The privacy tussle; can there be a win-win?

It was a quarter to eight when I got home with weary and tired legs; surely I was famished, and it was kenkey from my favorite vendor, hot pepper and fried eggs on the menu. Just when I stuck my thumb into the kenkey Ga-man-style, a notification came through on my phone, and honestly I thought it was a payment hitting the account (man is hot); but no, it wasn’t; in fact it was just a news item. citinewsroom.com had reported a story captioned “Communications Ministry fights BoG over mobile money data”. Well, I chuckled; in my mind I retorted: what’s wrong with my “Ghana people” again?

I continued with the supper whilst I read the article in full. It caught my eye because it touches a subject I am passionate about; yes, data protection it is. The article stated in part: “The Communications Ministry in a series of letters had asked the Bank of Ghana to release the data to a private contractor, Kelni GVG, which has been tasked to verify the amount of revenue generated by telcos.

The Ministry specifically requested for disclosure of customer balances, transaction amounts, date and time of the transactions.

However, the Bank of Ghana declined to grant the Communication Ministry’s request, arguing in a letter signed by its Secretary, Frances Van-Hein, that disclosing such information would breach the guidelines for Electronic Money Issuers and the Data Protection Act.”

So without wasting much time I decided to make a point or two after the food had settled my unintended, self-imposed fasting. So here we go: it is true that per section 91 of the Data Protection Act 2012, Act 843, the three (3) organs of State are bound by the provisions of the Act, more so when it comes to disclosure. Let me just say quickly, before I proceed, that this is not meant to be a comprehensive lecture on data protection; on the contrary, it is just a brief note touching on the key issue I gathered, which is the outright refusal to disclose.

As a practitioner, I will proceed to ask why the data is needed in the first place. Regulatory activities, or something else? Well, let me just presume and move on. Having said that, section 63 of Act 843 should suffice for regulatory activities so long as the reason falls under the exemptions provided. Let’s assume again that it is for taxation or related purposes; then section 61(1)(c) of Act 843 further allows an exemption for the purposes of the assessment or collection of a tax or duty or of an imposition of a similar nature.

Generally, and as a rule of principle, the provisions of the law do not apply to data so long as the data subjects cannot be identified from the set of attributes, which calls for anonymization or pseudonymization. Once data is properly anonymized, the data subjects behind the attributes cannot be identified, and that means the issues of privacy do not arise. This also means the systems disclosing and receiving the information respectively should envisage this in their technology, either as an added functionality or built in, under the name of “privacy-by-design”. But then, as I keep saying in various forums, if we build systems that are not resilient to the inherent risk, and do not know how to manage that risk, then due diligence can be construed as negligible if not nonexistent. As I doze off now, and hoping I am not missing the point, the exemptions under Act 843 are not blank cheques: they are exemptions to disclose the information, therefore all the other principles under the law apply with full force, i.e. accountability, lawfulness of processing, specification of purpose, compatibility with further processing, quality of the data, openness, security safeguards and data subject participation.
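To make the anonymization point concrete, here is an added example (not code from the original post, and not any regulator's or telco's system) of how a disclosing institution could prepare the fields named in the news item (subscriber, balance, amount, date and time) so that the recipient can still verify telco revenue without being handed identifiable data. The records, the key, the balance bands and the function names are all constructed for this illustration: the subscriber number is replaced by a keyed hash (HMAC-SHA256) whose key stays with the discloser, balances are generalized into bands, and timestamps are cut to the hour.

```python
import hashlib
import hmac
from collections import defaultdict
from datetime import datetime

# Constructed sample records, invented for this example: mobile money
# transactions as the disclosing institution might hold them.
RAW_TRANSACTIONS = [
    {"msisdn": "233200000001", "telco": "TelcoA", "amount": 150.0,
     "balance": 1230.55, "ts": "2018-06-14T08:12:31"},
    {"msisdn": "233200000001", "telco": "TelcoA", "amount": 20.0,
     "balance": 1210.55, "ts": "2018-06-14T08:40:02"},
    {"msisdn": "233240000002", "telco": "TelcoB", "amount": 500.0,
     "balance": 75.0, "ts": "2018-06-14T09:03:10"},
    {"msisdn": "233270000003", "telco": "TelcoA", "amount": 5.0,
     "balance": 12000.0, "ts": "2018-06-15T17:59:59"},
]

# Hypothetical pseudonymization key: kept by the disclosing party (the data
# controller) and never shared with the recipient. Without it the tokens
# below cannot be reversed or regenerated from a list of phone numbers.
PSEUDONYM_KEY = b"replace-with-a-key-held-in-a-key-vault"

# Balances are generalized into bands rather than disclosed exactly.
BALANCE_BANDS = [(100.0, "<100"), (1000.0, "100-999"), (10000.0, "1000-9999")]


def pseudonymise_msisdn(msisdn: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed hash (HMAC-SHA256) of the subscriber number.

    Deterministic, so the recipient can still count transactions per
    subscriber, but the number itself cannot be recovered without the key.
    A plain unkeyed SHA-256 would not do: phone numbers are few enough to
    enumerate, so anyone could rebuild the mapping from a hash alone."""
    return hmac.new(key, msisdn.encode(), hashlib.sha256).hexdigest()[:16]


def band_balance(balance: float) -> str:
    for upper, label in BALANCE_BANDS:
        if balance < upper:
            return label
    return ">=10000"


def truncate_to_hour(ts: str) -> str:
    """Drop minutes and seconds: exact timestamps are a re-identification aid."""
    return datetime.fromisoformat(ts).strftime("%Y-%m-%dT%H:00")


def pseudonymise(record: dict) -> dict:
    return {
        "subscriber": pseudonymise_msisdn(record["msisdn"]),
        "telco": record["telco"],
        "amount": record["amount"],
        "balance_band": band_balance(record["balance"]),
        "hour": truncate_to_hour(record["ts"]),
    }


def disclose(records: list) -> list:
    """Build the disclosure set and refuse to release it if a raw number leaked."""
    raw_ids = {r["msisdn"] for r in records}
    out = [pseudonymise(r) for r in records]
    for row in out:
        if any(str(v) in raw_ids for v in row.values()):
            raise ValueError("raw subscriber number present in disclosure set")
    return out


def revenue_by_telco(disclosed: list) -> dict:
    """The recipient's stated purpose (verifying telco revenue) still works
    on the pseudonymized set."""
    totals = defaultdict(float)
    for row in disclosed:
        totals[row["telco"]] += row["amount"]
    return dict(totals)


if __name__ == "__main__":
    shared = disclose(RAW_TRANSACTIONS)
    for row in shared:
        print(row)
    print(revenue_by_telco(shared))
```

The design point is that the key, not the hash function, is what makes this pseudonymization rather than a thin disguise: if the recipient ever obtained the key, or if an unkeyed hash were used, the subscriber numbers could be rebuilt by enumeration, and the disclosure would once again be personal data with every principle of the Act applying to it.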

The provisions of Act 843 will override the Electronic Money Issuers (2015) Guidelines to the extent that the latter is a substantive law. It can also be a matter of regulator-to-regulator mutual understanding and, of course, measures of alternative effect under the context of the laws to create a controller-to-controller or controller-to-processor relationship and capture the lawful terms of use in a data transfer or exchange agreement, as envisioned under Act 843.

If the truce won’t work, well, I will just sleep soundly by recommending that under section 66 of Act 843 one can compel the other with a court order to do the needful; but rightly so with lawful justification, lest the court throws you out for want of lawful justification.

As the night settles into its late hours, may we be reminded that data protection is a fundamental human right; the regulations governing data processing are not an outright show-stopper but a business enabler with the potential of appreciating the currency of the digital consumer. This currency is “trust”, and it provides a competitive business edge. And in as much as one party, as a regulator, has the right of refusal over the other, it is also the case that this refusal cannot be absolute in the face of lawfully justified exemptions. Let the parties re-look at their positions.

Permit me to leave you with some thoughts:

“Privacy – like eating and breathing – is one of life’s basic requirements.” ― Katherine Neville

Desmond Israel

Lead Consultant @ Information Security Architect

“TROJAN LOAPI” HUNTS PORNOGRAPHIC LOVERS!!!

It seems virus writers are yet to give up on developing different kinds of unpleasantness to frustrate Android users who are fond of downloading adult-rated applications and anti-virus applications from third-party stores, as well as from Google Play Store, onto their devices.

A Trojan horse, or Trojan, is a kind of malware usually disguised as legitimate software. Attackers use Trojans to gain access to users’ systems.

Unlike other Trojans, this particular one can overheat your device as a result of prolonged operation of the processor at maximum load. In addition, it can turn your phone into a zombie and hijack it for use in DDoS attacks against web resources, as well as secretly sign users up to paid services.

HOW TROJAN LOAPI OPERATES:

Users pick up the Loapi Trojan by clicking on an ad banner or by downloading a fake AV or adult-content app. As stated earlier, fake AV and adult-content apps are the common vehicles Loapi uses to gain access to users’ devices.

After installation of the fake app, Loapi asks for administrator rights. The prompt to grant Loapi administrator rights keeps reappearing on the user’s screen until the user finally gives in to Loapi’s demand.

If the user later tries to revoke Loapi’s administrator rights, it locks the screen and closes the settings window.

Furthermore, if the user tries to download apps to protect the device against malware and Trojans, Loapi declares them to be malware and demands their removal.

Loapi relies heavily on frustrating users in order to prevent them from downloading legitimate anti-virus apps that would wipe it, and similar Trojans, out.

HOW TO AVOID TROJANS:

  • Deactivate installation of apps from unknown sources: in Settings, go to Security and ensure that the “Unknown sources” checkbox is not selected.
  • Get a reliable and proven AV for Android and regularly scan your device with it, even for apps installed from Google Play Store. Doing so adds another layer of security.

#ISA_informs

#ISA_ltd

LESSONS GLEANED FROM EQUIFAX HACK

Recently, we have heard how Equifax servers were hacked by black hats. According to sources close to the credit reporting agency, Equifax servers were hacked in mid-May and the intrusion went undetected until July.

Equifax Inc. is a consumer credit reporting agency in the United States, considered one of the three largest American credit agencies along with Experian and TransUnion.

Hackers who broke into the servers stole driver’s license numbers and about 209,000 credit card numbers. This particular breach has affected almost half of Americans, and it is really devastating because, until May, Equifax was deemed the most secure and trusted credit reporting agency, holding data on half of the US population.

Our security engineers sat down to discuss and analyze the breach, and came up with lessons all and sundry could learn from the Equifax breach.

1. Don’t trust security. It’s a myth:

“Our servers are secured from hackers.” “Our servers are behind robust firewalls.” These statements are commonly found on the web nowadays. However, we should not take such words from vendors on trust. Equifax was noted for storing users’ data in a secured place, yet it was hacked. Don’t trust security. It’s a myth.

2. Place emphasis on prevention, not safety:

One of the best ways to recover from a data breach immediately, without even the media being aware of it, is to put up a prevention plan. A prevention plan is very different from safety measures or tips. A prevention plan can’t stop hackers from breaking into servers, but it can prevent them from achieving their main purpose. For instance, storing users’ data on a server behind a firewall can’t stop hackers from breaking into your server, but accessing the raw data of customers may be difficult because of hashing and salting of the data.
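As an added illustration of the “hashing and salting” point (example code written for this page, not Equifax's or anyone else's storage code), the block below stores a constructed customer table in which the sensitive identifier never appears in plaintext. Each record gets its own random salt, an iterated hash (PBKDF2-HMAC-SHA256) slows down guessing, and a hypothetical “pepper” held outside the database is mixed in; the pepper, the iteration count, the identifier format and the function names are all assumptions for the example. The attacker's-eye function shows what a stolen copy of the table would yield.

```python
import base64
import hashlib
import hmac
import os

# Hypothetical pepper: a secret held outside the database (secrets manager
# or HSM), so a dump of the table alone is not enough to start guessing.
PEPPER = b"replace-with-a-pepper-from-a-secrets-manager"
ITERATIONS = 200_000  # deliberately slow; tune to your hardware

# Constructed customer records with invented identifiers (one duplicated on
# purpose, to show that equal identifiers do not produce equal hashes).
CUSTOMERS = [
    {"customer_id": 1, "name": "A. Mensah", "national_id": "GHA-000000001-1"},
    {"customer_id": 2, "name": "K. Boateng", "national_id": "GHA-000000002-2"},
    {"customer_id": 3, "name": "A. Mensah (dup)", "national_id": "GHA-000000001-1"},
]


def hash_identifier(identifier: str, salt: bytes = None) -> str:
    """Salted, peppered, iterated hash for an identifier that only ever needs
    to be verified ("is this the ID we have on file?"), never read back."""
    salt = salt or os.urandom(16)  # fresh random salt per record
    digest = hashlib.pbkdf2_hmac("sha256", identifier.encode() + PEPPER, salt, ITERATIONS)
    return "pbkdf2_sha256${}${}${}".format(
        ITERATIONS,
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )


def verify_identifier(identifier: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    scheme, iterations, salt_b64, digest_b64 = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", identifier.encode() + PEPPER, salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


def build_table(customers: list) -> list:
    """What actually lands in the database: there is no raw identifier column."""
    return [
        {"customer_id": c["customer_id"], "name": c["name"],
         "national_id_hash": hash_identifier(c["national_id"])}
        for c in customers
    ]


def raw_identifiers_in(table: list, customers: list) -> list:
    """Attacker's view of a stolen table: which raw identifiers appear verbatim?"""
    secrets = {c["national_id"] for c in customers}
    return [v for row in table for v in row.values() if v in secrets]


if __name__ == "__main__":
    table = build_table(CUSTOMERS)
    for row in table:
        print(row)
    print("raw identifiers in stolen table:", raw_identifiers_in(table, CUSTOMERS))
    print("verify correct:", verify_identifier("GHA-000000001-1", table[0]["national_id_hash"]))
    print("verify wrong:  ", verify_identifier("GHA-999999999-9", table[0]["national_id_hash"]))
```

Two caveats belong with this lesson. Hashing only fits fields the business needs to verify, not fields it must read back (a balance, an address); those need encryption with keys kept outside the database, which is the same “prevention plan” idea applied to a different operation. And identifiers such as national ID or card numbers have far less entropy than a good password, so a per-record salt on its own does not stop offline guessing from a stolen table; the slow iteration count and the pepper held elsewhere are what make the stolen copy hard to turn into raw data.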

3. To be hacked is inevitable:

Despite the numerous safety measures recommended by so-called “cybersecurity experts”, and likewise by Equifax, no company under the sun is invulnerable to hackers. The best option you have now is to keep a low profile by not announcing that your “web portal is secure or your servers are hardened”, or to make it difficult for hackers by putting up firm prevention measures.

4. Detection tools can’t stop data breaches:

If you began from the very first line of this article, we noted that sources close to Equifax told the media that Equifax servers were hacked around May, undetected. A mega company such as Equifax surely has detection tools installed on its servers to detect attacks from hackers. However, it seems the detection tools on their servers failed to detect any unauthorized entry. We advise implementing detection tools, but don’t rely on them fully.

5. Audit your systems regularly:

We advise everyone to take this particular lesson with all seriousness. Auditing your systems regularly is a sure way of ensuring that both obvious and hidden loopholes are detected even before hackers attempt to breach your servers.

We encourage everyone interested in secure storage of data to reflect on these lessons to prevent future server breaches.

#ISA_informs

#ISA_ltd