Category Archives: Legal

Security News for the Week Ending January 17, 2020

Orphaned Data in the Cloud

Researchers at security firm vpnMentor found an unsecured S3 bucket with passport, tax forms, background checks, job applications and other sensitive data for thousands of employees of British consultancies.  Many of the firms involved are no longer in business.

The researchers reported this to Amazon and the UK’s Computer Emergency Response Team (UK CERT) on December 9 and the bucket was taken offline by Amazon (likely at the request/order of UK CERT) on December 19th.

For people who were affected, if these companies are out of business, there is no one to sue.  Under GDPR, it is unclear who the government can go after if the companies no longer exist.  I suspect that orphaned data is only going to become a bigger problem over time.  This includes data stored by employees who have left the company and who did not “register” their data trove with their company’s data managers.  Another reason to get a better handle on where your data is stored.  Source: UK Computing

Ransomware 2.0 Continues and Expands

I recently coined/used a term called ransomware 2.0, where the hackers threaten to publish and/or sell data exfiltrated during ransomware attacks.  While we saw threats in the past, we did not see any follow-through.  In part, this is likely due to the fact that they did not, in fact, exfiltrate the data.

However, first with Maze and now with REvil, hackers are following through and publishing some data and selling other data.  REvil is the ransomware that is afflicting Travelex.

Companies will need to change their ransomware protection strategy to protect themselves against this form of attack.  Backups are no longer sufficient.  Source: Bleeping Computer

The Travelex Saga (Continued)

FRIDAY January 17, 2019

Travelex says that the first of its customer facing systems in Britain is now back online.  The automated ordering system that some of its bank customers use is now working, but its public web site is still down.  Virgin Money, Tesco Bank and Barclays still say their connections are down.  Source: Reuters

WEDNESDAY January 15, 2019

Likely this incident falls under the purview of GDPR, and the UK’s Information Commissioner’s Office says that Travelex did not report this to them within the legally mandated 72 hour window.  Travelex says that no customer data was compromised in the attack (even though the hackers were publicly threatening to sell and/or publish the stolen data and Travelex was said to be negotiating with them).  When asked if they paid the ransom, Travelex said “There is an ongoing investigation. We have taken advice from a number of experts and we are not going to discuss this.”  Translated, this means that we know we are going to get our butts kicked in court and by the ICO, so we are just going to be quiet now.  If the ICO finds that they did not report and there was a GDPR-covered event, they could fine them up to 4% of the global annual revenue OF THEIR PARENT COMPANY, Finablr.  Their revenue is estimated to be around $1.5 billion.  That, of course, is just one of the costs.  Their public web site is still down and has been down for 16 days now.  Source: UK Computing

MONDAY January 13, 2019

Travelex says that they are making good progress with their recovery, whatever that means.  They say that services will be restored soon.  Their website, however, is still down.  Travelex is still saying that they have not seen evidence that the customer data that was encrypted was exfiltrated, although the hackers who say that they are responsible claim that they will be releasing the data on the 14th (tomorrow) if they don’t get paid.  Source: ZDNet

Nemty Ransomware Joins the Ransomware 2.0 Crowd

The ransomware 2.0 community (steal your data before encrypting it and threaten to publish it if you don’t pay up) is becoming more crowded every day.  Now Nemty says they are creating a website to post stolen data of companies that have the nerve not to pay them.  Backups are no longer sufficient.  Source: SC Magazine

Top EU Court Says ‘National Security’ Does Not Override Everything Else

This is not a done deal yet, but it is a very interesting development and one, if it holds, that could have significant impact on a lot of countries, including the U.S.

Over the last few years, a number of countries have enacted laws that allow their intelligence apparatuses to override many privacy laws and hoover up vast quantities of data without any particular justification – just in case.   They say that they don’t know what they might need – until they do.  And, there is some justification to that story.  Some.  Justification.

The EU high court, technically called the Court of Justice of the European Union or ECJ, can appoint an Advocate General to advise it on matters where it feels that is justified.

In this case, Privacy International, a privacy rights organization, sued both the UK and France over their respective laws that require businesses to hand over anything the authorities ask for just because they say the magic words “national security”.

