Category Archives: Legal

GSA Proposing Changes To Fed Contracting CyberSec Rules

Defense contractors are wrestling with new contracting rules that went into place, sort of, as of December 31, 2017, with the requirement to be in compliance with NIST SP 800-171.

NIST SP 800-171 defines over 100 cyber security requirements that defense contractors and sub-contractors must comply with.  Prime contractors must ensure that their subs are in compliance with this and both primes and subs can be barred from government contracts if they fail to comply or lie about their compliance status.

For those familiar with the government contracting rules, this was implemented by creating a new DFAR.  NARA, the National Archives and Records Administration said last year that they planned to create the equivalent of a DFAR for the civilian government, called a FAR, and now they have begun the process.

The GSA has published a notice that they intend to create a set of contractor cyber security rules, similar to NIST SP 800-171.

Part of what GSA is doing is codifying existing rules to ensure that they are mandatory in the contracting process, but that is only part of it.  These rules call for protecting the confidentiality, availability and integrity of government information and also set reporting requirements for cyber incidents.  The reporting time frame for incidents for defense contractors is now 72 hours – way stricter than any state regulation.

Once this process is complete, which will happen toward the end of this year, these requirements will become mandatory for all GSA contracts.

Last year defense contractors started worrying about implementing good cyber security practices; this year it is the civilian government contractors that need to pay attention.  Smart contractors will begin working on enhancing their cyber security program based on the concepts inside NIST SP 800-171 in order to get a head start on the requirements.

Information for this post came from Fedscoop.


Senators, Staffers Next on Russia’s Cyber Hit List

According to the cyber security firm Trend Micro, the members of the U.S. Senate and their staff could be the next target of the Russian hacking group Fancy Bear – the same group linked to the DNC hack and election meddling across the Middle East and Europe.

Trend says that digital breadcrumbs found so far in spear phishing campaigns link back to the Russian hacking group.

And, in a way, it makes perfect sense.  If the Russians’ objective is to meddle in elections across the globe, then the U.S. mid-term elections later this year would be a perfect target.  Spear phishing emails are pretty low tech but they lead to compromised userids and passwords (and were pretty lethal during last year’s elections).  Also consider that politicians and bureaucrats are addicted to email.  That makes them a perfect target.

Some of the emails pretend to be Microsoft Exchange messages warning of expired passwords.  Low tech but pretty effective, unfortunately.

The researchers said that these spear phishing attacks looked a lot like the attacks rolling up to last year’s French elections.

If it ain’t broke, don’t fix it.  It worked against the DNC and it worked against the French.  It is well-known art.  It may well work against the Senate.

Senator Sasse (R-Neb) said that he thinks Putin is very happy that Washington is obsessed with partisan politics and is ignoring 2018 and 2020.  He is likely right.  To really fix things will require a lot of work and at least some money – something Washington doesn’t seem to be concerned about.  And it is a very distributed problem.  There are 50 states, 3600+ counties, the feds, government organizations, social media – a lot of targets of opportunity.

Which is not terribly surprising given that, before last year’s election, there were only 5 people between both houses who had a computer science degree (I don’t know how the election changed things, but it likely didn’t change much).

Given all of the events coming up in the next year, including the Olympics and elections worldwide, and the apparent lack of interest in doing anything about it, we should assume that Russia will continue to be successful in their efforts to influence politics – conspiracies or not.

Information for this post came from FCW.


Faxes are Secure, Right?

It is hard to believe that, in this day and age, people are still using faxes, but they are surprisingly popular, still, in businesses.

And extremely error prone.  A fax machine has no mechanism to check that the pages actually went to the person you intended.

You type in a number, stick the pages in and they are transmitted to the other end.  Wherever or whoever that might be.

Sometimes, if the other end is not where you were expecting, it is not a problem.  Maybe they throw the faxes in the trash.  Maybe they shred them.  Maybe, if you are lucky, they call the sender and tell them that the faxes did not reach the intended recipient.

But what if you are a health authority and the information is confidential patient information?  And the actual recipient is a computer shop, not the doctor it was meant for?

This was reported in Canada this week.  The Saskatchewan Health Authority sent confidential patient information to a local computer shop.  The store owner said that his fax machine received a 21 page fax from a local hospital destined for a local doctor.

The hospital has a solution to the problem – the computer shop should change its fax number (and somehow notify its customers of this).  Wonderful solution.  The shop owner was actually pretty accommodating about that.  Pay for the costs of the change and he would do that.

The computer shop says that it has received numerous faxes from the Health Authority over the last year.

We hear about this often.  Sometimes lawyers, and even the courts, accidentally fax information to opposing counsel or even to unrelated third parties.  In situations like that, a simple mistake can result in a waiver of attorney-client privilege.  That can get very messy.

In the cases where the party sending the fax is typing in the number directly, mistyping a digit will send the fax to the wrong place.

In some cases, the fax number is stored in the fax machine’s address book, but was entered incorrectly.

In a few cases, we have even heard of situations where the recipient phone number has been forwarded to another number, accidentally.

Given all these opportunities for error, why do companies continue to use fax machines, especially for sensitive information?

The simplest answer is that fax machines are universal.  Doctors and others have been using them for 50 years and don’t like to change.  Fax machines – at least simple ones – are pretty cheap and the training process is pretty simple.

But another reason is the perception that faxes are secure.  They are not.  There are a few really high end fax machines that encrypt the faxes, but they are probably one in 100,000, and even then the users have to know how to use that feature.

Mostly it is because people don’t like change.

We use encrypted email all the time.  But it is a bit of a hassle.  We use different encrypted email products with different clients.  You have to look at multiple email apps to make sure that you haven’t missed any emails.

So people, always looking for the easiest, least hassle solution, resort to faxes.

In the case of faxing medical records to the wrong person, even accidentally, it is likely a violation of privacy laws.

In this case, the computer shop owner notified the sender multiple times (remember the sender suggested that the shop owner change his phone number) and the sender refused to do anything.

Well now the computer shop owner has notified the Saskatchewan information and privacy commissioner.  I don’t know what the penalties are going to be, but perhaps, now, given a combination of bad PR and fines, the hospital will come up with a better solution.  They are not very hard to find.

Are you still using fax machines to send sensitive information?

Information for this post came from CBC.


Section 702 Renewal Could Have Huge Negative Impact on Business

As I said in an earlier post, after 9-11 Congress passed some major new surveillance laws.  The idea was to increase surveillance in a move to try and find more terrorists.  Congress also wasn’t completely sold on the idea, so the law sunsets every few years and Congress has to renew it.  This is one of those renewal years.

But there is a wrinkle.  Congress is still not sold on the idea.  The law was set to expire at the end of December and rather than allowing it to lapse while they were on vacation, Congress renewed the law prior to leaving town.  Renewed that is, for four weeks.  The law is set to expire, again, next week.

There are several bills in various stages of approval that range from a permanent renewal with no restrictions to a limited renewal with restrictions.

Apparently one of the sticking points is something called “About” collection.  This was abandoned last year, but some of the bills in Congress now reincarnate it.  About collection, some say, is a back door to allow the FBI, via the NSA, to collect information ABOUT Americans without a warrant, using some sleight of hand saying the information was collected incidental to someone or something they were interested in.

Congress has 9 days to either figure it out or kick the can down the road.  Again.

But here is the negative business impact.

For U.S. companies that do business in Europe, many of them, especially smaller ones, need to be able to bring that data back to the United States.  Due to Europe’s much stricter privacy laws, they can’t do this unless they agree to offer E.U. citizens the same protections that they would get in Europe.  Enter Privacy Shield, son of Safe Harbor.  Privacy Shield is an agreement between the U.S. government and the E.U. government regarding what we will and will not do with respect to protecting E.U. citizens’ privacy.  About 2,400 U.S. companies currently follow the Privacy Shield agreement and more are in process.

But the E.U. lawmakers are not very fond of Section 702.  In fact, they have said so publicly.  In fact, they have threatened to go to E.U. court to have Privacy Shield declared null and void.

And that is exactly what will likely happen (and did happen to Safe Harbor) if the U.S. extends Section 702 as is.

I am not clear that some U.S. Senators and Congresspeople understand that;  they would much rather deal in crisis.

So here is one possible outcome.  Congress renews Section 702 with no reforms, the E.U. goes to court and gets Privacy Shield declared unconstitutional and American businesses get to scramble to figure out how to continue to do business in Europe.  This is worth billions to U.S. businesses.

It probably won’t be that bad.  The court will probably give the U.S. 6-12 months to figure out a solution.  Then bureaucrats in the U.S. and E.U. will need to try and figure out how to deal with it and Congress may have to amend Section 702.

Alternatively, Congress could be proactive.  Not. Counting. On. That.

If you sell into Europe, you might want to contact your Congress-critters.

Otherwise, get some popcorn and watch the fun.

Information for this post came from The Hill.


FBI Says Tech Industry Should Follow Financial Services in Saving Messages

FBI Director Christopher Wray suggested that the tech industry follow the model of the financial services industry.  Some of the big banks have created a messaging app with delete capability, so to keep the regulators happy they agreed to save a copy of each message for 7 years.

Let's apply that to the tech industry.

Whatsapp currently serves up 55 billion messages plus 4.5 billion photos plus 1 billion videos a day.

iMessage serves up 40 billion messages a day.

Let's assume a message, with overhead, is 1,000 bytes, a photo is 3 megabytes and a video is 20 megabytes, AND let's ignore every other secure messaging platform.  The math is:

(95 billion x 1 kB + 4.5 billion x 3 MB + 1 billion x 20 MB) x 365 x 7

That equals 33,595,000 billion bytes per day or

12,262,175,000 billion bytes per year or

85,835,225,000 billion bytes in 7 years.

That would be 85,000,000,000,000,000,000 characters, if I did the math right.  Let's ignore compression for the moment since videos and photos don’t compress and they are the bulk of the disk space.

Assuming a 5 TB disk drive, that would only require 17,167,045 disk drives to hold the data.

Double that if you would like just one backup copy.

That assumes zero growth during that time, when, as we know, growth is in the double digits per year.

That is a lot of disk drives for someone to buy.  And maintain.  And pay for the electricity and people to keep them running.  Roughly the size and cost of the NSA’s Utah data center, which estimates say cost about $4 billion to build and probably a hundred million dollars a year to run.

Scale IS a problem here.  A big problem.

Let's say you scale that back and say that you only keep messages for a year.  Now you only need two and a half million disk drives, assuming zero growth.
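The back-of-the-envelope math above, worked through as an added example (not code from the original post): it reproduces the post's daily, yearly and 7-year totals and drive counts under the post's size assumptions, and goes one step further by letting you plug in an annual growth rate, which the post deliberately leaves at zero. The growth model (each year's daily volume is a fixed multiple of the previous year's) is my assumption, not the post's.

```python
# Added example: retention storage estimate using the figures quoted in the post.
# Units are decimal (1 kB = 1000 bytes, 1 MB = 10**6 bytes, 1 TB = 10**12 bytes),
# which is what the post's arithmetic uses.

DAYS_PER_YEAR = 365
BILLION = 10**9

# Daily volumes from the post: 55 billion WhatsApp + 40 billion iMessage messages,
# plus WhatsApp's 4.5 billion photos and 1 billion videos.  Nothing else counted.
DAILY_MESSAGES = 95 * BILLION
DAILY_PHOTOS = 4_500_000_000
DAILY_VIDEOS = 1 * BILLION

# Per-item size assumptions from the post.
MESSAGE_BYTES = 1_000
PHOTO_BYTES = 3 * 10**6
VIDEO_BYTES = 20 * 10**6

DRIVE_BYTES = 5 * 10**12  # one 5 TB drive, as in the post


def bytes_per_day(messages=DAILY_MESSAGES, photos=DAILY_PHOTOS, videos=DAILY_VIDEOS):
    """Bytes generated per day before any retention multiplier."""
    return messages * MESSAGE_BYTES + photos * PHOTO_BYTES + videos * VIDEO_BYTES


def retained_bytes(years, annual_growth=0):
    """Total bytes that must be kept for `years` of retention.

    annual_growth is a constructed assumption (the post assumes 0): each year's
    daily volume is (1 + annual_growth) times the previous year's, so the total
    is a sum of growing yearly volumes rather than a flat multiplication.
    """
    total = 0
    daily = bytes_per_day()
    for _ in range(years):
        total += daily * DAYS_PER_YEAR
        daily = round(daily * (1 + annual_growth))  # keep integer arithmetic
    return total


def drives_needed(total_bytes, backup_copies=0, drive_bytes=DRIVE_BYTES):
    """Whole drives required; each backup copy is a full extra set of drives."""
    per_copy = -(-total_bytes // drive_bytes)  # ceiling division on ints
    return per_copy * (1 + backup_copies)


if __name__ == "__main__":
    seven = retained_bytes(7)
    print(f"per day:   {bytes_per_day():,} bytes")
    print(f"7 years:   {seven:,} bytes -> {drives_needed(seven):,} drives")
    print(f"with one backup copy: {drives_needed(seven, backup_copies=1):,} drives")
    print(f"1 year:    {drives_needed(retained_bytes(1)):,} drives")
    # Same 7-year window but with 15% annual growth, a figure in the
    # "double digits" range the post mentions (assumption, not the post's number).
    print(f"7 years at 15%/yr growth: {drives_needed(retained_bytes(7, 0.15)):,} drives")
```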

If we assume that people don’t keep all their messages, someone else is going to have to, and that will be VERY expensive.  Even if you build a back door into phones, if people delete their messages, that back door doesn’t help you.

I’m not saying there is no answer, but there is no simple or inexpensive or privacy protecting way.

And, of course, if you force Apple to build a back door into iMessage, some dude in Pakistan will build his own app that doesn’t have a backdoor.  Now you have to police every phone on the planet for a long list of apps that changes daily.  Again, possible, but not cheap or easy.

NOTE: These numbers are only for examples.  They could be off by a factor of 10 in either direction – or more.

Information for this post came from The Washington Post.


DHS Issues New Rules For Searching Electronic Devices

In 2015 some 380 million international travelers arrived in the U.S. and only 8,503 of those travelers had their electronic devices searched – only 0.002 percent.  That is a pretty small number.

In 2016 there were 390 million international arrivals and CBP examined the devices of 19,033 of them – a little more than double the number from the prior year.  Still it is a very small number.

In the first half of FY 2017, 14,993 travelers had their devices searched.  Assuming the second half of the year matches the first half, just about 30,000 travelers will have their devices searched.  That will be about 350% of the 2015 numbers.

Of course there is no way to extrapolate what that means for 2018, but if the trend continues, it will likely increase.

One of the complaints that people have expressed is that there are no obvious rules governing whether a device can be searched.  With all kinds of personal and sometimes embarrassing content on people’s phones and computers, DHS has decided to publish some general guidelines.  Far from rules, but better than what was known before.

The Supremes have ruled in the past that Customs does not need either a warrant or reasonable cause to search your devices.  If you are a U.S. citizen you can’t be denied entry into the country if you refuse to unlock your device, but if you are NOT a citizen, they could send you back to where you came from.

In both cases they can detain you for a while – no definite time, which may encourage you to cooperate.

And, they can also search your device when you leave the country, but I suspect that is much less frequent.

The right to these arbitrary searches is rooted in the Constitution and was based on the concept of looking through your luggage for contraband.  Extending that to your phone seems like a bit of a stretch, but the Supremes have weighed in and said it is OK.

Under the new rules, agents can search information stored ON the device, using the software on the device.  This, in theory, says that they can’t read your GMail by opening your Mail app since that is not stored on your phone – or maybe it is.  The way they have decided to deal with that is either CBP agents will ask you to put the phone in Airplane mode or if they don’t trust you to do that, they will do it for you.

Unless they have reasonable suspicion – whatever that means.  Then they can use advanced search techniques – which I assume means that they can use forensic tools.

They can ask you for your passcode and detain a device that is encrypted (and, I assume, that you won’t decrypt).

The document also says that agents should take care not to make changes to the device.  I assume that the first thing someone would say if CBP claims they found something incriminating is that it was planted.  Advanced searches should be done in the presence of a supervisor, if available.  Searches should also be done in the presence of the device owner unless there are reasons not to allow this.

If the device owner says that information on the devices is protected by attorney-client privilege, the agent is supposed to ask for clarification as to what specific files or folders contain that information.  Prior to searching those folders, the agent has to contact the CBP assistant chief counsel, who will coordinate with the U.S. Attorney’s Office on how to proceed.  While they will still search that information, they will segregate it so that it might, possibly, be better protected.

At the completion of the CBP review, any copies of information will be destroyed unless they need to be preserved in accordance with a litigation hold.

All of this process needs to be documented on specific CBP forms.  That alone will probably discourage agents from poking around.  Filling out government forms is no fun.

Business confidential and trade secret information needs to be protected as well.

All of that information can still be shared with other agencies as long as they have processes in place to protect it – undefined processes.

If they ask for your passcode and you give it to them, they may keep those passcodes in case they need them later.  Another reason not to reuse passwords.

If the device owner will not unlock the device, CBP can try to break into it.

Officers may detain devices and/or information on them for a reasonable period, usually 5 days, but that can be extended for a week at a time with approval, if needed.

If CBP keeps your device, they need to give you a receipt.

If CBP needs to get assistance from another agency for breaking into the device or evaluating the information on it, they need to get a supervisor’s approval and they need to tell the owner unless the purpose for sharing is counter-terrorism related.

So what should you do?

That kind of depends on your level of paranoia and what is stored on your device.

In general, try to avoid taking sensitive or embarrassing information across the border.  For many companies, that means issuing burner phones and burner laptops (this is actually a more common practice than you might think).  Upload encrypted data to the cloud before crossing the border in any direction and wipe and overwrite the files off the local device.

If CBP retains the device or takes it out of your sight, depending on your level of paranoia and the sensitivity of your mission, assume the device is compromised or bugged and treat it accordingly.

Mostly, it depends on your view of what is on the device and how much you trust or distrust the government.

Given the government’s inability to keep much of anything confidential, I would not assume that the government should be counted on to protect anything that they observe or copy.  This is not because they are evil, but because they are part of a large bureaucracy.  Large scale operations have some benefits, but privacy is not one of them.

Overall, it is a good, small step forward that they have documented these rules, but there are a lot of loopholes in them.

Remember that this is coming from someone who is way more paranoid than the average bear, so take that into consideration.

Information for this post came from CBP and CNN.
