Category Archives: Privacy

When is a hack all-white?

From Chris Cope – Advent IM Security Consultant

hacker_d70focus_1What’s the difference between a ‘white hat’ security researcher and a hacker?  As a general rule of thumb, if  someone discovers a vulnerability on your system and informs you (without undertaking any unauthorised or unlawful activity in the process) then a ‘thank you’ is generally considered to be in order.  There are numerous ‘white hat’ researchers who trawl software and internet sites, detecting vulnerabilities and alerting the appropriate owners or developers.  Many companies have benefited from a quiet advisory and it’s reasonable to suggest that without ‘white hats’, the policy of releasing software and patching later, adopted by many vendors, would be severely undermined.

advent IM data protection blog

oops there goes the sensitive data

So why is a white hat researcher, Chris Vickery to be precise, in the news?  Mr Vickery discovered a database on a website.  The website belongs to a company called uKnowKids, this provides a parental monitoring service for your technology savvy children.  The database contained an array of information that the company did not want to be made public, including in the words of the BBC ‘detailed child profiles’.  However, the company claims that the information was not personal data and no customer information was at risk.  Mr Vickery was able to access the data base and take screenshots, which were sent to the company as proof of the vulnerability.  However, rather than thank him, the company accused Mr Vickery of risking their continued viability and claimed that his access was unauthorised.  By Mr Vickery’s account, the database was in a publicly accessible area and had no access controls in place.

Since the notification, uKnowKids has patched the vulnerability.

So what can we take from this?  UKnowKids obviously intended for the database to remain private.  Under UK law, Intellectual Property rights provide protection for confidential information, but there is one pretty fundamental requirement – the information needs to be protected.  Placing a database on a publically accessible internet page, without protection is, however, akin to leaving a sensitive file in paper format on a train.  Organisations shouldn’t be surprised if information left in such a public and insecure state is read by unintended third parties. 

Before protecting information, an organisation needs to understand what information it holds, and what needs protecting.  Once that is established, there are a variety of means that can be used to protect it; physical controls on physical copies, labelling of information, educating staff so they understand the required handling measures and routine audits all form part of the basic protections required for all types of information.  For electronic information, then one needs to consider technical measures such as access controls and encryption.  When a database, containing sensitive information, must be placed in an area where it is accessible from outside the organisation, then access to it must be very carefully controlled.

iStock_000014878772MediumIn this instance, the reputation of a company, which holds intelligence on children, could have been seriously undermined if a hostile breach had occurred, even without the loss of personal information.  If personal information was lost, then the financial implications could have been severe; increasingly so as new EU legislation on data protection comes into effect.  So make sure that you fully understand your assets (including information) and what level of protection they require and, when designing controls, its important to ensure that the full range of counter measures, including physical, personnel, procedural and technical, are considered, properly implemented and integrated.  And if you do come across a publicly spirited individual who warns you of a potential breach in your security, remember to say ‘thank you’.

Security Predictions for 2016

As 2015 draws to a close, we asked the Advent IM Staff to ponder the challenges for next year. 2015 saw some huge data and security fumbles and millions of people had their personal information exposed as hack after hack revealed not only how much this activity is on the increase, but also how  the security posture of some businesses is clearly unfit for purpose.

Over to the team…

Image courtesy of Vlado at FreeDigitalPhotos.net

Vlado at FreeDigitalPhotos.net

 

Dale Penn – I predict that with the recent introduction of Apple Pay and Google’s Android Pay we will see a large upswing in mobile device targeted attacks trying to get at our bank accounts.

Del Brazil – Attacks will be pushing in from the Siberian peninsular coupled with additional attacks from the orient- this will bring a chill to the spines of organisations.  These attacks are likely to be followed by sweeping phishing scams from the African continent.  There is also the likelihood that attacks towards HMG assets from Middle Eastern warm fronts will further identify/expose weaknesses within organisations. Closer to home is the ever increasing cold chill developing within organisations as the realisation that the threat from insiders is on the rise. In summary it’s going to be a mixed bag of events for a number of wide ranging organisations. However on the whole, as long as organisations grab their security blanket they will be best placed to ward off the majority of attacks.

