A New Brexit Deal Is Proposed

As we get closer to the January 31st deadline for the UK to sort of kind of leave the EU, the bill that the PM’s side so carefully drafted may or may not hold together.

Over the last two days, the House of Lords voted against Johnson 5 times, forcing the bill back to the House of Commons, which will likely try to undo the changes.  What the House of Lords does after that is not clear.  Read the details of the changes here.

What is in the bill with regard to security and privacy is this:

  1. After the 31st, the UK will enter a transition period lasting until the end of this year during which time the EU and UK will negotiate about what happens on January 1, 2021.
  2. Apparently there is no option to extend this 11 month negotiating period and if the EU and UK can’t agree, the UK will leave in a so-called “hard exit” where the UK becomes a third country with whatever agreements might have been created during the next 11 months.
  3. In the meantime, UK companies will need to continue to follow GDPR.
  4. Companies will also need to comply with the UK Data Protection Act of 2019.
  5.  As a result of 3 and 4, data can continue to flow between the EU and UK for the next 11 months.
  6. The UK will try to negotiate an “adequacy decision” meaning that the EU says that the UK’s data protection laws are adequate so that data can flow permanently.  Historically, these determinations have taken way longer than 11 months, so that doesn’t seem likely.
  7. Alternatively they could write and approve a privacy-shield type law like the US has with the EU.  While this could be done more quickly, the courts may strike down the US Privacy Shield law this year so,  I am not sure what this means.
  8.  If 6 or 7 doesn’t happen then companies will need to figure out a different solution such as Binding Corporate Rules, but those are both complex and not easy to get approved.
  9. In the case of moving data between the UK and US, Privacy Shield still works, at least in the short term, but it will need some changes.
  10. The UK says that it plans to keep complying with GDPR long term (because they do want to be able to facilitate commerce between the EU and UK).

Bottom line, things are moving forward, but there is still a lot of uncertainty.  Some information for this post came from CSO Online.

Facebooktwitterredditlinkedinmailby feather

Does Your Incident Response Plan Address TLS Certificate Revocation?

Warning: Sorry, this post is way more technical than most of my posts.  If you are an executive reading this, you may want to show this to your security or IT folks and ask “how are we handling this?”.  They should be able to explain that to you in English.

Incident response is all about having already considered the scenarios and having a plan for dealing with it.

Consider this scenario:

You have a web site, mail server or other system which is encrypts traffic using a TLS (or more generally X.509) certificate.  That protection works with a secret encryption key and a public key.  Those keys expire after a time period such as one, two or three years (I have seen ones as long as 10 years).

This all works as long as the secret key remains secret.

But what happens if you have an incident where the secret key, which may live on a server or an admin’s workstation (IT SHOULD NOT!) gets compromised?  How do you deal with that.

The problem is that if the private (secret) key is no longer secret, then a hacker can masquerade as you and even encrypt the data with their victim.  There is nothing that a victim can see that would make them suspicious.

If the secret key gets compromised, you can get a new one, but the challenge is how to revoke the old one.  This is something the industry has been wrestling with for years.

FIRST ATTEMPT: Certificate revocation lists:  The certificate authorities that you get your TLS certificates from maintain a list of revoked certificates.  It turns out that this process was so unwieldy that many browsers don’t even look at these lists any more, so that measure is useless.

SECOND ATTEMPT: OCSP or Online Certificate Status Protocol is an attempt at fixing the first attempt.  Instead of browsers having to maintain and update lists in each user’s computer when you try to connect to a secure web site, the browser can make another connection to the certificate authority’s OCSP server to see if the certificate is good.  Only problem is that what do you do if the OCSP server doesn’t respond?  Do you deny access or do you cross your fingers and hope that the same hacker who stole your certificate is not blocking your access to the OCSP server?  Plus, it means that every time you establish a connection to a  secure web site (almost all of them now), it will take twice as long because you have to make a second connection.

THIRD ATTEMPT:  OCSP Stapling.  With OCSP Stapling, the SERVER sends a copy of the OCSP certificate at the same time that you are negotiating the connection.  The server updates the OCSP proof frequently (say every 10 minutes) so there is much less overhead from the browser’s standpoint.    It turns out that some stapling implementations don’t work right and a hacker might tell the victim’s browser not to use OCSP or stapling and the victim would not know any better.

FOURTH ATTEMPT: As I am guessing that you can tell by now, this problem does not have any easy answers.  The next attempt was ACME or Automated Certificate Management Environment.  ACME creates certificates that have a relatively short life expectancy.  For example, Let’s Encrypt creates certificates that only last 90 days and automatically renews them.  But 90 days is a long time for a hacker to be able to run amuck with your credentials.  What you want to do is make it last only a day or a few hours.  This means if the vendor that is issuing the ACME based certificates is down, you won’t be able to get a new certificate and you will be down.  Still, this is way better than the first three attempts.

