What is Going to Happen in Europe Regarding Privacy?

Well, we certainly DO live in interesting times.

The UK is supposed to leave the EU at the end of March, but no one knows whether it will, whether there will be a deal, whether Brexit will be delayed, or whether there will be another vote.

The European Data Protection Supervisor says not to expect anything with regard to UK “adequacy” (an adequacy decision is what lets you freely move personal data between the EU and the UK) for at least a couple of years.  For folks with large operations in the UK, that could be a problem.

The Supervisor also said that it is unlikely that GDPR will be revisited for another 7-10 years; considering the adoption process that follows, do not assume any changes to GDPR for around 20 years.  For those hoping for relief, do not count on it.

He also told the European Parliament that Privacy Shield, the Frankenstein agreement concocted by the US and EU after the EU courts struck down Safe Harbor, is “an instrument of the past”.  He said that Privacy Shield is an interim instrument and that, when you look at the full scope of GDPR, Privacy Shield doesn’t make any sense.

Regarding the ePrivacy legislation that is in the works, he is hoping to get some consensus this summer, but whether that means there will be a vote-ready version is another story.  Once approved, that will be yet another set of rules for companies to adopt.

When it comes to data retention, he wasn’t happy about Italy’s law, which allows data to be kept for 6 years.  Of course, in the US, there is no limit on retention at all.  He did, however, like the German approach, which allows retention for weeks, not years.

Suffice it to say, there is a huge gap between European desires (and their laws) and current American practices, and that will likely continue to play out in the courts.  Stay tuned.  Source: IAPP (membership may be required to view).

This is Why I am So Adamant About the Importance of Patching

Just ONE day after the announcement of the NINETEEN YEAR OLD bug in the very popular WinRAR utility, Check Point Software found examples of it being exploited in the wild.  Given that the vast majority of the 500 million installed copies will likely NEVER be patched, and the fact that the bug lets an attacker take full control of the system, this is a bit problematic.  The good news is that it is possible that certain parts of the attack will be blocked (today, in this version of the exploit) if the user is not a local admin.

In a somewhat entertaining turn of events, the WinRAR folks can’t find the source code necessary to fix the nineteen year old bug (it lives in a third-party library that handles the ACE archive format), so they opted to remove the affected feature completely.  Most users will probably never notice the loss.

And this situation is not unusual.

Also this week, the developers of Drupal patched a critical flaw that would allow hackers to take over your web site.  It is more likely that this bug will be patched than the WinRAR bug, but I am sure that there are many web sites that will never be patched.

Drupal is open source and WinRAR is closed source, which points out that all software is buggy and that open source software is not statistically any less buggy than closed source software.

So what should you be doing?

If you do not already have a complete inventory of all software installed on all user devices and all servers, that is the place to start.  This inventory needs to be updated frequently.

Once you have this inventory, you need a plan to monitor all of these applications for newly disclosed bugs and available patches, so that you can patch quickly once patches are available, and so that you can place the findings in your cyber risk register if there is no patch, or if you decide not to install the patch now (or possibly ever).
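As an added example (not from the original post, and not describing any real product or advisory), here is the smallest useful version of that inventory-versus-advisory triage: every installed product is joined against the advisories for it, hosts below the fixed version go on the patch list, and anything with no fix at all is emitted as a risk-register line.  The hosts, product names and version numbers are constructed for illustration.  The one detail worth seeing in code is the version comparison: comparing "5.9" and "5.70" as strings says the older one is newer, which quietly marks vulnerable hosts as fine.

```python
import re
from typing import NamedTuple, Optional

# Added example, not from the original post: triage of a software inventory
# against vendor advisories.  Hosts, products and versions are constructed and
# do not describe real advisories.

class Installed(NamedTuple):
    host: str
    product: str
    version: str

class Advisory(NamedTuple):
    product: str
    fixed_in: Optional[str]   # None means the vendor has published no fix
    summary: str

def version_key(version: str):
    """Turn '5.61' or '8.6.10' into a tuple of ints so that 5.9 < 5.10.
    A plain string comparison gets this wrong ('5.9' > '5.10')."""
    return tuple(int(n) for n in re.findall(r"\d+", version))

def triage(inventory, advisories):
    """Return (action, installed, advisory) rows.  action is
    'patch'    - a fix exists and this host is below it,
    'register' - vulnerable and no fix exists: record it in the risk register,
    'ok'       - already at or above the fixed version."""
    by_product = {}
    for adv in advisories:
        by_product.setdefault(adv.product, []).append(adv)
    rows = []
    for item in inventory:
        for adv in by_product.get(item.product, []):
            if adv.fixed_in is None:
                rows.append(("register", item, adv))
            elif version_key(item.version) < version_key(adv.fixed_in):
                rows.append(("patch", item, adv))
            else:
                rows.append(("ok", item, adv))
    return rows

def risk_register_entries(rows):
    """Format the items that cannot be patched as risk-register lines."""
    return [f"{item.host}: {item.product} {item.version} - {adv.summary} - no fix available"
            for action, item, adv in rows if action == "register"]

# Constructed sample data.
INVENTORY = [
    Installed("ws-101", "ArchiverX", "5.61"),
    Installed("ws-102", "ArchiverX", "5.70"),
    Installed("ws-103", "ArchiverX", "5.9"),     # the string-compare trap
    Installed("web-01", "SiteCMS", "8.6.10"),
    Installed("web-02", "LegacyViewer", "2.3"),
]
ADVISORIES = [
    Advisory("ArchiverX", "5.70", "path traversal in archive extraction"),
    Advisory("SiteCMS", "8.6.11", "remote code execution"),
    Advisory("LegacyViewer", None, "authentication bypass; vendor defunct"),
]

if __name__ == "__main__":
    rows = triage(INVENTORY, ADVISORIES)
    for action, item, adv in rows:
        print(f"{action:8} {item.host:8} {item.product} {item.version} -> fixed in {adv.fixed_in}")
    print("\n".join(risk_register_entries(rows)))
```

In practice the inventory comes from your endpoint management or CMDB export and the advisories from a vulnerability feed, but the join and the decision are exactly this: a patch list for the items with a fix, and a register entry, with an owner and a review date, for the ones without.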


As a side note, if you choose not to follow my advice and later have a breach attributed to a missing patch (think of the Equifax breach, which came down to an unpatched Apache Struts vulnerability, as an example of the problem missing patches cause), make sure your lawyers are all paid up because you will be sued.

Source: The Hacker News.

LinkedIn Messaging Used to Target Businesses

Many employees are at least curious about their next job.  That is the basis for this attack.

The attacker sends LinkedIn direct messages from a legitimate LinkedIn account.

If that doesn’t get a response from the target, the attacker sends emails to the target’s business email address suggesting a job offer.

The links in the email point to a web page that looks like the home page of a legitimate recruiter’s web site.

That web page automatically downloads a malicious Microsoft Office document.  The document contains malicious macros, and it will try to talk the target into enabling them.

Assuming the target enables the macros, the macro downloads the last stage of the attack, a piece of backdoor software called More_eggs, which gives the attacker control of the infected computer.  Forever!

Once they have control of the machine, they can download whatever other payloads they want in order to further the attack – or attack other systems.

While this attack uses several vectors to get the victim to download the infected Word document, it ultimately boils down to convincing the user to enable macros.

If the user won’t click on the enable macros button, the entire scheme fails.
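Since the whole chain depends on a macro-bearing Office document reaching the user, the other place to break it is before the document arrives.  The following is an added example (not from the original post, and not any vendor's code) of a mail-gateway style check.  It relies on one fact about the formats: modern Office files (.docx, .docm, .xlsm, .pptm) are zip containers, and a VBA project ships inside them as a part named vbaProject.bin, whatever the file extension says.  Legacy binary .doc/.xls files are OLE2 compound files that need a real parser (oletools' olevba, for instance), so the example only holds those for inspection.  The sample files are constructed in memory.

```python
import io
import zipfile

# Added example, not from the original post or any vendor: flag Office
# attachments that carry a VBA macro project.  Sample files are constructed.

OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # legacy .doc/.xls/.ppt header

def classify_office_file(data: bytes) -> str:
    """Return 'ooxml-macro', 'ooxml-clean', 'ole2-legacy' or 'other'."""
    if data.startswith(OLE2_MAGIC):
        return "ole2-legacy"
    if not data.startswith(b"PK"):
        return "other"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return "other"
    # Word, Excel and PowerPoint keep the project at word/, xl/ or ppt/vbaProject.bin;
    # matching on the basename covers all three.
    if any(name.rsplit("/", 1)[-1].lower() == "vbaproject.bin" for name in names):
        return "ooxml-macro"
    return "ooxml-clean" if "[Content_Types].xml" in names else "other"

def gateway_decision(filename: str, data: bytes) -> tuple:
    """Policy: quarantine anything with a macro project regardless of extension
    (a .docm renamed to .docx still contains vbaProject.bin); hold legacy
    binaries for olevba; deliver clean OOXML and non-Office files."""
    kind = classify_office_file(data)
    if kind == "ooxml-macro":
        return ("quarantine", f"{filename}: VBA project present")
    if kind == "ole2-legacy":
        return ("hold", f"{filename}: legacy OLE2 file, run olevba before delivery")
    return ("deliver", f"{filename}: {kind}")

def build_ooxml(parts: dict) -> bytes:
    """Construct a minimal OOXML container in memory for the demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()

# Constructed samples: a clean document, a macro document, a macro workbook,
# and a stub with the OLE2 header.
CLEAN_DOCX = build_ooxml({"word/document.xml": "<w:document/>"})
MACRO_DOCM = build_ooxml({"word/document.xml": "<w:document/>",
                          "word/vbaProject.bin": b"\x00" * 16})
MACRO_XLSM = build_ooxml({"xl/workbook.xml": "<workbook/>",
                          "xl/vbaProject.bin": b"\x00" * 16})
LEGACY_DOC = OLE2_MAGIC + b"\x00" * 504

if __name__ == "__main__":
    for name, blob in [("resume.docx", CLEAN_DOCX), ("offer.docm", MACRO_DOCM),
                       ("offer.docx", MACRO_DOCM), ("sheet.xlsm", MACRO_XLSM),
                       ("old.doc", LEGACY_DOC)]:
        print(gateway_decision(name, blob))
```

The check looks at content, not at the extension, because the extension is the attacker's to choose.  Whether "quarantine" means block or route to a sandbox is a policy decision; the point is that a user who cannot receive the document cannot click Enable Content.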

Through simulated phishing attacks and other training, we have tried valiantly to stop users from clicking on links like the one that says enabling macros is dangerous;  only do it if you trust the sender.  And people click on them anyway.

Judging by articles I found, this attack has been working since at least 2017.  Apparently well enough for attackers to continue using it.

Users are almost always the weakest link in the security chain.  This attack is no different.

Source: Bleeping Computer.


Security News Bites for the Week Ending February 22, 2019

Over 5 Billion Records Exposed in 2018

Risk Based Security is reporting that there were 6,515 publicly reported breaches in 2018, exposing over 5 billion records.  This is a couple hundred breaches fewer than in 2017, but the final numbers are not in yet, as breaches continue to be reported.

The reported gap between discovery and disclosure was 49 days, well beyond the 72 hours GDPR gives you to notify the supervisory authority.  Source: Risk Based Security.


Industrial Refrigerators Can Be Defrosted Remotely – By Hackers

As we have been saying for a while, Industrial Internet of Things (IIoT) security is horrible.  Researchers are reporting that temperature control systems made by Resource Data Management ship with a default password that can be found on the manufacturer’s web site.  If you can find the IP address, you can log in using any browser and wreak havoc on hospitals, restaurants and supermarkets.  The researchers found hundreds of these systems exposed to the Internet using the search engine Shodan.

The manufacturer’s defense is that they clearly tell people to change the default password.  Which, of course, no one does.  Source: Tech Crunch.


Wendy’s Agrees to Pay $50 Million to Settle One More Breach Lawsuit

Wendy’s has agreed to settle a lawsuit with the financial institutions who lost millions as a result of the point-of-sale system breach at hundreds of Wendy’s franchises (interestingly, none of the stores breached were owned by Wendy’s itself).  Wendy’s will pay $27.5 million and their insurance company will pay the rest.  This is part of the process of putting the 2016 breach behind them.  Wendy’s is famous because their CFO once said on tape that they didn’t want to spend the money to upgrade their credit card terminals to chip-based readers because it was cheaper to give away a few free hamburgers.  I wonder if he still feels that way.  Source: Bizjournals.


UK Tells Trump Huawei Cyber-Risk is Manageable

President Trump is working hard to get the rest of the world to support him in banning Huawei technology from the next generation (5G) of cellular networks, on the grounds that the Chinese government could compel Huawei to put back doors in its software and use them to hack our cell networks.

Apparently, the UK’s security chiefs disagree with our prez and said that the potential risk from Huawei is manageable.  This doesn’t mean that they think there is no risk, and they do not make the final decision, but given that the relationship with our allies is complicated at best, the final result is unknown.

I suspect that will not make the President very happy.  Source: The Guardian.


Google to Fix Incognito Mode in Chrome That Leaks Info

Advertisers and web developers really don’t like it when browser makers stop them from doing whatever they want to do.

So they try to find ways around the stops.

In this case, advertisers figured out that even though they could not make cookies persist when the user was in incognito mode, they could detect that the user was using incognito mode to avoid being tracked.  The trick relied on the FileSystem API: Chrome disabled it in incognito mode, so a script that asked for a sandboxed file system and got an error back could conclude the user was incognito.  If the user was doing that, some web sites would block them from using the web site.

Now, in Chrome 74, Google will create a virtual in-memory file system that behaves just like the real one, so that web site developers won’t be able to detect the use of incognito mode.  At least not that way.  Now they will have to find another trick.  Source: 9to5Google.


Not a Great Day for One Law Firm, Its Vendor and Its Clients

I wrote a while back about hackers that had compromised a law firm and its customer, Hiscox insurance, or, said differently, Hiscox and its vendor.  The law firm was handling claims related to 9/11 (almost 20 years later and still litigating!).

A lot of law firms (certainly not all) have not figured out that they are a high-value target for hackers because of all of the customer data that they hold.

The hackers broke into the law firm and stole tens of thousands of claims documents and emails, stuff that Hiscox’s clients probably did not want to be public.

Then the hackers tried to extort Hiscox and the law firm.

Apparently that didn’t work.

The hackers had distributed three encrypted blobs after the extortion became public a couple of months ago.

Now the hackers have released another encryption key.  This time it exposed about 8,000 emails, about 5 gigabytes of data.  That means a lot of attachments; otherwise 8,000 emails would be a lot smaller.

Since the hackers are dribbling out these encryption keys, they may still be trying to extort the law firm and Hiscox, but each one of these data dumps makes things worse for the victims.

Hiscox’s story was “it wasn’t us”, meaning that the hackers didn’t break into the insurance carrier, but, you know what, when it comes to lawsuits, Hiscox’s customers are going to say that they gave the documents to Hiscox; if Hiscox gave them to someone else, that is Hiscox’s problem, not theirs.  And, I think, the courts are likely to agree.

And, Hiscox added, once they learned about the breach, they informed the policyholders.

I’m guessing that the insureds are going to say that Hiscox had a fiduciary responsibility to protect the data that they shared and that responsibility can’t be waived.

Given that this is 18 years after 9/11, those suits still being litigated are probably big-dollar claims.  I hope Hiscox has a lot of insurance because I can’t imagine they are not going to be sued.

Okay, so what is the implication to you?

At all levels here, we are talking about vendor cyber risk management (VCRM): between Hiscox’s clients and Hiscox, and between Hiscox and its vendors.  There will be lawsuits over that.

The second issue is the security at the law firm.  Apparently not so good.  How good is the security at the law firm that you use?  Even if you can sue them after a breach, that doesn’t really solve the problem.

Now there is a big mess.  Who gets to pay for the cleanup?  Look at the agreements that everyone signed.  My guess is that the law firm wrote something into the contract that said they were not responsible, assuming Hiscox accepted such language.

Did the law firm have cyber risk insurance?  If not, can they write a check for $10 or $100 million out of their checking account?  If not, they file for bankruptcy and walk away, leaving the customer holding the bag.

YOU, as the customer, need to make sure that everyone has their ducks in a row.  To quote a sign I saw yesterday:

     I don’t have ducks
     I don’t have a row
     I have squirrels
     And they are drunk


Information for this post came from Motherboard.



When Will Web Developers Learn

Stanford University is considered a fairly good university.  It has some well known grads such as Sergey Brin and Larry Page (Google founders), Herbert Hoover, Peter Thiel (PayPal founder), John Steinbeck and Sandra Day O’Connor.

But apparently when it comes to software, they themselves are not so good.

A little over a year ago they exposed the personal details of thousands of students and non-teaching staff.

Now another bug allowed students to access the data of other students.  This one is neither a hack nor a bug in the usual sense, but rather the crappy software design that we see frequently: what OWASP calls an insecure direct object reference.  Perhaps they should take a class in secure software development practices.

What did they do?

They put parameters on the address line something like


While this is a bit of a simplification, if a user changed the number at the end, they could see other students’ information.
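To make the pattern concrete, here is an added example, not Stanford's or its vendor's code, of a student-record endpoint written the way the post describes, next to a hardened version.  The URL shape (/record?id=1002), the records and the session layout are constructed for illustration.  The vulnerable handler lets the number in the URL pick the record and never looks at who is asking; the hardened one authorizes every access against the server-side session, logs denials, and answers a denied id with the same 404 as a missing one so the id space cannot be mapped by telling 403 from 404.

```python
from urllib.parse import parse_qs, urlparse

# Added example, not Stanford's or its vendor's code: an insecure direct object
# reference next to its fix.  URL shape, records and session layout are constructed.

RECORDS = {  # constructed sample data: student id -> record
    1001: {"name": "A. Student", "gpa": 3.7},
    1002: {"name": "B. Student", "gpa": 2.9},
}

class NotFound(Exception):
    pass

def record_id_from_url(url: str) -> int:
    """Pull the id out of /record?id=1002; anything malformed is a 404."""
    try:
        return int(parse_qs(urlparse(url).query)["id"][0])
    except (KeyError, IndexError, ValueError):
        raise NotFound("missing or malformed id")

def vulnerable_view(url: str, session: dict) -> dict:
    """The bug: the number in the URL is the only thing that selects the record.
    The session is accepted but never consulted, so any logged-in student can
    walk the id space and read everyone else's record."""
    sid = record_id_from_url(url)
    if sid not in RECORDS:
        raise NotFound(sid)
    return RECORDS[sid]

def can_read(session: dict, sid: int) -> bool:
    """Authorization decided server-side: students see only their own record,
    registrar staff see any record."""
    if session.get("role") == "registrar":
        return True
    return session.get("role") == "student" and session.get("user_id") == sid

def hardened_view(url: str, session: dict, audit_log: list) -> dict:
    """Same URL, but every access is checked against the session.  Denials are
    logged (a burst of them from one user is the scan to alert on) and answered
    with the same 404 as a missing record."""
    sid = record_id_from_url(url)
    if sid not in RECORDS or not can_read(session, sid):
        audit_log.append(f"deny user={session.get('user_id')} id={sid}")
        raise NotFound(sid)
    return RECORDS[sid]

def my_record_view(session: dict) -> dict:
    """Safest shape for the common case: no id in the URL at all.  The session,
    which the client cannot edit, picks the record."""
    return RECORDS[session["user_id"]]

def try_read(url: str, session: dict, audit_log: list):
    """Demonstration helper: the record, or None when access is denied."""
    try:
        return hardened_view(url, session, audit_log)
    except NotFound:
        return None

if __name__ == "__main__":
    student = {"user_id": 1001, "role": "student"}
    log = []
    print(vulnerable_view("/record?id=1002", student))   # leaks B's record
    print(try_read("/record?id=1002", student, log))     # None
    print(try_read("/record?id=1001", student, log))     # own record
    print(log)
```

Two things to take from it.  An id in a URL is not itself the flaw; the flaw is trusting it as authorization.  And when the common case is "show me my own record", the cleanest fix is the my_record_view shape, where there is no id for the user to edit in the first place.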

I remember eliminating this programming practice decades ago as not secure.  But not at Stanford.

They say that this is part of vendor-provided software (where is their Vendor Cyber Risk Management Program?), so I hope their contract with the vendor says that the vendor is liable for breaches.  Probably not.  What do your vendor contracts say?

To add insult to injury, the vendor is no longer selling or supporting the software (kind of like those of you still running Windows XP).

Stanford has disabled the software and told students to visit the registrar’s office in person if they need the information.  How 1960s.

Long term, they will replace the software.

Does any of the software that you use pick the record to display from a number in the URL, without checking that the logged-in user is allowed to see that record?

If so, you could be the next Stanford.

Not necessarily a “rep” that you want.

Information for this post came from Security Info Watch.