Chris Cope – If 2015 saw a significant number of high profile information security breaches, then expect 2016 to be more of the same.  Attackers are getting cleverer at exploiting weaknesses; most notably those presented by people.  I confidently predict that a significant number of incidents in 2016 will feature poor security decisions made by employees.  I also predict a significant challenge for many organisation which hold personal data.  The forthcoming EU regulation on data protection will provide significant challenges on the protection of personal information of EU citizens.  With a significant increase in financial sanctions highly likely, the importance of safeguarding personal data has increased dramatically for any organisation, even those who were not challenged by the penalties previously awarded by the Information Commissioners Office (ICO).  Could this be the start of a wider regulatory drive to improve information security – probably not, at least not yet. Finally, with continuing uncertainty across key areas of the globe, particularly the Middle East, we will also see more examples of ‘cyber warfare’ as this nascent capability continues to be exploited.  This will lead to a flurry of reports on how cyber war is about to doom us all or is irrelevant (depending on one’s viewpoint); surely an opportunity to educate the wider populace, and key decision makers, on what information security, and its potential consequences, could actually mean?

Mark Jones – I predict…

  • Cloud security becomes even more important as more and more businesses move services there – more demand for ISO27017
  • Related to the above, more Data Centre Security certifications due to contractor (customer) requirements
  • More BYOD-related security incidents with more mobile malware found on all platforms with China the main source – mobile payments being a prime target
  • Cyber Essentials leads to more demand for ISO27001 certifications from SMEs
  • Privileged insider remains the main Threat Source & Actor
  • More incidents relating to online cyber-extortion / ransomware
  • With increasing demand for infosec specialists and/or DPOs organisations will find it more difficult to recruit than ever
  • More incidents relating to the Internet of Things – smart devices such as drones falling out of the sky causing harm; more car computers hacked resulting in more car theft

Ellie Hurst – Media, and Marcomms Manager – I predict the growth of ransomware  in business.  Ransomware, is mainly (though not exclusively) spread by phishing and given the success of phishing as an attack vector and that one in four UK employees don’t even know what it is (OnePoll for PhishMe), I think it will continue to be the most likely form of ransomware proliferation. Of course, it can also be spread by use of inappropriate websites and so businesses that do not have, or enforce a policy or exercise restrictions in this area, will also find themselves victims of this cynical exploit.

A word from our Directors…

Julia McCarron

Julia McCarron – Advent IM Operations Director – I predict a RIOT – Risks from Information Orientated Threats.

 

 

Mike Gillespie_headshot

 

Mike Gillespie – Advent IM Managing Director – I predict an escalation in the number and severity of data breach in the coming year. Recent failures, such as TalkTalk, VTech and Wetherspoons highlight that many businesses still do not appreciate the value of the information assets they hold and manage. Business needs to increase self-awareness and looking at the Wetherspoons breach, ask the difficult question, “Should we still be holding this data?”

I think the buzz phrase for 2016 will be Information Asset Owners and if you want to know more about that, then you will have to keep an eye on what Advent IM is doing in 2016!

Morrisons staff suing over data breach. Del Brazil takes a look at what we know and what it might mean.

Advent IM Security Consultant, Del Brazil discusses some of the questions raised by the legal action from Morrisons employees over a data breach that led to their private information being leaked…

It has been reported in Computer Weekly that thousands of Morrisons staff are planning to sue the retailer over a data breach in which a disgruntled former employee published the bank, salary and National Insurance details of almost 100,000 employees, online.

Did Morrisons fail to prevent the data leak that exposed tens of thousands of its employees to the very real risk of identity theft and potential loss?  Only a fully and thorough investigation will reveal the answer along with exactly how the breach was committed and over what period of time the breach occurred.

Any investigation will highlight the security measures deployed at the time of the incident.  A decision will then be made by the Information Commissioners Office (ICO) or other investigative body, as to whether the measures implemented were in line with the Data Protection Act and that any measure was correctly configured, managed and/or monitored.

