Tag Archives: GDPR

News Bites for the Week Ending October 19, 2018

Austria Issues First GDPR Fine; Has 115 Fine Proceeding In Q

Austria has issued its first GDPR fine.  4,800 Euros for having a security camera that covers the sidewalk (a no-no) without warning people that they are under surveillance.  Welcome to GDPR.  In the first 100 days of GDPR,  they have 115 fine proceedings in the works.  They also have 58 investigations in process.  Austria’s data protection authority has been notified of 252 breaches and have 721 complaints from data subjects.  Consider also that Austria is a small country.  This is all likely to ramp up over time.  Source: Lexology

Voter Records for 19 States Sold On Hacker Forum

It is a good thing that the Russians and Chinese and everyone else are not interfering with our elections.  It is probably, then, just a vanilla crook who is selling this voter data.  The data, including name, address, phone number, voting history and other information is public in some states and sold by the states themselves in some others. Other states do not release this data.

Being an entrepreneur, the hacker is selling the data for different states for different prices.  Georgia, for example, is $250 while New Mexico is $4,000.  Why?  I have no clue.

The estimate is that the aggregate data is around 35 million records. Source” ZDNet.

Google: Don’t Get Mad, Get Even

Google got hit with a $5 billion fine for forcing EU phone makers to bundle Google apps with Android phones they sell.  Google said that this was an exchange for giving away Android for free.

Since they can no longer do that, they are now going to CHARGE only EU phone makers if they choose to bundle Google apps like the Play Store and Chrome.  Phone makers will have to pay another fee if they want to include apps like Google Maps and Youtube.

This fee is independent of where the phone is made; rather it is tied to where the phone is sold.  It is unclear if users can download those apps themselves if their phone maker chooses not to include those apps.  Of course, if the phone maker does not include the Google Play Store app, it is not clear, exactly, how a user would download those other apps.   Source: Bleeping Computer.

Is Open Source Software More Secure  ?

One of the ongoing conversations in IT circles is the question about whether open source software is more secure than commercial software.

The theory that it is more secure is based on the fact that anyone can look at the software.  It doesn’t mean that anyone has looked or if they have looked that they have found bugs or security holes, but it is technically possible to look.

This week we had 3 separate announcements of very popular open source software with security holes.  While it is a good thing that patches were developed, it means that you as a user are responsible for watching to see if any software that you are using has a patch and deploying it.

In addition, you are also responsible for, somehow, figuring out if any software that you use incorporates that buggy software under the cover.  If that other software is also open source, you are on the hook for that too.  Whether or not anyone has recompiled that software with the new patched version of the underlying software that was released.

The three buggy products are:

  • A four year old bug in libSSH, a library that provides a supposedly secure way to log in to servers and that was classified as SEVERE was patched.  See details here.
  • A critical flaw was patched in the library used by the open source video player VLC (the library is called Live555) and other open source software to stream audio and video.  The bug allows an attacker to execute arbitrary code on your computer.
  • Lastly, a flaw was patched in Amazon’s free IoT operating system called FreeRTOS.  13 bugs were patched that allowed both arbitrary code execution and denial of service attacks. See details here.

So, based on that, my opinion is that open source software is no more secure than commercial software, but the onus is on you to watch out for patches and hope that developers that used that buggy software under the covers patched their software too.

Facebooktwitterredditlinkedinmailby feather

Facebook Hack Compromises 50 Million

Ancient Chinese Proverb: May You Live In Interesting Times.

Well welcome to interesting times.

Today, Facebook said that the accounts of 50 million users were compromised.

The hackers compromised the security “tokens” that Facebook uses to authenticate users and not the passwords themselves.  Facebook revoked those users “tokens” to stop them from continuing to be used.

Later in the day Facebook said that they revoked another 40 million user’s tokens because they might have been compromised.

Finally, to put a cherry on top of things, Facebook admitted that any site that you log into with your Facebook ID may have been compromised too.

So now not only does Facebook have to investigate, but so do sites like Tinder, Instagram, Spotify, AirBnB and thousands of other sites.

Here is why this is interesting.

Hacks are old school. YAWN!