FIFTH ATTEMPT: (is this getting a bit out of hand?)  There is a new standard in the pipeline with the Internet Engineering body (IETF).  It is designed for big firms right now, but it will evolve.  It does require a change in the browser to make it work, but Firefox already has it and it is likely that Chromium (the basis for Chrome, Brave, Opera, Edge and others) will likely have it soon.  But remember, this is, right now, only for the big folks.  This is called Credential Delegation.  With Credential Delegation, the certificate authority issues the web site owner a normal signed credential but the web site owner has the ability to create delegated credentials that might only last a day or an hour.  They can only do this to the same domain that the certificate authority originally issued their certificate for.  The win here is that if a Delegated Credential is compromised, it will only be usable for a couple of hours to a couple of days.  For example, Facebook is one of the early adopters and is testing it.  If someone were to steal a Facebook credential but that credential was only good for say, 6 hours – or 30 minutes – the amount of damage they could do is greatly limited.

Here are a couple of takeaways:

1. If you are using traditional TLS certificates, do not create certificates that are valid for more than one year.  At least you are beginning to reduce the risk window.

2. Make sure that your certificate provider supports OCSP.

3. Make sure that your certificate provider implements OCSP stapling and that you have enabled it on your server.

4. If your certificate provider supports it, implement OCSP MUST STAPLE.  This will cause the connection to fail if there is no attestation attached to the connection that a hacker uses to try and scam a victim.

5. Use an ACME provider if possible.  Again, we are trying to reduce the time window that a hacker can use your stolen information.  If that window is reduced from one year or two years down to 90 days or 30 days, that is a huge win.

6. Watch for progress on Credential Delegation.  If might be a year away, but when it happens and is available for everyone, you will have the ability to close that window that a hacker can use your stolen certificate down to a day or a couple of days.  Much better than a year.

I know this is a very technical post;  if you have questions, please reach out to us.

For more technical information, see here, here, and here.

 

Facebooktwitterredditlinkedinmailby feather

Security News for the Week Ending January 17, 2020

Orphaned Data in the Cloud

Researchers at security firm vpnMentor found an unsecured S3 bucket with passport, tax forms, background checks, job applications and other sensitive data for thousands of employees of British consultancies.  Many of the firms involved are no longer in business.

The researchers reported this to Amazon and the UK’s Computer Emergency Response Team (UK CERT) on December 9 and the bucket was taken offline by Amazon (likely at the request/order of UK CERT) on December 19th.

For people who were affected, if these companies are out of business, there is no one to sue.  Under GDPR, it is unclear who the government can go after if the companies no longer exist.  I suspect that the problem of orphaned data is only going to become a bigger problem over time.  This includes data stored by employees who have left the company and who did not “register” their data trove with their company’s data managers.  Another reason to get a better handle on where  your data is stored.  Source: UK Computing

 

Ransomware 2.0 Continues and Expands

I recently coined/used a term called ransomware 2.0 where the hackers threaten to publish and/or sell data exfiltrated during ransomware attacks.  While we saw threats in the past, we did not see any follow through.  In part, this is likely due to the fact that they did not, in fact, exfiltrate the data.

However, first with Maze and now with REvil, hackers are following through and publishing some data and selling other data.  REvil is the ransomware that is afflicting Travelex.

Companies will need to change their ransomware protection strategy in order to protect themselves against this form of attack.  Backups are no longer sufficient. Source: Bleeping Computer

 

The Travelex Saga (Continued)

FRIDAY January 17, 2019

Travelex says that the first of its customer facing systems in Britain is now back online.  The automated ordering system that some of its bank customers use is now working, but its public web site is still down.  Virgin Money, Tesco Bank and Barclays still say their connections are down.  Source: Reuters

WEDNESDAY January 15, 2019

Likely this incident falls under the purview of GDPR and  the UK’s Information Commissioner’s Office says that Travelex did not report this to them within the legally mandated 72 hour window.  Travelex says that no customer data was compromised  in the attack (even though the hackers were publicly threatening to sell and/or publish the stolen data and that Travelex was said to be negotiating with them).   When asked if they paid the ransom, Travelex said “There is an ongoing investigation. We have taken advice from a number of experts and we are not going to discuss this.”  Translated, this means that we know we are going to get our butts kicked in court and by the ICO, so we are just going to be quiet now.  If the ICO finds that they did not report and there was a GDPR covered event, they could fine them up to 4% of the global annual revenue OF THEIR PARENT COMPANY, Finablr.  Their revenue is estimated to be around $1.5 billion.  That of course, is just one of the costs.  Their public web site is still down and has been down for 16 days now.  Source: UK Computing

