Category Archives: Privacy

So What Are You Gonna Do – Sue Them?

A security researcher says he found years' worth of customer data for sale on Craigslist.  Not exactly the dark web.

The servers came from NCIX, a bankrupt computer retail chain.  According to the story, the seller had hundreds of servers that had been sitting in storage, and the owner of the storage company was selling them off after NCIX stopped paying its storage bill.

Add to that hundreds of loose hard drives.

None of this data was encrypted.

Also note that this story wasn't verified, but we hear stories like this all the time, so even if this one isn't true, the problem is still real.

This particular seller, according to the story, wasn't necessarily a complete crook, just someone willing to make money any way he could.  What if it had been a sophisticated crook?  We see this kind of gear on Craigslist all the time, no doubt sold by clueless people.

In theory, the company disposing of the hardware should wipe the data, or, if the drives were encrypted, destroy the encryption keys, but we hear story after story like this.

In the case of a bankrupt retailer that is no longer in business, it would be hard to prove who did what and even harder to sue anyone.

For responsible businesses —

You should verify that there is no data still accessible before you dispose of your computers.  And phones.  And tablets.  And COPIERS (BIG, BIG problem: office copiers and multifunction printers keep an internal hard drive holding images of what they scanned, printed and faxed).

Alternatively, remove the hard drives and destroy them. While (assuming you are in a place where this is legal) taking them out back and  putting a few .30-06 rounds into them is fun (and will make them pretty difficult to extract data from unless you are the CIA), many paper recyclers like Iron Mountain will literally shred them for $5 in volume.  That is fun to watch.  I have done it many times.

Many companies give used hardware to their employees.  This is a particular case to make sure there is no data left, because your employees will likely know the people whose data might be on those devices.

All this requires is a little care and business process.
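"Make sure there is no data still accessible" means reading the drive back, not trusting that someone ran a format.  As an added example (not from the original post, and not a tool NCIX or the storage company used), here is a Python script that walks a drive image and reports what is still recoverable: partition and filesystem markers, plaintext records, and whether the non-zero blocks look like ciphertext.  The sample "drive", its MBR/NTFS markers and the customer records in it are constructed for the demonstration; the device path /dev/sdb and the 7.0 bits-per-byte entropy threshold are assumptions.

```python
"""Scan a drive image for residual data before the hardware leaves the building.

Added example (not from the original post).  It reads a dd image or a block
device such as /dev/sdb and reports whether anything recoverable is still on it.
The sample image built below is constructed, not real customer data.
"""
import io
import math
import re
import sys
from collections import Counter

SECTOR = 512
BLOCK = 4096

# Filesystem markers a forensic tool keys on.  Their presence means the drive
# was at most "deleted" or quick-formatted, never overwritten.
FS_SIGNATURES = {
    b"NTFS    ": "NTFS boot record",
    b"FAT32   ": "FAT32 boot record",
    b"EFI PART": "GPT header",
}
PII_PATTERNS = {
    "email": re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "card_number": re.compile(rb"\b(?:\d[ -]?){13,16}\b"),
}


def shannon_entropy(block: bytes) -> float:
    """Bits per byte: ~8.0 for ciphertext or compressed data, 0.0 for all zeros."""
    n = len(block)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())


def scan_image(fp, block_size: int = BLOCK) -> dict:
    """Walk the image block by block and tally what is still visible on it."""
    report = {"blocks": 0, "nonzero_blocks": 0, "high_entropy_blocks": 0,
              "signatures": set(), "pii": Counter()}
    offset = 0
    while block := fp.read(block_size):
        report["blocks"] += 1
        if block.count(0) != len(block):
            report["nonzero_blocks"] += 1
            if shannon_entropy(block) > 7.0:      # assumed threshold for "looks encrypted"
                report["high_entropy_blocks"] += 1
        if offset == 0 and block[510:512] == b"\x55\xaa":
            report["signatures"].add("MBR boot signature")
        for magic, name in FS_SIGNATURES.items():
            if magic in block:
                report["signatures"].add(name)
        for kind, pattern in PII_PATTERNS.items():
            hits = len(pattern.findall(block))
            if hits:
                report["pii"][kind] += hits
        offset += len(block)
    return report


def scan_bytes(data: bytes) -> dict:
    return scan_image(io.BytesIO(data))


def verdict(report: dict) -> str:
    """Only an all-zero read-back proves a wipe; high-entropy-only is a weaker signal."""
    if report["nonzero_blocks"] == 0:
        return "wiped"
    nothing_readable = not report["signatures"] and not sum(report["pii"].values())
    if nothing_readable and report["high_entropy_blocks"] == report["nonzero_blocks"]:
        # Looks like full-disk-encryption ciphertext.  That is only safe if the
        # key was destroyed, which the image alone cannot prove.
        return "ciphertext only"
    return "DATA PRESENT"


def build_sample_image() -> bytes:
    """Constructed stand-in for a retired server drive (hypothetical data)."""
    img = bytearray(32 * SECTOR)                      # a 16 KiB "drive"
    img[510:512] = b"\x55\xaa"                        # MBR boot signature
    img[SECTOR + 3:SECTOR + 11] = b"NTFS    "         # NTFS OEM id at offset 3 of the VBR
    records = b"".join(
        f"{i:05d},Customer {i},user{i}@example.com,4111 1111 1111 1111\n".encode()
        for i in range(20))
    img[8 * SECTOR:8 * SECTOR + len(records)] = records
    return bytes(img)


def quick_format(img: bytes) -> bytes:
    """What deleting the partition or a quick format does: the first sectors only."""
    return b"\x00" * (2 * SECTOR) + img[2 * SECTOR:]


def full_wipe(img: bytes) -> bytes:
    """What dd if=/dev/zero or the drive's own secure erase does: every sector."""
    return b"\x00" * len(img)


if __name__ == "__main__":
    if len(sys.argv) > 1:                             # real use: python check_drive.py /dev/sdb
        with open(sys.argv[1], "rb") as fp:
            r = scan_image(fp)
        print(verdict(r), sorted(r["signatures"]), dict(r["pii"]))
    else:
        for label, img in [("as retired", build_sample_image()),
                           ("after quick format", quick_format(build_sample_image())),
                           ("after full wipe", full_wipe(build_sample_image()))]:
            r = scan_bytes(img)
            print(f"{label:19s} -> {verdict(r):15s} "
                  f"signatures={sorted(r['signatures'])} pii={dict(r['pii'])}")
```

Run it against the device itself (as root) or a dd image after the wipe.  The only verdict that should let hardware leave the building is "wiped"; "ciphertext only" is acceptable only when you can show the key was destroyed.  Note the quick-format case: the partition and NTFS markers are gone, but every customer record is still there, which is exactly what a buyer with any off-the-shelf recovery tool will find.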

Information for this post came from ZDNet.

 


Don’t Sync Your Phone to Your Rental Car

As I have reported before, car manufacturers do not seem to care whether the previous owner still controls the used car you just bought.  Previous owners have kept the ability to locate, unlock and even remote start some cars, and car makers don't seem to be doing anything about it; they likely won't unless they are successfully sued or a law is passed forcing the issue.

In the meantime, you are on your own in understanding the security implications of that used car you bought.

But it gets worse.

If you rent a car and want to play your music over the car's sound system or use its hands-free calling, you pair your phone with the car.

The car now holds a copy of your data, and unless and until you erase it, all of that data is still in the car when you return it to the rental company.

That includes your contacts, call history and anything else the car's infotainment system pulls in.

So what can you do?

The simplest answer is to not sync your phone, but that might not be convenient.

Since every make and model of infotainment system (not just every model of car) uses a different menu to erase the data, the process is daunting.

Enter US car industry exec turned privacy advocate Andrea Amico.  He has created an app, Privacy4Cars, that gives you step-by-step instructions for wiping the car's copy of your data.  You get, apparently, 10 wipes for free, then the next bucket costs a whopping $1.99 – pretty affordable, especially if you rent cars frequently.

The good news is that the UK Information Commissioner's Office (the UK's data protection regulator, which enforces GDPR there), along with other data protection offices, put together a resolution on the subject, and given a few complaints, the ICO might well fine the car makers a couple million Euros if they don't shape up.  That could get their attention.

Stay tuned.

Information for this post came from The Register.

Information on the app can be found here.


Fiserv Security Flaw Exposes Your Banking Data – Even if You Don’t Bank Online

Sometimes even if you try to be safe, it doesn’t work the way you want.

Fiserv provides banking software to over a third of all banks.  They have 24,000 employees and almost $6 billion in revenue.  Many of its client banks are smaller banks and credit unions, but some large banks use Fiserv too.

Apparently, if you signed up for alerts, the bank sent you an email with a link to the alert, and that link violated one of the most basic security rules.  It carried the alert's event number, and those numbers were assigned serially: 1, 2, 3, 4.  The page never checked that the logged-in customer owned the alert in question, so if you changed the number in the link, you could read someone else's alert.  This is an insecure direct object reference (IDOR), one of the oldest web bugs there is.

The researcher who found it tried to get Fiserv's attention and got nowhere (one more time a company's incident response process failed), so he reached out to Brian Krebs.  Krebs, whose web site attracts almost a million unique visitors a month, tested the flaw by opening accounts at a couple of small banks that use Fiserv and trying it out.

While he could not cross banks to get data from other banks, he was able to see data from other customers of the same bank.
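The bug as described, as an added example that is not Fiserv's code: a handler that trusts the sequential alert number from the link, beside two fixes, an ownership check on every lookup and an HMAC-signed reference in the emailed link so the number cannot be edited.  The alert store, the users alice and bob, the host alerts.example and SERVER_KEY are all invented for the demonstration.

```python
"""Sequential alert ids in an emailed link, and two ways to close the hole.

Added example; not Fiserv's code.  ALERTS, the users, alerts.example and
SERVER_KEY are all hypothetical.
"""
import base64
import hashlib
import hmac
import secrets

# Constructed alert store: event number -> owner and text.  Numbers are
# sequential, exactly as in the emailed links described above.
ALERTS = {
    1: {"owner": "alice", "text": "Balance below $500 in ****1234"},
    2: {"owner": "bob", "text": "Wire of $9,800 posted to ****9876"},
    3: {"owner": "alice", "text": "Login from a new device"},
}


class Forbidden(Exception):
    """Raised for any lookup the requesting user is not entitled to."""


# -- Vulnerable: https://alerts.example/view?id=2 and the handler trusts the id.
def view_alert_vulnerable(requesting_user: str, alert_id: int) -> str:
    # requesting_user comes from the login session but is never consulted, so
    # changing id=2 to id=1 in the browser shows someone else's alert (an IDOR).
    return ALERTS[alert_id]["text"]


# -- Fix 1: object-level authorization on every lookup.  The number may stay
#    sequential; what matters is that ownership is checked on the server.
def view_alert_checked(requesting_user: str, alert_id: int) -> str:
    alert = ALERTS.get(alert_id)
    if alert is None or alert["owner"] != requesting_user:
        # Same error for "no such alert" and "not yours": no oracle for valid ids.
        raise Forbidden("no such alert")
    return alert["text"]


# -- Fix 2: the emailed link carries an HMAC over (user, alert id), so the id
#    cannot be edited without the server key.  Fix 1 still applies underneath.
SERVER_KEY = secrets.token_bytes(32)   # per-deployment secret; rotate it, never derive it from data
TAG_LEN = hashlib.sha256().digest_size


def make_alert_token(user: str, alert_id: int, key: bytes = SERVER_KEY) -> str:
    payload = f"{user}:{alert_id}".encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode()


def alert_link(user: str, alert_id: int) -> str:
    return "https://alerts.example/view?t=" + make_alert_token(user, alert_id)


def view_alert_by_token(requesting_user: str, token: str, key: bytes = SERVER_KEY) -> str:
    try:
        raw = base64.urlsafe_b64decode(token)
    except ValueError:                          # binascii.Error is a ValueError
        raise Forbidden("bad token") from None
    if len(raw) <= TAG_LEN:
        raise Forbidden("bad token")
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise Forbidden("bad token")
    user, _, id_str = payload.decode().rpartition(":")
    if user != requesting_user:                 # link was issued to someone else
        raise Forbidden("bad token")
    return view_alert_checked(user, int(id_str))


def raises_forbidden(fn, *args) -> bool:
    """Helper for the demonstration: True if the call is refused."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    print("bob edits the id to 1:", view_alert_vulnerable("bob", 1))   # leaks alice's alert
    print("with ownership check, refused:", raises_forbidden(view_alert_checked, "bob", 1))
    print("alice's link:", alert_link("alice", 1))
    forged = make_alert_token("alice", 2, key=b"attacker guess")          # wrong key -> bad tag
    print("forged link refused:", raises_forbidden(view_alert_by_token, "alice", forged))
```

The first fix is the one that actually closes the hole; the signed link only stops the casual edit-the-number attack and must never replace the ownership check, because the attacker can still be a logged-in customer.  Returning the same error for a missing alert and a foreign one matters too: a distinct "not yours" response lets an attacker enumerate which numbers exist.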

After Krebs reached out to Fiserv (it is amazing what happens when you tell a company's PR department that you are going to tell a million people that their security sucks), Fiserv developed a patch within 24 hours.  They deployed it to their cloud customers that day and to their non-cloud customers that night.

So what does that mean for you?

First, Fiserv does get some brownie points because once Brian (Krebs) contacted them, they developed a patch basically instantly.  

On the other hand, they lose points because the search “report a security bug to Fiserv” returns a lot of hits on this problem, but nothing that tells you whom to contact, or how, if you find a security issue.

For your company, how would a security researcher or a user know how to report a security problem?

If it isn't very simple, fix that.  It can be as simple as a security contact on the Contact Us page, or a /.well-known/security.txt file (RFC 9116) that lists the address to use, and make sure someone actually reads that mailbox.

Next, when the finder reported it, why wasn't it escalated to the right group?  Is that a training problem?  How would it work in your company?  Train people: anyone who receives something that looks like a security report hands it to the incident response team.  Do not overthink it.  JUST REPORT IT.  This has shades of the DNC hack, where the FBI's warning calls to the help desk were never escalated.  We don't want people to overthink it.  Just give the incident response team whatever information you got and let them handle it from there.

Web sites will have bugs.  How you deal with them and how quickly is what can distinguish you from the next guy.

Source: Krebs on Security.


Australia Introduces Bill Requiring Tech Companies Worldwide to Include Encryption Back Doors in their Software

This could get interesting.  The Australian Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 would require tech companies to decrypt communications on request and even require them to build back doors into their software if they don't already have them.

Of course, like all governments (think GDPR), the bill does not stop at Australia's border and would, in theory, require companies worldwide to comply.  It is not clear what leverage Australia has against a company that has no legal entity in the country.

It is not clear how they would get Hamas or ISIS to obey their law.  So while the law, if enacted, would weaken protections for law-abiding citizens worldwide and would possibly allow them to intercept the communications of dumb terrorists, it will do nothing to protect us against smart terrorists, the ones we really need to be concerned about.

The bill defines a designated communications provider as any foreign or domestic communications provider, device manufacturer, component manufacturer, application provider, traditional carrier or carriage service provider.

That means that everything from your email to a physical device that supports encryption is up for grabs.

In explaining the bill the government mentions companies like Facebook, Instagram, Signal, Telegram and even web site logins.

The bill calls for three levels of hacking to be provided on demand:

  1. Technical assistance request – this one is voluntary.  If a company wants to, it can cooperate.
  2. Technical assistance notice – this one requires a company to decrypt things it already has the technical ability to decrypt.
  3. Technical capability notice – this one requires the company to build a new capability (a back door) into its product and somehow get the target to install the modified software.  However, the bill also says a notice cannot require building a “systemic weakness” into the product's encryption.  HUH?!

The first two are not a big deal.  The last one is a killer.

Australia’s Minister for Law Enforcement and Cyber Security said that this bill would allow law enforcement to access your data without compromising the security of the network.

The Minister did not want to go anywhere near the words encryption back door, but technically that is the only way to accomplish what they are asking for.  The Minister said that tech companies would be able to provide access without weakening security.  He didn't suggest how this is possible.  It is not.

He said that we are ensuring we don't break the encryption systems of the company, so we are only asking them to do what they are capable of doing.  Item 3 above tells companies to do what is not currently possible, so either he has not read the bill, doesn't understand the bill or is lying.  Take your pick.  The Minister of Magic is convinced that he can do that without breaking the encryption of the technology companies.

On the other side, the tech companies like Apple, Facebook and Google danced around the conversation giving it a wide berth.  They do have a challenge since they don’t want to appear to support terrorists while, at the same time, they know what the government is asking is impossible without compromising the security and privacy of their customers worldwide.  If they give this capability to Australia, what is their justification for not giving it to China or Russia or any other country that asks?

The Australian Prime Minister, Malcolm Turnbull said “The laws of mathematics are very commendable, but the only law that applies in Australia is the law of Australia.”  Apparently, he thinks the laws of physics are optional in his country.

Currently, this is only a bill, so who knows what will happen, but if passed, companies will need to make some very uncomfortable decisions.

Since Australia is a small market, one option for bold companies would be to block the use of their services by residents of that continent.  Remember that there are fewer people in Australia than in Canada, or even in just the state of Texas, and a little more than half the population of California.  That being said, businesses rarely like to turn away customers, even if it means violating their core principles, so it will be interesting to see what companies like Apple choose to do.

Information for this post came from CNet.

 


HIPAA Privacy Rules and High Tech Services

Health IT Security wrote an article beating up Amazon over its HIPAA compliance process.  The article was unfavorable, and also interesting.

The issue they are talking about was a medic-alert style bracelet that someone bought on Amazon.  After she bought it, the seller used a picture of it, with the lady's name, birth date and medical condition engraved on it, in an ad on Amazon.  The customer found out when her physician called her saying he had seen it.

When the buyer contacted Amazon, she was told they would investigate.  She later received an email from Amazon saying that they would not release the outcome of the investigation.

So the lady reached out to her local NBC TV affiliate.  It is amazing what a little bad PR can do.  The TV station contacted the Amazon vendor and they apologized and said they would fix the problem.  The TV station confirmed that the offending material was removed.

But this post is not about health jewelry.

It is to clear up a possible misunderstanding on the part of the average consumer.

While Amazon may yet get into HIPAA trouble somewhere else in its business, this incident is not a HIPAA issue.

For consumers that use apps and other tech products there is an important lesson here.

Amazon does *NOT* have a HIPAA problem.

In fact, as of today, Amazon’s web site does not need to be HIPAA compliant because they are neither a covered entity nor a business associate under the terms of HIPAA.  Covered entities include organizations like doctors, hospitals and insurance companies.  Business associates are companies that handle HIPAA type information on behalf of one or more covered entity.

That means that they have no HIPAA requirement to protect your personal information.

They *MAY* have a requirement to protect it under state law in your state, but they also may not.  This depends on the particular law in your state.  In this case they may be in more trouble for publishing her birth date (which may be covered under her state’s privacy law) than her medical condition.

It does mean that they have no requirement to protect your healthcare information under Federal law because other than HIPAA, which does not apply here, there is no Federal law requiring anyone to protect your healthcare information that I am aware of.

This also includes Apple, Google and any app that is available on either the Apple or Android stores.  Apple's and Google's employee health plans are likely covered entities (a group health plan is one), but that is completely separate from iPhones, Android phones and apps.

So, if one of those apps collects information from a hospital for you, for example, and makes it available to you, they can certainly use the diagnosis, for example, that you have diabetes to show you ads for diabetes medicine or supplies.

It is also possible (although I think this may be pretty dicey) that they could sell your healthcare data.  Depending on the state that you live in, healthcare data may not be protected AT ALL under the state's privacy laws.  This is likely because legislators are usually lawyers, and lawyers rarely understand tech, often don't understand privacy, and think that your healthcare data is protected under HIPAA.  It is, but only under certain circumstances.  The net effect is that it MAY BE perfectly legal to sell your health care information.

If anyone thinks differently, please post a reply and I will publish it.

Information for this post came from Health IT Security.

 


Security News Bites For Friday July 6, 2018

NSA Deleting All Call Detail Records (CDRs) Acquired Since 2015

While the NSA is not providing many details about what went wrong, it says it is deleting all call detail records acquired since 2015 because of “technical irregularities” that resulted in it receiving data it was not authorized to collect under the current law.  They have been accused of breaking the law many times, but this is one of the few times I can remember that they admitted to breaking the law.

Because, they say, it is infeasible to sort out the legal data from the illegal data, they are deleting lots of data.

Gizmodo, in a bit of editorializing, asked if the “technical irregularities” were related to the “programming errors” the FBI said caused it to wildly inflate the number of encrypted phones that they could not access in various criminal cases.

While admitting that they screwed up is important, what would be better would be to get it right as they hoover up all of this data.  (Source: Gizmodo)

3 Weeks Until NOT SECURE Starts Showing Up In Your Browser

I wrote about this a few months ago, but now it is going to happen, so it is worth a reminder.

For all of those web sites that said that HTTPS was not important, or a hassle, or cost money: as of July 23, 2018, Google Chrome (version 68) is going to flag every plain-HTTP site as NOT SECURE in the address bar, every time someone visits it.

While some visitors will ignore the warning, others will get freaked, especially if your site is not one that they visit often.

Now is the time – like in the next 21 days – to get a certificate (free from Let's Encrypt) and move your web site to HTTPS, with HTTP redirecting there.

By the way, Google has also said the warning gets more prominent later in the year: starting with Chrome 70, the “Not secure” label turns red as soon as a visitor types into a form on an HTTP page.  Not a great way to attract new visitors.  (Source: The Register)

Bank of England (BoE) Tells British Banks to be on a War Footing

Bank regulators in the UK have told financial service firms to come up with a detailed plan to restore services after a disruption and to invest in the staff and technology to do so.  Bank Boards and senior management should ASSUME that systems and processes that support the business will be disrupted and focus on backup plans, responses and recovery.

Lyndon Nelson, deputy chief executive of the Prudential Regulation Authority (the BoE's banking regulator), said that firms need to be on a “WAR footing: withstand, absorb, recover.”  This is something the Brits understand from World War II, but which the United States hasn't quite figured out.

In addition to cyber attacks, the BoE said that firms should be ready for disruptions caused by failed outsourcing and tech breakdowns.

As the U.S. relaxes its stress tests, the BoE said that it will stress test banks with “severe, but plausible” scenarios.  The BoE will set a time limit for recovery.

It looks like the UK regulators are way ahead of US regulators, but maybe we can learn from them.  (Source: Bloomberg)

US Firms Hit Another Hurdle in GDPR Compliance

Some people say – and no one has proved the contrary – that GDPR was designed to go after big U.S. firms, while dragging all the little ones along with it.

This week, in honor of July 4th (not really), the European Parliament voted in favor of a resolution saying that if the U.S. does not fulfill its obligations under Privacy Shield (the successor to Safe Harbor, which the EU's top court struck down in 2015) by September 1 of this year, the European Commission should suspend the deal.  This is in addition to the challenges to Privacy Shield currently working through the EU court system.

Taken together, U.S. firms doing business in Europe AND transferring data between the E.U. and the U.S. should be rightfully worried.

Some of the obligations that the U.S. is behind on include filling vacant posts on the Privacy and Civil Liberties Oversight Board, which has been basically dormant under the current administration, the lack of a permanent ombudsman, the impact of the President's executive orders on immigration, the re-authorization of Section 702 of the Foreign Intelligence Surveillance Act, and a number of others.

The current relationship between our president and the EU doesn’t help things.

This could turn into a standoff, or, in the worst case scenario, the E.U. could shut off the data spigot for U.S. companies to legally move data from the E.U. to the U.S. for processing, storage and analysis.  While large companies may (repeat MAY) be able to deal with this, smaller companies will be greatly challenged and some may have to abandon the European market to E.U. based businesses, something that would make a lot of E.U. businesses very happy.

Stay tuned!  (Source: The Register)

 