This is the first mega hack after the effective date of GDPR.  Sure British Airways lost 380,000 credit cards, but this is 50-90 million users just on Facebook alone.  We DO NOT KNOW if other sites were affected that share logins, but if they do, this could affect dozens to hundreds of companies and hundreds of millions of accounts.  All of them COULD be fined under GDPR.  If that happens, they will likely sue Facebook.  Of course Facebook’s software license agreement with other sites like Tinder and Spotify probably says that they use the software at their own risk, but the courts MAY rule that this is negligence and not covered by that disclaimer.  If such a disclaimer exists.  Would companies like Spotify and AirBnB actually agree to terms like that?  Maybe.  That is why this is such an interesting day.  BTW,  my token was apparently hacked as login was revoked.  So was Zuck’s.  Karma. 🙂

Remember that fines could go (but likely would not go) as high as 4% of Facebook’s global revenue.

Facebook is already talking to Helen Dixon.  Helen is Ireland’s Data Protection Commissioner and in a large sense, Facebook’s destiny in this breach – and their wallet – is in Helen’s hands.  I would say, right now, her hands are full.

So what should you do?

Depends on your level of paranoia. 

First, I would change my Facebook password and the password on any other sites that use the same password.  Since we do not THINK that passwords were taken but rather tokens, this is a precaution.

Second, enable two factor authentication.  Facebook’s two factor process is really simple.  When you log in you get a pop up on your phone asking if it is you.  If you click yes, you are logged in.

Third – and this is the most painful one – those sites that you log into with your Facebook userid and password – create a local account.  I know.  It is a pain in the ….. but so is having multiple accounts compromised.  Even if they figure out in this case that didn’t happen, what about next time?  Security. Convenience.  Pick one and only one.

Information for this post came from Business Insider.

Facebooktwitterredditlinkedinmailby feather

Security News Bites for the Week Ending Sep 7, 2018

China Using Fake Linkedin Profiles to Recruit Americans as Spies

US intelligence officials are warning LinkedIn users that China is being “super aggressive” at recruiting Americans with access to government and commeACrcial secrets.

The Chinese are creating fake LinkedIn profiles, friending people and trolling to see if they would be valuable if flipped or conned out of information.  The Brits and Germans are seeing similar activity.

Intelligence officials are asking LinkedIn to be more aggressive at terminating offending accounts.  Twitter has recently cancelled 70 million accounts.

LinkedIn users should be on alert.  Source: The Hill .

Firefox Ups the Advertising War in Version 63

Many web sites that we visit have dozens of trackers on them.  For example, the Wall Street Journal, has 46 of them on its homepage alone (see below).

All of these trackers increase page download time and since each one of these tracker websites needs to be individually contacted and fed information to track us, it increases the time to load a page and the amount of data that we use.  While individually, the numbers may be small, if you look at, say, 100 pages in a day and every one of them calls 46 trackers (many don’t), that would be like visiting 4,700 web pages a day, just to read 100.

Firefox, which is owned by the non-profit Mozilla Foundation, unlike Chrome (Google) and Internet Explorer/Edge (Microsoft), doesn’t care much about offending advertisers.

For years now browsers have supported a user specified DO NOT TRACK flag and web sites have, pretty much uniformly, ignored the flag and tracked us any way.

Come version 63 of Firefox a new feature will be tested and in version 65 it will become the default.

The feature will block trackers by default.  Users will be able to turn the feature off and also unblock one site at a time.

uBlock and uBlock Origin are among the products out there that do similar things, although advertisers can, I think, pay them to get on their “not blocked” list.  The difference here is that it is built in, TURNED ON BY DEFAULT – you do not need to buy or install anything.

The ad war just ratcheted up a bit.  Source:  The Register.

Google Buys Offline Transaction Data from Mastercard

Bloomberg says that Google signed an agreement with Mastercard (and likely other credit card companies) that give them some access to offline purchases.  Both Google and Mastercard say that they don’t know what items you bought, only where, when and how much you spent.  They are using this data to give advertisers confidence that their online ads are working based on showing you an ad and then you go spend money in the advertiser’s store.  They also are buying loyalty card data with a different program and that could provide much more detailed data including exactly what you bought.  Both companies are being tight lipped about exactly how the program works, so we don’t know precisely what data Mastercard is sharing or how many millions Google paid to get that data.  Source: Tech Crunch.

