None Of Your Business

Max Schrems – the same Max Schrems that battled Facebook and won and the same Max Schrems that got the Court of Justice of the European Union to strike down Safe Harbor – that Max Schrems – has a new mission.

The General Data Protection Regulation, the new privacy law that takes effect in the European Union next May, allows for “Group Actions” – kind of, sort of, like class actions.  Max’s new organization – NOYB for None of Your Business, plans to take on companies that are not following the GDPR law and make their life miserable.  Ask Facebook.  He is very tenacious.

His plan is to raise a half million Euros between now and May and then go on the attack.

GDPR allows for people to sue, but it is complicated and expensive.  What if an NGO existed solely for the purpose of collecting these people, aggregating their claims and going after the offenders?  It now exists and it is called NOYB.

Schrems has been pretty successful in the past, so I would not underestimate him.

If I were a company operating in the EU, I would definitely keep Schrems and NOYB on my radar screen.

In the meantime I would be working very hard to be in compliance with the regulations.

May 2018 is only 6 months away and the requirements of the GDPR may mean that you have to change data collection, data processing, data storage and data transmission practices as well as hiring a data protection officer.  Those are only some things that are required.

Stay tuned.  If history is any indication, Max could be trouble.

Information for this post came from the IAPP.

White House Considering Banning Personal Cell Phones

In a move that the White House says is for security, John Kelly is considering banning personal cell phones.

On one hand, you can’t blame them.  After all, Kelly’s own personal cell phone was hacked for six months before they figured it out.

On a self-serving theme, it is possible that it might cut down on leaks, but I doubt that would really make much of a difference.  If they are going to talk to the press, they will do it off the White House grounds.

From the staff’s perspective, they work somewhat insane hours and being cut off from their families for that long would be, at least for me, a reason to find a different job.  Given the pressures of the job, it is probably hard to find good people anyway and if you add another barrier, it just makes finding people harder.

If a staffer uses a government issued phone to talk to their family and friends, the question comes up about open records and how much would be exposed.  Also, government issued phones can’t do text messages and most families live on those.  I assume you could not install Snapchat or Telegram or Signal on a government phone.  It just seems like a mess.

Government phones can’t access Gmail; I am sure no White House staffers use that.

In addition, government officials for years have gotten into trouble for using personal phones and personal emails for government business (think Hillary Clinton or Colin Powell, for example), so banning personal phones helps fix that problem, MAYBE.  On the other hand, they also get in trouble for using government phones and emails for personal business.

Now, if this rule goes through, you just made things even harder.  If someone told you that you couldn’t access your personal phone, text messages, social media or personal email for say, 12-18 hours a day, would you take the job?  I suspect a lot of people would not.

It is fair to assume that foreign powers would love to tap into govies’ phones, so there is no easy answer.

Stay tuned for more details.

Information for this post came from Bloomberg.

Maybe Chris Roberts Was Right

For those of you who have been around the Denver cyber security scene, Chris Roberts is a bit of an icon.  For those of you who do not know him, he is a white hat hacker who most recently got some undesired fame when he tweeted about hacking a Boeing 737 he was on.  The FBI wasn’t amused (see article).  The FBI “greeted” him when he landed and United banned him for life.

Well now the Department of Homeland Security is admitting that it was able to hack a Boeing 757 REMOTELY last year.  Chris said his hack required him to be on the plane.  A remote hack is much scarier because if you can do that, maybe you can hack any plane from anywhere in the world.

Boeing, of course, went on immediate damage control.  They said they were aware of it and it wasn’t so bad because all they were able to hack was the plane’s communications system and not its flight controls.  Well, that makes me feel better already.

As security people always say, hacks never get better, only worse.  Maybe, today, all they can hack from half way around the world is the plane’s communications, but what will they be able to hack tomorrow?

Ponder this for a moment.  If the TSA is focused on stopping you from bringing nail scissors on to a plane but the hackers are attacking the plane from half way around the world... Well, you get the idea.

Basically, they validated what Chris was saying last year and what we all suspected.

This does not mean that planes are going to start falling from the sky – it is statistically safer to fly than to drive.  But what it does mean is that the manufacturers of airplanes are going to need to up their security game.  Now that it has become public, more money will be found.

No one wants people to be scared to fly.  I am sure that the spin doctors are in full panic mode right now figuring out how to deal with this.

All of this is because there is so much software on an airplane these days.  If you compare a third generation 737 with a current eighth generation 737, in many ways they are really two different airplanes.

This is definitely a story to watch.  Why, Congress could even get involved.

Information for this post came from Business Insider.


Intel Issues Security Alert Affecting PCs, Servers and IoT Devices

Intel issued an alert for owners of select PCs, Servers and IoT devices running Intel Core processors shipped since 2015.   The firmware in those computers may be vulnerable to attack.  The attacks may give hackers access to privileged system information and allow attackers to take over those computers.

MOST of the attacks require local access, but at least one of them can be done remotely.  Now that the details are out, it is possible that further exploits may be found.

Intel has released tools that allow users to determine if their systems are vulnerable.  Those tools, for Windows and Linux, are available on Intel’s web site, here.

Now here is the challenge.

Unlike Windows update, where patches are pushed out to users, these updates have to come from the hundreds of motherboard and system vendors that have used the affected processors over the last two years.  For many users, they know who makes their computers, but for lesser known manufacturers (not HP, Dell or Lenovo, for example), those vendors may not issue patches and may not warn their buyers.

For end users who are concerned, download the utility, test your computer and then, pester your computer manufacturer until they test and release a patch.

As of earlier this week, Dell, HP and some other vendors are testing new patches for release.

If there is any good news here, it is that most of the affected systems are higher end computers inside enterprises.  While that is bad since enterprises likely have more valuable data to steal, they also have IT departments who can and will run detection scripts to find out which computers need to be patched.

Home users who have high end systems will need to patch them, but likely never will, making it easy for hackers to take over control of those computers.

This particular attack points to a whole class of vulnerabilities that fall into the hard to deal with category.  Whether it is an Internet of Things device or a motherboard in a desktop PC, these bugs are much less likely to get fixed.  Vendors may or may not know who the end user is and the store that sold it may not know who the user is either.  The result is that a patch is never installed.  The hackers know this and will be trolling to find affected PCs, yours included.

Information for this post came from Ars Technica.


In case you thought you were being paranoid, you were not.  Have you ever gone to a web site, wandered around but never clicked on anything and then closed the browser only to see an ad for whatever you were looking at show up on some other web site?

There is a reason for that and no, you are not imagining it.

Some web sites track every single keystroke and mouse click that you make, capture it and store it.  They can tell if you hover over an image (even if you don’t click on it) and how long you do that.

Hundreds of sites including Microsoft, Adobe and GoDaddy capture every keystroke and mouse movement.  In many cases, that even includes passwords.  A study of 50,000 popular web sites found 482 of them did this.

Of course, without telling you.

These are called session replay scripts and can be used for many purposes, from figuring out which parts of a web site are more trafficked to capturing data to send you spam and ads.

Scripts from FullStory, Hotjar, Yandex, and Smartlook were the most intrusive because they recorded all input including Social Security numbers, and dates of birth.

Here is a demo of the replay technology:

The research, conducted by Princeton’s Center for Information Technology Policy, only tested 50,000 web sites.  No one knows if the percentage (about 1 percent) would stay the same if the sample size increased.  Assuming that the percentage stays flat, that means of the one billion web sites, ten million are capturing your info, whether you want them to or not.

I guess the good news is that it is only one percent and not 70 percent.  But since these tools can capture credit card numbers and passwords and since the web site owners share the data with third parties, it makes me wonder how safe things are.

If you use two factor authentication to log on, that significantly negates the risk from some third party having your password, but since only a tiny percentage of folks do use two factor authentication, that won’t help most people.

Some web sites do “mask” sensitive data, but since they don’t even tell us that they are recording in the first place, they certainly aren’t telling us whether they are masking data or not.
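As an added example (not from the original post, and not code from any of the vendors named above), here is what “masking” means in practice: a redaction step that a site could run over the event stream a replay recorder collects, before anything leaves the browser. Fields flagged by their attributes (password type, card autocomplete hints, tell-tale names) are always masked, and values that look like a card number or an SSN are masked even when typed into an unlabelled field. The event shape, field names and sample values are constructed for this example; the Luhn check and the SSN format test are the standard ones.

```javascript
// Added example, not from the original post: a redaction filter for the
// event stream a session replay recorder collects. Events are plain objects
// (constructed shape) such as a recorder would build from DOM input events.

// Field attributes that mark a field as sensitive whatever its content.
const SENSITIVE_TYPES = new Set(["password"]);
const SENSITIVE_AUTOCOMPLETE = new Set([
  "cc-number", "cc-csc", "cc-exp", "current-password", "new-password",
]);
const SENSITIVE_NAME = /(ssn|social|card|cvv|cvc|passw|secret|dob|birth)/i;

// Luhn checksum: true for digit strings that validate as card numbers.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = Number(digits[i]);
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Content heuristics: mask values that look like an SSN or a card number
// even when they were typed into a field nobody labelled as sensitive.
function looksSensitive(value) {
  const digits = value.replace(/[\s-]/g, "");
  if (/^\d{3}-?\d{2}-?\d{4}$/.test(value.trim())) return "ssn";
  if (/^\d{13,19}$/.test(digits) && luhnValid(digits)) return "card";
  return null;
}

function fieldIsSensitive(field) {
  return (
    SENSITIVE_TYPES.has(field.type) ||
    SENSITIVE_AUTOCOMPLETE.has(field.autocomplete) ||
    SENSITIVE_NAME.test(field.name || "")
  );
}

// Keep the length so the replay still shows that typing happened,
// but nothing of what was typed.
function mask(value) {
  return "*".repeat(value.length);
}

// Redact one event; non-input events (clicks, hovers, scrolls) pass through.
function redactEvent(event) {
  if (event.kind !== "input") return event;
  const reason = fieldIsSensitive(event.field) ? "field" : looksSensitive(event.value);
  if (!reason) return event;
  return { ...event, value: mask(event.value), masked: reason };
}

function redactStream(events) {
  return events.map(redactEvent);
}

// Constructed sample stream. 4111 1111 1111 1111 is the usual test card
// number and 123-45-6789 is a made-up SSN; neither belongs to anyone.
const sampleEvents = [
  { kind: "mousemove", x: 10, y: 20 },
  { kind: "input", field: { name: "email", type: "text" }, value: "alice@example.com" },
  { kind: "input", field: { name: "pw", type: "password" }, value: "hunter2" },
  { kind: "input", field: { name: "card", type: "text", autocomplete: "cc-number" }, value: "4111 1111 1111 1111" },
  { kind: "input", field: { name: "notes", type: "text" }, value: "123-45-6789" },
  { kind: "input", field: { name: "comment", type: "text" }, value: "4111 1111 1111 1112" },
];

console.log(JSON.stringify(redactStream(sampleEvents), null, 2));
```

The point of the content heuristics is the last two sample events: the SSN typed into a free-text “notes” field is still masked, while a number that fails the Luhn check is left alone, which is the trade-off a site makes between over-masking and leaking.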

Bottom line – assume everything that you are typing or clicking may be captured and shared with a third party.  AND, likely, AGGREGATED.

There are tools that can help you protect yourself but they complicate the world and slow things down.  Still, they may be worthwhile in some cases.

Depends on YOUR level of paranoia.

Information for this post came from Ars Technica.


Uber Paid Hacker $100k Hush Money; Didn’t Disclose Breach

This may turn out to be a lesson in Internet law for everyone.

In October 2016, hackers breached Uber’s systems and made off with personal information for 57 million customers.  They also made off with other information for 7 million Uber drivers and 600,000 drivers license numbers.

Uber says that no Social Security numbers, credit cards or trip information were taken.

At the time, Uber was fighting with U.S. regulators regarding privacy violations.  Someone inside the organization decided that, given what was going on, maybe burying this breach might be a better idea than fessing up.

So Uber paid the hackers $100,000 to “delete” the data.  I am sure that they did that because they are people of honor.  Then they buried the incident.

Fast forward a year and Uber has a new CEO after a whole bunch of bad press.  The CEO hires an outside law firm to help clean up the old west and what do they discover but an old breach, a $100,000 ransom and an oopsie, we forgot to report this.

Paying the ransom is probably not illegal.

Not telling shareholders that they were breached, well that is less clear.  I guess they could say that a breach of 57 million customers is not material.  Unless, that is, word about it gets out and they get sued – which is exactly what is happening now.

Not telling regulators about that – pretty clear that is illegal.

And, given that Uber operates in most states in the U.S. and there are different privacy laws in each of the states, they likely broke the law in a whole bunch of states.

IF, and this is not clear, there was information on residents of foreign countries, they likely broke foreign laws as well.

Here is the lesson in Internet law.

Since the breach was disclosed, the New York AG has said he is investigating and a lawsuit has been filed seeking class action status.

Uber’s co-founder learned of the breach in November 2016, right after Uber had settled a privacy lawsuit with the New York AG and was negotiating with the FTC over the handling of consumer data.  Apparently he decided not to tell the AG or the FTC.

The hack was pretty simple.  The hackers found a private Github repository that apparently was not adequately (or at all) protected and found Amazon web services credentials in that repository.  They logged on to Amazon, found the data and attempted to extort Uber.
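As an added example (not Uber’s code and not part of the original post), here is the kind of check that catches this particular mistake before a commit reaches a shared repository: a scanner that flags AWS-style credentials in file contents, as a pre-commit hook or CI job would. The file names and contents are constructed; the key values are the placeholder credentials AWS uses in its own documentation, not real keys. The access key ID format (a four-character prefix plus 16 upper-case alphanumerics) is documented; the secret-key rule is a heuristic that only fires next to a tell-tale variable name and skips low-entropy placeholders.

```javascript
// Added example, not Uber's code: a small scanner for AWS-style credentials
// committed to a repository, of the kind run from a pre-commit hook or CI.

// Long-term access key IDs start with AKIA, temporary ones with ASIA,
// followed by 16 upper-case alphanumerics. Secret keys are 40 characters
// from the base64 alphabet with no fixed prefix, so they are only flagged
// when assigned to a variable whose name gives them away (heuristic).
const ACCESS_KEY_ID = /\b(AKIA|ASIA)[0-9A-Z]{16}\b/g;
const SECRET_KEY_ASSIGNMENT =
  /(aws_secret_access_key|aws_secret|secret_key)\s*[=:]\s*["']?([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])/gi;

// Shannon entropy in bits per character: real secrets score high,
// placeholders like "xxxx..." or "0000..." score near zero.
function entropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Scan one file's text; returns a finding per hit with its line number.
// Secret values are truncated in the finding so the scanner's own output
// does not become another place the secret is written down.
function scanFile(path, text) {
  const findings = [];
  text.split("\n").forEach((line, idx) => {
    for (const m of line.matchAll(ACCESS_KEY_ID)) {
      findings.push({ path, line: idx + 1, kind: "aws-access-key-id", value: m[0] });
    }
    for (const m of line.matchAll(SECRET_KEY_ASSIGNMENT)) {
      const secret = m[2];
      if (entropy(secret) < 3.0) continue; // obvious placeholder, not a key
      findings.push({
        path,
        line: idx + 1,
        kind: "aws-secret-access-key",
        value: secret.slice(0, 4) + "...",
      });
    }
  });
  return findings;
}

// Scan a set of files (for example the staged files of a commit) and
// decide whether the commit should be blocked.
function scanRepo(files) {
  const findings = [];
  for (const [path, text] of Object.entries(files)) {
    findings.push(...scanFile(path, text));
  }
  return { findings, block: findings.length > 0 };
}

// Constructed sample repository. The credentials are the placeholder
// values from AWS documentation, not real keys.
const sampleRepo = {
  "config/aws.yml": [
    "region: us-west-2",
    "aws_access_key_id: AKIAIOSFODNN7EXAMPLE",
    "aws_secret_access_key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
  ].join("\n"),
  "README.md": "Set AWS_SECRET_ACCESS_KEY=" + "x".repeat(40) + " in your environment.",
  "src/app.js": "const client = new S3Client({ region: process.env.AWS_REGION });",
};

console.log(JSON.stringify(scanRepo(sampleRepo), null, 2));
```

Wired into a pre-commit hook, a non-empty `findings` list blocks the commit; the README line shows why the entropy filter matters, since documentation that tells people where to put a key would otherwise trip the same pattern. A scanner like this is the cheap half of the fix; the expensive half is making sure a key that did reach a repository is rotated rather than just deleted from the history.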

Uber does not have a reputation as a model citizen; in fact they have been involved in at least five criminal probes over bribes, illegal software, questionable pricing schemes and other issues.  This fits right in there.

Uber has brought in some high priced talent to help sort out the mess and rehabilitate their image, the former general counsel of the NSA, for example (not sure they should be a role model for Uber).  Based on some questionable NSA activities in the past, he may fit right into Uber’s culture.

What we don’t know at this point is what the various state regulators are going to do about this.  I assume that regulators COULD revoke Uber’s license to operate in their state, but I doubt that will happen.

Could the various states file criminal and/or civil charges?  That, I suspect, is much more likely, especially since they knowingly covered up the breach.

I am sure that it will be at least a few months before we have any idea on the scope of the fallout.  Given Uber’s past and very rocky relationship with regulators, those same regulators may decide that it is payback time.

Information for this post came from Bloomberg.