In Case You Thought GDPR Was Overblown – It's Not

When GDPR first went into effect in May 2018, people talked about horror stories of fines to the tune of 4% of a company’s total global revenue.

Then reality hit and there were no fines or tiny fines.  Or so it seemed.

The problem with regulators is that it always takes them a while.

Legitimately, you do want them to make sure that they are only issuing fines when appropriate.

This week we have two big fines on the horizon.

The UK Information Commissioner’s Office (ICO) has decided to fine Marriott 99 million Pounds Sterling, roughly $125 million, for the Starwood breach.  While that is not the end of the world for a company like Marriott, and it is even possible that they have insurance to cover some or all of it, Marriott is fighting it.  (Source: BBC).

Also in the UK, the ICO decided to fine British Airways 183 million Pounds Sterling, about $225 million, for a website breach that affected about half a million people.  That represents 1.5% of their global revenue for 2017.  Source: BBC.

Some people were hoping that the various data protection authorities were going to be all bark and no fine, but reality is a little different.

We have already seen many smaller fines.  But it is all relative.  A Polish taxi cab company was fined 160,000 Euros for failing to delete data it could not justify retaining.  160,000 Euros for a taxi company might be harder to swallow than 183 million Pounds for BA.

And from the scuttlebutt, what we hear is to expect many more fines during 2019 and 2020 as the authorities ramp up their staff and complete investigations.  As of January of this year, authorities had received about 60,000 complaints (Source:  Helen Dixon, the Irish Data Protection Commissioner, had 29 people on her staff in 2015 – before GDPR.  Ireland is where companies like Facebook have their European HQs due to tax reasons.  Helen has a staff of 133 right now, with 30 openings, and is anticipating adding more staff in 2020.

Companies big and small should not plan on flying under the radar, because even if none of the data protection authorities singles you out, if your users are among those 60,000 complaints you could still wind up being investigated.

Rules Are Changing for Companies Using Software Applications

Let’s be real: the category of people and companies that use software applications is just about everyone, but right now this affects a slightly smaller group, assuming other framework vendors don’t already do this or won’t do it in the future.

The issue at hand is how Microsoft and Oracle are distributing .Net and Java respectively.

Up until now, if you installed the monthly or quarterly Microsoft and Oracle patches for .Net and Java, you were good.

But these companies are changing the rules.

For users of applications based around Microsoft’s .Net, you used to have to install the .Net Framework separately from your application (sometimes applications bundled the two separate installs so that they sort of looked like one, but they were still actually two).  When Microsoft updates the .Net Framework, the monthly Microsoft updates install the Framework update for you.

Now there is something called .Net Core.  That actually becomes a part of the application, and if the developer chooses to go that route, each application developer, whether internal or third party, needs to rebuild and re-release each application every time there is an update, which could, potentially, be every month.  Application developers are unlikely to do all that work for free, so users that do not have a maintenance agreement will likely just be left vulnerable to being hacked.

For Oracle Java, the situation is the same, although they only release patches once a quarter.  That doesn’t mean that bugs aren’t found every month, it just means they don’t fix them as quickly.

With Java 11, Oracle eliminated the Java Runtime Environment, or JRE.  That means that you, as a developer, must get a new Java Development Kit (JDK).  Oracle MAY be moving toward charging for this; it seems to depend.  In any case, you still need to release a new version of the product, and that is not likely to be free.

The bigger problem is that most users do not know whether their software is based on one of these tools or not.

Sooooo, here is what needs to happen.  

You know that vendor cyber risk management program that I always talk about?  We now have a new line of questions for EACH AND EVERY APPLICATION that you use, whether internally developed, open source or commercially licensed.

That question is: does this application, or any part of an application set, use Java or .Net Core?  If the answer is yes, or worse yet “HUH?”, then you need to dig in further.  Much further.  And you are likely to get the deer-in-the-headlights look, at least for a while.  You need to find out for sure, and then you need to understand what the company’s update policy is and what the update frequency is.

If the company says that they are going to release a new version of each of their applications every month, then you need to get that in writing as part of the contract so that once they realize how much that is costing them they can’t change their mind.

If they say they are not going to patch their applications monthly, then you have to ask whether you are willing to live with the risk.
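The first step of that questioning, finding out which installed applications carry their own runtime, can be partly automated.  The script below is an added example (not from the post, and not a Microsoft or Oracle tool): a .NET Core app publishes a `*.runtimeconfig.json` that either names a shared runtime under `framework` (framework-dependent, patched by the runtime installer) or, for a self-contained build, lists what it ships under `includedFrameworks` (3.0+; older self-contained builds simply lack `framework`), and a private JDK/JRE image carries a `release` file with a `JAVA_VERSION` line.  The sample install tree is constructed inline; the `vendor_must_rebuild` flag and the rule that the first path component names the app are this example's own conventions.

```python
import json
import re

# Constructed sample install tree (not from the post) as {relative path: text}:
# one framework-dependent .NET Core app, one self-contained .NET Core app and
# one app shipping its own private JRE.
SAMPLE_FILES = {
    "invoicing/Invoicing.runtimeconfig.json": json.dumps({"runtimeOptions": {
        "framework": {"name": "Microsoft.NETCore.App", "version": "2.1.0"}}}),
    "kiosk/Kiosk.runtimeconfig.json": json.dumps({"runtimeOptions": {
        "includedFrameworks": [{"name": "Microsoft.NETCore.App",
                                "version": "3.0.0"}]}}),
    "reporting/jre/release": 'JAVA_VERSION="11.0.2"\nOS_NAME="Linux"\n',
}

def parse_runtimeconfig(text):
    # Framework-dependent apps name a shared runtime under "framework", which
    # the runtime installer / OS update patches; self-contained apps list what
    # they ship under "includedFrameworks", so only a vendor rebuild updates it.
    opts = json.loads(text).get("runtimeOptions", {})
    shared = opts.get("framework")
    if shared:
        return {"runtime": ".NET Core", "version": shared.get("version"),
                "vendor_must_rebuild": False}
    included = opts.get("includedFrameworks") or []
    return {"runtime": ".NET Core",
            "version": included[0].get("version") if included else None,
            "vendor_must_rebuild": True}

def parse_java_release(text):
    # JDK/JRE images carry a "release" file with a JAVA_VERSION="x.y.z" line.
    match = re.search(r'^JAVA_VERSION="([^"]+)"', text, re.M)
    return {"runtime": "Java", "version": match.group(1) if match else None,
            "vendor_must_rebuild": True}

def inventory(files):
    """files: {relative path: text}; the first path component names the app."""
    found = []
    for rel, text in files.items():
        parts = rel.split("/")
        if rel.endswith(".runtimeconfig.json"):
            rec = parse_runtimeconfig(text)
        elif parts[-1] == "release" and len(parts) > 1 and parts[-2] in ("jre", "jdk"):
            rec = parse_java_release(text)
        else:
            continue          # not a runtime marker this example recognises
        rec["app"] = parts[0]
        found.append(rec)
    return sorted(found, key=lambda r: r["app"])

if __name__ == "__main__":
    for rec in inventory(SAMPLE_FILES):
        print(rec)
```

To run it against a real install directory, walk the tree with `os.walk` and feed the matching files into the same `{relative path: text}` shape.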

Remember, the bad guys already have this figured out.  As soon as the patch comes out they figure out how to exploit it, if possible.  Then they start scanning the internet looking for people and companies that haven’t installed the patch.  They are then attacked.

In case you think that won’t be you, let me point to someone else who said that.  Equifax, the source of one of history’s largest data breaches, didn’t patch one server.  At last count, and this is FAR from over, they have spent $1.3 BILLION dealing with the aftereffects of that decision.

Consider yourself warned.  Source: Help Net Security.

Security News for the Week Ending July 5, 2019

This is What Spies Do

It has come out that western spies (read: one or more of the Five Eyes countries) inserted malware into Yandex (Russia’s equivalent of Google) in order to steal administrative credentials.  The purpose was, apparently, to read emails of interest to the western spies.  We need to understand that we do it to them and they do it to us, but the idea is to make it hard for them and easy for us.  Source: Reuters.

Firms That Claim to be Able to Reverse Ransomware Sometimes Lie

Another so-called “data recovery” firm that claims to be able to recover from ransomware turns out to just pay the ransom and mark the cost up.  The most recent firm to be outed is Red Mosquito Data Recovery, caught when it was the target of a sting.  The researcher played the role of both the victim and the ransomer and discovered what Red Mosquito was doing.  Remember that if you do pay the ransom, you still need to rebuild your systems from the ground up, because you do not know what time bombs or back doors the ransomer left behind.  Source: ProPublica.

Trump Changes His Mind – Huawei Not a National Security Threat?

After tweeting for months that Huawei is a national security threat, that its equipment needs to be banned in the US and abroad, and that existing equipment needs to be removed, the position is now that it is okay if we sell Huawei parts.  This happened the day after he met with Xi at the G20, and it is reported that Xi told him the trade war would continue until the ban was removed.  While the ban is not removed, this is a hole wide enough to drive a tractor trailer through.  Source: The Register.

One Terabyte of Police Bodycam Video Available on the Dark Web

In another example of companies not requiring vendors to have adequate cybersecurity programs in place, researchers found a terabyte (that is 1,000,000,000,000 bytes) of police bodycam video from Miami and other cities available on the dark web.  It is likely this video has been copied and sold.  Miami PD is not talking.  Probably a good time for the police to plead the Fifth.  The problem is linked back to 5 IT vendors who did not protect the data.  Either police departments did not care (worst case) or did not do proper due diligence (best case).  I hope they have a bunch of insurance, because you know that there will be lawsuits.  At some point people will figure out that even though vendor cyber due diligence is hard, getting sued and defending yourself is even harder.  Source: The Register.

If China Can’t Buy Memory Chips From the US, It Will Get into the Memory Biz and Compete Against Us

In the trade wars are hard department, the Chinese just convinced the Godfather of Japan’s DRAM business to come to China and head up a company that plans to build its own memory chips.  This is likely the result of the current trade war.

If successful, the result will be that western memory chip makers will lose all of their sales to China, but more importantly, China might flood the market with cheap memory chips, damaging the worldwide multi-billion dollar memory business.  Source: The Register.

Microsoft to Require CSPs to Use Multi-Factor Auth

In light of the recent leak of details on Cloud Hopper, Microsoft is becoming very visible and requiring their Office 365 resellers to use multi-factor authentication in order to reduce the risk that they represent to the ecosystem.  This is likely a proactive effort on their part, as they have not been publicly named as a Cloud Hopper victim, but they certainly are a target.  Source: Brian Krebs.

Presidential Alerts Spoofable

Okay, no jokes about our current President’s love of twitter.

Researchers at the University of Colorado (CU) have demonstrated how easy it is to spoof the Presidential alerts – assuming you even get them (you may remember they tested the system last year and lots of people, including me, didn’t get the test).

In this case, the CU researchers say that four low-power base stations could reach every person in a football stadium of, say, 50,000.  While it might be hard to get these briefcase-sized devices inside a football stadium, it would be pretty easy to get them into soft targets like office buildings or shopping centers, and depending on the message (e.g. “inbound nukes from China; will detonate here in 10 minutes”) it could cause mass panic.  Source: BBC.

Mozilla (Firefox) Named Internet Villain for Supporting Privacy

Okay, this is going to take a little bit of explaining so bear with me, but it is important.

Everyone knows about the padlock in their browser which says that the traffic to that web site is encrypted using Secure Sockets Layer (SSL) encryption, which has now been upgraded to Transport Layer Security (TLS).  The differences between SSL and TLS are technical and not relevant to this conversation.  This keeps the actual data that you send and receive private (mostly).

But there is one big hole that allows ISPs to track you (and sell your data), and the government to see who is going where, and that is the Domain Name System (DNS).  DNS is the technology that translates the name you type into your browser into the numbers that the Internet actually uses (123.45.670.02).  DNS traffic, up until now, has not been encrypted.

Now both Google (Chrome) and Mozilla (Firefox) are testing DNS over HTTPS, or DoH, and both will be incorporating it into their browsers by default.  Mozilla is a little bit ahead of Google, but not by much.

The UK Internet service providers’ trade group gave Mozilla (but not Google – why?) the title of Internet Villain for protecting people’s privacy.  Why?  Because it makes it tougher for them to spy on users.

It is important to understand that even with DoH, the actual IP address of the web site that you visit will be visible to your ISP, so don’t go too crazy; but if the web server hosts hundreds of websites, as many do, some of the detailed data will be invisible to your ISP and the government, protecting your privacy a little bit and annoying your ISP and the government equally.  (One more caveat: the TLS handshake itself still sends the server name in the clear unless encrypted SNI is in use, so the site name is often visible to the ISP even with DoH.)

Interestingly, the US government, which usually whines loudly about anything that reduces its spying ability, hasn’t said anything.  They still have time.  They probably will want to do something like China has done, which is to install spyware on everyone’s phones so that they can get your data directly.  Not here.  Yet.

The other thing about DoH is that it works at the application level, so even if the operating system doesn’t support DoH, as long as you have a current browser, your browser’s lookups are protected.

The UK’s nanny state is worried that their system for blocking you from visiting sites that you want to visit but they don’t want you to visit won’t work any more.

In fact, in the UK (but not in the US, yet) there is a law that requires ISPs to block sites the government says are bad (what could go wrong with that?).  DoH may make that hard or impossible to do, but my guess is that the government can’t force ISPs to do something that is technically impossible for them to do.  I suppose it could ban Chrome and Firefox, or make them create a crippled version for UK users (remember the crypto wars of the 1990s, when the US government forced software makers to release crippled versions of their software if they made it available internationally?  We are still dealing with the fallout from that, 25 years later).

At least GCHQ (the UK’s version of the NSA) is being honest about it.  They say it will impede their ability to spy on people.

Stay tuned, this war is not over yet.  No government likes it when their ability to spy on their citizens is reduced.

Source: ZDNet.

States Implement New Security and Privacy Laws

In the absence of the federal government doing anything useful when it comes to cybersecurity or privacy laws, the states are left to their own devices to implement a patchwork of laws.  Here is what they are doing right now.  The impact rating is my own.

Illinois SB 1624 – This bill requires businesses that have breaches affecting more than 500 Illinois residents to notify the AG and the AG is now permitted to publish information about breaches. IMPACT-Low.

Maine LD 946 – This bill stops Maine ISPs from selling customers’ data, or from pressuring customers into allowing them to sell that data by giving them either financial penalties or incentives.  IMPACT-Low.

Maryland HB 1154 – This law expands the scope of businesses covered by the law, stops a business from charging the data owner for information needed for notifying people of the breach and prohibits businesses from using the information obtained to notify people about the breach for any other non-breach-related purpose.  IMPACT-Low.

Massachusetts HB 4806 – REQUIRES a company to provide breach victims with 18 months of credit monitoring if the breached data includes Social Security numbers.  Breach notifications must be provided on a rolling basis to avoid delay, and if the data is owned by a third party, the notice has to identify that party (which means you have to track who owns what data).  In addition, businesses must notify state regulators if they have a written information security program.  Since that is already required by the current law, not having one would likely subject you to more legal action.  IMPACT-Moderate.

New Jersey S.52 – This law expands the definition of personal information to include email addresses, security questions and other items, adds new requirements to the breach notification letter, and prohibits notification via email if the email information was compromised, adding expense.  IMPACT-Moderate.

New York SB 5575B – Adds new categories of data to protect, including biometrics, account, credit and debit card info without a security code, and other information.  It exempts businesses from notifying people in cases where an unauthorized person inadvertently discloses the information AND the business finds the breach does not pose ANY financial or emotional harm (how do you decide that?), or the business has already sent out notifications under other laws.  The definition of a breach is expanded to include just accessing the data.  Businesses are also required to take reasonable safeguards to protect data, and reasonable is defined to include designating and training employees to implement and oversee the security program, regularly testing the effectiveness of the program, and promptly deleting any data that is no longer used.  The AG will now have three years to bring an action against an attacker.  IMPACT-High.

Oregon SB 684 – This law expands the definition of covered data and the notification requirements.  Effective 1/1/20, vendors will have TEN DAYS to notify a covered entity of a breach.  They also have to notify the AG if the breach affects more than 250 people.  IMPACT-High.

Texas HB 4390 – This law requires that consumers be notified without delay and within 60 days, and that the AG be notified if the breach affects more than 250 people.

More importantly, it creates a commission to report to the governor after studying laws in the state, in other states and in foreign countries – including recommendations for additional laws. IMPACT-Low, not counting whatever the commission recommends next year.

Washington HB 1071 – Expands the definition of personal information and sets new notification requirements.

Effective 3/1/20, the definition of personal information is expanded to include birthdates, private signing keys, biometric information and other information.  Businesses cannot send breach notification by email if part of the breach included email access information.  If the breach affects more than 500 people, the company must notify the AG with specific information.  The law also reduces the notification window to 30 days.  IMPACT-Moderate.

As you can see, the requirements vary from state to state, and the definitions differ from state to state.  Notification windows are shrinking, which is a problem for businesses, and the whole process is complicated and expensive.  Businesses need to make sure that they have an attorney available who is knowledgeable in this particular area of the law.

This means that businesses really need to take this seriously.  If you can avoid a breach, you can avoid a lot of pain.  Source: Data Protection Report.

New Malware Intentionally “Bricks” Poorly Protected IoT Devices

The Internet of Things (IoT) and its industrial version (IIoT) are kind of like the wild west at the moment.

People and businesses are deploying IoT and IIoT devices at an incredible rate.  Estimates are that there will be tens of billions of them deployed over the next few years.

But that doesn’t help the security problem.

So a couple of European teenagers decided to help get the message out.  Maybe not in the best way.

One, using the two aliases ‘Light The Leafon’ and ‘Light The Sylveon’, and two other members, ‘Alx’ and ‘Skiddy’, developed malware that looks for IoT devices that still have their default passwords.

The malware is based on the incredibly effective Mirai malware that infected millions of devices a few years ago, but this malware works differently.  This is about as simple as malware gets.

If it can get into the device, it runs scripts that delete the device’s configuration files and wipe its flash memory, then run more commands.  Finally, it reboots the device, effectively turning it into a very expensive brick.

They said they did this so that other hackers could not take over the device and turn it into a botnet.

Theoretically, the devices could be restored if you had the ability to reflash their memory, but for many devices that is not technically possible in the field, and even if it is, MAYBE 1 in 10,000 users MIGHT have the skills to do that.

The hackers, after proving their point, turned off the malware’s control server, but any device that had already been infected was still dead or dying.

The good news is that this is relatively simple to deal with.  Not all IoT/IIoT malware is, but this one is.

Take basic security precautions.  Change passwords.  Install patches.  Put IoT and IIoT devices behind firewalls.  Train your users.

This particular malware did limited damage – unless your device was one that was destroyed – but the next one – maybe not so much, so prepare now or you could be the next victim.

Source: Bleeping Computer.