Ten Fold Increase in Security Breach (Reporting) Since GDPR

British law firm Fieldfisher is reporting that prior to GDPR they were dealing with around 3 breach cases a  month and post GDPR they are dealing with one case every day.

This is likely not due to hackers upping their game, but rather companies that would have previously swept a breach under the rug are now reporting it, fearing that 20 million Euro sword aimed at their head if they don’t report and get outed.  That outing could be from an employee who disagrees with the idea of keeping a breach secret.

The breaches that Fieldfisher is seeing are both small, technical breaches and larger breaches similar to the British Airways breach this week that compromised 300,000+ credit cards. Source: Computing.

Data on 130 Million Chinese Hotel Guests for Sale on Dark Web

Data on guests of the Chinese hotel chain Hauzhu (3800 hotels) is available on the dark web for around $50k (8 bitcoin).  The data – 240 million records – includes everything from name, address, phone, email to passports, identity cards and  bank account information.  Make sure you have a good Internet connection if you buy it – the data is about 140 gigabytes in size.  While the Chinese are trying to shut down all forms of cryptocurrency since they can’t control it, that doesn’t stop foreigners from buying the data.  Source: Next Web.

Facebooktwitterredditlinkedinmailby feather

Security News for the Week Ending Friday August 10, 2018

Lack of Vendor Cyber Risk Management Hurts over 750 Banks

TCM Bank, a company that helps hundreds of small banks issue credit cards had a problem with their third party vendor – the bank’s fourth party vendor risk.

The small bank wants to issue credit cards so they hire TCM and TCM hires someone else and that company leaked the bank’s customer data.

TCM said less than 25% of applicants had their data compromised – fewer than 10,000 consumers.  That, I gather, is supposed to make us feel better, but somehow, it doesn’t.

The small community bank, who has the least security expertise is liable for the fourth party breach.  The Feds – the FFIEC or the OCC or the FDIC plus the state regulators will be asking lots of embarrassing questions.  Those banks, who likely do not have a good vendor cyber risk management program, will be left holding the bag.

Many companies have a fourth party vendor cyber risk management problem.  Most are completely unaware.  Source: Krebs on Security

It is Amazing What a Potential 20 Million Euro Fine Will Do

In the UK alone, there were about 400 breaches reported to the ICO (information commissioner’s office) in March and another 400 in April.  In May, the month that GDPR came into effect at the end of the month, there were 750 breaches reported.  In June, the first full month that GDPR was in effect, there were 1,750 breaches reported.

It is unlikely that hackers decided to become more active in alignment with GDPR, so what is likely is that the threat of a massive fine is causing people to report breaches.  We shall have to see what the trend looks like and what happens in other countries.  Source: Bankinfo Security

The Pentagon is Creating a “Do Not Buy” List

The Pentagon’s Acquisition Chief admitted last week that the Pentagon is creating a secret Do Not Buy list of companies known to use Russian and Chinese software in their products.

The Pentagon plans to work with defense industry trade associations to effectively blacklist those companies.

The new Defense Authorization bill also requires companies to tell if they have less the Ruskies or Chinese look at their source code.  Source: Bleeping Computer.

 

Some Samsung Phones Sending Random Pictures To Random Contacts

Reports started surfacing last month about some Samsung phones sending one or more pictures to contacts in the user’s contact list without the user even being involved.  In one reported case the user’s entire gallery was sent.

Given that many people have at least some adult pictures on their phone, if this is really happening, the results could be dicey to say the least.

In addition, if you have any pictures with business proprietary information – say a snap of a white board from a meeting – that could be a problem too.

Samsung said they are aware of it.

T-Mobile, the carrier in at least some of the cases, in a perfect example of taking care of their customers said “It’s not a T-Mobile issue” and told people to talk to Samsung.  Note to self – even though T-Mobile may be less expensive, a great customer focused attitude like that goes a long way to kill that value.

