Data Privacy Day

Original release date: January 28, 2021

January 28 is Data Privacy Day (DPD), an annual effort promoting data privacy awareness and education. This year’s DPD events, sponsored by the National Cyber Security Alliance (NCSA), focus on how to Own Your Privacy.

The NCSA teaches users how to protect valuable data online, while encouraging businesses to Respect Privacy by protecting data they collect. CISA encourages users and businesses to visit NCSA’s website to learn more, including several calls to action:

For Individuals: Own Your Privacy

  • Personal info is like money. Your purchase history, IP address, or location has tremendous value. Make informed decisions about whether or not to share such data with certain businesses.
  • Keep tabs on your apps. Delete unused ones and keep others secure by performing updates.
  • Manage your privacy and security settings. Continuously check them to limit what information you share.

For Businesses: Respect Privacy

  • If you collect it, protect it. Make sure any personal data you collect is processed in a fair manner and is only collected for relevant and legitimate purposes.
  • Consider adopting a privacy framework to manage risk and secure privacy within your organization.
  • Assess data collection practices by evaluating which privacy regulations apply to your organization.
  • Transparency builds trust. Be honest with customers about how you collect, use, and share their personal information.
  • Maintain oversight of partners and vendors. You are responsible for anyone collecting and using your consumers’ personal information.

This product is provided subject to this Notification and this Privacy & Use policy.

McAfee ATR Launches Education-Inspired Capture the Flag Contest!

McAfee’s Advanced Threat Research team just completed its second annual capture the flag (CTF) contest for internal employees. Based on tremendous internal feedback, we’ve decided to open it up to the public, starting with a set of challenges we designed in 2019.

We’ve done our best to minimize guesswork and gimmicks, and instead of flashy graphics and games, we’ve distilled the kind of problems we’ve encountered many times over the years during our research projects. Additionally, as this contest is educational in nature, we won’t be focused as much on the winners of the competition. The goal is for anyone and everyone to learn something new. However, we will provide a custom ATR challenge coin to the top 5 teams (one coin per team). All you need to do is score on 2 or more challenges to be eligible. When registering for the contest, make sure to use a valid email address so we can contact you.

The ATR CTF will open on Friday, February 5th at 12:01pm PST and conclude on Thursday, February 18th, at 11:59pm PST.  

Click Here to Register!

If you’ve never participated in a CTF before, the concept is simple. You will:

  • Choose the type of challenge you want to work on, 
  • Select a difficulty level by point value, 
  • Solve the challenge to find a ‘flag,’ and 
  • Enter the flag for the corresponding points.

NOTE: The format of all flags is ATR[], with the flag placed between the square brackets. For example: ATR[1a2b3c4d5e]. The flag must be submitted in full, including the ATR and square bracket parts.
 

The harder the challenge, the higher the points!  Points range from 100 to 500. All CTF challenges are designed to practice real-world security concepts, and this year’s categories include: 

  • Reverse engineering 
  • Exploitation 
  • Web 
  • Hacking Tools 
  • Crypto 
  • RF (Radio Frequency) 
  • Mobile 
  • Hardware
     

The contest is set up to allow teams as groups or individuals. If you get stuck, a basic hint is available for each challenge, but be warned – it will cost you points to access the hint and should only be used as a last resort.

Read before hacking: CTF rules and guidelines 

McAfee employees are not eligible for prizes in the public competition but are welcome to compete. 

When registering, please use a valid email address, for any password resets and to be contacted for prizes. We will not store or save any email addresses or contact you for any non-contest related reasons.

Please wait until the contest ends to release any solutions publicly. 

Cooperation 

No cooperation between teams with independent accounts. Sharing of keys or providing/revealing hints to other teams is cheating; please help us keep this contest a challenge for all!

Attacking the Platform 

Please refrain from attacking the competition infrastructure. If you experience any difficulties with the infrastructure itself, questions can be directed to the ATR team using the email in the Contact Us section. ATR will not provide any additional hints, feedback, or clues. This email is only for issues that might arise, not related to individual challenges. 

Sabotage 

Absolutely no sabotaging of other competing teams, or in any way hindering their independent progress. 

Brute Forcing 

No brute forcing of challenge flags/keys against the scoring site is accepted or required to solve the challenges. You may perform brute force attacks on your own endpoint, if necessary, to determine a solution. If you’re not sure what constitutes a brute force attack, please feel free to contact us.

Denial of Service

DoSing the Capture the Flag (CTF) platform or any of the challenges is forbidden.

Additional rules are posted within the contest following login and should be reviewed by all contestants prior to beginning.

Many of these challenges are designed with Linux end-users in mind. However, if you are a Windows user, Windows 10 has a Linux subsystem called ‘WSL’ that can be useful, or a Virtual Machine can be configured with any flavor of Linux desired and should work for most purposes.

Happy hacking!

Looking for a little extra help? 

Find a list of useful tools and techniques for CTF competitions. While it’s not exhaustive or specifically tailored to this contest, it should be a useful starting point to learn and understand tools required for various challenges. 

