Archive for April 2017

#IAPP Conference: Panel – GDPR Beyond May of 2018

On April 19, at the International Association of Privacy Professionals Global Privacy Summit 2017 in Washington DC, a panel of senior privacy executives from leading multi-national corporations discussed how their organizations are preparing for implementation of the General Data Protection Regulation (GDPR) set for May of 2018, and how they will work to operationalize, sustain and monitor their GDPR privacy compliance programs to be effective and demonstrably compliant for the long term.

The Panel:
Carolyn Holcomb, CIPP/US, partner, Cybersecurity and Privacy, PwC (Moderator)
Keith Enright, CIPP/G, CIPP/US, director, Global Privacy Legal, Google 
Asim Fareeduddin, CIPP/US, VP, IT Security and Regulatory Controls Assurance, RELX Group 
Lori Fink, senior VP, Assistant General Counsel, CPO, AT&T 

Holcomb: How are your teams set up, and will you make any changes to your team structure because of the GDPR?

Enright: Google has a global team of lawyers and legal specialists. We are always following how laws are evolving so we can make sure we comply and advise the business for optimal flexibility. Google also has a massive cross-functional effort involving multidisciplinary product managers, engineering leaders and user experience designers. For 2018, we’re working now to make our privacy program appropriately auditable, so we can demonstrate evidence to third parties. Our audit has traditionally been with PwC, but with the GDPR, there is a larger community now asking for evidence and examining our program. There are new legal privilege considerations around the records a privacy program produces.

Fink: I’m an attorney, reporting to our General Counsel. Our team is a dotted line to the Compliance Office, who reports to the Chairman. Our privacy team focuses on our privacy policy and program; on training for the business units – we’ve included people from the BUs to be part of the privacy team so we understand the business perspective – and on regulatory compliance. GDPR is our biggest priority right now. Given recent acquisitions, we needed to morph from a US-based to a global privacy program. We now have to look at an issue and assess if it’s a global concern, and how we make our policy scalable.

Fareeduddin: RELX is B2B focused. We’re a $9bn business that owns many other big businesses. To us, GDPR is first and foremost a business problem. My team does IT assurance, rolling up to the General Counsel. We have a sister organization of data privacy attorneys that project manage their GDPR compliance effort. We’re all working with the attorneys from our various businesses to ensure they’re getting ready for May 2018.

Holcomb: What are your top three factors for sustaining a privacy program over time?

Fink: Have a program that’s interoperable. Customers expect you to be in compliance with legal requirements. Next, the GDPR compliance tools you develop have to be simple and easy to use. Help users get results under the requirements. Third, be flexible – you’re dealing with so many ad hoc country requirements, you must adapt as regulations change. Don’t be tied to any specific country. 

Enright: The GDPR is a very ambitious law, but it’s just a starting point. One of the greatest dangers large organizations face is tacking toward 2018 and thinking you’re done. We are seeing nearly daily guidance from national authorities, society, academia, the Article 29 Working Party – it’s a conversation we’re just beginning. It won’t begin and end in Europe – this will eventually affect the policy discussion in the US and globally. Don’t hard code your program to just GDPR compliance – you’re setting yourself up for a lot of pain when the next challenge comes.

Fareeduddin: GDPR compliance is about how to apply the new framework to what you’re already doing. Don’t look at implementing controls as a checklist of GDPR-related things to get done; look at it as a business process. If it’s a check the box exercise, it will be looked at as busy work and might not get done properly. Bring the right stakeholders to the table, including the business side. 

Holcomb: So how do you bring all the stakeholders in?

Fink: Regulatory compliance is done on top of what you’re already doing daily. We bring small teams into the process. We also mobilized across leadership – technical, the CISO, HR, Compliance. You need to keep that outreach going. It helps everyone to understand how time and resource intensive this issue is.

Enright: User trust has been key to our company from the beginning. The founders made decisions early on, so that we never struggle for access to the senior-most levels of management. Because of Google’s products and services, we’ve always gotten a lot of attention from regulators worldwide. That’s been beneficial to us on balance from a privacy perspective. It has elevated our cultural sensitivity and awareness of regulators’ perspectives. This well positions us for GDPR and whatever comes next.

Holcomb: How will you monitor your program?

Fink: The audit approach is traditional. Short of doing that, we can do compliance reviews – identify high risks, or new areas of a program that need more engagement. Work with business units to ensure they have the right protocols in place. Are you getting questions from them? If so, it’s working, they’re seeking expertise, but if it’s just check the box, it won’t work. You must have a regular dialog. 

Fareeduddin: Proactive questions show a level of maturity and awareness in the organization. Make privacy part of your regular business process. We will perform risk assessments and look at automated, continuous monitoring as well, especially with the complexity of GDPR. 

Enright: We have two primary objectives: to ensure we keep promises to users; and to ensure we’re managing risk appropriately. Google has a wide array of controls already in place for both of these. For the former Safe Harbor program and now the Privacy Shield, we have an extraordinarily rigorous process. Every year we review and confirm all commitments and make sure we satisfy them. This results in hundreds of certifications coming to me, which I review before submitting to the US Department of Commerce. 

Holcomb: What are you doing about a Data Protection Officer (DPO)?

Fink: My advice is to start somewhere! Your program should evolve. The GDPR caused us to review what we have today, which is 19 DPOs in 17 countries. We don’t need to change where all of them are. For the GDPR, we have decided to take a regional approach – the Americas, EMEA and AsiaPac – but what we do today may not be where we are six months or three years from now.

Enright: There are a lot of open questions right now. Should a DPO be a lawyer or not? If he or she is a lawyer, what does it do to their legal obligations? Do they need to reside in Europe? We have a legacy structure that will give us a good start, but there are new incremental things now. We will keep an open dialog with national regulators and working parties, because we don’t want to disappoint them, but we don’t want just a defensible legal position, we sincerely want to go farther. The GDPR is trying to satisfy a philosophical issue, and we want to satisfy the regulatory appetite in Europe so we can demonstrate we’ve taken this commitment seriously.

Holcomb: What about companies that are struggling to get executive attention on this issue, or don’t have funding?

Fink: You could mention the 4% penalty risk up front to get in the door. However, to be sustainable, it’s about customer and employee relationships and expectations. It will become a contractual requirement. This is what will move the needle. 

Enright: Never waste a crisis! Leverage it for what you can. Be careful about the 4%. It creates a staggering blue sky figure they may filter out because it’s too terrifying. Modify how you describe the seriousness of GDPR to say it’s civil penalty authority like nothing you’ve seen before in Europe or the US. That should get attention. Also, I don’t think we’ll see these huge sanctions right away. The EU regulators are being thoughtful, but they want to see sincere efforts. However, if we don’t see a massive penalty after some time, you may lose the attention of your Board and will do your program a disservice in the longer term. Be more honest and forward-looking. The GDPR is a symptom of how the privacy and data protection conversation is changing around the world. We’re not going to solve it in 2018 and be done.

Fareeduddin: Ask for what you need, but don’t say the sky is falling because it hurts your credibility. Look at what others in your industry are doing and discuss that competitive reality with leadership. Look at other compliance measures you’ve already leveraged and show how you’ll build on those. Only use bad examples and scare tactics minimally. 

Source: Information Security Magazine

(ISC)2 Issues Recommendations to Trump Administration

As the Trump Administration approaches 100 days in office, (ISC)2 has announced a set of cybersecurity recommendations for the Trump Administration to consider.

The recommendations were delivered to the White House Chief of Staff and others on President Trump’s team, urging that workforce development be prioritized within the pending cybersecurity executive order and beyond.

During a December 2016 gathering sponsored by the (ISC)2 U.S. Government Advisory Council (USGAC), participants, including former Federal Chief Information Security Officer (CISO) Gregory Touhill and federal agency CISOs and executives, discussed transition planning from the cybersecurity workforce perspective. The following is an abridged list of areas that (ISC)2 has since identified as critical for the new administration to address:

Time Is of The Essence. The widespread and damaging effects of cyber threats are revealed on a daily basis. At the same time, the demand for skilled cybersecurity workers is rapidly increasing.

Consider the Progress Already Made. Cybersecurity is a bipartisan issue. Critical work has been done over the last eight years to advance the cybersecurity workforce.

Harden the Workforce. Everyone must learn cybersecurity. We have to break the commodity focus of simply buying technology and stopping there, without focusing on training all users.

Incentivize Hiring and Retention. In today’s world, a sense of mission doesn’t always override good pay—incentives work.

Prioritize Investment in Acquisition, Legal and Human Resources (HR) Personnel. Acquisition, legal and HR professionals are essential players within the federal cybersecurity ecosystem.

Prevent Getting Lost in Translation. The government needs effective communicators who can translate technical risk to business leaders.

Civil Service Reform. The civil service system is broken and does not meet the government’s needs.

Compliance Does Not Equal Security—Embrace Risk Management. In the government’s quest for cyber resiliency, a risk management perspective will be essential.

A Standard Cyber Workforce Lexicon. Once finalized, the NICE Cybersecurity Workforce Framework should provide an excellent resource for workforce development.

“In a recent congressional hearing, (ISC)2 had the opportunity to present these recommendations in an effort to advocate for our members and the broader cybersecurity profession during the presidential transition and beyond,” said Dan Waddell, (ISC)² managing director, North America Region. “Significant progress has been made over the past decade to advance the federal cyber workforce; our recommendations reflect the importance of building future cybersecurity policy—including the pending executive order—on the existing foundation.”

Source: Information Security Magazine

Researchers Find Multiple RCE Bugs in Linksys Routers

Linksys is urging users of its Smart Wi-Fi routers to reconfigure their devices after researchers at IOActive revealed remote code execution and other vulnerabilities in 25 models.

After reverse engineering the firmware, IOActive’s Tao Sauvage discovered 10 bugs, six of which can be exploited remotely by unauthenticated attackers.

Hackers can exploit two of these to DoS the router. Other vulnerabilities allow for the collection of sensitive data such as firmware and Linux kernel version, running processes, connected USB devices and the Wi-Fi WPS pin.

Unauthenticated attackers can also access the firewall configuration, read FTP configuration settings and extract the SMB server settings, Sauvage explained.

However, the most serious could allow an attacker who has authenticated to the affected API to execute commands on the router OS remotely with root privileges, giving them persistent backdoor access.

“Backdoor accounts would not be shown on the web admin interface and could not be removed using the Admin account,” he explained. “It should be noted that we did not find a way to bypass the authentication protecting the vulnerable API; this authentication is different than the authentication protecting the CGI scripts.”

Linksys appears to have worked closely with IOActive to resolve the issues since being informed of the bugs in January, and was described by Sauvage as “exemplary in handling the disclosure.”

The Belkin-owned company released a security advisory today urging customers using guest networks on any of the affected models to disable the feature.

It also advised users to change the default admin password and to switch on automatic updates so that the smart router can receive security fixes when they become available.

The affected models are: WRT1200AC; WRT1900AC; WRT1900ACS; WRT3200ACM; EA2700; EA2750; EA3500; EA4500 v3; EA6100; EA6200; EA6300; EA6350 v2; EA6350 v3; EA6400; EA6500; EA6700; EA6900; EA7300; EA7400; EA7500; EA8300; EA8500; EA9200; EA9400 and EA9500.

Source: Information Security Magazine

Android SMS Spyware Sees Millions of Downloads

An Android SMS-based spyware dubbed SMSVova, which can steal and relay a victim's location to an attacker in real time, has been downloaded between one and five million times since 2014 from the US Google Play store.

Zscaler ThreatLabz found that the app claimed to give users access to the latest Android software updates, but in fact was being used to spy on a user’s exact geolocation, which could have been used for any number of malicious reasons.

Despite clear red flags, millions downloaded it.

“The app portrays itself as a ‘System Update,’” the firm’s researchers explained, in a blog. “After reading the app reviews, it became clear that several users were misled by the app, thinking that it would provide them with latest Android release. Many users were unhappy with the app and conveyed their concerns.”

In addition to the negative reviews, there were other indicators that raised suspicions: The Google Play Store page for this particular app was showing blank screenshots, which is not common, and there was no proper description for the app. It also didn’t mention that it would track the victim, nor that it would send location information to a third party. It said only, “This application updates and enables special location features.”

“There are many spyware variations present on the Google Play store, such as Cell Tracker, but the legitimate apps are explicit in their intentions, and have specific purposes for tracking a user’s device,” Zscaler researchers noted.

As soon as the user tries to start up the app, it abruptly quits and hides itself from the main screen. From there, it sets up an Android service and broadcast receiver to fetch the user’s last known location and store it in SharedPreferences. An attacker could also set a location alert for when the victim’s battery is running low.

Interestingly, the code is a carbon copy of the location-stealing code in DroidJack, the remote access trojan.

“There are many apps on the Google Play Store that act as a spyware; for example, those that spy on the SMS messages of one’s spouse or fetch the location of children for concerned parents,” researchers said. “But those apps explicitly state their purpose, which is not the case with the app we analyzed for this report. It portrayed itself as a system update, misleading users into thinking they were downloading an Android System Update.”

Google has removed the app from the store since Zscaler reported it to the Google security team.

Source: Information Security Magazine

Mobility Programs Snowball but Security Concerns Remain

As mobility shifts from a new initiative to a foundational capability for the enterprise, organizations are expressing new needs from their enterprise mobility programs, according to new research. Security concerns remain top of mind.

Apperian’s 2017 Executive Enterprise Mobility report, conducted in conjunction with CITO Research, found that 57% of respondents are concerned about corporate data on personal and other non-managed devices. This concern is on the rise, up 13% from last year.

Forty-three percent of respondents listed improved productivity as their primary goal of enterprise mobile apps—a 20% jump over 2016. Additionally, enterprises are looking for more sophistication, with 85% of respondents believing a combination of apps will improve productivity across the organization and create the biggest impact on mobility programs. This is a shift from early adopter programs, which used basic apps to mobilize workforces. Also, 22% of those surveyed listed new revenue or service delivery opportunities—a 17% increase from last year. These findings suggest that enterprises expect mobility to drive bottom-line impact, not just improve business processes or employee satisfaction. But do these benefits outweigh organizations’ ability to properly manage the mobile environment?

According to a September 2016 Gartner report, "the demand for mobile apps continues to grow at a very rapid pace, leaving most IT organizations questioning their ability to respond to the demand. Mature mobile enterprises, albeit a very small percentage, often have portfolios of mobile apps that number in the hundreds; enterprises should assume that this will be the norm rather than the exception going forward."

There’s a continued expansion of mobile apps, the report found, with 80% of those surveyed stating they plan to expand their app portfolio over the next 12 months. There’s also more variety in app portfolios—85% of individuals believe their organization will be most impacted by a combination of apps that improve productivity company-wide, in addition to apps that enable mobile sales and field service.

“The increasing sophistication of, and expectations for, enterprise mobility efforts is becoming clear,” said Mark Lorion, President and General Manager of Apperian. “This year’s research findings show that executives now see enterprise mobility as a key enabler in new revenue and service delivery opportunities for their organizations. Not only are mobility programs becoming more strategic, but they also are increasing in reach. Enterprise apps are now deployed to much broader communities of users, extending well beyond traditional full-time workers.”

But addressing non-managed devices remains a security worry—45% of those surveyed are concerned about addressing BYOD, contracted workers or other users in the extended enterprise—a 14% increase over 2016.

Source: Information Security Magazine

Hundreds of Google Play Apps Infected with the BankBot Trojan

An Android trojan known as BankBot is targeting hundreds of apps on Google Play in a wide-net effort to steal mobile users' online banking credentials.

BankBot first surfaced earlier this year after its source code was leaked in December. It infiltrates benign programs, hitching a ride to installation on users’ phones. Once opened, it prompts the user to grant it administrative privileges, then hides by removing its shortcut from the home screen.

From there, it can send and intercept texts, obtain contact list phone numbers, track device geolocation via GPS satellites and request additional privileges to do things like make phone calls. And of course, it steals confidential user information by tracking the launch of online banking applications and payment system software. When those applications are launched, it loads a phishing input form on top of the attacked application to capture credentials.

To the user, the apps still work and appear legitimate, because they started off that way. And the bad actors are making the most of that situation. Securify’s Niels Croese, for instance, found that with the Funny Videos 2017 app, someone infected it with the trojan just after the last time it had received an update—giving it the longest possible window for infection. As many as 5,000 users had installed the compromised app before it was updated and the trojan defanged.

Google has since removed that app, but unfortunately it doesn’t stop there: Croese examined the code and found that the trojan had compromised more than 400 apps available for download on Google Play.
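The SMSVova app described earlier and the BankBot-infected apps share a recipe: a benign-looking package that declares capabilities it has no business needing (SMS receive/send plus fine location for the fake "System Update"; device-admin rights, SMS and the overlay permission for BankBot) and then hides itself. The triage script below is an added example, not code from Zscaler, Securify or Google: it parses AndroidManifest.xml files and flags those combinations. The three manifests are constructed for illustration, and the mapping from the behaviour the articles describe to specific permissions and receiver actions is an assumption about how such apps are typically declared, not a published signature.

```python
"""Static manifest triage for the two capability mixes described above.

Added example, not code from Zscaler, Securify or Google. The manifests are
constructed for illustration; mapping the described behaviour to specific
permissions and receiver actions is an assumption, not a published signature.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS

# label -> (required <uses-permission> names, required <receiver> intent actions)
CAPABILITIES = {
    # SMSVova: commanded over SMS, relays the victim's last known location
    "sms_command_channel": (
        {"android.permission.RECEIVE_SMS", "android.permission.SEND_SMS"},
        {"android.provider.Telephony.SMS_RECEIVED"},
    ),
    "location_exfil": ({"android.permission.ACCESS_FINE_LOCATION"}, set()),
    # BankBot: asks for device-admin rights, then draws a phishing form over the
    # banking app (SYSTEM_ALERT_WINDOW is the permission that allows overlays)
    "device_admin": (set(), {"android.app.action.DEVICE_ADMIN_ENABLED"}),
    "overlay_phishing": ({"android.permission.SYSTEM_ALERT_WINDOW"}, set()),
}


def parse_manifest(xml_text):
    """Return (declared uses-permissions, intent actions declared on receivers)."""
    root = ET.fromstring(xml_text)
    perms = {e.get(NAME) for e in root.iter("uses-permission")}
    actions = {a.get(NAME) for r in root.iter("receiver") for a in r.iter("action")}
    return perms, actions


def triage(xml_text):
    """Capability labels whose permission and receiver requirements are all met."""
    perms, actions = parse_manifest(xml_text)
    return sorted(label for label, (p, a) in CAPABILITIES.items()
                  if p <= perms and a <= actions)


def verdict(hits):
    """Collapse capability hits into the two patterns the articles describe."""
    hits = set(hits)
    if {"device_admin", "overlay_phishing", "sms_command_channel"} <= hits:
        return "banking-overlay pattern"
    if {"sms_command_channel", "location_exfil"} <= hits:
        return "sms-location-spyware pattern"
    return "no pattern"


# Constructed manifest modelled on the "System Update" behaviour described above.
SYSTEM_UPDATE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.systemupdate">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application>
    <service android:name=".LocationService"/>
    <receiver android:name=".SmsReceiver">
      <intent-filter><action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed manifest modelled on the trojanized-video-app behaviour described above.
BANKING_OVERLAY_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.videos">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
    <receiver android:name=".SmsReceiver">
      <intent-filter><action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed manifest for a legitimate navigation app: location alone is no finding.
MAPS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.maps">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application><activity android:name=".MainActivity"/></application>
</manifest>"""

if __name__ == "__main__":
    for name, m in (("system-update", SYSTEM_UPDATE_MANIFEST),
                    ("videos", BANKING_OVERLAY_MANIFEST), ("maps", MAPS_MANIFEST)):
        print(f"{name}: {triage(m)} -> {verdict(triage(m))}")
```

The script deliberately scores combinations rather than single permissions: a maps app legitimately asks for fine location, and an SMS client legitimately receives SMS, so only the co-occurrence the articles describe is reported. Hiding the launcher icon happens at runtime and is not visible in the manifest, which is why that behaviour is not part of the heuristic.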

"Consumers have been repeatedly told that only reputable online stores should be used to download apps,” Robert Capps, VP of business development at NuData Security, told us by email. “Yet, this discovery throws that advice into question and leaves the consumer with few options beyond combing reviews, or to download the app directly from the bank’s site where possible. Banking apps are now a fact of life. In 2016, the Federal Reserve reported that banking apps had stable market penetration at around 43% of the mobile phone market. Many mobile phone users not using their phones for banking reported security concerns as part of their reluctance, and trojans like this being found within apps on a major app store only support their concern.”

The issue can be addressed by more than Google’s policing. Banks could offer customers robust account protection that includes a suite of layered authentication technologies that go beyond just username and password credentials.

“These new solutions authenticate users based on their online behaviors; methods that are extremely resistant to impersonation, don’t rely on credential data, and can even provide banks with options to upgrade user experiences for trusted good customers,” Capps added. “These technologies are going to defeat trojans and malware by making the credentials and payment card details the fraudsters go after obsolete. I’d love to get to the point that fraudsters are holding a bag full of nothing, because that is where these new technologies are taking us."

Source: Information Security Magazine

Board Members Want a Helicopter View of Cyber-risk

CISOs say they spend far less time discussing data protection and brand protection with the board, and spend more time giving security guidance on business enablement and loss avoidance—despite widespread coverage of how breaches affect intellectual property and trust.

That’s the word from Focal Point Data Risk’s Cyber Balance Sheet Report, which examines the roles of boardroom members and CISOs in managing cyber-risk.

“For years, pundits have been saying 'cyber needs to be a boardroom issue,' but the Cyber Balance Sheet Report replaces this sound bite with the most illuminating look yet at where cyber issues are making headway with boards or falling off the table,” said Yong-Gon Chon, CEO of Focal Point. “The report reveals important indicators around cyber-awareness at the top levels of governance. We have evolved from cybersecurity being a component of IT performance to becoming an issue that prompts broader questions about protecting valuable company data. Yet, as the report discloses, it’s the nature of these questions and how CISOs respond that determines how far oversight and accountability still have to evolve.”

It uncovered that board members are five times as likely to cite “risk posture” as a key security metric compared to CISOs, and 13 times as likely to say the same about peer benchmarking—showing boardrooms’ affinity for the big picture.

Board members also report being inundated with security data and often assume CISOs—armed with data—have things under control. One CISO was told, "We do not understand everything you are telling us, but we have a lot of confidence you are doing the right thing."

Boards want a helicopter view of the cyber battlefield, in other words, versus CISOs’ day-to-day view of threats and trends—which is more analogous to driving tanks through the mud.

“Pending legislation, shareholder pressure and media attention are all pushing board members to take responsibility for their organizations’ cybersecurity,” said Wade Baker, co-founder of the Cyentia Institute, which conducted the study, and lead researcher on the report. “As this happens, it’s important to understand the questions that board members are asking and measure whether CISOs are providing the answers.”

Source: Information Security Magazine

Bad Guys Still Rely on Marks to Click on Something

User interaction is still one of the biggest keys to the success of malicious activity. Based on the timing of the alerts it generated, Rapid7’s Q1 analysis found that attackers still heavily rely on social engineering and permissions.

In its inaugural quarterly threat report, the firm found, for instance, that on Monday holidays, alerts dipped significantly, which the analysts attributed to a lack of employees interacting with malicious emails, attachments and links.

“Reducing alert fatigue should always be a goal, but there’s more to it: A better signal-to-noise ratio means responders and analysts are more likely to see meaningful trends,” the firm noted.

The report leverages intelligence from Rapid7’s Insight platform, Rapid7 Managed Services, Rapid7 Incident Response engagements, and the Metasploit community.

“Often, threat intelligence and data science reports present an abundance of statistics that are inaccessible and difficult to apply. Our goal with this report, and the ones to follow, is to provide incident response teams and SOC analysts with distilled learnings and practical, actionable guidance from the complex wealth of data Rapid7 gathers continuously,” said Bob Rudis, chief data scientist at Rapid7.

Also, if companies design indicators based only on currently available information, rather than seeking out additional intelligence or adding industry- and company-specific context, the result will be low-quality alerts, the report postulates. In other words: while most alerts are triggered from known, malicious activity, the quality of these alerts is entirely dependent on the established indicators.

The analysis also noted that many organizations fear sophisticated, targeted attacks from APTs, but understanding an organization’s threat profile can help determine whether those attackers belong in its threat landscape at all. For organizations in industries that align with nation-state interests—government, manufacturing, aerospace—sophisticated attack activity is alive and kicking. For the most part, this analysis observed that organizations outside those industries were not significantly affected by highly targeted attacks.

Similarly, Rapid7 found that understanding the threat presented by new vulnerabilities, mapped to specific threat profiles, can help to determine when something needs to be prioritized.

“While a 30-day patching cycle was once generally effective, the Apache Struts vulnerability (CVE-2017-5638) presented a strong case to reevaluate this traditional thinking,” the report said. “Just days after the Apache Struts vulnerability was publicly disclosed, our analysts began to detect mass-exploitation attempts.”
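The report's two points, that alert quality depends entirely on the indicators behind it and that Struts exploitation went from disclosure to mass scanning in days, can be shown together. The following is an added example, not Rapid7's code or detection content: it runs two indicators over a constructed request log, a context-free rule that fires on any Struts-style endpoint and a content-based rule that looks for an OGNL expression in the Content-Type header, and measures how much of each indicator's output lands on the labelled attacker. That the CVE-2017-5638 trigger travels in Content-Type is public knowledge about the CVE rather than something this article states; the payload fragments are truncated, constructed samples and the addresses are documentation ranges.

```python
"""Two indicators for the Struts case, run over a constructed request log.

Added example, not Rapid7's detection content. That CVE-2017-5638 is triggered
by an OGNL expression in the Content-Type header is public knowledge about the
CVE, not a statement in the article; the payload fragments are truncated and
constructed, and the source addresses are documentation ranges.
"""
import json
import re

# Weak indicator: the request targets a Struts-style endpoint. True for every
# legitimate user of the application, so the alert carries almost no signal.
STRUTS_ENDPOINT = re.compile(r"\.action(\?|$)")

# Content-based indicator: an OGNL expression (%{ ... with a '#' reference)
# where only a media type should ever appear.
OGNL_IN_CONTENT_TYPE = re.compile(r"%\{.*#")

# Constructed request log, one JSON object per line. 203.0.113.9 is the
# labelled attacker used as ground truth below.
MALICIOUS_SRC = "203.0.113.9"
REQUEST_LOG = """
{"src": "198.51.100.7", "method": "GET",  "path": "/app/login.action",  "content_type": ""}
{"src": "198.51.100.7", "method": "POST", "path": "/app/login.action",  "content_type": "application/x-www-form-urlencoded"}
{"src": "203.0.113.9",  "method": "POST", "path": "/app/upload.action", "content_type": "%{(#_='multipart/form-data').(#probe='x')}"}
{"src": "203.0.113.9",  "method": "GET",  "path": "/app/index.action",  "content_type": "%{(#_='multipart/form-data').(#probe='y')}"}
{"src": "192.0.2.15",   "method": "GET",  "path": "/static/logo.png",   "content_type": ""}
"""


def parse_log(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def weak_alerts(records):
    """Endpoint-only indicator: fires on the path alone."""
    return [r for r in records if STRUTS_ENDPOINT.search(r["path"])]


def content_alerts(records):
    """Content indicator: fires on the shape of the Content-Type value."""
    return [r for r in records if OGNL_IN_CONTENT_TYPE.search(r["content_type"])]


def labelled_malicious(records):
    return [r for r in records if r["src"] == MALICIOUS_SRC]


def precision(alerts, truth):
    """Share of alerts that land on a record in the labelled ground truth."""
    return sum(1 for a in alerts if a in truth) / len(alerts) if alerts else 0.0


def sources(alerts):
    """Distinct sources behind a set of alerts: many sources hitting one content
    indicator within days of disclosure is what mass exploitation looks like."""
    return sorted({a["src"] for a in alerts})


if __name__ == "__main__":
    recs = parse_log(REQUEST_LOG)
    truth = labelled_malicious(recs)
    for name, alerts in (("endpoint", weak_alerts(recs)), ("content", content_alerts(recs))):
        print(f"{name}: {len(alerts)} alerts, precision {precision(alerts, truth):.2f}, "
              f"sources {sources(alerts)}")
```

On this sample the endpoint rule fires four times with half its alerts on legitimate users, while the content rule fires twice, both on the attacker. The difference is not the tooling but the indicator: the same log, the same pipeline, and only the second rule tells a responder anything worth acting on.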

Source: Information Security Magazine

#CRESTCon & IISP Congress: Passive Data Sources Can Make System Mapping Great Again

“Passive [enumeration] methods seem to be very under-appreciated”, and there is a lot to learn from listening to our systems.

These were the words of Chris Day, senior consultant at MWR, speaking at CRESTCon & IISP Congress in London today.

Day outlined the importance of understanding a risk before mitigating it, but companies often struggle to understand and know their own systems: outdated and incomplete documentation, staff departures, recent acquisitions, and unauthorized or undocumented deviations can all prove troublesome.

However, he argued that this can be aided by adding passive data sources to security strategies. Active techniques do carry several benefits, but on their own they also raise a series of issues that can cause companies problems. These include:
•    Interaction with systems
•    Potential for disruption
•    IP focus
•    Overloaded networks
•    Sensitive devices

In contrast, passive techniques bring benefits such as no interaction with the system, easier automation and rich data. So, continued Day, there is a place for reimagining passive enumeration to work in tandem with active techniques, and for building enumeration tools that can, for example, produce system diagrams from log files and host-native tool output.

In order to do this, what does an ideal tool look like? According to Day, an ideal enumeration tool should:

•    Aggregate data sources
•    Capture non-ethernet interfaces
•    Be capable of entirely passive operations
•    Produce output for both engineers and CEOs
•    Be accessible to users
•    Maintain an audit trail for data
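As an added example of what the aggregation, audit-trail and two-audience requirements above look like in practice (not a tool from MWR or Chris Day), the script below builds a host inventory purely from host-native output and a log file, without a single packet sent: every fact keeps the source line it came from, and the same inventory is rendered once for an engineer and once as summary counts. The `ip neigh`, `ss -tn` and auth-log samples are constructed; the field layout assumed for each is the standard output of those Linux tools.

```python
"""Passive host inventory from host-native tool output and logs.

Added example, not a tool from MWR. All three inputs are constructed; the
parsers assume the standard `ip neigh`, `ss -tn` and OpenSSH/smbd log formats.
"""
import re

# Constructed `ip neigh` output (note the WireGuard interface: not Ethernet).
IP_NEIGH = """\
192.168.1.10 dev eth0 lladdr 52:54:00:12:34:56 REACHABLE
192.168.1.20 dev eth0 lladdr 52:54:00:ab:cd:ef STALE
10.9.0.3 dev wg0 lladdr 52:54:00:00:00:99 REACHABLE
"""
# Constructed `ss -tn` output from the same host (192.168.1.5).
SS_TN = """\
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB  0      0      192.168.1.5:22       192.168.1.10:51234
ESTAB  0      0      192.168.1.5:445      192.168.1.20:49211
ESTAB  0      0      192.168.1.5:22       10.9.0.3:40022
"""
# Constructed auth log lines from the same host.
AUTH_LOG = """\
Apr 25 10:01:02 fileserver sshd[1234]: Accepted publickey for deploy from 192.168.1.10 port 51234 ssh2
Apr 25 10:07:41 fileserver smbd[2001]: connection from 192.168.1.20
Apr 25 10:09:13 fileserver sshd[1302]: Failed password for root from 172.16.5.77 port 60000 ssh2
"""

NEIGH_RE = re.compile(r"^(\S+) dev (\S+) lladdr (\S+)")
SS_RE = re.compile(r"^ESTAB\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)")
LOG_IP_RE = re.compile(r"\bfrom (\d+\.\d+\.\d+\.\d+)\b")


def observe(inv, ip, source, line):
    """Register a sighting of `ip`; the raw line is kept as the audit trail."""
    host = inv.setdefault(ip, {"macs": set(), "ifaces": set(), "services_used": set(),
                               "sources": set(), "evidence": []})
    host["sources"].add(source)
    host["evidence"].append((source, line))
    return host


def ingest_ip_neigh(inv, text):
    """Layer-2 facts: MAC address and the interface the neighbour was seen on."""
    for line in text.splitlines():
        m = NEIGH_RE.match(line)
        if m:
            ip, iface, mac = m.groups()
            host = observe(inv, ip, "ip-neigh", line)
            host["macs"].add(mac)
            host["ifaces"].add(iface)


def ingest_ss(inv, text):
    """Established sockets: the peer is a host, the local endpoint a service it uses."""
    for line in text.splitlines():
        m = SS_RE.match(line)
        if m:
            local_ip, local_port, peer_ip, _ = m.groups()
            observe(inv, peer_ip, "ss", line)["services_used"].add(f"{local_ip}:{local_port}")


def ingest_log(inv, text):
    """Any 'from <ip>' in a log line is a sighting, whether the attempt succeeded or not."""
    for line in text.splitlines():
        m = LOG_IP_RE.search(line)
        if m:
            observe(inv, m.group(1), "auth-log", line)


def build_inventory():
    inv = {}
    ingest_ip_neigh(inv, IP_NEIGH)
    ingest_ss(inv, SS_TN)
    ingest_log(inv, AUTH_LOG)
    return inv


def engineer_view(inv):
    """One line per host, sorted numerically, listing every corroborating source."""
    def octets(ip):
        return tuple(int(o) for o in ip.split("."))
    return [
        f"{ip:15} mac={','.join(sorted(h['macs'])) or '-'} "
        f"uses={','.join(sorted(h['services_used'])) or '-'} "
        f"sources={','.join(sorted(h['sources']))}"
        for ip, h in sorted(inv.items(), key=lambda kv: octets(kv[0]))
    ]


def ceo_view(inv):
    """Summary counts: how much of the estate more than one source agrees on."""
    corroborated = sum(1 for h in inv.values() if len(h["sources"]) >= 2)
    return {"hosts": len(inv), "corroborated": corroborated,
            "single_source": len(inv) - corroborated,
            "no_layer2_record": sum(1 for h in inv.values() if not h["macs"])}


if __name__ == "__main__":
    inventory = build_inventory()
    print("\n".join(engineer_view(inventory)))
    print(ceo_view(inventory))
```

The one host seen only in the auth log (a failed root login from 172.16.5.77) is exactly the kind of entry an active scan of the local subnet would never surface, and the audit trail lets a reviewer see which line put it there before anyone acts on it.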

Source: Information Security Magazine

Call for DHS to Abandon Demands for Travelers' Social Log-Ins

Rights groups are calling on the Department of Homeland Security (DHS) not to demand the social media passwords of foreigners entering the United States, claiming it’s a violation of human rights and creates serious cybersecurity risks.

In a new campaign dubbed "Fly Don't Spy", groups including the Electronic Frontier Foundation (EFF), American Civil Liberties Union (ACLU), Committee to Protect Journalists (CPJ) and Open Technology Institute reference a report from earlier this month that the DHS is considering a range of vetting options for people coming to the US.

These include forcing them to provide passwords to their social media accounts as well as smartphone contacts.

According to reports, the department – which currently asks visa applicants to voluntarily hand over access credentials – would require log-ins not just for visitors from countries deemed high-risk like Syria but ‘allies’ such as the UK.

However, the 29 groups lobbying the public to stand up to DHS secretary John Kelly over the proposal argued: “This would violate the right to privacy, freedom of expression, and create numerous cybersecurity risks for all people.”

“Log-in access to social media accounts provides intimate information on a person as well as their connections. If you use a social media account to log in to other websites, it may also create a detailed dossier that broadly maps your entire digital life,” the petition notes.

“The requirement will disproportionately impact low-risk travellers since terrorists and criminals will simply evade these requirements by using different accounts and devices. US citizens will also feel the impact, as other countries will almost certainly follow suit.”

The rights groups are almost certainly correct about the last point, given that the European Parliament last month voted to end visa-free travel for US tourists to the EU after Washington refused the same for citizens of five EU countries.

Source: Information Security Magazine