Luckily it seems to be happening on new phones which, if Samsung can figure out what is happening, they may be able to develop a patch and those patches would likely be available to the users of the new phones.  If this is happening on older phones, users may just be out of luck, since most vendors don’t provide any patches for phones older than about 2 years. This assumes that the users bother to install the patches that are available, which is probably less than a 50/50 bet.  Source: Gizmodo.

More Problems for Huawei

While US Gov Tries to Ban Huawei Devices, the UK Gov only said it was “disappointed” at the lack of progress Huawei has made in improving security.  Curiously, this is the fourth report over the last 8 years that the UK government has issued and the first three said that any risks had been mitigated.  The reason for the change of heart is unknown.

In the meantime, Australia is considering banning Huawei gear, like the U.S. is doing.

One of Britain’s concerns is that Huawei is using third party software – in this case the operating system the gear runs on – that will no longer be supported in two years.  Given the normal lifespan of telecom equipment, that is a major problem.

Hauwei said that there were “some areas for improvement”.

Given the concerns over Chinese government influence and possible backdooring of Hauwei equipment, it seems like it would just be a better idea to find another vendor.  Source: BBC .

 

Facebooktwitterredditlinkedinmailby feather

Complying with GDPR and California’s CCPA – Step 3

For those companies who have customers in California – independent of where the company is located – or are doing business in Europe, you have new privacy regulations to deal with.  While California’s law doesn’t go into effect for another 16 months and it is possible that there will be changes to the law before it goes into effect, it is important to start getting ready for the law because complying with all of the requirements will take a significant effort.  For businesses operating in Europe, you should already be compliant with GDPR.

Step 1 was to create a vendor data inventory (see article here).

Step 2 was to create a vendor cyber risk management program (see article here).

Now, here is step 3.

Step 3 – Map the flow of data between systems and between vendors.

Both CCPA and GDPR have requirement to delete data, stop processing data and provide a copy of data that you have, in a machine readable format if possible, if the user requests it.

You have to do this quickly and you have to track and document what you have done.

If you do not know what data you have, who you share it with and all of the places it may be stored, you are unlikely to be able to comply with these laws and you could wind up getting sued.

Where it is stored, for example, could include on web servers, on internal servers, on workstations and at cloud service providers.

Building and maintaining a map will assist in designing the process of complying with those requests when we get to those steps.

If you need assistance with this, please contact us.

Facebooktwitterredditlinkedinmailby feather

Complying with GDPR and California’s CCPA – Step 2

Last week I started a series on steps to comply with both the E.U.’s General Data Protection Regulation or GDPR and California’s new privacy law, the California Consumer Protection Act or CCPA.  To find Step 1, go to this post: https://mtanenbaum.us/complying-with-gdpr-and-californias-new-privacy-law-ccpa-step-1/  .

This week, on to Step 2 – CREATE A VENDOR CYBER RISK MANAGEMENT PROGRAM .

Some companies have a vendor risk management program.  For the most part, these programs focus on compliance – is the vendor appropriately licensed?  Do they have liability insurance?  Possibly, depending on your industry, are they on any of the Treasury Department’s terrorist watch lists?

None of this deals with cyber risk.  That requires a completely different set of questions and a completely new process.

The process starts with the VDI list created in step 1.

Using that list, you can then rank each vendor as to the cyber risk that vendor represents to the company.    The ranking can be simple – red, yellow, green or high, medium and low.

Now that you have the vendors sorted, you need to review the vendors based on that risk ranking.  Start with the high risk vendors.  For most companies, that alone will be a significant task.  Create questionnaires; send them out; review the results.   Some vendors will have certifications like our Business Cybersecurity Certification or the SSAE 18.  Those need to be reviewed.  For SSAE 16 and 18 certifications, you need to look for what areas of the business they excluded, although it may be a shorter list to see what areas they included.  You will likely need to follow up with vendors to get your answers back.

For some high risk vendors you may want to conduct a site visit, especially if they are critical to your business.

Once you have done that, you need to work with the vendors to remediate any deficiencies.  You need to set up a system to track each vendor’s progress or, possibly, lack of progress.

Once that is done with the high risk vendors, you can move on to other vendors, but plan on this first step taking a while.  Probably a long while.

Facebooktwitterredditlinkedinmailby feather