Advent IM Data Protection ConsultantsThe Data Protection Act 7th Principle says that: “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”

So in simple terms each and every organisation that stores, processes or handles personal data should be able to establish whether they can reasonably do more to protect the personal data they hold.  If the answer raises eyebrows or poses further questions then the simple answer should be yes; however all organisations should be consistently and regularly reviewing their security measures in order to highlight potential weaknesses or areas for improvement. What may be appropriate and adequate at one time, may not always remain the same, so the need for review and testing is key.

iStock_000018385055SmallIn the event that personal data is stolen, changed or misappropriated, then the repercussions to the individual could be devastating.  There is a possibility that their information may be sold on to a third party for spamming purposes or sold on to a criminal organisation with the intent of identity theft. The resulting financial losses to individuals are not only unfair and criminal, on a wholesale basis, but frequently go to fund other criminal and terrorist activities.  Sadly, there is a frequently a somewhat relaxed attitude towards the loss of personal data from an individual’s perspective as they believe that it won’t happen to them. However there is always a risk to your personal information being used for purposes that you are not aware of.  No one should ever be afraid to question an organisation or employer how they protect their information and what measures they are taking to ensure its security.  If there are resulting concerns about levels of protection or safeguards, then the Information Commissioner’s Office (ICO) may be contacted as they may investigate these concerns further.

Individuals can be quick to pass on their details to organisations/companies for genuine reasons; we all live a digital and data-driven life, in the belief that this information will be adequately protected.  Arguably, in some cases you have no choice than to share personal information especially from an employment perspective and it would reasonable to expect your employer to take sufficient care of your information to prevent it being accessed or passed to individuals/organisations intent on committing some form of illegal activity. Being aware of how our information is protected is not unreasonable and employees have a perfectly reasonable expectation that their employers will consider this part of their duty of care.

stick_figure_pointing_north_america_image_500_clrThe UK can sometimes follow the US culturally and the question has been raised as to whether the culture of litigation is one we can expect to see expand in the UK, particularly with this kind of high profile legal action. There are numerous incidents in the US where companies/organisations have been sued for failing to protect personal information, but can we expect this to become part of our corporate life? This is a very tricky question to answer, as the laws governing the protection of data in the US differ from those in the UK; although they do deliver the same message.  Each and every personal data breach is unique but the re-occurring question in any investigation will always be whether the individual, company and/or organisation took sufficient care to protect personal information by the deployment of appropriate technical, physical and procedural measures and what was the impact to individual concerned?  So whilst the regulation may differ, the spirit of the regulation is consistent and whether this is the future for the UK too will remain to be seen. Certainly we are seeing growing numbers of breaches and it is unlikely that this growth will continue without some kind reaction from the victims.

Advent IM Information Security AuditWhat is the likelihood that the Morrisons legal action is successful?  This would depend on the outcome of the ongoing investigation and as to whether Morrisons was deemed to have adequately protected their employee’s data.  Should the legal bid be upheld then the repercussions may potentially have a massive impact on all organisations storing and/or processing personal information.  There is a likelihood that organisations may go massively overboard with extra or increased measures in an attempt to defeat any possible threat of an insider attack without first reviewing and/or assessing the result of the findings of the ongoing Morrisons case.

The Morrisons data breach does raise a few questions though; what measures are deemed to be appropriate and sufficient to detect and/or deter an insider attack?  There is a fine balance between organisations having a high level of protective monitoring that gives employees the ‘Big Brother’ impression or such a low level that pretty much no monitoring takes place.  A very similar tone could be taken to staff vetting as at what point does vetting no longer be seen as an assurance practice but more of an intrusion into personal life?  These are questions that will continuously trouble both employers and employees.

Organisations are generally over reliant on technical solutions for protective monitoring to provide a quick fix rather than looking at the problem and identifying an appropriate solution.  There are a whole raft of technical solutions available, all of which require an element of physical monitoring and response.  It is an organisational decision as to whether to use a more technical solution with little staff interaction to maintain the system, as opposed to relying more heavily on human inspection of various logs; however consideration should also be given to allowing/ensuring that there are sufficient staff available to respond to alerts or discrepancies that may be detected in whichever solution is deployed.  Organisations should also ensure that they have a tried and tested plan in place to maximise their ability to understand, contain and respond to the ever increasing threat to personal information.

It is the opinion of the author that organisations should employ comprehensive protective monitoring procedures, which when coupled with a degree of staff vetting and a good security awareness programme should demonstrate to any governing body an organisation’s commitment to deterring or detecting insider threats.

Unfortunately the insider threat will never go away and with the value and importance of information increasing rapidly so the temptation for employees to sell personal information also increases.  Every level and type of industry relies upon information, no matter what form it takes and as such, every industry should keep an eye on this case as it develops.

Although organisations should pay close attention to this ongoing legal case raised by Morrisons employees and/or organisations shouldn’t be overly concerned until the full details of the investigation and the outcome of the legal case are made public.

