All posts by mitch tanenbaum

Will New York Follow In California’s Footsteps?

The New York Privacy Act was introduced last month.  Like California’s CCPA, it gives consumers more power over their data, but in addition to that, it would require companies to put their customers’ privacy before their own interests.  I am sure that there will be a huge lobbying effort by special interests.

While the sponsor is still looking for cosponsors in the lower house, he thinks he already has enough votes to pass it in the Senate.

The Committee on Consumer Protection is scheduled to hold a hearing this week.

Like California’s law, this bill would allow people to find out what data companies are collecting, who they are sharing it with, get it deleted, make companies correct incorrect data and stop companies from sharing the data with third parties.

One difference from the California law is that this bill allows consumers to sue companies over privacy violations.  One compromise that was made when the California bill was passed was to change that to only allow a private right of action in cases where there was a breach.  Here, a private right of action would exist for any violation.

Another big difference is that while the California law only applies to companies with revenues over $25 million (or a couple of other situations), this bill would apply, like Colorado’s law does, to any company of any size.

Obviously, the big companies (Facebook, Google and others) and their lobbyists (the Internet Association) are more than just freaking out.  They are saying that keeping customers’ data private is “unworkable for businesses”, which really means that it messes with their business model, and that it fails to give residents meaningful control over their data, which makes no sense at all.  Are they suggesting that their current business model already gives people meaningful control over their data?  That certainly doesn’t seem to be the case.

While I certainly agree that a law like this messes with the business models of some companies that have built a business around selling your data, if those businesses have something that people find valuable, most people will recognize that this is a reasonable trade.

What is required is transparency and that is something that folks like Google and Facebook fight, because they know that for many people, it is not worth the trade.

This is far from law, but definitely a bill to watch.

The name of the bill is NY S 5642.

While this bill may not pass in its current form, it seems like the handwriting is on the wall and smart businesses will start to understand privacy concerns and rework their business models to take that into consideration.

Information for this post came from Wired (registration required).


The Cloud is NOT Disasterproof – Are You?

Over the weekend, Google suffered an outage that lasted about 4 hours. (See Google Appstatus Dashboard)

The good news is that the outage happened on a Sunday afternoon, which reduced its impact.  Next time it could happen on a Monday morning instead.

The outage took down virtually every Google service at some point during the outage.

But worse than that, it took down all of those companies that depended on one Google service or another.  Examples include Snapchat, Shopify and Discord, and even a number of Apple services went down, because Apple is not in the data center business.  iCloud Mail, iCloud Drive and iMessage were all affected.

This is not to beat up on Google.  Both Amazon and Microsoft have had similar meltdowns, and so have much smaller providers.

And they will again.  Human beings design computers, build computers and operate them.  And, after all, humans are, well, just human.

One more time, this is a lesson for users of cloud services.  

Maybe you can deal with a 4 hour outage on a Sunday.

But can you deal with an 8 hour or 24 hour outage on a Wednesday (like Microsoft had recently)?

What is the cost in lost productivity when users can’t get to their email or their office documents?

What is the impact to your customers if they can’t get to your service?  Will they move to a competitor?  And stay there?

I am not proposing any solution.  What I am proposing is that you consider what the impact of an outage like this would be.  Impact on both YOU and on your CUSTOMER.

Then you need to consider what the business risk is of an inevitable outage and what your business continuity plan is.  Will your BC plan sufficiently mitigate the risk to a level that is acceptable to your company?

Finally, you need to look at your Vendor Cyber Risk Management program.  

Apple’s systems went down on Sunday NOT due to anything Apple did, but rather something their vendor (Google) did.

At this point Google has not said what happened, but they said they will provide an after action report soon.  But, remember, this is not, ultimately, a Google problem, but rather a problem with cloud consolidation.  When there are only a handful of cloud providers hosting everything (3 tier one providers — Google, Microsoft and Amazon) and a slightly larger handful of tier two providers, if one of them burps, a lot of companies get indigestion.

Source: Vice 


Security News for the Week Ending May 31, 2019

Baltimore Ransomware Attack Could Be Blamed on the NSA

I think this is what they call a tease.

Technically correct, however.

You may remember the NSA hacking tool that got out into the wild called EternalBlue?  It was leaked by the hacking group ShadowBrokers in 2017.  Before that, it exploited a Microsoft bug that the NSA decided was too juicy to tell Microsoft to fix – for five years.  Then it got out.  Now North Korea, China, Russia and others are using it.

So whose fault is it?  Should the government tell vendors to fix bugs, or should they risk not telling them and having a Baltimore, or WannaCry, which destroyed the British healthcare system, or NotPetya, or many others?

Certainly you could blame ShadowBrokers, but as we have seen with other malware, as soon as you use it, you run the risk of it being detected and used against you.