MONDAY January 13, 2019

Travelex says that they are making good progress with their recovery, whatever that means.  They say that services will be restored soon.  Their website, however, is still down. Trtavelex is still saying that they have not seen evidence that customer data that was encrypted was exfiltrated, although the hackers who say that they are responsible claim that they will be releasing the data on the 14th (tomorrow) if they don’t get paid.  Source: ZDNet

 

Nemty Ransomware Joins the Ransomware 2.0 Crowd

The ransomware 2.0 community (steal your data before encrypting it and threaten to publish it if you don’t pay up) is becoming more crowded every day.  Now Nemty says they are creating a website to post stolen data of companies that have the nerve not to pay them.  Backups are no longer sufficient.  Source:  SC Magazine

Facebooktwitterredditlinkedinmailby feather

Top EU Court Says ‘National Security’ Does Not Override Everything Else

This is not a done deal yet, but it is a very interesting development and one, if it holds, that could have significant impact on a lot of countries, including the U.S.

Over the last few years, a number of countries have enacted laws that allow their intelligence apparatuses to override many privacy laws and hoover up vast quantities of data without any particular justification – just in case.   They say that they don’t know what they might need – until they do.  And, there is some justification to that story.  Some.  Justification.

The EU high court, technically called the Court of Justice of the European Union or ECJ can appoint an advocate to advise it on matters where they feel that is  justified.

In this case, Privacy International, a privacy rights organization, sued both the UK and France, saying that their respective laws that require businesses to hand over anything they ask for just because they say the magic words “national security”.

Specifically, this case says that the UK’s Investigatory Powers Act (also referred to as the Snooper’s Charter) and France’s Data Retention law go too far.

What happened yesterday is that the Advocate General advising the high court released his opinion.

The opinion says screaming terrorist is insufficient to violate people’s rights under the European Directive on privacy and electronic communications.

Very importantly, the ECJ has not handed down it’s opinion yet;  this is just the advise from the AG.  HOWEVER, the ECJ does agree with the AG about 80 percent of the time.

*IF* the ECJ does agree with the AG, that will mean several things:

  1. UK’s Snooper’s Charter is likely illegal under EU law and will need to be revised if the UK wants to enforce it in the EU.
  2. Likely France’s Data Retention law would violate EU law.
  3. For those of us in the U.S., it would likely mean that the U.S. government’s use of large scale data vacuum cleaners also does not comply with E.U. law.

The AG said that whatever the government does by itself is OK IF IT IS INTENDED TO SAFEGUARD NATIONAL SECURITY AND IS UNDERTAKEN BY THE PUBLIC AUTHORITIES THEMSELVES, WITHOUT REQUIRING THE COOPERATION OF PRIVATE INDIVIDUALS.  So, for example, they could intercept data on fiber optic Internet cables but they can’t ask AT&T to let them tap those cables (which they did) and cannot ask Google or Facebook to hand over their encryption keys.

What the AG is saying is that rather than vacuuming up terabytes of data per hour, that hoovering needs to be done “on an exceptional and temporary basis” and only when justified by “overriding considerations relating to threats to public security or national security”.

When the U.K. leaves the E.U. – maybe this month – it doesn’t have to be bound by E.U. law, but if it doesn’t agree to abide by E.U. law, then companies in the E.U. will not be able to send data to the U.K. and U.K. companies will not be able to collect any data of E.U. residents.

Probably more important for U.S. companies is this.

A few years ago, when the E.U.  started enacting privacy laws, they said that laws in the U.S. were not adequate to protect the privacy of E.U. citizens so data collected by U.S. companies could not be sent to the U.S.

In response to that, the U.S. and E.U. came up with this agreement called Safe Harbor which supposedly protected the privacy rights of E.U. residents.

Unfortunately, this same court ruled that Safe Harbor didn’t really protect the rights of E.U. citizens.  This threw U.S. businesses that suck large quantities of data out of the E.U. into a bit of a tailspin.

After Safe Harbor was struck down, the U.S. got out a large tube of lipstick and put it on Safe Harbor.  The new agreement was called Privacy Shield and it is under review by this same court right now.

If the ECJ agrees with the AG in this different case, it seems like a REALLY small step to say that Privacy Shield doesn’t hack it either, which would create tailspin 2.0.

That would require that the U.S. and E.U. try a third time to come up with something that the courts will hold as adequate.

Various authorities have gotten their respective countries to pass laws that say as long as they claim “national security” privacy laws do not apply.  Countries who have done this include the U.S., U.K. and Australia, three of the “five eyes” countries.

This battle is far from over, but this is a very interesting development.  Source: The Register

 

Facebooktwitterredditlinkedinmailby feather

Telcos Not Doing Good at Preventing SIM Swap Attacks

A SIM is the (usually) hardware card that gives your phone its “personality”.  The SIM is tied to the carrier and contains all the information that the phone needs to talk to your carrier.

As users SLOOOOWLY migrate to using text messages as an extra layer of authentication for logging in to a variety of online accounts, hackers need to figure out how to compromise that.