Specifically, this case says that the UK’s Investigatory Powers Act (also referred to as the Snooper’s Charter) and France’s Data Retention law go too far.

What happened yesterday is that the Advocate General advising the high court released his opinion.

The opinion says that screaming “terrorist” is insufficient to violate people’s rights under the European Directive on privacy and electronic communications.

Very importantly, the ECJ has not handed down its opinion yet; this is just the advice from the AG.  HOWEVER, the ECJ does agree with the AG about 80 percent of the time.

*IF* the ECJ does agree with the AG, that will mean several things:

  1. UK’s Snooper’s Charter is likely illegal under EU law and will need to be revised if the UK wants to enforce it in the EU.
  2. Likely France’s Data Retention law would violate EU law.
  3. For those of us in the U.S., it would likely mean that the U.S. government’s use of large scale data vacuum cleaners also does not comply with E.U. law.

The AG said that whatever the government does by itself is OK IF IT IS INTENDED TO SAFEGUARD NATIONAL SECURITY AND IS UNDERTAKEN BY THE PUBLIC AUTHORITIES THEMSELVES, WITHOUT REQUIRING THE COOPERATION OF PRIVATE INDIVIDUALS.  So, for example, they could intercept data on fiber optic Internet cables but they can’t ask AT&T to let them tap those cables (which they did) and cannot ask Google or Facebook to hand over their encryption keys.

What the AG is saying is that rather than vacuuming up terabytes of data per hour, that hoovering needs to be done “on an exceptional and temporary basis” and only when justified by “overriding considerations relating to threats to public security or national security”.

When the U.K. leaves the E.U. – maybe this month – it doesn’t have to be bound by E.U. law, but if it doesn’t agree to abide by E.U. law, then companies in the E.U. will not be able to send data to the U.K. and U.K. companies will not be able to collect any data of E.U. residents.

Probably more important for U.S. companies is this.

A few years ago, when the E.U. started enacting privacy laws, they said that laws in the U.S. were not adequate to protect the privacy of E.U. citizens, so data collected by U.S. companies could not be sent to the U.S.

In response to that, the U.S. and E.U. came up with this agreement called Safe Harbor which supposedly protected the privacy rights of E.U. residents.

Unfortunately, this same court ruled that Safe Harbor didn’t really protect the rights of E.U. citizens.  This threw U.S. businesses that suck large quantities of data out of the E.U. into a bit of a tailspin.

After Safe Harbor was struck down, the U.S. got out a large tube of lipstick and put it on Safe Harbor.  The new agreement was called Privacy Shield and it is under review by this same court right now.

If the ECJ agrees with the AG in this different case, it seems like a REALLY small step to say that Privacy Shield doesn’t hack it either, which would create tailspin 2.0.

That would require that the U.S. and E.U. try a third time to come up with something that the courts will hold as adequate.

Various authorities have gotten their respective countries to pass laws that say that as long as they claim “national security”, privacy laws do not apply.  Countries that have done this include the U.S., U.K. and Australia, three of the “five eyes” countries.

This battle is far from over, but this is a very interesting development.  Source: The Register

Security News for the Week Ending December 27, 2019

Russia Claims to Have Successfully Disconnected from the Internet

Russia has been planning to install an Internet kill switch for a couple of years now.  Of course, we have no clue what that means.  Likely, it means that they have their own DNS servers so that they do not have to resolve web site addresses using servers controlled by the US and EU.  But that means any web sites that are outside of Russia will not work if they do this.

More likely, this process, which forces all traffic through government controlled gateways, is designed to surveil its citizens even more than it already does.  Details at ZDNet.

Pentagon Tells Military Not To Use “At Home” DNA Tests

I am not sure that Ancestry.com or 23AndMe are terribly happy about the message, but the Pentagon put out a memo this week telling members of the armed services not to take at-home DNA tests unless otherwise notified.

The cover story is that the tests might be unreliable and not reviewed by the FDA.  The next story is that negative results might require members of the armed forces to disclose things that could end their military careers.

The real story is they are worried about state actors getting their hands on the DNA of our service men and women for nefarious purposes.