In this case, I blame Baltimore, because Microsoft patched the flaw in March 2017 and apparently the patch was not deployed in Baltimore.

Three weeks and counting, Baltimore is still trying to undo the damage.  For lack of a patch.  To be fair, it might have happened anyway.  But it would not have spread like wildfire.  Source: NY Times.

First. Time. Ever! – Moody’s Downgrades Equifax Due to Breach

Turnabout *IS* fair.

For the first time ever, Equifax is discovering what they do to others all the time when they downgrade consumers’ credit scores.

In this case, it is Moody’s that is downgrading Equifax’s score.

Moody’s downgraded Equifax from STABLE to NEGATIVE.

Likely because they just announced that they have spent $1.35 Billion fixing the breach damage and none of the lawsuits are settled yet.  This is likely to be the costliest breach ever.  Source: CNBC.


Cisco Warns Thrangrycat Fix May Destroy Your Hardware

More information has come out about the Cisco Trust Anchor vulnerability called Thrangrycat.  The trust anchor is the root of all security in Cisco devices and if it gets compromised, then there is no security in the device at all.

The good news is that the hackers who found it said it was hard to find, BUT, now that the hackers know what to look for, expect an attack kit to show up for a few bucks on the dark web.

The problem is that Cisco has to reprogram a piece of hardware inside all of those switches, routers and firewalls.  THAT MUST BE DONE ONSITE.  Worse yet, there is a possibility that the reprogramming could turn your firewall into a really expensive brick.

Cisco says that if your device is under warranty or if you have a maintenance contract and they brick your device, they will mail you a new one.  The device will be down until you get the new one.

I am sure they will try hard not to brick things, but reprogramming FPGAs on the fly – it’s not simple and things could go wrong.

IF, however, you do not have a warranty or maintenance contract and the device gets bricked, you are on your own.

For those people, now might be the time to replace that Cisco gear with someone else’s.  That won’t be perfect either, however.  Source: Techtarget.


New Zealand Cryptocurrency Firm Hacked To Death

As I keep pointing out, “investing” in cryptocurrency is much like gambling with no insurance and no hedge.

In this case Cryptopia, a New Zealand-based cryptocurrency exchange, is filing for bankruptcy and still has millions in digital assets that belong to its customers.

But maybe not for long because their IT provider says that they owe millions and is threatening to take down the servers that contain the digital assets.  In the meantime, customers wait.  Source: Bloomberg.


Flipboard Says Hackers Were Roaming Inside For NINE Months Before Being Detected

Flipboard admitted that hackers were inside their systems for nine months, between June 2018 and March 2019, and then again in April 2019, when they were detected.

Flipboard says that user passwords, which were salted and strongly hashed, were taken.  What they didn’t say, because they are not forced to by law, was what else was taken.  According to the security firm Crowdstrike, the best hackers move laterally from the system through which they entered in 18 minutes.  The average hackers take 10 hours.  Where did they move in nine months?

If they want me to believe that nothing else was taken, they must think I am a fool.  I am not.  But the law doesn’t require them to tell you what else was taken.

Since they are not publicly traded, they don’t have to tell the SEC what else was taken.  In fact, they only have to tell the SEC if it materially affects the company – a term which is conveniently not defined.  Source: ZDNet.

Turnabout – Part Two

While President Trump shouts about Huawei spying for the Chinese, the Chinese are removing all Windows systems from their military environment due to fear of hacking by the US.   While this won’t have any significant financial impact on Microsoft, it is kind of a poke in their eye.

For some strange reason, they are not going to use Linux, but rather develop their own OS.  One reason might be that an unknown proprietary OS that only the Chinese military has the source code for would be harder for the US to hack than any other OS.  Source: ZDNet.


Self Inflicted Cyber Breaches Still Huge Problem Along with Third Party Risk

And it continues to be a major issue for some reason.

This week researchers found 85 gigabytes of security log data (talk about a nightmare for a business to expose that) in an Elasticsearch database.

The server was discovered on May 27th and the data goes back to April 19th, so that might be the exposure window.

The server has been connected to the Pyramid Hotel Group.  Their web site says they provide superior operations, owner relations and support services to hotels and their investors.  IT DOESN’T SAY ANYTHING ABOUT PROVIDING SECURE SERVICES TO THEM.

The data was locked down after Pyramid was informed but they have not publicly admitted to the breach.

IN THE U.S., THERE MAY BE NO LEGAL REQUIREMENT TO DISCLOSE BREACHES OF THIS TYPE BECAUSE THEY MAY NOT CONTAIN ANY NON-PUBLIC PERSONAL INFORMATION.

It is unknown what the contracts between these hotel owners and Pyramid say, but for our clients who engage us to review outsourcing contracts, Pyramid would have a huge liability in this case – probably in the tens of millions or more due to the amount of emergency work that will be required to mitigate the damage – see below.

