ECJ-Safe Harbor Trickle Down Is Already Starting

First, the European Court of Justice (ECJ) ruled that the 15-year-old Safe Harbor agreement, which allowed companies to transfer personal data between the E.U. and the U.S., was invalid, effective immediately.

Then the Article 29 Working Party (the advisory body of the E.U. data protection authorities) met and said that if the E.U. and U.S. don't come up with a new agreement by the end of January, national data protection authorities are free to start acting on complaints and fining companies.

This week, the Israeli Law, Information and Technology Authority revoked its prior authorization to transfer data from Israel to the U.S.  Israel has a somewhat strange relationship with the E.U. (it holds an E.U. adequacy decision, which makes it something of an honorary member for data transfer purposes), and Israeli regulators had been using the Safe Harbor agreement to justify onward transfers from Israel to the U.S.  That is no more.

That means that companies that do not have Binding Corporate Rules or Standard Contractual Clauses in place (BCRs have to be approved by E.U. data protection authorities; once two of them have signed off, the rest generally accept them) can no longer lawfully transfer personal data between Israel and the U.S.

This means that U.S. Silicon Valley companies that have offices in Israel, Israeli companies owned by U.S. companies and Israeli companies that work closely with U.S. companies will need to figure out a new strategy or risk facing fines.

Since it can take 6-12 months to draft Binding Corporate Rules and get them approved, this is not something you can change overnight.

Also, the U.S. and E.U. had been working for two years on a new version of Safe Harbor that was really a minor tweak of the old one.  Now they likely have to reinvent Safe Harbor from scratch, and I doubt that will be done by the end-of-January deadline.

While many very large companies (Facebook, for example) were already concerned about this and have been working for a year or two to get Binding Corporate Rules or Standard Contractual Clauses approved and in place, smaller companies likely have not, and should now be in a full-scale scramble.

We do not know what the data protection commissioners are likely to do come February 1, 2016, but waiting to see is probably not a good strategy.

It will be interesting to see if there is other fallout before the January 31, 2016 deadline – stay tuned.

If you are a company that transfers personally identifiable data between the U.S. and the E.U. or Israel, you should already be talking to legal counsel to see what you need to do to stay off the radar.


Information for this post came from IAPP.

Security Experts and Average Users Think Differently

Google interviewed and/or surveyed hundreds of users and experts to see how they thought on security issues.  Not completely surprisingly, there were many differences.  Here are a few:

The #1 difference between experts and non-experts is in INSTALLING UPDATES.  Experts rated that as the most important thing to do to improve security: 35% of the experts but only 2% of the non-experts ranked it as a top security priority.  For example, Adobe released two patches for Flash this week, and one of the flaws is already being exploited in the wild.  Users who don't install these patches quickly are more likely to be attacked.

Users often don't install patches.  The process is frequently complex and confusing, sometimes even to me.  In addition, software vendors sometimes bundle unrelated changes into updates (Microsoft recently shipped Windows 10 upgrade nag screens as a critical update, for example), which discourages users from installing updates at all.

Number 2 is using a PASSWORD MANAGER.  73% of the experts but only 24% of the non-experts used one.  Password managers let users have a different, complex password on every web site, so a breach at one site does not compromise their accounts elsewhere.  Of course, even this does not fix the problem that I described yesterday of socially engineering AOL and Verizon, unfortunately.

Another difference is using TWO FACTOR AUTHENTICATION or 2FA.  2FA makes it much harder for an attacker to take over your account even if they know your password, because they also need the second factor, typically a code generated on a device only you hold.

On the other side, non-experts think that ANTI-VIRUS software will protect them.  42% of the non-experts but only 7% of the experts rank A-V software in the top tier of security protections.  A-V will catch some malware, but these days it is really a secondary protection, because the attacks that matter most (phishing, stolen credentials, freshly exploited bugs like the Flash one above) largely get past signature-based detection.

For software updates, more software (browsers and Windows 10, for example) now installs updates automatically.  Assuming the update channel itself is secure (signed updates, delivered over an authenticated connection), users win with this strategy.

Ultimately, we have to get non-expert users to make changes to their daily practices in order to improve security.  Part of that is education; part of that is for the software vendors to make the process easier (like automatic updates).

For additional differences between the experts and non-experts, read the linked article below.

Information from this post came from Security Intelligence.

CIA Chief’s Personal Email Hacked – Are You Surprised?

Wired and other media are reporting that the head of the CIA, John Brennan, had his personal email account hacked.  The hacker, a teenager, talked to Wired about how he did it.  It points to general weaknesses in the security of commercial online services that you should understand.

It is less of a surprise that Brennan’s commercial, consumer email account (it was an AOL account) was hacked than what he had in it.

Some details:

  • First, the fact that it was an AOL account.  Probably an indication of his age.  Hopefully, not an indication of his technical sophistication.
  • The hackers (apparently, it was a team effort) posed as Verizon technicians and socially engineered Verizon customer service into giving up his account number, PIN, backup mobile phone number, email address and the last four digits of his bank card.  That they were able to do that is not a surprise, but it should be a concern.  It suggests that the identity verification processes most commercial providers use are “somewhat lacking”.
  • Once they had that information, they went to AOL, impersonated Brennan and said he was locked out.  Using the details they got from Verizon, they got AOL to reset the password.  Unfortunately, getting consumer online providers to reset a password is far too easy, because the “proof” they ask for is exactly the kind of information another provider will hand out.
  • Brennan, for some pretty strange reason, had a number of sensitive but probably unclassified documents stored in his AOL account: his government security clearance form, which contains an identity thief’s dream of personal information, a spreadsheet containing names and Social Security numbers of people who may be intelligence agents, and other files.  That he would store this information in a public, commercial, consumer email service makes me nervous.
  • Brennan attempted to recover his account and the hackers stole it again.  Apparently, 3 times.
  • Brennan finally deleted his account.

So what does this tell you?

First, don’t trust commercial, consumer online services not to be socially engineered.  Unfortunately, commercial business class services are not much better.

Second, don’t trust those services’ security.  If you are using one for something sensitive, you need to overlay your own security (such as encrypting the data yourself, with you, not the provider, controlling the keys).

If you are a business, sometimes you can negotiate additional security with online service providers – you can always ask.

While the CIA is not confirming that this is real, there are a number of media sources reporting it and the CIA is not denying it, so it has some credibility.  The files date back to 2009, so it is possible that Brennan had forgotten it existed.

For the nation’s head spy, this is a bit embarrassing.


Information for this post came from Wired.

How The NSA Broke Trillions Of Encrypted Connections

Encryption can be very secure.  Or not.  It depends on how it is implemented.  Apparently, at least according to some researchers, much of the Internet has gotten one piece of it wrong.  That’s not very comforting.

Who people are protecting themselves from has also changed from just a few years ago.  Now we are talking about nation states and extremely well-funded attackers.

Here is the flaw.  HTTPS, VPNs and SSH all have to agree on a session key between the two ends of the connection, and the most common way to do that is the Diffie-Hellman (DH) key exchange.  Those session keys protect the traffic to e-commerce sites (such as Amazon) and your bank (such as Chase or Citi).

DH operates within a “group” defined by a large prime number.  Apparently, most deployments do not generate their own prime; they reuse one of a handful of widely shared 1,024-bit primes, and two of those primes cover a huge share of the Internet.

The expensive part of breaking DH at this size is a precomputation that depends only on the prime, not on any individual connection; once it is done, each connection using that prime is cheap to break.  Doing that work for the first of these primes would allow the NSA to passively decrypt about two thirds of the VPN connections and one quarter of the SSH sessions around the world.

Doing it for the second would give the NSA access to about 20% of the top 1 million web sites.

According to the article, it would likely have taken the NSA a year and a few hundred million dollars.  Given the payback, this is a no brainer.

Obviously, the NSA is not confirming this, but this is what researchers think.

The solution is either to increase the size of the prime the site uses (from 1,024 bits to 2,048 or 4,096 bits), which puts the precomputation out of reach even for the NSA, or at least to configure the software to use a freshly generated prime rather than one of the shared ones.  A unique 1,024-bit prime only forces the attacker to repeat the precomputation for that one site; a larger prime makes it infeasible.

Some web sites (I just checked Google and Facebook) have already upgraded to more secure solutions.  Hopefully, they are not using “standard” numbers, but that leaves tens of millions of web sites and VPNs still susceptible.  Hopefully, many of these are in the Mideast!

VPN and SSH administrators control the DH group size on their servers and can make the exchange much harder to break, but they have to make the change; users generally cannot do it from their end.  For web sites, the site operator has to make the change.  All the user can do is complain and hope they fix it.
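As an added example (not from the original post or the linked articles), here is a small Python script that checks what ephemeral Diffie-Hellman group size a server actually negotiates.  It runs `openssl s_client` with a DHE-only cipher list and parses the `Server Temp Key` line that OpenSSL 1.0.2 and later print.  The sample output embedded below is constructed so the parser can be exercised offline; the 2048-bit threshold and the `-cipher DHE -tls1_2` options are my choices, not something the post specifies.

```python
import re
import subprocess

# Minimum ephemeral DH group size to accept (assumption: 2048 bits, the
# remediation the post recommends).
MIN_DH_BITS = 2048

# openssl s_client (1.0.2 and later) prints one of these lines after a
# handshake with an ephemeral key exchange:
#   Server Temp Key: DH, 1024 bits
#   Server Temp Key: ECDH, P-256, 256 bits
#   Server Temp Key: X25519, 253 bits
TEMP_KEY_RE = re.compile(
    r"Server Temp Key:\s*(?P<kex>[A-Za-z0-9-]+)(?:,\s*[^,\n]+)?,\s*(?P<bits>\d+) bits"
)

# Constructed sample of s_client output, trimmed to the lines that matter.
SAMPLE_WEAK_OUTPUT = """\
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Server Temp Key: DH, 1024 bits
"""


def parse_temp_key(s_client_output):
    """Return (kex_name, bits) from the 'Server Temp Key' line, or None if
    the output shows no ephemeral key exchange."""
    m = TEMP_KEY_RE.search(s_client_output)
    if not m:
        return None
    return m.group("kex"), int(m.group("bits"))


def dh_group_status(s_client_output):
    """Classify a handshake: 'weak' (DH group below MIN_DH_BITS), 'ok',
    'not-dh' (ECDH or X25519, not subject to the DH precomputation attack),
    or 'no-ephemeral-kex' (no Temp Key line: the server refused the DHE-only
    offer, or the handshake used static RSA key transport with no forward
    secrecy at all)."""
    parsed = parse_temp_key(s_client_output)
    if parsed is None:
        return "no-ephemeral-kex"
    kex, bits = parsed
    if kex != "DH":
        return "not-dh"
    return "weak" if bits < MIN_DH_BITS else "ok"


def run_s_client(host, port=443, timeout=15):
    """Ask the real server, forcing a DHE cipher suite and TLS 1.2 so that the
    server has to reveal its DH group. Needs network access and the openssl CLI."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}",
           "-cipher", "DHE", "-tls1_2"]
    proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout)
    return proc.stdout.decode(errors="replace")


def check_host(host, port=443):
    """Status string for a live host (see dh_group_status)."""
    return dh_group_status(run_s_client(host, port))


if __name__ == "__main__":
    print("constructed sample:", dh_group_status(SAMPLE_WEAK_OUTPUT))  # weak
```

A `weak` result means the server should either be given a larger, freshly generated group (for example a 2048-bit group from `openssl dhparam 2048`, pointed to by the server's DH parameter setting) or have its DHE suites replaced with ECDHE ones.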

Which is why security IMPLEMENTERs have to be so careful.

Information for this post came from Reddit and The Hacker News.

Vendor Risk Assessment Is Critical For Business

It was reported across the media late last month that the Hilton Hotel chain had a credit card breach.  While some media reports put the attack window at April 21 to July 27 of this year, Brian Krebs reports that sources are telling him the breach may go back as far as November of last year and may still be going on, a much bigger window, if accurate, than earlier reported.

What is more interesting (and we have seen this before) is that the attack did not affect front desk charges;  it only affected restaurants, coffee bars and gift shops.

Why would it only affect those credit card readers and not the ones at the front desk?

According to Krebs, those locations are franchised.  While that term is a little vague to me (many of the hotels themselves are franchises), I think what he means is that those operations are run neither by Hilton nor by the hotel franchisee;  they are operated by a third party.

Assuming this is accurate and I think it is, what it means is that one or more VENDORs that Hilton selected had poor security.

More and more businesses outsource little bits of their operations, and more and more breaches start with a vendor: besides this one, Target, Home Depot, the Office of Personnel Management, the zoo gift shop breach (a number of zoos that outsource their gift shops), T-Mobile (twice) and a number of others all started with a vendor.

I understand that a vendor risk assessment program costs money, but as Hilton and T-Mobile are learning this month, it is also expensive NOT to have one.

It is a classic case of pay me now (have a vendor risk program) or pay me later (deal with the vendor being breached).

Just to be clear, a vendor risk assessment program will not STOP all breaches, but it will improve your odds, if you do it right.

If the program is a paper exercise and no one really cares about the results, then it won’t do any good.  On the other hand, if the business is willing to fire the vendor (not give them any more business) if their risk profile is not at the level that the company wants, then the vendors will improve their security.

Each company needs to identify its high-risk vendors: the ones that either hold data which, if compromised, would cost the company a lot of money to deal with, or have direct access to the company’s network.  Those are the first vendors to assess.

Vendor risk assessments – they are an important part of your security program.



Information for this post came from Krebs On Security.

EU Begins To Digest ECJ Privacy Decision

The Article 29  Working Party (WP29), the group that is responsible for dealing with the fallout from the European Court of Justice invalidation of the Safe Harbor Agreement, met for the first time since the decision to start sorting things out.  For companies moving data between the U.S. and the E.U., there were some good things said and some not so good things.

Here is the news:

  • The Working Party thinks it is essential to have a robust, collective and common position.  For companies, this is good news. Like dealing with 50 state privacy laws here, dealing with 28 separate national legal positions in Europe would be a killer.
  • The Working Party reiterated the court’s position on massive, indiscriminate data collection in the U.S. and said that this was incompatible with E.U. privacy laws.  They (continue to) ignore the massive and indiscriminate data collection done by European spy agencies.
  • The Working Party said that transfers of data to countries where the state authorities have too much power to access data will not be considered a safe destination for transfers.  That is a direct shot on the U.S. and NSA.
  • The Working Party asked the member states to urgently try and work out some sort of agreement with the U.S.  using political, legal and technical solutions.  Given that it took everyone two years to come to the agreement on the proposed new agreement that just got blown out of the water, I am not confident in everyone’s ability to create a whole new agreement quickly.
  • The Working Party will continue to look at other laws and agreements that may have been impacted by the court’s decision.
  • In the meantime, standard contract clauses and binding corporate rules can still be used but state data protection authorities can look at individual cases to stop transfers.
  • Any transfers taking place after the court’s decision based on the Safe Harbor agreement are unlawful.  That is, of course, a true statement, but it does not provide much wiggle room for U.S. companies to negotiate with.
  • And, finally, the Working Party set a deadline of January 31, 2016 for the E.U. and U.S. to come to some agreement.  That, in my opinion, is very aggressive and is a timetable that is not likely to be met.  They said if an agreement is not in place by that time, the data protection authorities are committed to taking all necessary and appropriate actions which may include shutting down data transfers.

Of course, they could change their minds tomorrow.  Or in January.  Nothing is carved in stone.

There is one thing that seems important and that is for the U.S. to pass a law allowing E.U. citizens to sue in U.S. court over privacy violations.  That requirement from the E.U. seems non-negotiable. That right does not exist today.  A bill is going to be introduced, but who knows where it will go after that.

What is clear is that U.S. companies that transfer data from the E.U. face a lot of uncertainty and, apparently, a short time frame for two governments to come to some agreement.

I think we live in interesting times.


The WP29 press release can be found here.