It looks like the military is actually starting to understand risks of the 21st century.  Good work.  Note this is not voluntary or optional. Source: MSN

Telemarketing Firm Lays off 300 Before Christmas Due to Ransomware

A Sherwood, Arkansas telemarketing firm laid off 300 people just before Christmas after a ransomware attack shut down their systems.  The attack happened about two months ago and even though they paid the ransom, they have not yet been able to restore the systems.  Apparently, at this point, they have run out of money. The company finally put out a memo explaining what was happening and told employees to call on January 2nd to see if they were going to get their jobs back.  Merry Christmas.  Source: KATV

British Pharmacy Fined $350K for Failing to Protect Medical Records

It is not just the big companies that are getting fined.  In this case a British pharmacy was fined $350,000 for leaving a half million records unprotected and exposed to the elements.  In addition, the pharmacy was issued an order to fix its security practices in 90 days or face more fines.  We are seeing less willingness by courts and regulators on both sides of the Atlantic to tolerate companies’ missteps when it comes to security and privacy.  Source: The Register

Georgia Supreme Court Says Victims of Medical Clinic Hack Can Sue

Moving to this side of the Atlantic, the Georgia Supreme Court says that victims of an Atlanta area medical clinic that was hacked can sue the clinic for negligence.  As I said, courts are becoming much less understanding as to why companies are not effectively protecting the data entrusted to them.  This decision reverses the Court of Appeals decision and is only binding in Georgia, but courts in other states may use this as a precedent in their decision process.  Source: Atlanta Journal Constitution


What Does California’s New Privacy Law Mean to the Average Person

California’s new privacy law, CA AB 375 or the California Consumer Privacy Act (CCPA), along with its attendant modifications and rules, goes into effect next week.  As companies scurry around to meet the January 1, 2020 deadline, here is some information on what CCPA means to the average resident of California and elsewhere.

While CCPA is still a bit of a work in progress, we need to put a fork in it anyway.

Why is it important?

This is the first time anyone, anywhere in the United States, has had any “rights” to their data.  Residents of the European Union have enjoyed rights to their data for about 18 months, and the world has not ended, but this is a new adventure in the United States.

What Data Does This Cover?

It covers all the things you would expect, like driver’s license numbers, bank account information and your Social Security number, but it also covers a lot of other information.  All biometrics are covered (like your iris scan, fingerprints and DNA).  Also your IP address and other identifiers used to track you on the Internet.  Even how you smell is covered.  Data extracted DIRECTLY from public government records is not covered.

Can I Tell Those Social Media Giants to Delete Me?

You can, but I guarantee that they are going to try and discourage you or fool you.  You don’t REALLY want us to delete your stuff – how about if we take your name off it; surely that is good enough.  But you can ask them to delete it and they MUST do it.

What if they don’t do it?

The law allows for a $2,500 fine per violation or three times that if it is intentional.  But the catch is that fine can only come from the Attorney General and he doesn’t seem that keen to enforce it.  He is, however, a politician, so if there is political pressure or if he thinks that attacking some company will help get him reelected, it is game over.  The law didn’t give him extra budget or people to enforce it.

What about if there is a breach?

That is a chicken of a different color.  If there is a breach, any California resident can sue (or be part of a class action) for up to $750 per person affected, without having to show that they were damaged, or more if they can show that.

Expect there to be a cottage industry of attorneys in California going after breached companies.

Also, this right cannot be waived, so those shrink wrap agreements that no one reads – the ones that ban class action participation or lawsuits vs. arbitration – when it comes to this, they can’t be enforced.

Can I still use Facebook if I tell them not to sell my data?

They might be able to strip down the services, but only to the extent that they can show how much your data is worth to them.  If they want to charge you, they also have to show how much your data is worth.  Optics being what they are, I doubt very many businesses want the negative PR.  They are just hoping that not very many people opt out.

What if I don’t live in California?

Technically you can’t take advantage of the law.  BUT, you can see what is in the CCPA documents – what data they are collecting and how they are using it, for example.

Also, some companies are offering CCPA coverage to all residents of the U.S.  Microsoft is one of those companies.  In that case, the companies are voluntarily giving you the same rights, even though the law doesn’t force them to.

