Category Archives: Compliance

Vaccine Passports

Talk about a political football, oh my.

Florida has passed a law outlawing them. Not sure that Florida is a bastion of privacy – just wants to stick it to certain folks.

But, if some other state or other company requires it, the law is meaningless. Let's say, just making something up, that New York requires a vaccine passport to enter. Joe gets on a plane in Florida and when he arrives in New York, they say “Passport please”. Joe doesn’t have one and complains that Florida law makes that illegal. Joe now gets to get back on the plane and return to Florida. Foreign countries are unlikely to be moved by such a law in Florida.

But some lawyers are saying that even in Florida, such a law may be unenforceable – kind of an illegal law. I guess we have to wait for the courts to decide that one.

But one company has decided to capitalize on this.

CLEAR, the company that runs the fast lane at airports for folks that pay hundreds of dollars a year to go to the front of the line, has created a vaccine passport app. I don’t *think* there is a cost to the user for this one. That probably would not be popular. Businesses, on the other hand, are likely fair game.

Currently 60 stadiums and venues are deploying the CLEAR app, including the New York Mets and the San Francisco Giants. You can use paper proof, but the motivation is that CLEAR is faster.

It seems likely that CLEAR will store your data, probably including every time you use the app.

Privacy advocates are rightfully concerned about this.

United Airlines is already using the app in their LA to Hawaii flights since Hawaii has requirements for vaccines and/or negative tests.

Excelsior pass is New York’s version of CLEAR. Built by IBM and only for New York residents, it is another competitor in what is going to be a crowded field.

Several European countries have built apps for access to transportation, gyms and even restaurants.

To use the CLEAR app, you take a picture of your drivers license and upload it with a selfie. They then connect to hundreds of labs to look for results. Not sure what happens if your name is not in one of those databases.

I am sure that these apps are unhackable. That is certainly a valid concern, depending on how much data they keep.

This battle is far from over. It is not clear how it is going to turn out. On the other hand, you might be right, but still get your butt shoved back in an airplane seat to go home — at your cost — instead of starting your vacation, so you do have to consider whether that is a battle that you are willing to fight.

Also remember that getting in the face of airline personnel, border agents and police can get you thrown into jail, particularly in some foreign countries, but even in the U.S. This week an airline passenger on a Miami to New York flight had to be zip-tied by an off-duty cop after she assaulted a flight crew member. The passenger said that the cops weren’t going to do anything, just before they zip-tied her into her seat. She was arrested when the plane landed in New York and is being charged with several felonies. Credit: Yahoo

Credit: Cybernews and MSNBC

Government is No Better at Managing Supply Chain Risk Than we Are

The GAO, formerly known as the General Accounting Office, works for Congress and does studies of how horribly inefficient the government is. In theory, that is so Congress can create new laws to make them do what any sensible organization would do without the laws. Here is one example.

The GAO reviewed the security practices of 23 government agencies with regard to information and communications technology products (what you and I call networks and computers). They identified 7 practices for managing these risks and then graded the agencies on how they were doing. What they found was:

  • Few implemented the practices
  • None had FULLY implemented the practices
  • 14 had implemented NONE of the practices

Feel better? The only downside is the government gets hacked too – as we have seen very publicly lately.

Here are some of the highlights from the report.

Here is where these agencies get their stuff from. This is not where the sales office is, but rather where the stuff is made.

Figure 1: Examples of Locations of Manufacturers or Suppliers of Information and Communications Technology Products and Services

The practice implemented by the most agencies was implemented by only 6 of the 23. OUCH!

So then they tallied up the results. Here is what they found:


Notice all the white? That is the part where the agencies are not implementing any part of the practice to reduce their risk. The vast majority of the agencies are asleep at the switch.

The most common excuse given was “no one told me how to do this” or something close to that. So, a billion dollar agency, apparently, needs to be treated like a toddler and told how to do its job. Let's ignore for the moment that NIST issued guidance in 2015 and the OMB told all agencies to implement supply chain risk management (SCRM) in 2016. But no one held their hand. Or, until now, swatted their behind.

Most agencies, when called on the carpet by the GAO said, oh, my bad, I will fix that (yeah, maybe). A few said bug off. Those are the ones who should not be allowed to use computers or networks.

Here are the 7 areas that the GAO asked about. See how many of these you are doing company wide.

  1. establishing executive oversight of ICT activities, including designating responsibility for leading agency-wide SCRM activities;
  2. developing an agency-wide ICT SCRM strategy for providing the organizational context in which risk-based decisions will be made;
  3. establishing an approach to identify and document agency ICT supply chain(s);
  4. establishing a process to conduct agency-wide assessments of ICT supply chain risks that identify, aggregate, and prioritize ICT supply chain risks that are present across the organization;
  5. establishing a process to conduct a SCRM review of a potential supplier that may include reviews of the processes used by suppliers to design, develop, test, implement, verify, deliver, and support ICT products and services;
  6. developing organizational ICT SCRM requirements for suppliers to ensure that suppliers are adequately addressing risks associated with ICT products and services; and
  7. developing organizational procedures to detect counterfeit and compromised ICT products prior to their deployment.

Credit: the Government Accountability Office

Security News for the Week Ending April 23, 2021

USTRANSCOM Starts CMMC Lite Now

The DoD’s transportation command, the folks who are in charge of getting all the stuff that the military needs from where it is to where it needs to be, has announced that they are implementing a light version of CMMC NOW instead of waiting for the five years that it is going to take DoD to fully roll CMMC out. The plan for TRANSCOM is to be able to confirm or deny cyber compliance, they say. This is even though the DoD delayed its report to Congress on vendors’ compliance with CMMC. It was due in March but now won’t be ready until June. TRANSCOM’s plans come at the same time that some are complaining that security is too hard and too expensive – even though they have been certifying for three years that they were fully compliant with the standard. Now that someone is actually saying “prove it”, they are saying it is hard. The move to actually protect our nation’s service members and information from our adversaries will not be easy, as we learned when the SolarWinds attack was revealed, but that doesn’t mean that we should not do it. Credit: Federal Computer Week

FCC Allocation of New Bandwidth for WiFi – A Duel to the End

Last year, as WiFi usage skyrocketed, the FCC allocated 1200 MHz of bandwidth in the 6 GHz range for unlicensed WiFi. But the problem is that someone’s ox will always get gored since there is no “unallocated” bandwidth. While this is great news for WiFi 6, the new WiFi standard (and WiFi 6E in particular), the people who currently use that bit of spectrum (like some carriers and first responders), are not thrilled. Last October, the DC Circuit Court of Appeals denied a request for an emergency stay, even though the court said that they would hear the arguments later. Last month the arguments started in court, saying that this FCC order would interfere with them. Now oral arguments begin. No one knows how this will end, but the fight is just starting. If, however, the courts refuse to issue a stay, it is going to be a moot point.

After Google gets you Hooked, they Are Changing the Rules

For Google Photos, effective June 1, 2021, and for Google Drive, effective February 1, 2022, all that free unlimited storage is gone. NEW files uploaded to your account after the effective dates will count toward your storage quota, whatever that quota is. To ease the sticker shock, existing files will be grandfathered in. You can see what your storage usage is, here.

Google and Microsoft are Fighting – Can You Imagine That?

Google is trying to figure out how to track people to sell advertising as state privacy laws make that more difficult. Their newest invention is something named Federated Learning of Cohorts. It has been widely criticized by privacy folks. In short, it puts users in anonymous (supposedly) buckets by behavior and tries to show you ads based on what FLoC you are in. It is turned on in Chrome 90 and I don’t see a way to turn it off. Microsoft did not include it in their new build of Edge. Take that Google! Credit: Bleeping Computer

EU Creates AI Rulebook

The European Commission released a draft version of a new regulation on the use of AI – the first time a regulator has proposed to do this. The EU says this rule is to create transparency in the use of AI and ban “systems considered a clear threat to the safety, livelihoods and rights of people”. Whatever that means. It also is proposing stricter rules on the use of biometrics such as facial recognition. Here is the draft rule.

Security News for the Week Ending February 26, 2021

DoD Working on CMMC-Fedramp ‘Reciprocity’ by Year End

CMMC, the DoD’s new cybersecurity standard, is designed to measure the security practices of companies and the servers in their computer rooms and data centers. But what about the stuff in the cloud? That is covered by another government standard called FedRAMP. But those two standards have different rules, and contractors who have both need to figure out how to comply with two competing standards. DoD is working on this and plans to have a solution by September. One challenge is that FedRAMP allows for a ‘To-Do’ list – stuff we will fix when we get to it – and CMMC does not. Harmonizing these two standards is critical for defense contractors. Credit: Defense Systems

The Risk of NSA’s Offensive Security Strategy

The NSA has, for decades, favored offensive security (hacking others) over defensive security (protecting us). The Obama administration created a process called the vulnerabilities equities process to try and rationalize keeping bugs secret to use against others vs. telling vendors so that they could fix them. Check Point research published a report talking about one failure where the Chinese figured out the bug we were using, one way or another, and used it against us. That is the danger of offensive security. Read the details here. Credit: The Register

HINT: When Your Vendor Tells You it is Time to Upgrade – Listen

Airplane maker Bombardier is the latest entry into the club of companies who were compromised with Accellion’s decades old FTA file transfer system. What was likely stolen was intellectual property. Accellion has been trying to get customers off this decades old platform for 5 years. Now they say they are going to formally end-of-life the old software in April. 300 customers did not listen. At least 100 were compromised. Credit: ZDNet

Microsoft Asks Congress to Force Companies to Disclose Breaches

Microsoft’s president Brad Smith testified at a Senate Intelligence Committee hearing this week about the SolarWinds breach. Smith said that the private sector should be legally obligated to disclose any major hacks. None of the other CEOs who testified argued with Smith. The details of who, how, when, etc. are not easy to figure out, nor is the penalty for breaking the law. I suspect that the overwhelming majority of breaches are never reported to anyone because there is no incentive to do so. Credit: The Register

DHS-CISA Reveals Authentication Bypass of Rockwell Factory Controllers

Rockwell industrial automation controllers used in places like factory floors can be compromised by a remote hacker if they can install some malware on the network. The bug has a severity score of 10 out of 10. The compromise would allow hackers to upload firmware of their choosing and download data from the controller. The bug was initially disclosed to Rockwell in 2019. Credit: Security Week

Security News for the Week Ending January 15, 2021

US Bulk Energy Providers Must Report Attempted Breaches

The SolarWinds attack, from what little we know about it, was bad enough, but what if it was Russia’s trial run for taking down the power grid like they did in Ukraine, or taking out the water supply or gas supply? NERC, the electric utility regulator, released CIP-008-6, which requires relevant bulk power providers to report attempted hacks in addition to successful ones.

All cybersecurity incidents, whether actual compromises or attempts to compromise, have to be reported to the DHS Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), now known as the National Cybersecurity and Communications Integration Center (NCCIC), as well as the Electricity Information Sharing and Analysis Center (E-ISAC). Unfortunately, the feds have not clearly defined what an attempt is. Credit: CSO Online

Researchers Say Bitcoin Hacks in 2020 Netted $3.78 Billion

In fairness, that is at today’s Bitcoin value, but let's say it is only $2 billion. Does that make you feel better? The most lucrative target was individual Bitcoin wallets, but hackers went after exchanges and apps too. Credit: ZDNet

FAA Changes Rules on Mask Wearing on Airplanes

Up until today, if passengers would not follow flight crew’s instructions to wear masks and were unruly, or threatened or intimidated flight crews, the FAA tried to counsel them or hit them with civil fines. Now they have changed the rules and anyone who does that will be charged with interfering with a flight crew, which carries a penalty of up to 20 years in prison and a $35,000 fine. Or both. Ouch. Credit: Vice

Apple Changes Rules That Exempted Themselves from Security Rules

In MacOS 11 Apple created a rule that exempted 53 of its own apps from having to go through the Mac’s firewall. After all, Apple does know best. Apple claimed the exemption was temporary. Why? Because Apple made some changes in MacOS and they didn’t have time to iron out all the bugs in their apps before they shipped the software. That’s comforting. Once 11.2 ships, Apple’s apps will no longer be exempted. Oh, by the way, they forgot to tell their users that they were exempting their buggy apps from the firewall. Because? Don’t know. Probably would not be good PR. Credit: ZDNet

Signal Messaging App Creaking Under The Load

Years ago Facebook bought the privacy oriented messaging app WhatsApp which has become very popular. Last month Facebook created new terms which require users to allow Facebook to mine your WhatsApp data which is sort of unpopular with people who signed up for a privacy oriented app. Under the covers, WhatsApp is really just Signal, Moxie Marlinspike’s privacy oriented messaging app with some lipstick on it. As a result of Facebook’s not understanding that users would be displeased with the change to their terms of service, apparently tens of millions of people are moving from WhatsApp to Signal. Combine that with the shutdown of Parler, and Signal, which is a non-profit, is having trouble managing the load. Last week Elon Musk told his 40+ million followers to use Signal. It is likely that they will get things sorted out but any time a company gets 25-50 million new customers all at once, while it is a good problem, it is a problem. Stay tuned. Credit: The Register

Chain of Evidence

This seems to keep coming up, so maybe spending a little time on the subject might be helpful.

The security or privacy team creates a form for users to acknowledge something or approve something and then hands it off. Marketing gets in the middle of it to make it look pretty. Developers then take a few shortcuts to get it done on time.

Problem solved. Or is it?

Eventbrite was involved in a dispute with a customer. They wanted to invoke the arbitration clause in their terms of service. Okay. So far, so good.

But they run three versions of their application: a desktop website, a mobile website and a mobile app. They all had a terms of service acknowledgement, so are we still good?

Here is where they got into trouble.

Three platforms, three different acknowledgement forms.

Three different color schemes.

Three different button locations.

Then when they went to court they close-cropped the screenshot, hoping the judge wouldn’t figure out there was a whole bunch of distracting stuff next to the terms of service link.

Did marketing intentionally reduce the contrast of the link so people would not actually read what they were agreeing to?

Then there is the issue of the fact that there were, over the years, multiple versions of that screen.

So here is a question for you to ponder.

COULD YOU TELL A COURT WHAT VERSION OF THE RELEVANT SCREEN WAS IN PRODUCTION AT THE TIME THE USER AGREED TO THE TERMS?

I didn’t think so.

Then there is the issue of which platform the user agreed to the terms on.

COULD YOU TELL A COURT WHICH PLATFORM A USER AGREED TO YOUR TERMS ON?

Then there is the issue of time.

In this case the user signed up 5 years ago.

So what you need to do is know what version of the software was running on whichever platform the user was on at the moment the user actually acknowledged whatever it is you are concerned about, and keep track of that for, say, 5 years or 10 years or more. You need to be able to produce a visual image of what the screen actually looked like, including colors and positions. For each platform.

Are you good?

Oh, yeah, one more thing. Are your log files forensically sound? Could you swear under oath that the data that you had could not have been manipulated or even accidentally changed by a DBA or admin? Do you even keep logs for long enough? Do you collect all of the right data? You get the idea.
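One way to keep the kind of record the last few paragraphs ask for, as an added example that is not from the original post and not Eventbrite's code: an append-only, hash-chained ledger of acknowledgements that stores the platform, the build of the screen that was live, the terms version, the time, and a digest of the screenshot kept in evidence storage, and that can detect later edits. All names, fields and sample data are constructed.

```python
import hashlib
import json
from datetime import datetime, timezone

# Added example, not from the original post: an append-only, hash-chained ledger
# of terms-of-service acknowledgements. Each row pins down which platform and
# which build of the screen the user saw, plus a digest of the rendered
# screenshot kept in evidence storage; the chain makes silent edits detectable.

GENESIS = "0" * 64

def _digest(obj) -> str:
    # Canonical JSON so identical records always hash identically.
    data = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()

class ConsentLedger:
    def __init__(self):
        self.records = []

    def record(self, user_id, platform, screen_version, terms_version,
               screenshot_bytes, agreed_at=None):
        entry = {
            "user_id": user_id,
            "platform": platform,              # e.g. "desktop-web", "ios-app"
            "screen_version": screen_version,  # build id of the form that was live
            "terms_version": terms_version,
            # Digest of the pixel-exact screenshot stored beside the logs, so the
            # image produced in court can be matched to this exact record.
            "screenshot_sha256": hashlib.sha256(screenshot_bytes).hexdigest(),
            "agreed_at": agreed_at or datetime.now(timezone.utc).isoformat(),
            "prev": self.records[-1]["hash"] if self.records else GENESIS,
        }
        entry["hash"] = _digest(entry)  # computed before "hash" exists in entry
        self.records.append(entry)
        return entry["hash"]

    def verify(self) -> bool:
        # Recompute every link; an altered field or a reordered row breaks it.
        prev = GENESIS
        for e in self.records:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def evidence_for(self, user_id, terms_version):
        # What counsel needs: platform, screen build, time and screenshot digest.
        return [e for e in self.records
                if e["user_id"] == user_id and e["terms_version"] == terms_version]

def sample_ledger() -> ConsentLedger:
    # Constructed sample data: two users across three platforms, fake screenshots.
    led = ConsentLedger()
    led.record("u1", "desktop-web", "web-2016.03.1", "tos-2016-03", b"png-a", "2016-03-01T12:00:00+00:00")
    led.record("u2", "mobile-web", "mweb-2016.03.2", "tos-2016-03", b"png-b", "2016-03-02T09:30:00+00:00")
    led.record("u1", "ios-app", "ios-4.2.0", "tos-2019-01", b"png-c", "2019-01-15T08:05:00+00:00")
    return led
```

In practice the ledger rows and the screenshot files would live on write-once storage with the chain head published somewhere an admin cannot quietly rewrite; the chain only proves that nothing changed since the row was written, not that the row was correct when written.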

For the legal version of this conversation, read Professor Goldman’s blog here, but you probably have enough of a headache now.

Likely, you need to partner with your legal team to make sure that you get this right. It basically cost Eventbrite their case.

Could you defend your case if you had to?