Every organisation should ensure appropriate measures are in place (technical and non-technical) to secure and protect personal information to the best of their ability, including continually educating, training and making their staff aware of the insider threats.

No more Safe Harbour…or Harbor

European Court of Justice has ruled that transatlantic data sharing agreement is invalid. What does this mean for UK businesses that utilise US datacentres or Cloud services?

Advent IM Director Mike Gillespie, “There are issues arising from this ruling that require the urgent attention of UK businesses and they need to be aware of the legislative implications of how they plan to store and manage data”.

For some time now, hosting companies, system support and system management companies, contact centres and most recently cloud providers have been selling their services, some or all of which reside in the US, into the EU. These companies have consistently cited Safe Harbor as the assurance that EU citizen data would be afforded the commensurate level of protection that it would receive from an EU/EEA member state.

The inception of Safe Harbor predates the US Patriot Act, legislation which, many people feel made a nonsense of Safe Harbor. This has been widely documented and discussed by Data Protection practitioners for some time now and, whilst there have been ongoing negotiations, the European Commission appears to have made little progress. Meanwhile any EU Citizen data resident in US servers remained vulnerable to release to US authorities.

In one fell and rather final swoop, the Court removed the blanket approval for data transfers to the US. This now allows for individual national Data Protection Authorities (ICO in UK) to scrutinise any proposed transfers to ensure that transfers guarantee the rights to privacy and freedom from surveillance afforded each of us by the Charter.

Of course one way to attempt to get round the issue could be by following the EU Model Clauses route, an option often deployed by organisations in the past wanting to transfer data to/allow data processing in non-EEA or other trustworthy countries ie India. This option required the inclusion of a series of model clauses into contracts which effectively bind the Data Processor to abide by the principles of EU Data Protection. However, which takes precedence, contract law or the Patriot Act? Can a commercial contact ensure the privacy of EU Citizens personal data and guarantee it to be free from disclosure to US Authorities? This seems highly unlikely.

A further option could be implementing Binding Corporate Rules (BCRs) which are “designed to allow multinational companies to transfer personal data from the EEA to their affiliates located outside of the EEA”. So far so good as this sounds just the ticket especially for multinational hosting providers and cloud computing providers?

However for BCRs to work, applicants must demonstrate that their BCRs “put in place adequate safeguards for protecting personal data throughout the organisation”.

How can any company hosting data inside the US offer this? In reality they probably cannot.

The truth is, EU Citizens data protection cannot be guaranteed once it’s transferred to the US, this has been acknowledged so finally that the EU Commission and member states’ Data Protection Authorities have an imperative to do something about it.

The fallout from the decision is yet to be felt but could have far reaching for some organisations. The ICO has been at pains to point out that the ruling does not mean there is an increase in threat to people’s personal data. However, companies will need to review how they ensure that data transferred to the US complies with legislation. Safe Harbor was not the only regulation available for transfers between the US and EU but it was the most widely used.

So what does this mean in the short term? Immediately little will probably happen. The ICO are considering the judgement and will be issuing guidance in due course. A new Safe Harbor agreement is also currently being negotiated between the EU and US, and has been in negotiation for the last two years, following the Snowden revelations. Once various authorities have cogitated over the ruling we will then need to assess the full impact on organisations moving forward as more guidance is released. In the meantime, a review of current practices is recommended by those organisations transferring data to the US.

Issued:  08.10.15                             Ends                                     Ref: safeharbor-01-Advent -MG

NOTES TO EDITORS

About Advent IM

Advent IM is an independent specialist consultancy, focusing on holistic security management solutions for information, people and physical assets, across both the public and private sectors. Established in 2002, Advent IM is a centre of excellence for security services, promoting the benefits of best practice guidelines and standards and the need to address risk management to protect against potential threats.
From its offices in the Midlands and London, its Consultants work nationwide and are members of the CESG Listed Advisor Scheme (CLAS), Institute of Information Security Professionals (IISP), The Security Institute (SyI), Business Continuity Institute and British Computer Society.

Consultants are also Lead Auditors for the International standard for information security management (ISO 27001) and business continuity management (ISO 22301), Practitioners of PRINCE2, a recognised project management methodology widely used within the public sector, CISSP qualified and Home Office trained physical security assessors.