Contact Us 

While it may be difficult for us to respond to emails, we will do our best – please use this email address to reach us with infrastructure problems, errors with challenges/flag submissions, etc. We are likely unable to respond to general questions on solving challenges. 

[email protected] 

How much do you know about McAfee’s industry-leading research team?

ATR is a team of security researchers that deliver cutting-edge vulnerability and malware research, red teaming, operational intelligence and more! To read more about the team and some of its highlighted research, please follow this link to the ATR website. 

General Release Statement 

By participating in the contest, you agree to be bound to the Official Rules and to release McAfee and its employees, and the hosting organization from any and all liability, claims or actions of any kind whatsoever for injuries, damages or losses to persons and property which may be sustained in connection with the contest. You acknowledge and agree that McAfee et al is not responsible for technical, hardware or software failures, or other errors or problems which may occur in connection with the contest.  By participating you allow us to publish your name.  The collection and use of personal information from participants will be governed by the McAfee Private Notice.  

The post McAfee ATR Launches Education-Inspired Capture the Flag Contest! appeared first on McAfee Blogs.

Brazilian General Data Protection Law (LGPD) entered into force and requires attention

In 2018, the Brazilian General Data Protection Law (LGPD), inspired by the General European Data Protection Regulation, was sanctioned by President Michel Temer. Following the global trend to regulate the subject, the LGPD, responsible for creating a new legal framework for the use of personal data in Brazil, both online and offline, in the public and private sectors, came into force, unexpectedly and after a turnaround in the Federal Senate, on September 18, 2020.

The administrative sanctions, it is important to clarify, will only come into force in August 2021. However, lawsuits have already started to be filed based on the LGPD, and it is necessary to adopt compliance practices in order to avoid liability for eventual breaches in the judicial sphere.

Brazil has several sectorial laws and regulations regarding privacy and data protection that directly or indirectly deal with the protection of privacy and personal data, in a sector-based system. The LGPD seeks not to replace those laws and regulations that currently exist, but shall establish general rules and principles so that they can be met in a more beneficial manner for the data subjects.

The LGPD, the law that will place Brazil on the roll of more than 100 countries that may be considered to have an adequate level of data protection and privacy, requires special attention. It establishes a series of obligations related to the processing of personal data, from general ones up to obligations related to the processing of sensitive data, use of minors’ data, international transfers of data, the need to appoint a data controller and processors and to perform Data Protection Impact Assessments – on a case by case basis – and measures to be taken in case of data breaches.

In general, any practice that processes personal data will be subject to the law. The law also has extraterritorial application: any foreign company that has at least a branch in Brazil, offers services to the Brazilian market or processes personal data of data subjects located in the country will be subject to the LGPD.

The LGPD establishes that all personal data processing activities must be recorded, from their collection to their exclusion, indicating what kinds of personal data are being collected, the legal basis that authorizes their uses, their purposes, the retention time, the information security practices implemented in the storage and with whom the data can be eventually shared.

In this regard, the LGPD also establishes that both data controller and data processor, despite the lack of obligation to enter into a DPA, shall take appropriate technical, security and administrative measures to protect personal data, subject to being held liable in case of data breach.

Under the LGPD, data subjects have their basic rights expanded. It is important to highlight the right to access, which shall be guaranteed free of charge, in addition to the right of rectification, cancellation or exclusion, opposition to treatment, and the right to information and explanation about the use of their personal data.

Regarding an eventual data breach, the LGPD creates the obligation to notify the National Data Protection Authority (“ANPD”) and the data subject of the occurrence of any security incident that may result in any relevant risk or damage.

The ANPD, already provided for by law but still in a structuring phase, has functions that go beyond the inspection and application of sanctions in case of non-compliance with the law and shall assume a relevant and rigorous role in promoting protection of personal data in Brazil.

The penalties imposed by the LGPD, which are expected to come into force only in August 2021, vary from a simple warning to a fine of up to 2% of the company’s or its business group’s income in Brazil in the previous year, limited to R$ 50,000,000.00 (approximately US$ 10,000,000.00) per infraction, and even to the publication of the infraction, which has potential to cause reputational damages in amounts higher than the fines established by law.

The LGPD will have a relevant impact, since, today, almost every practice in society deals with the use of personal data. Companies from all sectors shall adapt themselves and a new culture about the appropriate use of personal data must be created, which can be challenging, considering that Brazil is only now starting to give the subject the right attention.

The protection of personal data should be seen not as a cost, but as a competitive advantage and a market differential. At a time of major data breaches around the world, complying with such rules can restore or increase confidence in the market, and conducting a data protection compliance project, from a legal and technical perspective, is of main importance in order to avoid particularly rigorous sanctions.

This challenging scenario and the uncertainties surrounding the LGPD should start to become less obscure before long. The expected effective start of the ANPD’s activities, as well as eventual judicial decisions issued in the coming months, should foster the matter and enable us to deepen our analyses and recommendations for compliance with the LGPD. There is no doubt that we will be able to bring more developments on the subject soon, as matters crystallise in Brazil.
