Changes to State Privacy Laws

Every year at this time there are new laws and this year is no exception.

Illinois, Nebraska and Nevada have added usernames or email to data elements that are considered personal information if that information is combined with other information that would let a hacker access your online account.  In other words, a username with a password or an email address with the answers to online security questions would be considered personal information.

California, Florida and Wyoming had already passed laws adding these items to the list of personal information in 2014 and 2015.  In some of these states, an email address with the password OR security questions and answers EVEN if a person’s name is not attached to those items is considered personal information.

What this means is that businesses that collect email addresses need to be concerned about the fact that email addresses, when combined with certain other information, may be considered protected information.

Some states, including Nevada, Rhode Island and Wyoming, say that in order for an email address to be considered personal information it must be associated with at least a last name and first initial.  This means that the rules are different between, say, Florida and Nevada, which makes compliance difficult for companies.

Nevada and Rhode Island have added something called, in the law, “access code” to the list of potential personal information, even though they do not define what an access code is.

Come the middle of 2018, American companies that do business in the European Union – meaning that they collect data on EU residents – will be required to follow the General Data Protection Regulation or GDPR.

Under the GDPR companies are required to notify the appropriate data protection officials WITHIN 72 HOURS  of a data breach unless it is unlikely that people will be at risk.

There have been a number of attempts to create a national data privacy/data breach law, but in all cases, those proposed federal laws would supersede state laws and offer less protection than the state laws that they would replace.  The proposed federal laws, for the most part, are the least common denominator of state privacy laws.  None of these attempts to pass a law have been successful and all have been met with strong opposition.

This does not mean that a federal law will not be passed at some point in the future, because complying with 47 or so state laws in the day of the Internet is really extremely difficult.  The JDSupra article below has a list of resources that will help people as they wrestle with the privacy law challenge.

Information for this post came from JDSupra.



Browser Fingerprinting – Almost 100% Effective at IDing Anyone

Advertisers and web site owners have always wanted to know who is visiting their web sites and to track interests across web sites.

Early on advertisers used cookies, but then users started blocking cookies or erasing them.

Then they moved on to Flash cookies which are very hard to erase.  But of course, a lot of people no longer run Flash.  In fact, several browsers (most recently Microsoft Edge on Windows 10) are blocking Flash entirely.

Advertisers and web site owners are never going to give up, of course.  It is too important to them to be able to track your behavior.

Browser fingerprinting has been popular for a little while.  The process uses API calls that the browser provides to characterize the system.  What fonts are installed in what order, the OS version, graphics card features and other parameters are combined to create a profile.  Put that all together and it provides a good picture of the device.

It used to be that browser fingerprinting was around 80% accurate.  Researchers in France last year bumped that up to around 90%.  A new technique from a group of U.S. researchers has bumped it up to over 99%. This new technique has the extra benefit of being able to track users across different browsers, so if you use Chrome sometimes and Firefox other times, this technique still tracks you.

There are ways to defeat this technique but none of them are simple.  Basically, you have to either present fake data to the browser or block the browser from calling certain APIs at all.

For example, there is a new API which allows the browser to see the percentage of charge left in your device’s battery.  While I am sure that you could come up with some reason for why this is important, it isn’t that important.  Block the browser’s ability to get an answer to the battery charge and there is one less data element to use in mapping your device.

What you have to be careful about is that you don’t block too much information or the web page might not display correctly.  For example, if the browser tells the web site that your screen size is different than it is, it may not render the web page the way you want it to.

One way that does work is to use the TOR browser since it is designed to make your browsing experience anonymous.  It already disguises a lot of the browser parameters.  Most people are not going to take the performance and inconvenience hit of using TOR, so that is not really practical for most users.

But, stay tuned because as this technique becomes more popular, developers will make browser add-ons to deal with it. There already are some add-ons and there likely will be more.  How well they work – or not – is the next chapter in the cat and mouse game of tracking your actions.

Information for this post came from ZDNet.


Peace Sign Could Mean Trouble – For Your Identity

Japanese researchers released a paper talking about the (hypothetical) risk of flashing the peace sign.

As we saw a couple of years ago with a German politician, a high definition photo from close enough (a few meters away, according to the researchers), with the right lighting, allowed the researchers to replicate the fingerprint.

Apparently, in Japan, taking selfies with the peace sign is popular, so people are posting many pictures with their fingers in them with their prints facing the camera.

While Snopes went all crazy on it and said the article was no longer there, it is there tonight, at least for me.

Since we know that this has already been done, there is really not much new here.

What is important to understand is that this is technically feasible and will only become more practical for an actual attack as digital cameras get better or people take better photographs.

In fairness to Snopes, they didn’t deny this was possible; they suggested that we should not panic.  I agree with Snopes on that, there is always time to panic later.

However, this is a good opportunity to point out that people are using biometrics in the place of passwords and I suggest (and many people agree) that this is a terrible idea.

One more time, we are trading security for convenience.

If you lock your iPhone with your fingerprint and someone compromises your fingerprint, how do you change your fingerprint?  I guess the good news is that most people have ten fingers, so you can keep rotating fingers until you run out.  If your fingerprints are compromised several at a time (say by lifting the prints of all of the fingers of one hand off a glass), then you might only be able to change it one time.

For most people, protecting their iPhone (and I am only using Apple as an example) is a pretty low priority and a low risk.

For other people biometrics protect a higher value asset, such as a safe.

For those of us who have seen Mission Impossible and other movies: those movies use biometrics incorrectly.

To security folks, there is a distinction between identifying someone and authenticating them.

Using biometrics to identify a person is fine.  Think of using your fingerprint (or iris or retina or other biometric) as a replacement for your user NAME, not your password.

Using it in that way is fine because it is not required to remain secret.

In data centers it is common to use biometrics to control access.  You look into a retina scanner or use a fingerprint to identify yourself.  Then you enter a PIN (8 digits, for example) to authenticate that it is really you.

This is a form of two factor authentication: there are two things that are required to gain access – something you have, like a fingerprint or hand geometry, and something you know, a PIN.

So while I agree with Snopes that we should not panic over this Japanese report, I also think it is a reminder about the appropriate way to use biometrics and that is NOT to use it for authentication.

We have seen a few cases where law enforcement has forced people to press their finger on their phone to unlock it.  This is because your fingerprint is something you have.  There have been way fewer courts that have said that you can be compelled to unlock a device protected by a password.  That subtle distinction – something you have vs. something you know – makes all the difference when it comes to the Fifth Amendment.

And, on a more practical plane, whether it is the Japanese or the Germans or anyone else, you just make life much harder for the bad guys if you use two factor authentication.

So, it all boils down to security or convenience.  Your choice.  And all risks are not created equal, so sometimes convenience is fine.  Just not always.  Just make an informed decision.

Information for this post came from Japan Times and Snopes.


Cellphone Hacker Becomes Hackee

The Israeli company Cellebrite, known for building hardware and software to extract data from most cell phones, was itself hacked.

Earlier this week a hacker gave Motherboard 900 gigabytes of data from Cellebrite.  We do not know if this is all they have or merely the beginning of a long trickle.

Motherboard says that there was a lot of technical data, customer information, customer trouble tickets and device images.

At this point, it is not clear what the hacker plans to do with the data.

The trouble tickets give some indications of countries that they sell to such as Turkey, United Arab Emirates and Russia.

While Cellebrite says that they only sell to governments (police and military), some of those governments have a questionable civil rights record.

Cellebrite, in defending themselves, said the hack was illegal.  Some people say that while the software that they make and sell may be technically legal (they say they are not responsible for how their software is used), it is used in ways that may not be morally supportable.  Of course, that is a very subjective conversation.

Besides saying that the hack was illegal, they said that the data was from an old, web facing customer portal.

What we do not know is how much other data was taken and whether there will be “interesting” information in the device images that were stolen.

Certainly Cellebrite is not unique in selling hacking software to questionable countries, nor are they the first – or last – “hackers” to be hacked themselves.

If, in fact, the data taken was from an old server used by customers who had not moved to a new server, it points out that those migrations should be managed so that old servers don’t stick around any longer than needed.  Servers that are not powered on are hard to hack.

Information for this post came from Ars Technica.


Medsec vs. St. Jude – Security Research Version 2

About four months ago, a security firm named Medsec discovered some flaws in St. Jude Medical’s cardiac implantable products.  The accepted way to deal with this is to privately let the manufacturer know what you found, let them fix it and then release your research.

In this case, Medsec had been told that St. Jude would not be receptive to the conversation and, they were told, some people had been shown the door when they tried to disclose bugs to St. Jude.

So, Medsec tried a novel method.  It worked, sort of, but has them in the middle of a lawsuit, so I don’t recommend trying it.

Medsec licensed the flaws to a company named Muddy Waters.  Muddy Waters makes money short selling companies.  The way they do that is to disclose mud about the company after short selling the stock, hoping the price will go down. Medsec’s deal was that they would somehow split any profits.

St. Jude Medical, which was about to be acquired by Abbott for $25 billion, wasn’t too happy about it.  They figured, like in the Verizon/Yahoo merger, news like this could scuttle the deal or at least cause Abbott to want to change the terms of the deal and make the stock price go down.  Looking at a stock price chart, it appears the price did go down by about $5 a share after the announcement, probably long enough for Muddy Waters to make their money, but the price appears to be $20 a share higher than it was a year ago.

However, there are some other developments.

St. Jude formed a cyber security advisory group in October, even though they say the claims are baseless.

Muddy Waters/Medsec has created a website and released videos of the hack to defend themselves as part of the lawsuit.

St. Jude Medical released a patch to solve part of the problem.

And finally, the FDA released a public alert saying that they have confirmed the vulnerabilities in the St. Jude Medical implantable cardiac devices – which I assume would have a positive effect for Medsec and Muddy Waters in the lawsuit that St. Jude Medical filed against them.

St. Jude Medical claimed that Medsec and Muddy Waters were intentionally trying to manipulate the stock price.  Of course, the question still to be answered is not whether it was willful, but whether it was illegal.

While we will never know, it appears that their tactic did achieve the goal of getting the flaw patched and getting the FDA to issue an alert.  Whether the alert will impact the stock or whether Muddy Waters is going to try and short the stock again is unknown.

What is clear is that this researcher was willing to go to some pretty extreme measures to get St. Jude Medical’s attention.  The patch only fixed part of the problem and Medsec said that they expect more patches from St. Jude Medical.  Now that the FDA has published a public alert, there will likely be even more pressure on St. Jude Medical to fix the remaining problems.

For other businesses, there is a lesson here.  When a customer or security researcher comes to talk to you about a security problem, don’t blow them off.  YOU could be the next short sell play or, if you are not public, they could just set up a web site for spite.

What would that do to your reputation?

Information for this post came from Dark Reading.



Web Databases Under Attack

MongoDB, the free and open source NoSQL database (see Wikipedia entry here) that is used by hundreds of thousands of web sites is under attack.

A number of attackers are using search engines like Shodan to find Mongo databases that are exposed to the Internet and attempting to compromise them.  Apparently, a surprising number of these databases are set up either with no password or the default password.  Some of them are also unpatched.

The combination of all of these issues makes for easy pickings for hackers.

First find the database, then attack it.  If you get in, back up the database(s), copy the data to a server in Ukraine or some place and delete all the data.  Then tell the users that if they pay up they will get their data back.  Pretty simple.

For users that do not have appropriate backups, paying the ransom may be the only possible option.

Whether users have a backup or not, this likely constitutes a breach under HIPAA, PCI or state privacy laws because the user has lost control of the data.  That could lead to fines and reputational damage.

What is surprising is how poorly protected these databases seem to be.

In one day, the number of compromised databases jumped from about 12,000 early yesterday to over 27,000 later in the day.  And, rapidly growing.

Researchers have identified at least 15 different attackers – apparently, they consider this a target rich environment.

The attackers are asking for around 1 Bitcoin or about $900.

Realistically, for most users, paying $900 to not have to deal with the mess is likely worthwhile and many are paying.

Apparently, security is not a priority for Mongo database administrators because attackers seem to be having a field day.

For those of you responsible for servers on the Internet, it would seem that making sure that the servers are secure would be a no brainer and a high priority, but apparently, not so for Mongo DB users.

Kind of like driving past a car wreck, it is impossible not to be fascinated by the carnage of all these database attacks at one time.

While I feel sorry for the businesses who are being affected, it is not like people did not know.  Secure your servers.  Patch them.  Monitor them.  IT 101.

So for those of you responsible for your servers, as you tuck those servers in for the night tonight, make sure that they are secure.  If they are not or you just think they may not be, put fixing that at the top of your todo list for tomorrow.
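As an added example (not from the original post or from the MongoDB project), here is a small audit of the two mongod.conf settings behind most of these compromises, with a weak configuration beside a hardened one. Both configuration texts are constructed, the address 10.0.0.5 is a placeholder for an application server, and the parser handles only the two-level YAML subset these files use.

```javascript
// Added example: check mongod.conf for "listening on the Internet" and
// "no authentication". Parser covers only `section:` / `  key: value` lines.
function parseMongodConf(text) {
  const out = {};
  let section = null;
  for (const raw of text.split("\n")) {
    const line = raw.replace(/#.*/, "").trimEnd();     // drop comments
    if (!line.trim()) continue;
    const m = line.match(/^(\s*)([A-Za-z]+):\s*(.*)$/);
    if (!m) continue;
    const [, indent, key, value] = m;
    if (indent.length === 0) { section = key; out[key] = value || {}; }
    else if (section && typeof out[section] === "object") out[section][key] = value;
  }
  return out;
}

function auditMongodConf(text) {
  const conf = parseMongodConf(text);
  const findings = [];
  const bindIp = conf.net && conf.net.bindIp;
  if (!bindIp) {
    findings.push("net.bindIp not set: set it explicitly (releases before 3.6 listened on all interfaces by default)");
  } else if (bindIp.split(",").some((ip) => ["0.0.0.0", "::"].includes(ip.trim()))) {
    findings.push("net.bindIp exposes the database on all interfaces");
  }
  const auth = conf.security && conf.security.authorization;
  if (auth !== "enabled") {
    findings.push("security.authorization not enabled: anyone who can connect has full access");
  }
  return findings;
}

// Constructed: the kind of configuration found by scanning for exposed instances.
const WEAK_CONF = `
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
`;

// Constructed: loopback plus one private address (10.0.0.5 is a placeholder), and
// credentials required. Patching the binary is a separate step this check cannot see.
const HARDENED_CONF = `
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # app server only
security:
  authorization: enabled
`;
```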


Information for this post came from The Register.