One way to do that is to tell your carrier that you have a new SIM (typically a new phone).  If the hacker is successful, then all of the text messages (which may include password reset messages for things like your email or your bank account) are destined for you will go to the hacker, along with all of the money in your bank account.

In theory phone carriers are not supposed to do a “SIM swap” unless they know the request is coming from you.

But they want to be customer friendly and that is sometimes a challenge when it comes to security.

Recently some Princeton researchers did a test of five major phone carriers – AT&T, T-Mobile US, Tracfone, US Mobile and Verizon – and wrote a study regarding the carrier’s authentication procedures.  The results were:

  • AT&T – 10 out of 10 fraudulent swaps successful
  • T-Mobile US – 10 out of 10 fraudulent swaps successful
  • Tracfone – 6 out of 10 fraudulent swaps successful
  • US Mobile – 3 out of 10 fraudulent swaps successful
  • Verizon – 10 out of 10 fraudulent swaps successful

The problem is that the carriers want to make the process simple for their staff so they ask for secret information only you would know – like you address or email or date of birth.  Not so secret.

Sometimes they will try to send a one time password to your phone but if you say that your phone isn’t working, they often give up.

You may remember that Jack Dorsey, the CEO of Twitter, got his own Twitter account hacked following a SIM swap.  Source: The Register

If that doesn’t work, they bribe some phone company employees to give them remote access into the phone company systems so that they don’t have to bother trying to trick other employees – they can do the SIM swap themselves. They just enable RDP into the bribed employee’s workstation.  Source: Motherboard

Several Congress-critters have written to the FCC’s chairman Ajit Pai suggesting that he do his job and actually regulate the carriers.  Don’t count of the FCC doing anything useful.

One thing that you can do is ask the carriers what other security measures they have like passwords and PINs and other measures.

Of course you can lobby your Congress-critters to pass a law forcing the FCC to do what it should do.  Of course the carriers don’t want to have to do any more work than they have to, so they will probably drop bags of cash in Congress to get them not to pass such a law (I guess I am a bit pessimistic that DC will actually do anything helpful).

Ultimately, it is important that yoou be vigilant because that is much less painful that trying to regain control of stolen accounts or getting your money back from your bank.

 

 

 

 

Facebooktwitterredditlinkedinmailby feather

Preparing for DoD’s CMMC

DoD continues to take actions that lead us to believe that they are very serious about the Cybersecurity Maturity Model Certification process.

This process will require that all DoD contractors ultimately get a third party cybersecurity certification on an annual basis if they want to continue to be part of the DoD food chain.

When I say part of the DoD food chain, I mean at every level.  An example DoD used recently was a requirement for the companies that mow the lawn and tend to the bushes at DoD installations would need to be certified.  EVERYONE is the plan.

Reports are the there are plans underway to make changes to the DFARS, the DoD acquisition regulations, this summer to reinforce the certification requirement.

It is also possible that they may extend this to the more general FARs, the acquisition regulations for the rest of the government.  They have been talking about doing that for a couple of years, so if they really do that, it won’t be a real surprise.

One step forward is the naming of Ty Schieber as the head of the 13 member body that is charged with certifying auditors.  Ty is the senior director for executive education at Virginia’s Darden School Foundation.

A DoD spokesperson said that CMMC requirements will begin showing up in presolicitation documents around June of this year.  While that date is very aggressive and may slip, it does seem to indicate that DoD is very serious about this.

Some folks say that requiring contractors to get a certification that they are protecting DoD information might discourage some contractors from bidding on DoD work.

Getting sued by the DoD for breach of contract for not protecting DoD’s information in case of a breach could be a downer as well.  That seems to be the other alternative to me and far worse.

Ignoring situations where the Chinese and others can steal our intellectual property is not a viable option any more.

It is possible that DoD COULD skew the playing field by requiring a higher level of certification than is actually required on a specific contract because their favorite contractor has that level of certification, but DoD bidders are very familiar with disputing DoD contract awards, so that, ultimately, would backfire if they did that at any large scale.

There is a concern, and it is legitimate, that certifications from different auditors could produce different results.  That puts the onus on DoD to set good guidelines so that everyone knows how the process needs to work.

The important thing is to get started now.  While the next version of the spec might change a bit, the basics are locked in stone and it will take a while to get them  done.

The plan, as it has been explained to us, is that contractors who are not certified at the appropriate level will not be allowed to bid on contracts that specify a CMMC requirement.  There will likely be long queues once the final process is announced, so getting started now will put you in a place where you can request certification earlier and get a jump on those people who wait.

Source: Washington Technology

 

 

Facebooktwitterredditlinkedinmailby feather

Privacy, Security and Cyber Risk Mitigation in the Digital Age

Visit Us On FacebookCheck Our Feed