Technology, Politics News

Sophos scoops two awards for security excellence

The inaugural 2016 Security Excellence Awards by UK magazine Computing saw Sophos collect two industry prizes last night: SafeGuard 8 took the Data Encryption Award and Sophos XG Firewall won the Firewall Solution and UTM Award.

The ceremony was held in London in the shadow of the Shard, where the Sophos representatives enjoyed the somewhat surprising, albeit entertaining, performance of the skinny public-schoolboy-looking freestyle-rapping presenter, Chris Turner.

Out of the hundreds of companies shortlisted for the 21 awards, Sophos was one of very few companies to collect more than one prize on the night.

Sophos SafeGuard 8, with its revolutionary next-gen Synchronized Encryption technology, was up against strong competition from companies including Covata, Vormetric and Cloudview. Sophos XG Firewall, with its ultimate firewall performance, security and control, faced heavy rivals including Barracuda and Panda.

Thanks to the solid efforts of the SafeGuard and XG Firewall product teams, once the dust settled and the freestyle rap had died down, there was only one winner in two of the top categories: Sophos.

All in all, we’re very pleased with our results in this first ever year of the Computing Security Excellence Awards, and we are looking forward to collecting many more prizes in years to come.


Filed under: Awards, Network Tagged: Computing Security Excellence Awards, SafeGuard Encryption 8, XG Firewall

Microsoft Shares Telemetry Data Collected from Windows 10 Users with 3rd-Party

Cyber security is a major challenge in today's world, as cyber attacks have become more automated and difficult to detect, where traditional cyber security practices and systems are no longer sufficient to protect businesses, governments, and other organizations. In past few years, Artificial Intelligence and Machine Learning had made a name for itself in the field of cyber security, helping

THN Deal — Learn Wi-Fi Hacking & Penetration Testing [Online Course: 83% OFF]

Hacking Wi-Fi is not a trivial process, but it does not take too long to learn. If you want to learn WiFi Hacking and Penetration testing, you are in the right place. Don't treat hacking as purely negative: you can learn some hacking skills yourself to secure your networks and devices. WiFi hacking is an all-time hot topic among hackers as well as penetration testers. This week's featured deal

Gartner acknowledges Sophos’ continued data protection leadership

After being recognized by Gartner as a leader in seven consecutive Magic Quadrants for Mobile Data Protection, we continue our success by being one of the vendors with the most comprehensive solution in the new Gartner report, Market Guide for Information-Centric Endpoint and Mobile Protection.*

This new report by John Girard of Gartner is the replacement for the now retired Gartner Magic Quadrant for Mobile Data Protection. It defines nine different methods for information-centric endpoint protection, ranging from basic device protection to comprehensive file-based protection methods.

Of the 18 representative companies discussed in the report, Sophos is one of only two that can provide a solution for every single one of the nine methods, through Sophos SafeGuard and Sophos Mobile Control.

Sophos SafeGuard, with its always-on file-based Synchronized Encryption, will protect your files wherever they go, for example when shared across platforms, emailed, or uploaded to cloud-based storage. The secure container technology and personal information management (PIM) capabilities in Sophos Mobile Control provide secure collaboration everywhere, working across mobile devices without compromising security and preventing accidental data leakage.

We agree with Gartner that, because information is highly mobile in today’s world, data protection solutions can no longer be centered on full disk encryption alone but should instead account for the many ways that business information needs protection as it moves.

To find out what Gartner says about the Information-Centric Endpoint and Mobile Protection marketplace, download the complete Market Guide here.

About Gartner
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally, and is used herein with permission. All rights reserved.

*Gartner Market Guide for Information-Centric Endpoint and Mobile Protection, John Girard, 26 October 2016


Filed under: Awards, Corporate Tagged: Encryption, Gartner, Gartner Magic Quadrant, Magic Quadrant for Mobile Data Protection, Market Guide for Information-Centric Endpoint and Mobile Protection, Mobile, Mobile Data Protection, SafeGuard Encryption 8, Sophos Mobile Control