Attack of the Drones – guest post from Julia McCarron – Advent IM Director

So this week came the worrying news that mobile phones attached to drones can hack Wi-Fi devices and steal our data. That Star Wars script of yesteryear could be coming into its own! Oh hang on … that was Clones not Drones J But seriously, the use of drones in warfare is becoming more and more prevalent, so could their use in cyber hack-attacks become a common threat too?

Image courtesy of Victor Habbick at FreeDigitalPhotos.net

Image courtesy of Victor Habbick at FreeDigitalPhotos.net

Drone usage in war and the fight against terrorism is a concept that’s been explored by TV and film script writers for a long time. (SPOILER ALERT: An insight into my television habits coming up). 5 years ago an episode of Spooks saw an American drone hacked by the enemy in Afghanistan. An episode of NCIS a couple of years ago saw a systems engineer steal a surveillance drone for the purposes of selling it to a terrorist group who then bombed a high profile event attended by the US military. An episode of Castle saw a government drone hacked and used to kill a government whistleblower. Far-fetched? Maybe. Possible? Definitely. Likely? Well we would hope not! But as we often see, TV dramas have a nasty habit of bringing reality to our screens and indeed drone usage has been part of our warfare arsenal since 1959, albeit they were unsophisticated unmanned aircraft essentially.

Drones have many other uses aside from warfare, cyber or otherwise. The US Navy for example uses tiny drones called Cicada containing sensor arrays that monitor weather and location. But they also have microphones that can eavesdrop on conversations within their vicinity. A useful tool for espionage?

Since 2013 the Police Service Northern Ireland have deployed drones as surveillance cameras to support policing operations during royal visits, political summits, the Belfast Marathon, searching for missing persons and the Giro d’Italia. Arguably a positive use of unmanned aerial vehicles as crime prevention and detection aids and possibly deterrents.

In July this year, a student Videographer shot footage of 4 young people running across a school

Image courtesy of Salvatore Vuono at FreeDigitalPhotos.net

Image courtesy of Salvatore Vuono at FreeDigitalPhotos.net

roof in Northern Ireland. He lived nearby and spotted them on the roof, so sent his drone out to inspect what was going on. The children got spooked and jumped down, running for cover.  Private use of this nature however does open up a wider privacy issue in the same way that CCTV coverage does.

So how can they be used to steal data? Researchers at the National University of Singapore announced on Monday that by attaching a mobile phone containing two different apps to a drone, they successfully accessed a Wi-Fi printer and intercepted documents being sent to it. The apps were designed so that one detected open Wi-Fi printers and identified those vulnerable to attack and the other actually detected and carried out the attack by establishing a fake access point, mimicking the end device and stealing the data intended for the real printer. These are techniques they claim that ultimately could be used by corporate spies for industrial espionage, or indeed by terrorists.

As drones are yet to become common place in our everyday lives, it is likely that we would spot the physical threat before the cyber attack occurs. Today. But what about tomorrow? In the last 30 years technology has taken over our lives. Who would have thought we’d all be carrying around a telephone in our back pockets, that’s also a computer and literally voices, “Don’t forget it’s your Mother’s birthday”!

At some point, in the not too distant future, seeing drones flying above our heads will become the ‘norm’. And that’s when our guard will be down and drone attacks won’t just be connected to air strikes but cyber hack-attacks too.

Its 1984 meets Star Wars but this time it will be ‘Attack of the Drones’. May the Force be with us all!

What is TOR ?

An opinion piece post from Advent IM Consultant, Del Brazil

TOR is a service that is freely downloadable that assists in providing anonymity or improves privacy for users who wish to keep, among other things, their internet location secure.  In essence it provides a defensive mechanism against traffic analysis, network surveillance and assists in protecting confidential business activities, relationships and potentially assists in maintain security.  It can also be used to circumnavigate certain country restrictions such as the ‘Great Firewall of China.’

TOR operates by operating through a series of virtual tunnels or a system of TOR relays (other TOR users) which facilitates the use of the TOR network.  In essence the more TOR relays (users) the faster, the more secure and more robust the TOR network is.  TOR relays (users) can be either Middle Relays, Exit Relays or Bridges each with a distinctive role to play in the TOR Network.  A Middle Relay allows internet traffic to be passed onto the next relay whilst the Exit Relay is the final relay before any internet traffic reaches its destination.  A user operating as a Middle Relay will have their IP Address masked and hence be hidden to the rest of the internet but visible to the TOR Network.  Any user/organisation conducting illegal or objectionable activities whilst operating as an Exit Relay may be answerable to policing agencies, complaints or copyright infringement notices etc.    TOR Bridges are vital TOR relays that enable users to circumnavigate censorship software deployed by various countries to ensure that information is freely available or distributed to all persons.