There will likely be a lot more information coming out, so stay informed.  This is likely the dawn of a new era.

Unless Congress passes a weak national privacy law which overrides stricter state laws.  Congress is talking about this, but it is a very sticky political subject, so I am not counting on this.  Still, no one is safe while Congress is in session.  Source: CNet

Universities Collect Thousands of Location Data Points Per Student Per Day

To call this big brother is watching would be polite.

Universities are using apps on students’ phones and either Bluetooth beacons or WiFi to track students’ location, including class attendance and, I would guess, how much time they spend in local bars.

The attendance part is to “encourage” students to attend class.  Students who do not “clock in” by turning on Bluetooth or WiFi on their phones and making sure the university’s app is running are counted as not attending lectures and lose points, which, in turn, affects their grade.

Some universities are even using the data to create a personal risk score for each student, allowing them to intervene, if they want to.

Students say they can’t do anything about the surveillance other than to drop out of college.

They also use the tech to make sure that athletes attend classes, which is required for them to remain eligible for their scholarships.

The system can send an email to the professor if the student skips a class or comes in, say two minutes late.

It can also tell if the student leaves before the end of the class.

It also allows the colleges to see if, for example, black students skip classes or go to bars more than white kids.  They have thousands of data points per student per day.  The possibilities to discriminate, as they say, are endless.

I guess if you spend too much time in the cafeteria, they will enroll you in more gym classes?

While college students have always been thought of as lab rats, how long will it be before employers use this to track employee behavior?  How many breaks do they take?  Do they show up late or leave early?  Employees who are in high demand can tell employers to take a long walk off a short pier, but many (most?) employees don’t have that luxury.  Source: WaPo

Oh What a Tangled Web Spies Weave

After the 9-11 attacks on the World Trade Center Twin Towers, the Pentagon and Shanksville, PA, Congress quickly and without much discussion passed the Patriot Act, likely the single biggest spying operation ever.  Under the Patriot Act, the government was able to collect information on Internet traffic, mostly of foreigners.  The amount of data that they collected and are collecting is staggering, forcing the NSA to build a huge new data center in the Utah desert.

The law was supposed to expire in 4 years, but Congress has renewed the act twice, once under President Bush and once under President Obama.  A couple of parts were allowed to expire and a few tweaks have been made to the law, but basically it continues to operate.  Parts of the act were due to expire on December 31, 2019, but Congress snuck a three-month extension of the parts that were due to expire into the recently passed government funding bill, so as to give Congress more time to discuss it.  In general, this is probably a good idea, but sneaking it into another bill, a popular habit of Congress when they think their votes might attract undue attention, is something that I am not so fond of.

One section that is due to expire is Section 702, which allows for bulk data collection.  Actually, it is metadata: information like WHO you are calling, when and for how long, but NOT the actual conversation.

In theory, the FBI is only supposed to access this data in cases of terrorism or suspected terrorism, but in their excitement over a new data source, they accessed it at least tens of thousands of times in cases that had nothing to do with terrorism.

A federal court ruled that the way the FBI was using this database was likely unconstitutional, but they did not make them stop.  What they did say is that you need to do a better job of creating paperwork to justify and document what you are doing.  This involved a case of a US citizen who was jailed for, and admitted to, giving material support to a terrorist organization, someone who would not generate a lot of sympathy.

Still, it is useful to shed some light on the inner workings of the government.  The appeals court said that gathering the data under section 215 was likely legal, but using that data to obtain information on a US citizen without a warrant is a no-no.  This aligns the court with two recent Supreme Court decisions on the subject of privacy.

The interesting thing is that, apparently, it is pretty difficult for the NSA to collect data only on foreigners, so difficult that last year they had to purge the entire database and right now, the NSA says that they don’t need or want this ability any more.

However, the Director of National Intelligence, a role whose fundamental job is to collect and analyze as much data as is possible, says not only should Congress renew it, but they should make it permanent so they don’t have to justify it every 4 or 5 years.  See details here.

We are likely to hear more about this in the next couple of months, so if privacy and government spying is an issue that is important to you, then becoming educated and communicating with your elected officials is something you should do.