Pyramid manages hotels for franchises of Marriott, Sheraton, Aloft and many independents.

What’s in the data?

  • Information on hotel room locks and room safes.
  • Physical security management equipment.
  • Server access API keys
  • Passwords
  • Device names
  • Firewall and open port data
  • Malware alerts
  • Login attempt information
  • Application errors
  • Hotel employee names and usernames
  • Local PC names and OS details
  • Server names and OS details
  • Security policy details
  • and a bunch of other information.

In other words, a veritable road map for the bad peeps.

Businesses need to create processes to manage new cloud instances and ensure they are secure as well as audit existing cloud instances.

Likely in this case, this instance was created by an employee to do a particular task and probably never even considered security.

Servers will now need to be rekeyed and automation edited to accommodate that and companies will need to figure out the security implications and mitigations of the rest of the data that was exposed.

And of course, since this is an outsource vendor, these companies’ vendor cyber risk management programs are, apparently, defective.

Information for this post came from ZDNet.


$67 Million Jury Verdict for Violating People’s Privacy

This is not directly a security issue.  Or a privacy issue. Because the County did not get hacked.

BUT it still is important to businesses.  And governments.

Juries are no longer sitting back and allowing organizations to ignore basic privacy law without consequences.

In this case it is Bucks County, Pennsylvania (population about 650,000), and this is going to cost them some bucks.

The federal jury awarded $1,000 for each of the 67,000 people who were booked into jail in the county since 1938.

The Bucks County budget is about $400 million, so this verdict, if it stands, represents about 16% of the total county budget for a year.

These people, whether they were convicted of a crime or not, were added to a publicly available web site called the Inmate Lookup Tool.

The suit started in 2013 – six years ago – when Daryoush Taha was arrested and charged with harassment, disorderly conduct and resisting arrest.  He was released the next day.  He completed a one year probationary program for first time offenders and the judge ordered that his arrest record be expunged.

For whatever reason, the folks that ran the Inmate Lookup Tool didn’t get the message and his name, photo, personal details and charges were available online.  Apparently, posting that information online is against the law in Pennsylvania.

The federal judge granted class action status and the plaintiff’s attorney said, in closing arguments, that residents have the right to expect that local governments follow the law.

The county said that they did not know that posting all of this personal information on people who were arrested was illegal.

Basically, their defense was “we’re dumb.  We didn’t know the law.”

I wonder how that defense would work for someone they arrested?

Likely the County does not have insurance for this and, for the most part, you cannot get insurance to cover the penalty for being convicted of a crime.

This is only one of a number of cases we have seen lately where juries have said (to steal a line from a movie) “I’m as mad as hell and I am not going to put up with it any more”.

For businesses, this means that a defense of ignorance, or “gee, I’m sorry”, is not a surefire defense anymore.  We just saw Equifax’s Moody’s rating downgraded to NEGATIVE as a result of their breach, as an example.

Information for this post came from the Philly Inquirer.

I don’t have a crystal ball, but I don’t see this getting better for companies that violate privacy or security laws in the future.


Germany (And Others) Talks About Banning End to End Encryption

Der Spiegel is reporting that the German Ministry for Internal Affairs is planning to require all Internet message service providers be able to provide unencrypted copies of messages if requested.

This is, of course, not new.  The Crypto Wars started in the 1990s with Phil Zimmerman and PGP and continue to this day.  A few years ago the FBI got into a fight with Apple after the San Bernardino shootings and lost.

But politicians are not stopping.

Maybe what is going on in Germany is an edge case, but we should not assume that.

If end to end encryption is banned (meaning that Whatsapp, iMessage, Signal and a host of other products would be illegal), how would that be enforced?

Would ISPs be required to have access to your computers and phones to detect and remove such products?

Would countries have to implement tech like China’s great firewall (which Russia and other countries are already working on doing)?

Let’s assume such a law passes and messaging providers comply.  That means that they would have to have the crypto keys needed to decrypt any message.  Or the government would.

Given that hackers seem to be winning the war, do you really think that Russia or China would not compromise some Apple or Google employee?  Threaten to kill their entire family?  Or worse?

Of course, people could install software that was written in countries that didn’t have such a law.

Possibly, the law could say that if you are found in possession of such software they will throw you in jail.

And how do you deal with steganography – the art of hiding information in photos and other images?

I promise this will not end any time soon.

Unfortunately, we need to educate politicians worldwide about the risks and difficulties of what they are asking for and that won’t be easy because people want to feel safe and that is what politicians think they are offering them.  In fact, what they are really doing is increasing risk.  Risk to people’s privacy.  Risk to people’s healthcare.  Risk to people’s finances.  Risk to people’s lifestyle.

Just remember that proverb – may you live in interesting times.  It is definitely interesting.

Some information for this post came from Boing Boing and Bruce Schneier.