It was developed by the US Department of Defense and is still currently used today by the US Navy for open source intelligence gathering whilst some Journalists use it to contact whistle blowers.  A few organisations use TOR to allow their workers to connect to their home website while they’re in a foreign country, without notifying everybody nearby that they’re working with that organisation. For example if you’re travelling abroad and you connect to your employer’s computers to check or send mail, you can inadvertently reveal your national origin and professional affiliation to anyone observing the network, even if the connection is encrypted.  Some TOR users, such as research development engineers, journalists and seekers of democracy are clear that their use of TOR is for legitimate purposes; however it is clear that criminals are frequently using TOR to conduct illegal activities.  There are concerns from various organisations that TOR assists the criminal underworld in conducting illegal activities whilst remaining near enough un-discoverable such as drugs, person or arms trafficking, child abuse or identity theft; That said there has been a few high profile convictions of persons conducting illegal activities whilst using TOR, this includes the Silk Road investigation which resulted in the hidden underground illegal-drugs website being shut down in October 2013.

It has been reported that in the USA the NSA have attempted to target TOR users through cyber-attacks aimed at security weaknesses within various internet browsers.  These targeted attacks only go to reinforce the necessity to ensure that security measures are developed with browsers, applications, operating systems, software and hardware and are also updated on a regular basis.

There are a few security experts that have highlighted TOR as being the first step in attempting to remain secure against cyber-attacks; however as attacks methods and frequency increase, the likelihood of TOR remaining secure are rapidly diminishing.  This will not deter some elements of the internet community from utilising TOR as they strive to remain anonymous whilst corporate and government surveillance increases.

Is there a future for TOR in the corporate or even the government sector within the UK?  In the author’s opinion TOR is unlikely to be used in its current form as potentially throws up a multitude of questions as to why persons or organisations feel the need to conduct business behind ‘closed doors’.  In this age of where transparency and honesty go hand in hand the use of TOR may invoke a distrusting attitude which can harm business opportunities despite the legitimate use of TOR.  TOR does have its uses and in certain circumstances can assist with maintaining confidentiality whilst ensuring that the freedom of speech is maintained.  It is, as always, a fine balance between promoting a business whilst also protecting it as even though using of TOR is not illegal it may, if disclosed or later discovered deter businesses or organisations from interacting with each other.

The U2 Album and some phishing

GrrOpinions vary on the success and indeed the ethics of Apple’s decision to place a copy of U2’s new music in iTunes libraries. Some people have welcomed it, though I assume these are the ones who did not have their personal preferences overridden. Apparently, it appears many people had not selected the auto download option in their settings but this seems to have made little or no difference. (These may or may not be some of the contributors to the Twitter hashtag #IblameBono currently occupying a space in my recommended trends. I hasten to add Advent IM has not contributed)

It has also become apparent that the album is not too easy to remove either… indeed the news today includes an update from Apple, who have now created a remove U2 with one click tool after the clamour from iTunes users. They do say that there is no such thing as bad publicity but I can’t help but wonder if invading people’s privacy in this way would ever be good news for a brand. Knowing that your wishes can be overridden with impunity is not reassuring. Realistically, I would think that regular reassurance and demonstration of privacy and security being respected would be a far better approach.

ID-10067364One of the unintended consequences of this has been a massive increase in the number of iTunes and Bono-based phishing emails. Some have offered a ‘delete the U2 album link or tool’ (either carrying or linking to malware). Others have capitalised on the fact that Apple have given something away by purporting to carry a link to a free film from Apple. Users who were suitably impressed by being given the free U2 album have been ‘softened’ into thinking it was perfectly believable Apple would now be sending them links to free movies. 

So users who were less than happy with the sneaking of U2 into their library may get caught by the first kind and those who were thrilled and were then happy to have more free Apple stuff may be caught by the second…

Whatever way you look at this, the U2 album has been a bit of a nightmare from a security perspective. #IMightBlameBono…