Tag Archives: GDPR

News Bites for Friday June 1

8 new Spectre-Class Vulnerabilities

Researchers have reportedly found *8* new Spectre-class vulnerabilities. Intel has classified 4 of them as high risk and 4 as medium risk, although it is not releasing any details on them – yet. The entire set is being referred to as Spectre Next Generation, or Spectre-NG. At least one of them is rumored to be able to capture data, such as passwords, from other virtual machines running on the same computer – as would be the case in Microsoft Azure, Google Compute or Amazon EC2.

Supposedly Intel is planning on releasing some patches this month and some more in August.  Until then and until we get more information, it is a bit of a black hole.

As we saw with the earlier Spectre vulnerabilities, some chips could be patched while others could not.  That is likely the case here.

We also saw that the old Spectre vulnerabilities were hard to exploit. Apparently, at least one of these new vulnerabilities is relatively easy to exploit. Combine that with the suspicion that some chips may not be fixable... not good.

It is rumored that at least some of these flaws affect ARM chips as well; it is unknown if they affect AMD chips, which have their own set of flaws not affecting Intel.

Ultimately, this should have been expected. As chip makers pushed harder and harder to make their chips faster – faster than the previous generation and faster than their competitors – they took calculated risks. Now those risks are coming back to haunt them (Source: The Hacker News).

The General Data Protection Regulation (GDPR)

The GDPR went into effect in the EU on Friday and it is likely to have an effect not only on EU residents but also on people around the world. It significantly increases residents' control over their information and how it is used.

The United States has a completely different view on the subject; specifically, businesses can pretty much do whatever they want with information that they collect about you and me.  Check out Facebook or Google if you have any questions about that.

Other countries such as Japan, South Korea, Brazil, Thailand, Bermuda and others seem to be lining up with the EU’s way of thinking because doing that allows for a more seamless transfer of information between the EU and those countries and that translates to more business.

The U.S. has negotiated an agreement with the EU called Privacy Shield, which was negotiated after the last agreement, Safe Harbor, was shot down by the EU's High Court. Privacy Shield is now in front of the High Court and no one knows what that outcome will be.

With Friday’s law in place, a number of U.S. media companies like the LA Times and Chicago Tribune have blocked EU users from accessing their web sites rather than become compliant.  Not sure that is a great strategy, but maybe.  That strategy is especially suspect if more countries adopt EU-like laws.  If they do then companies that are not compliant may be limited to being visible in the United States.  That also means reduced business opportunities for those companies.

Literally, as soon as the law came into effect, complaints were filed in multiple countries against large U.S. companies like Facebook.  Stay tuned for the outcome of those complaints.  Like the Chinese proverb says: may you live in interesting times.  This qualifies (Source: Reuters).

Vermont Data Broker Regulation Now In Effect

Until now, data brokers like Acxiom (yes, you have never heard of them, and that is not a coincidence) have collected and aggregated data from hundreds of sources and generated thousands of data points per person. They know that you bought some particular medicine last week and infer what the disease is. That isn't covered under HIPAA because they have not talked to your doctor. They create their own variant of a credit score, but since it is not actually a credit score, it isn't regulated.

Well as of last week, Vermont has become the first state in the country to regulate data brokers.  Hardly the end of the road for brokers, but, at least, there are now some security requirements for these folks.

Now they will have to meet security requirements, control access to the data and report breaches. And using their data for fraud is now a crime on its own. Will other states follow? Who knows; stay tuned (Source: Tech Crunch).

Blockchain Will Solve All Known Problems – As Soon As They Perfect The Software

From the title of this item, you can probably figure out where I stand on the Blockchain mania.

Chinese hackers have discovered a flaw in the EOS (blockchain) Smart Contract software that allows them to execute arbitrary code on the EOS nodes, from there to control an EOS supernode that manages other nodes, and from there to control those other nodes. Ultimately, that could completely compromise the integrity of the blockchain.

Other than that, it is perfect.

This is not a flaw in the cryptography.  Only a flaw in the software.  Kind of like forging your signature on a paper contract, only in that case, they can’t forge it from, say, China.  In this case, they can.

So as people drool in bliss over blockchain, remember that the blockchain is not loops of steel chain, but rather software and as soon as any piece of software exceeds about 2 lines of code, it is likely to have bugs in it.

It will likely be 10-20 years before there is sufficient case law to figure out who is liable for the software bugs, but you can count on one party claiming it is not them, and that is the software developers. The law still, pretty much, thinks you draw up contracts with a quill pen and an ink well, so don't count on much help from the law if you wind up in the middle of a fraudulent smart contract.

Oxnard Investigating Data Breach

The city of Oxnard is investigating a breach of credit card information used by customers to pay their water bill.  The breach was caused by multiple vulnerabilities in their vendor’s (Superion) software which allowed bad guys to steal credit cards.  The breach started on Saturday and lasted until Tuesday.  As breaches go, that is an amazingly fast detection to remediation cycle (Source: VC Star).

President’s Executive Order on Cyber Security Produces Results

One year ago, in May 2017, the President signed an Executive Order on cyber security. One year later we have the results of that EO. The Office of Management and Budget released a report that says that 71 of 96 federal agencies participating in the assessment were either at risk or at high risk due to the use of old technology and the lack of competent cyber security help. I feel more secure already (/End Sarcasm). Only 25 agencies were found to be effectively managing risk.

Obviously, it is a hard problem to fix, but generating another report really doesn’t help the problem much.

Only 40% of the participating agencies were able to detect whether their data was being stolen.

After a year’s worth of work and who knows how many millions of tax dollars, at least from what was released, I do not see a Plan of Action with Milestones.  That is the hard part, that is what is required and that is what is missing.  Another agency kills a few more trees and likely nothing changes.  We will see if that is true, but from this report, I don’t see anything changing (Source: Federal Computer Weekly).  Unfortunately for you and me.


News Bites for Friday May 25, 2018

FCC Investigates Securus

Now that LocationSmart, whose data was used illegally by a sheriff to track other law enforcement officers and which was then hacked, is out of the closet, its somewhat shady but possibly completely legal business practices are no longer in the shadows and the FCC has begun an investigation. We shall see if the FCC does anything – stay tuned. LocationSmart says it is working to verify that its data was always used with people's consent. If it was, I bet the consent was pretty subtle (Source: Ars Technica).

Comcast/Xfinity Web Site Leaks Customer Info

A bug in Comcast's Xfinity web site that customers use to set up their Internet connection leaks the customer's address and WiFi network name and password, which, apparently, Comcast stores unencrypted. All it takes is the account number and the house number of the street address. If the customer is providing his own router, then Comcast does not know that information and would not be able to leak it. The "bug" returns the user's address and password, among other info, even if the service has previously been activated. Comcast says that there is nothing more important than their customers' security; they removed the feature from their web site after they were told about it (Source: ZDNet).
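The design flaw in that story is a lookup that treats two values printed on a paper bill (account number and house number) as if they were authentication, and then hands back the whole record. The following is an added illustration, not Comcast's code or any real API: it places that vulnerable pattern beside a hardened version that requires a real login, binds the session to the account, stops serving activation data once the service is activated, and never includes the WiFi password in a response. All account records, credentials, function names and session handling are constructed for the example.

```python
# Added illustration (not Comcast's code): public identifiers used as
# "authentication" beside a hardened lookup. All data below is constructed.
import hashlib
import hmac
import secrets

# Constructed provisioning records, modelled on the fields the article says leaked.
ACCOUNTS = {
    "8675309": {"house_number": "42", "street": "Example Street",
                "wifi_ssid": "HOME-42", "wifi_password": "correct horse battery staple",
                "activated": True},
    "5551234": {"house_number": "7", "street": "Sample Avenue",
                "wifi_ssid": "HOME-7", "wifi_password": "another-constructed-secret",
                "activated": False},
}


def lookup_vulnerable(account_number, house_number):
    """The flawed pattern: both inputs appear on a bill or a mailbox, so matching
    them proves nothing about who is asking. The record is returned whole
    (password included) whether or not service was already activated, which is
    the behaviour the article describes."""
    acct = ACCOUNTS.get(account_number)
    if acct is None or acct["house_number"] != house_number:
        return None
    return dict(acct)


# ---- Hardened form -------------------------------------------------------

_SALT = b"constructed-static-salt"  # a real system uses a per-user random salt


def _hash_password(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


# Constructed portal credentials: the customer's real login, not data off a bill.
CREDENTIALS = {
    "8675309": _hash_password("portal-login-8675309"),
    "5551234": _hash_password("portal-login-5551234"),
}
SESSIONS = {}  # session token -> account number it was issued for


def login(account_number, password):
    """Issue an unguessable session token only after verifying the real login.
    compare_digest keeps the comparison constant-time."""
    expected = CREDENTIALS.get(account_number)
    if expected is None or not hmac.compare_digest(expected, _hash_password(password)):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = account_number
    return token


def lookup_hardened(token, account_number):
    """Three checks the vulnerable version lacks:
    1. the caller holds a session token bound to *this* account;
    2. activation data is no longer served once activation is complete;
    3. the WiFi password is never part of the response (a reset flow can
       replace it, but the portal has no reason to display it)."""
    if SESSIONS.get(token) != account_number:
        return None
    acct = ACCOUNTS[account_number]
    if acct["activated"]:
        return {"status": "already-activated"}
    return {"street": acct["street"], "wifi_ssid": acct["wifi_ssid"]}


if __name__ == "__main__":
    print(lookup_vulnerable("8675309", "42"))  # whole record, password included
    tok = login("5551234", "portal-login-5551234")
    print(lookup_hardened(tok, "5551234"))     # address and SSID only
    print(lookup_hardened(tok, "8675309"))     # None: token is bound to a different account
```

The point of the hardened version is not the password hashing detail but the shape of the contract: the identifiers a customer can be expected to know are inputs to a lookup only after an authenticated session has already established who is asking, and the response carries the minimum the activation step needs. Storing the WiFi password encrypted at rest would not have fixed the reported bug, because the endpoint decrypted and returned it on request; the fix is to stop returning it at all.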

Apple Allows Users To See Their Own Data on Eve of GDPR

Two days before the law forced them to, Apple debuted a new web site called PRIVACY.APPLE.COM. Right now it only works where they have to do it or face a fine of up to $9 billion. That is a pretty good motivator. Apple says it will be available later in other places. Among the data that you will be able to see is:

  • App Store, iTunes Store, iBook Store, and Apple Music activity
  • Apple ID account and device information
  • Apple online store and retail store activity
  • AppleCare support history, repair requests, and more
  • Game Center activity
  • iCloud bookmarks and Reading List
  • iCloud Calendars and Reminders
  • iCloud Contacts
  • iCloud Notes
  • Maps Report an Issue
  • Marketing subscriptions, downloads and other activity
  • Other data

Source: Cult of Mac

Chinese Hackers Find Over a Dozen Bugs in BMW Cars

Chinese security researchers have disclosed 14 vulnerabilities in a host of BMW vehicles including the 3 series, 5 series, 7 series, i series and X series.

4 flaws require physical access; another 4 can be exploited with indirect physical access. Some of them can be exploited remotely via the entertainment system or the telematics system, while others exist in the head unit.

Some of the bugs can be patched “over the air”, but others require the owner to bring the car into the dealer to fix.

One thought. Given these researchers work for the Chinese government, how many vulnerabilities did they find and not tell us about? That is not a far-fetched scenario (Source: The Hacker News).


EU’s GDPR May Cause Challenges For Businesses

According to a survey conducted by storage software vendor Veritas, 2 in 5 or 40% of what the EU calls "data subjects" (and what the rest of us call people) plan to request businesses to tell them what data they have within the first six months after the GDPR goes into effect later this month.

Even if the 40% turns out to be 10%, that is going to be an amazing hardship for businesses.

Under GDPR, businesses have about 30 days to provide that information.  They need to figure out which John Smith is requesting the data, on what systems (local, in the cloud and with vendors) they have that person’s data, collect and format that data in a manner that is consistent with the GDPR requirements and deliver it.  All within less than 30 days.

Which companies have to deal with GDPR?

In general, companies that collect data on EU people – customers or just people who visit their website.

Different companies face different risks.  The companies at the highest risk are those located in Europe.  Those are followed by ones that have operations (business units) in Europe.  At the lowest risk are companies based in the U.S. who may interact with a few EU data subjects.

Other responses from the survey include:

  • 56% plan to approach financial firms with data privacy requests
  • 48% plan to approach social media firms
  • 46% plan to approach retailers
  • 24% plan to approach employers and
  • 21% plan to approach healthcare providers
  • 65% of those who plan to contact these businesses will ask for access to the data those companies have
  • 71% of those who contact businesses will ask them to delete the data

Information for this post came from Computing.co.uk.

Based on that, what should you do?

First, if you live in the US, this doesn't apply to you unless a company chooses to extend those rights to you voluntarily.

BUT, if you are a business and you have customers in the EU or have a division in the EU, and you have not already started working on complying with the rules, you likely will not be able to comply by the May 25th deadline.

What we don’t know is what the EU regulators plan to do.

Given there are tens of millions (or more) of businesses, the odds of any one business getting zapped are low.

UNLESS someone or more than one complains about you to the regulator.

And we don’t know how many resources each regulator plans to allocate to this process.

It will certainly be interesting to watch.  Unless you are the one that the regulator picks on.



None Of Your Business

Max Schrems – the same Max Schrems that battled Facebook and won and the same Max Schrems that got the Court of Justice of the European Union to strike down Safe Harbor – that Max Schrems – has a new mission.

The General Data Protection Regulation, the new privacy law that takes effect in the European Union next May, allows for “Group Actions” – kind of, sort of, like class actions.  Max’s new organization – NOYB for None of Your Business, plans to take on companies that are not following the GDPR law and make their life miserable.  Ask Facebook.  He is very tenacious.

His plan is to raise a half million Euros between now and May and then go on the attack.

GDPR allows for people to sue, but it is complicated and expensive.  What if an NGO existed solely for the purpose of collecting these people, aggregating their claims and going after the offenders?  It now exists and it is called NOYB.

Schrems has been pretty successful in the past, so I would not underestimate him.

If I were a company operating in the EU, I would definitely keep Schrems and NOYB on my radar screen.

In the meantime I would be working very hard to be in compliance with the regulations.

May 2018 is only 6 months away and the requirements of the GDPR may mean that you have to change data collection, data processing, data storage and data transmission practices as well as hiring a data protection officer.  Those are only some things that are required.

Stay tuned.  If history is any indication, Max could be trouble.

Information for this post came from the IAPP.


New EU Privacy Law Could Bankrupt Your Company

The European Union has passed a new privacy law called the General Data Protection Regulation and it goes into effect in May of 2018.

For companies that do not do business or have customers in Europe, this regulation may not affect you. However, if you have customers in Europe, even if you do not have offices in Europe, you are still bound by the regulation.

There are a number of things about the regulation that are very different from the way U.S. companies treat your data and mine.

What is unclear is whether multi-national companies will operate differently in different countries.

For example under GDPR, a company has to get express permission to collect, store, use and transfer data that they have about you.  Will Facebook, for example, have a different user agreement for customers in Europe than in the United States?  This is still unclear, but given their appetite for stealing our data, it would not surprise me if they did treat the two groups of users differently.

On the other hand, for smaller companies who do not make a lot of money from your data, it may be easier to treat everyone uniformly.

Other requirements of the regulation include –

  • Companies must report breaches within 72 hours of becoming aware of them. In the U.S., things are much looser. You must report breaches sorta, kinda, reasonably quickly. In many states what that means is undefined. In other states it might be 30 to 90 days. It is not 72 hours in any state for a general business. Effective January 1, 2018, defense contractors will have to report breaches to the DoD within 72 hours, and financial institutions in New York will have the same reporting requirement with a bunch of exceptions, but those two groups represent a tiny percentage of the total population of businesses.
  • The definition of personal data is way broader than any definition in the U.S. For example, the Internet address (IP address) you are using is considered personal data. So is your genetic data.
  • Probably the biggest change is the potential fines.  The EU could fine a company up to 20 million Euros or 4 percent of their annual global revenue, WHICHEVER IS GREATER.  For a large company, that could be billions of dollars.  For a small company, the fine alone could bankrupt the company.

In addition, there are a number of other conditions that the law requires.

There are plenty of businesses in the United States that have European customers and many of them will be totally unprepared for the changes that come about in less than a year.

Obviously, the place for all businesses to start is to inventory what data the company collects, where it is stored, what it is used for, how long it is kept and who it is shared with.  That, by itself, is a huge challenge for most businesses.  This does not just apply to “corporate”.  If some department collects data and doesn’t have the proper consent, the company could be fined.  If that department shares the data with a third party and that was not disclosed, again the company could be fined.

This would include data that is stored on laptops, in the cloud and on home PCs.  Most companies will not be able to figure that part out.

If you share data with a third party – a vendor or supplier, you have to be able to prove that they are following the rules as well.

For British citizens, even though Great Britain is leaving the E.U., the government says that they are going to implement the same law.

For businesses that are subject to this law and who have not already started planning for this, there is not a lot of time to get caught up.  There is a lot of work to be done.

Information for this post came from the BBC.


Banks and Consumers Differ on How Secure Their Data Is

According to a study by the mega-consulting firm Capgemini, only 21% of banking and insurance executives were highly confident in their ability to detect a breach, never mind defend against one. On the other hand, 83% of consumers trust their bank's and insurance company's ability to protect their data. So 4 out of 5 consumers think their bank has security handled, but only 1 out of 5 bank executives think their own institution does.

One out of four banks say that they have been hacked but only 3 percent of consumers think their bank has been hacked.  That is a pretty big gap.

In Europe, the general data protection regulation (GDPR) goes into effect next year.  At that point, banks will have 72 hours to disclose any breach.  That might change perception dramatically.

Almost half of consumers won’t use the online services that banks and insurance companies offer due to security fears.

Almost three-quarters of consumers would switch banks in the event of a data breach.

While reality might differ from how these people answered the survey, the fact that 47% of consumers say they won’t use low cost (to the banks and insurance companies) online services and 74% of them say they would switch providers if there was a breach should be a concern to service providers.

At least in Europe, service providers will soon have a lot less leeway to sweep breaches under the rug.  That means that they might want to consider “upping” their ability to both detect and defend from cyber attacks.

For U.S. entities, while they may not have the same “force of law” that GDPR will provide, at least some hackers seem to enjoy “outing” companies whom they have breached.  Sometimes that is preceded by attempting to extort money from the companies that they have breached, but sometimes the hackers are on a mission and just want to hurt the companies – that is the motivation for the hack in the first place.

U.S. entities that think that the soon to be in force GDPR regulations won't affect them may be wrong. According to the regulation, any bank (or other business) world wide that does business in the E.U. falls under this regulation. That means that a U.S. based bank, for example, that has a branch in Munich or Paris, would need to disclose any breach within 72 hours.

At least for multinationals, the bar regarding cyber security is going to be raised next year.  A lot!

Under GDPR, the worst case maximum fine a company could face is 4% of their annual global turnover (AKA global revenue) or 20,000,000 Euros, WHICHEVER IS GREATER. That should be a strong incentive for anyone who falls under the rule of GDPR. Let's say that the authorities want to be nice and only fine a company 1% of their global revenue (remember this is revenue, not profit) or maybe 1,000,000 Euros. Sounds like a bargain, huh?

Given that most institutions have a long way to go to truly secure their enterprises, now would be a jolly good time to start that project. May 2018, when GDPR goes into effect, is only 15 months away.

Information for this post came from Info Security Magazine.

