News Bites for Friday June 29, 2018

The Supremes Say Warrant Required For Cell Data

In a 5-4 decision last week, the Supremes said that the police should have gotten a search warrant before they asked for months’ worth of location data on a suspect.  The suspect in a robbery case was tracked by the police – over 12,000 locations over 127 days – to correlate robbery locations to the suspect’s location.   Chief Justice John Roberts wrote the opinion, basically saying that this is a search within the bounds of the 4th Amendment.  This is good news for privacy advocates, who say the power of the government is not unbounded.  Source: CNet.

GDPR: One Month In

Not surprisingly, one month in and we have already seen the results of GDPR.

The UK Information Commissioner’s office says they have seen a sharp rise in both complaints and notifications.  In France, they have seen a 50% rise in complaints compared to last year.

Austria says that they have received 128 complaints and 500 questions, along with 59 breach notifications.  Compare that 59 number to the entire eight months prior to the law going into effect – effectively an 8x increase.

Still, numbers in the hundreds and not in the millions means that people are not going crazy.  What we don’t have data on, yet, is how many people requested copies of their information or requested that their information be deleted. Source: WARC

Exactis Exposes More Than 340 Million Records

And the record for most breached records goes to Exactis.  Well, no, actually that record will hopefully always stay with Yahoo, but still, 340 million records (230 million consumers and 110 million businesses)  is not a drop in the bucket.

Exactis is one of those data aggregation firms that know everything from your name and address to how many kids you have and your income, among literally thousands of data points.

Now it appears that the data was exposed because of a lack of access controls on an Amazon-hosted Elasticsearch setup.

Given new privacy laws in place and coming into place, this type of breach MAY need to be disclosed.  So far, the company is being quiet about it.  Older privacy laws did not consider things like your kids’ names, ages and genders private.  Newer ones are starting to, hence the possible requirement for disclosure.  Source: Wired

8 States Settle With Equifax Over Breach

8 states – Alabama, California, Georgia, Maine, Massachusetts, New York, North Carolina and Texas – have come to an agreement with Equifax on security practices.  This is only one of MANY legal actions that Equifax will have to deal with.

The requirements are pretty mild and Equifax is likely doing most of these as a response to the breach: conduct annual security audits, develop written data protection policies and guides, monitor its outside vendors, and improve patch management.  It is actually surprising that a company of their size was not already doing all of these items and more.

The agreement does allow these states to take legal action if Equifax does not implement these controls.  Source: The New York Times

CA AB 375 – A Law That Will Change The Internet As We Know It

For those of you who do not have a life and hence follow the shenanigans of the legislative process in various states, today is a day that you will remember.

The California legislature was held hostage by real estate mogul Alastair Mactaggart.  Mactaggart spent $3 million of his own money (for him, seat cushion money) to get the California Consumer Privacy Act on the ballot.

Here is the hostage part.

The ballot initiative would have built into the California Constitution consumer privacy protections similar to what just went into effect in Europe with the General Data Protection Regulation, or GDPR.  Businesses were geared up to fight the initiative, planning to spend $100 million on it.  Mactaggart could have raised that much from his close friends, so there was going to be a battle.

Of course, no one knows if the ballot initiative would have passed, but if it did, it would have been impossible to change without another ballot initiative.

The alternative was for the legislature to pass a law, Assembly bill 375, that would mimic the major features of the ballot initiative, but would have been much more easily amended if there were unforeseen consequences.

TODAY was the deadline for pulling the ballot initiative.

So the legislature made a bargain from hell.  They passed the bill, Governor Brown signed it, but the bill has a poison pill in it.  If the ballot initiative isn’t pulled, the law is null and void.  Mactaggart agreed to pull the initiative if the bill was passed and signed.  He did pull the initiative today.

So tech companies get a law that has more wiggle room than the initiative would have had, but way less flexibility than what they can do today.

AND, unless they plan on having two Internets, one for California and one for the rest of the country, the change will affect everyone.

The bill was a work in progress up until the time it was voted on – we have seen that in Congress many times, so that should not surprise anyone.  Now that it has been signed into law, people will start dissecting it.  Without regard to the nuances, here is what the San Jose Mercury News says about it.

First, the bill does not take effect until 2020, which is probably a good thing.

Like the GDPR, the law will allow consumers to know what data is collected on them, opt out of collection and hold companies accountable for data breaches.

When California passed the landmark privacy law SB 1386 in 2003, everyone thought they were crazy, and maybe they were, but 1386 is the basis of every privacy law in the United States.

CA AB 375 may do that again – leading the way.  The saying goes, “As goes California, so goes the rest of the country”.

The passing of this bill came right on the heels of the Exactis data breach of 340 MILLION people and businesses, so the California tech companies were playing Russian roulette with at least 4 bullets.  In light of this breach, would California voters enshrine a much more aggressive law into the Constitution?

One part of the bill that companies who do business in California are breathing a sigh of relief over is that, under AB 375, you and I can sue a company for a breach – something that does not exist today – but under the ballot initiative, we could have sued if they violated any part of the law.  Still, the threat of 30 million Californians suing you over a data breach should get the attention of most Board members.

In exchange for limiting the right to sue, residents can ask for what information companies have on them, twice a year, for free.  It also gives people the right to delete it.

For kids under 16, companies must get an opt-in to collect their data in the first place.

Google and Facebook want to change the law already, but I assume that if they stray too far, Mactaggart will dust off the initiative, which now will probably seem to many Californians like a tweak and the odds of passing a new initiative are greatly increased.

After today, Californians will expect this to be the new norm.

Facebook and Google’s trade group said that they want to change it so that Californians get all the benefits and opportunities consumers expect.  One of the benefits many consumers expect is a tiny little bit of privacy.  One of the benefits that Facebook and Google want is to sell every little thing that they can find out about you.

A recent poll found that 73 percent of those polled think there should be more regulation of big tech companies, so I would say they (Facebook and Google and their friends) should be very careful about what they do or they may get something that they REEEEEALY don’t like – a new ballot initiative.

Professor Eric Goldman, Professor of Law at Santa Clara University School of Law, co-director of the school’s High Tech Law Institute and supervisor of the school’s Privacy Law Certificate writes an incredible blog.

Yesterday he wrote the longest blog post I have ever seen him write, about what was, at the time, still a bill.

I won’t even try to recreate the blog in this post, but a link to it is available at the end.

Professor Goldman calls the bill a privacy bomb.  Depending on which side you are on, it is either a good bomb or a bad bomb.

The bill creates what is now called the California Consumer Privacy Act of 2018, effective in 18 months on January 1, 2020.

Just like GDPR, businesses of all sizes would need to create a mechanism to respond to consumer requests for data, deletion requests and data sharing limitations.  Businesses can decline to delete information if they meet one of the several allowances.

It prohibits a third party (like Exactis, who was just breached) from selling personal data about a consumer unless the consumer has received explicit notice and has the right to opt out.  For businesses that are in the business of selling your data, this is a nightmare.

Just like GDPR, businesses have to provide a conspicuous link on their homepage for “Do Not Sell My Personal Information”.  Today, if there even is a way to do it, it is buried on page 22 of a privacy policy full of dense legalese.

The bill would prohibit discrimination against a consumer because they exercised their rights under the law.  Discrimination includes denying goods or services to the consumer, charging different prices, or providing a different level or quality of goods or services.

But there is a takeaway here.

They can charge a different price or different level of service if that difference is reasonably (are the lawyers paying attention) related to the value provided to the consumer by their data.  So, if Facebook can make say $5 a month per user by selling their data, they could say that if you don’t want us to sell your data, give us your credit card and we are going to charge you $5 a month.  Under that scenario they could not say that they want to charge you $25 a month.

Businesses are authorized to pay you to be allowed to sell your data (which somehow is different from charging you a different rate for selling your data).  Consumers would have to opt in for that.

Like GDPR, businesses have to disclose a whole bunch of new information in their privacy policy.

Finally (this post is already way too long), the bill allows consumers to initiate a civil action and collect damages of between $100 and $750 per incident, or actual damages, whichever is GREATER, in case of a breach of unencrypted data.

Professor Goldman’s post has a lot of additional information, so please read it.

The bill does have an exemption for small businesses.  The law applies to businesses which meet ANY of these criteria:

  • $25 million in revenue -OR-
  • Derives more than 50% of its revenue from selling data -OR-
  • Buys, sells, shares for commercial purposes or receives for commercial purposes the information on 50,000 or more consumers, households or devices.  That means 137 visitors a day.

My guess is that the last item is the one that will catch most small businesses.

I will write more about this as the details become more solid. Professor Goldman wrote his blog based on a three day old version of the bill, so who knows what got added or deleted.

Information about the bill can be found on the Assembly’s web site, but as of tonight, the enrolled bill is not there.  Here is a link to the bill’s history.

Information for this post came from the San Jose Mercury News and Prof. Eric Goldman’s Privacy Blog.

What Happens When Your Firewall Loses the War and Joins the Other Side?

Cisco released an announcement that a high severity vulnerability affecting many Cisco ASA firewalls and Firepower security appliances has a proof of concept available in the wild.  This means that even amateurs can take that code, modify it a bit and successfully either force your firewall to randomly reboot or to steal credentials from that firewall.

Cisco is “recommending” that customers patch their firewalls.

The attack can be executed remotely – such as from China – and does not require the attacker to have any valid credentials.

The bug affects ASA 5500 and 5500-X firewalls, Firepower 2100, 4100 and 9300 appliances and several other models.

There are no workarounds for this flaw other than to power off your firewall and take down your Internet connection.

So what should you do?

While this bug patch was updated just a couple of days ago, it was released several weeks ago.

Users should always keep on top of patches for equipment that they have installed.

Cisco, as just one of many vendors that customers likely use, has a security advisory page at  .  Each vendor announces patches in a different way.

One of the benefits of buying Cisco is that you can only download patches if you have a current, valid support agreement.  If you do not subscribe to Cisco’s model for making them rich, you cannot obtain security patches.  This is different from most vendors, who distinguish between security patches and new features.

If you do not have a support contract, Cisco will be happy to sell you one.

Information for this post came from Help Net Security.

Digital Tools of Domestic Abuse

People thought they were going crazy.

Their air conditioner randomly turned off.

The combination on their door lock changed every day.

The doorbell kept ringing even though no one was there.

These are all symptoms of domestic abuse where one partner understands how to use those technical toys against the other partner.

And, in the case of Internet connected cameras, they could watch and listen as well.

I have heard stories of an aggravated partner turning the heat up to 100 when their former partner was away, or turning the heat off in the middle of the winter so their ex would wake up to a freezing house.

Not surprisingly, the law is a tiny bit behind the times.  As in clueless.

Many of the victims were women and many of the gadgets were installed by men.  Many of them from wealthy enclaves where the tech IoT boom has gone crazy.

The idea behind doing this is control – again not surprising.

Do not expect the courts to be much help when it comes to restraining orders.  Most don’t cover digital domestic abuse and the few that do – good luck proving what happened and who did it.

So, what to do about it?

Obviously, the simple answer is to disconnect the devices.  If you have a smart thermostat, replace it with a simple mechanical one.  Not as “cool”, but I dare you to remotely hack a mechanical thermostat.

For smart lights, replace them with inexpensive dumb lights.

If you want to keep the tech, the problem becomes more complicated.

First, change the WiFi password.  But a word of warning.  This will likely break every smart device that you have.

Once you have changed the WiFi password, next you get to figure out how to do a reset on every device in the house and reprogram it.  Until you reprogram a given device, it is a dumb device.  If the smart lightbulb cannot be remotely accessed, you are going to have to walk over to the wall and turn the light on.

For some devices, I would recommend never turning them back on.  Like smart locks.  Way too risky.

For online services, create new accounts and disable or delete the old accounts.

And, create complex passwords that your ex will not be able to figure out.  Your ex probably knows at least some of your current passwords and if there is a pattern to them, your new passwords cannot use those same patterns.  Random is way harder to guess, but you will have to use some form of password manager to keep track of them.

Also, if the new account wants an email address to use for password resets, DO NOT use any existing email account that you have.  Create a new GMail account and make it non-obvious.  Don’t use SamT1234.  Use S4735x2.  Something that will be very difficult to guess, and give it a complex password as well.
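The password advice above (random beats patterns, and the new credentials must not share a pattern with ones an ex may know) can be made concrete. The following is an added example, not code from the original post: it generates passwords and account handles with the operating system’s CSPRNG, rejects any candidate that reuses a run of characters from a list of old passwords, and reports how much guessing work a uniformly random password represents. The old passwords and the 4-character run length are constructed assumptions for illustration.

```python
import math
import secrets
import string

# Constructed sample: passwords a former partner may already know.
# These are made up for this example.
OLD_PASSWORDS = ["SamT1234", "samt1234!", "SamTaylor2017"]

FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation
HANDLE_ALPHABET = string.ascii_lowercase + string.digits


def shares_pattern(candidate: str, known: list, min_run: int = 4) -> bool:
    """True if `candidate` contains any run of `min_run` or more characters
    (compared case-insensitively) taken from a password in `known`.
    This catches the usual 'SamT1234' -> 'SamT5678' style of tweak."""
    cand = candidate.lower()
    for old in known:
        old_l = old.lower()
        for start in range(0, len(old_l) - min_run + 1):
            if old_l[start:start + min_run] in cand:
                return True
    return False


def entropy_bits(password: str, alphabet: str) -> float:
    """Guessing work in bits for a password chosen uniformly at random from
    `alphabet`: log2(|alphabet| ** len(password)). This estimate is only
    meaningful for randomly generated passwords, not human-chosen ones."""
    return len(password) * math.log2(len(alphabet))


def generate_password(length: int = 16, alphabet: str = FULL_ALPHABET) -> str:
    """Draw each character with `secrets` (OS CSPRNG), never `random`."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_unrelated_password(known: list, length: int = 16,
                                alphabet: str = FULL_ALPHABET) -> str:
    """Generate until the candidate shares no character run with `known`.
    Rejection is rare for random output, so this loop ends quickly."""
    while True:
        candidate = generate_password(length, alphabet)
        if not shares_pattern(candidate, known):
            return candidate


def generate_handle(length: int = 8) -> str:
    """A non-obvious mailbox name for the password-reset account, e.g. the
    'S4735x2' style above, built from lowercase letters and digits."""
    return "".join(secrets.choice(HANDLE_ALPHABET) for _ in range(length))


if __name__ == "__main__":
    new_pw = generate_unrelated_password(OLD_PASSWORDS, 20)
    print("new password:", new_pw, "(store it in a password manager)")
    print("entropy bits:", round(entropy_bits(new_pw, FULL_ALPHABET), 1))
    print("reset-address handle:", generate_handle())
```

The pattern check is deliberately crude: it only asks whether the new secret visibly reuses part of an old one, which is exactly the kind of guess the post warns about. Anything generated this way has to live in a password manager, as the post says, because it is not memorable by design.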

If you don’t want to just shut off these smart devices – and that may be easier – it is going to take some level of effort.

Your choice.  Not a pretty choice, but a choice nonetheless.

Information for this post came from the New York Times.

News Bites For June 22, 2018

Latest Cost Estimates For Equifax Breach is $439 Million

According to recent (March) tax filings, costs related to their breach are now $439 million, making the Equifax breach the costliest in US history.  Assuming insurance does pay, it would cover, at most, $125 million, leaving Equifax to write a check for $300 million plus.  Given that none of the lawsuits have been settled yet, that $439 million number is sure to grow.  While Equifax’s investors can write that check, I am sure that none of them are happy about doing so.  (Source:

Apple, Others Allow Russians to Look for Vulnerabilities in Software Used by the Pentagon and FBI

After all, what could go wrong?

U.S. tech companies have given in to Russian, Chinese and other countries’ demands to review the source code for their products.  Not only does this expose vulnerabilities (which they likely will NOT point out to the U.S. company), but it also gives away U.S. intellectual property, all in a never-ending quest to increase sales and profit.

A bill currently in Congress would force companies who do business with the government to disclose any source code review done by military adversaries.  Forcing companies to disclose will keep the pressure on to stop doing that.

The limited leaks that we have already seen have caused companies to do a quick dance to try and mitigate the PR damage.

The companies say that the reviews are done in company controlled facilities.  I am sure that they use one of those memory wipers from the Men In Black movies on the reviewers before they leave the room.

The knowledge that the Russians and Chinese get is, of course, used against everyday companies as well as the government and is used to build competing products that they sell against ours.

The article has a graphic with examples of software reviewed and who uses it.  (Source: Reuters)

Senate Votes 85 to 10 to Continue ZTE Ban

ZTE, the Chinese electronics maker said to be a national security threat to America, was banned last month from buying parts and selling products in the U.S. by the Commerce Department.  President Trump tried to overturn the ban, which basically shut the company down, by asking the company to pay a billion dollar fine and saying that would make it a non-threat.  The Senate attached a bill to the Defense Authorization Bill outlawing ZTE, nullifying Trump’s gimmicky non-solution.  Trump could risk shutting down the Armed Forces by vetoing the bill, but even if he did, which would be an incredibly risky political move given his base, at 85 to 10, any veto would be quickly overridden. (Source: Politico)

macOS Quicklook Feature Exposes Data on Encrypted Volumes

Let’s assume that you have some sensitive pictures and you store them on an encrypted volume on your Mac.  macOS conveniently creates thumbnails of those pictures to show you and stores them unencrypted, so while the full resolution picture is encrypted, the thumbnail is not.  Apple says this is a feature and is not going to fix it.

This problem also exists on Windows.  If you store a Word or Excel document, for example, on an encrypted volume, the temp file that those programs use will be on an unencrypted system volume.  The only way to “fix” this is to encrypt the system volume. (Source: Ars Technica)

Software Supply Chain is a Critical Issue

Recently there have been a number of reports of cities having credit card breaches.  It turns out that it all ties back to the same vendor that those cities all use, called Superion.  At least 10 cities have reported being breached and there are probably more.  Superion has finally admitted that the breach was due to a WebLogic (Oracle) bug that had not been patched.  The cities counted on Superion to keep them safe.  Superion is blaming Oracle.  Ultimately, it is the cities and taxpayers who will foot the bill for this mess – a mess caused by not managing the entire software supply chain from end to end.  Likely those cities were not even aware that they were running Oracle software.  Whose fault is that?  (Source: Dark Reading)
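The point of the story is that a customer’s inventory usually stops at the vendor product, while the vulnerable component sits one layer down. The following added example (not code from the original post or from any vendor named in it) shows what "managing the supply chain end to end" looks like in the smallest possible form: an inventory that records what each vendor product is built on, and a check that maps a component advisory back to the customers who are exposed through it. The city names, vendor names, products, versions and the advisory are all constructed placeholders, not details from the incident.

```python
# Constructed inventory: each city records the vendor product it bought and,
# crucially, the components that product is built on. All names and version
# numbers here are placeholders invented for this example.
INVENTORY = {
    "City A": [
        {"vendor": "VendorX", "product": "PaymentPortal",
         "built_on": {"Oracle WebLogic": "12.1.3.0", "Java SE": "8u171"}},
    ],
    "City B": [
        {"vendor": "VendorX", "product": "PaymentPortal",
         "built_on": {"Oracle WebLogic": "12.1.3.1", "Java SE": "8u171"}},
    ],
    "City C": [
        {"vendor": "VendorY", "product": "PermitDesk",
         "built_on": {"Apache Tomcat": "8.5.31"}},
    ],
    "City D": [
        {"vendor": "VendorX", "product": "UtilityBilling",
         "built_on": {"Oracle WebLogic": "12.1.2.0"}},
    ],
}

# Constructed advisory: the component and the first version that is fixed.
# A real advisory would carry an identifier and an affected-version list;
# the values here are placeholders.
ADVISORY = {"component": "Oracle WebLogic", "fixed_in": "12.1.3.1"}


def parse_version(text: str) -> tuple:
    """Turn a dotted version string into a tuple of ints so that
    '12.1.3.0' < '12.1.3.1' compares the way people expect.
    Non-numeric parts (e.g. '8u171') are kept as strings."""
    parts = []
    for piece in text.split("."):
        parts.append(int(piece) if piece.isdigit() else piece)
    return tuple(parts)


def exposed_deployments(inventory: dict, advisory: dict) -> list:
    """Return (city, vendor, product, version) for every deployment whose
    underlying component is older than the fixed version in `advisory`.
    The city never installed the component itself, which is exactly why
    the lookup has to go through the vendor product's bill of materials."""
    component = advisory["component"]
    fixed = parse_version(advisory["fixed_in"])
    hits = []
    for city, deployments in inventory.items():
        for dep in deployments:
            version = dep["built_on"].get(component)
            if version is None:
                continue  # this product does not embed the component
            if parse_version(version) < fixed:
                hits.append((city, dep["vendor"], dep["product"], version))
    return hits


def vendors_to_notify(inventory: dict, advisory: dict) -> set:
    """The vendors a customer has to chase for a fix, since the customer
    cannot patch an embedded component directly."""
    return {vendor for _, vendor, _, _ in exposed_deployments(inventory, advisory)}


if __name__ == "__main__":
    for hit in exposed_deployments(INVENTORY, ADVISORY):
        print("EXPOSED:", hit)
    print("vendors to notify:", vendors_to_notify(INVENTORY, ADVISORY))
```

Without the `built_on` entries, City A and City D have no way to connect a WebLogic advisory to the product they actually run; with them, the question "are we affected?" becomes a lookup rather than a wait for the vendor to admit it.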

Developers Using Unprotected Databases Exposing Millions of Passwords

Thousands of Android and iPhone mobile apps use the Firebase database.  The database runs in the cloud and, apparently, by default has no security.

The net effect of this is that 100 million records, or more, are exposed for anyone to capture.

Firebase, a database run by Google, is very popular with Apple and Android developers.  It is popular because it allows for synchronizing data automatically across devices.

The data stored includes userids and passwords and even banking records, all unencrypted unless the developers protected the data themselves.

Researchers discovered 3,000 apps leaking 2,300 databases with over 100 million records or 113 gigabytes.

The vulnerable Android apps, which are the majority of the 3,000 apps, were downloaded 620 million times, so this is a mainstream problem.

Developers are responsible for protecting the data that they collect and users count on them to do that.

So what are you to do?

First, if you are a developer, you need to consider security when you design applications.  If you can’t figure out whether the data you are storing is secure, you should not be in the development business.
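Firebase Realtime Database access is governed by a JSON rules document (`{"rules": {...}}` with `.read`/`.write` expressions and an `auth` variable that is null for unauthenticated callers), and a rules document that grants `true` at the root is what "no security by default" looks like in practice. The following added example, not code from the original post or from Google, puts a wide-open rules document beside a restricted one and walks both to report which paths are granted to anyone on the Internet. Both rule documents are constructed for this example; the `/public_config` node is included to show that a deliberate world-readable path still gets reported so the developer can confirm it is intentional.

```python
import json

# Constructed rules document: root-level read and write granted to everyone,
# the shape a database ends up in when security is never configured.
OPEN_RULES = json.loads("""
{
  "rules": {
    ".read": true,
    ".write": true
  }
}
""")

# Constructed hardened document: each user's subtree is readable and
# writable only by that signed-in user ($uid is a path wildcard); one
# small config node is intentionally world-readable but never writable.
RESTRICTED_RULES = json.loads("""
{
  "rules": {
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid === $uid",
        ".write": "auth != null && auth.uid === $uid"
      }
    },
    "public_config": {
      ".read": true,
      ".write": false
    }
  }
}
""")


def _is_unconditional_grant(value) -> bool:
    """A rule grants access to unauthenticated callers when it is the
    literal true (boolean or the string form some consoles emit)."""
    return value is True or (isinstance(value, str) and value.strip() == "true")


def _walk(node: dict, path: str) -> list:
    findings = []
    for key, value in node.items():
        if key in (".read", ".write"):
            if _is_unconditional_grant(value):
                findings.append((path, key))
        elif isinstance(value, dict):
            findings.extend(_walk(value, path.rstrip("/") + "/" + key))
    return findings


def world_accessible(rules_doc: dict) -> list:
    """Return (path, permission) pairs where access is granted unconditionally.
    Rules cascade downward in Firebase, so a grant at '/' covers the
    entire database regardless of what child nodes say."""
    return _walk(rules_doc["rules"], "/")


def world_writable_paths(rules_doc: dict) -> list:
    """The subset a reviewer must treat as a blocker: anyone can write."""
    return [path for path, perm in world_accessible(rules_doc) if perm == ".write"]


if __name__ == "__main__":
    for label, doc in (("open", OPEN_RULES), ("restricted", RESTRICTED_RULES)):
        print(label, "->", world_accessible(doc) or "nothing unconditional")
```

A root-level `.write: true` is the condition under which the records described above become not just readable but replaceable by anyone who learns the database URL, which is why the writable list is separated out as the one that must be empty before shipping.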

Unfortunately, as an end user, you don’t really know whether the people who developed the app that you downloaded built it securely.

You can do research on the apps, but until this security flaw was announced, research would not have told you there was a problem.

The only other alternative is to be very selective about what apps you download.  That certainly is not a great answer either.

You also can be selective about what data you give the apps, but if the app is, as some of these are, a health data app, and you don’t give it your health data, what good is it?

Ultimately, the responsibility for this particular mess falls, for the most part, on the development community, so folks, you need to up your game.  Just my two cents.

Information for this post came from The Hacker News.