Category Archives: Security

Swiss Data Protection? What if this is just another lie?

‘Europe demands different’ says pCloud CEO

pCloud is your personal cloud space where you can store all your files and folders. Based in Switzerland, it has a user-friendly interface that clearly shows where everything is located and what it does. The software is available for almost all devices and platforms: iOS and Android devices, Mac OS X, Windows, and all Linux distributions. All your devices are synchronized instantly, and every update you make is directly accessible from each of them. Generally speaking, pCloud is the European analogue of the well-known US services iCloud and Google Drive.

pCloud has seen 500% growth in just four years. Today it is over 10.5 million users strong and growing rapidly. It has become famous for its security standards and has taken all the necessary steps to meet full GDPR compliance.

What is GDPR? Europe’s General Data Protection Regulation, introduced by the European Parliament, is a set of measures to enhance EU users' privacy rights (in effect from May 25, 2018). It imposes strict regulations on how organizations operating in the EU collect, store and manage personal information.

What is more, pCloud offers not only reasonable prices but also a lifetime plan (lifetime subscription).

It all sounds great, doesn't it? But there are nuances.

Firstly, to guarantee your files’ safety, pCloud uses TLS/SSL encryption, which is applied while information is being transferred from your device to the pCloud servers. Optionally, you can subscribe to pCloud Crypto and have your most important files encrypted and password protected. Without this additional encryption, pCloud is able to access your data at any time, as the keys for file decryption are stored on its servers.

Secondly, the company reserves the right to cooperate with law enforcement agencies by disclosing your personal information, or to review your files at its sole discretion to make sure that nothing violates its rules. Such conditions immediately make it clear that, behind the loud slogans, the guaranteed absolute confidentiality of stored files will be observed only if additional paid services are used. With pCloud Crypto, neither pCloud as a service provider, nor any authority or service will ever have access to your encrypted files. They do not store your Crypto Pass on servers, which means that you are the one in charge.

Personal data will be stored in pCloud for the period set by EU and US laws (depending on the servers where your files are stored). Personal data may be stored for longer if the company deems it necessary or if it does not violate the law. pCloud also collects information about you while you are using the service, including your IP address, browser type, information about your operating system, your time, phone number, location data, session duration, and the sections, folders and pages you viewed.

Nothing is free; everything has a price. In this particular case you pay the company with money or, otherwise, with your data.

 

 

Sources:

https://www.pcloud.com/eu

https://techcrunch.com/sponsor/pcloud/europe-demands-different-from-us-tech-giants-says-pcloud-ceo/

https://medium.com/@nnm_club/%D0%BF%D0%BE%D1%87%D0%B5%D0%BC%D1%83-pcloud-%D0%BD%D0%B5-%D1%81%D1%82%D0%BE%D0%B8%D1%82-%D1%80%D0%B0%D1%81%D1%81%D0%BC%D0%B0%D1%82%D1%80%D0%B8%D0%B2%D0%B0%D1%82%D1%8C-%D0%BA%D0%B0%D0%BA-%D0%B0%D0%BB%D1%8C%D1%82%D0%B5%D1%80%D0%BD%D0%B0%D1%82%D0%B8%D0%B2%D1%83-google-drive-d9d4d02cb454

Microsoft Teams phishing campaign attack on O365 Users

Image shows the capabilities of Microsoft Teams: a network for sharing files, calendars, emotions, statistics, comments, and mail.

© Image inserted from Microsoft News – news.microsoft.com

 

Due to the COVID-19 situation, many governments, organisations, and businesses have moved to online communication platforms, or integrated them into their systems, and use them as a primary communication channel. Universities and academic institutions all around the world have also decided on a sudden shift to online learning in a short period of time.

According to a New York Times analysis of internet usage in the US, use of the services that allow us to work and learn from home is increasing continuously.

 

© Image Screenshot from NY Times – App popularity according to iOS App Store rankings on March 16-18. · Source: Apptopia

 

At Kozminski our main communication channel is Microsoft Teams. MS Teams is one of the products of O365, a very popular subscription service that Microsoft offers to academic institutions, alongside Google G Suite, Zoom for Education, and many more.

The security of cloud-based communication platforms is a huge concern: as students, employers, and users we face threats daily, and it is clear to us that there is no perfection in SaaS. Startup, footprint, runtime, responsiveness, hangs, rendering, and many more are things we are used to hearing about as bugs, but security bugs are among the scariest to the end user because they make us vulnerable and the main target.

Abnormal Security researchers warn of a phishing campaign that pretends to be an automated message from MS Teams, but actually aims to steal the credentials of O365 recipients.

Phishing is a fraudulent attempt to obtain sensitive information or data; it is a very popular and old attack technique. This campaign was sent to 15,000 – 50,000 O365 users, according to researchers with Abnormal Security.

“Because Microsoft Teams is an instant-messaging service, recipients of this notification might be more apt to click on it so that they can respond quickly to whatever message they think they may have missed based on the notification,” said researchers in a Thursday analysis.

The phishing email displays the name “There’s new activity in Teams”, making it look like an automatic notification from Microsoft Teams.

As can be seen in the picture below, the email tells the recipient that his teammates are trying to reach him, warns him that he has missed the MS Teams Chat and shows an example of a teammate chat where he is asked to submit something.

 

Email Attack: The email is sent from the display name, ‘There’s new activity in Teams’, making it appear like an automated notification from Microsoft Teams.

© Image inserted from Abnormal Security
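From the defender's side, the display-name trick described above can be checked mechanically. The following is an added example, not code from the original post or from Abnormal Security: it flags mail whose From display name claims to be Teams while the sender domain is not one you trust. The trusted domain, the second name pattern, and the sample messages are assumptions constructed for illustration.

```python
import re
import unicodedata
from email import message_from_string, policy

# Assumption: the domain(s) your tenant's genuine Teams notifications come from.
TRUSTED_DOMAINS = {"email.teams.microsoft.com"}

# Display-name patterns to check; the first is the name quoted in this post.
TEAMS_NAMES = [re.compile(r"new activity in teams"),
               re.compile(r"\bmicrosoft teams\b")]

def normalise(name):
    """Fold Unicode compatibility forms, case and spacing so look-alikes match."""
    folded = unicodedata.normalize("NFKC", name).lower()
    return re.sub(r"\s+", " ", folded).strip()

def is_trusted(domain):
    domain = domain.lower()
    return any(domain == d or domain.endswith("." + d) for d in TRUSTED_DOMAINS)

def check_message(raw):
    """Return a finding if the From display name claims Teams but the sender
    domain is not trusted; otherwise return None."""
    msg = message_from_string(raw, policy=policy.default)
    header = msg["From"]
    if header is None or not header.addresses:
        return None
    sender = header.addresses[0]  # policy.default decodes RFC 2047 encoded words
    claims_teams = any(p.search(normalise(sender.display_name)) for p in TEAMS_NAMES)
    if claims_teams and not is_trusted(sender.domain):
        return {"display_name": sender.display_name,
                "address": sender.addr_spec,
                "reason": "Teams display name from untrusted domain"}
    return None

# Constructed sample messages (not taken from the real campaign).
SAMPLES = {
    "spoof_plain": 'From: "There\'s new activity in Teams" <alerts@notify.example.net>\nSubject: x\n\nbody\n',
    "spoof_encoded": "From: =?utf-8?q?There=27s_new_activity_in_Teams?= <alerts@notify.example.net>\nSubject: x\n\nbody\n",
    "genuine_like": 'From: "Microsoft Teams" <noreply@email.teams.microsoft.com>\nSubject: x\n\nbody\n',
    "unrelated": 'From: "Alice Example" <alice@example.org>\nSubject: hi\n\nbody\n',
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", check_message(raw))
```

The From domain can itself be forged, so a check like this complements SPF, DKIM and DMARC evaluation rather than replacing it.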

 

Using 2FA or multi-factor authentication certainly adds an important, low-cost additional layer. In many cases it does stop phishing attacks from succeeding, but it doesn’t mean you are immune to attacks. According to the official MS365 administration documentation, the first task is to “Set up multi-factor authentication” and apply it to users as required across the organization, and the second task is to “Train your users”. Microsoft also recommends the guidance in the Harvard Kennedy School Cybersecurity Campaign Handbook.

In my opinion, due to rapid changes and system integration, most IT teams cannot feed their users enough information and updates, and it’s time for us as end users to watch tutorials to familiarise ourselves and read more information about our daily software/tools.

Learn more about how to set up 2FA on your Microsoft account, step by step.

The image shows the steps of how 2FA works from the client's point of view.

© Image inserted from ZUKO TECH – Two-factor authentication (2FA)

 

Resource: Abnormal Security

MS = Microsoft Teams   –   O365 = Office 365   –   2FA = Two-Factor Authentication
