in

This Blog

Syndication

Tags

News

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

Archives

AlertBoot Endpoint Security

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.
  • Tennessee Updates Law That Required Notification For Encrypted Personal Data Loss

    In 2016, Tennessee created something of a legal furor when it became the first state to require data breach notifications (DBN) even if the lost or stolen data was protected with encryption. Earlier this month, a new law took effect that "clarifies [this] confusion" for companies: they are not required to send DBNs if the data was encrypted – assuming that the encryption was not compromised as well. For example, if the encryption key was also breached.  

    Cognitive Dissonance? Or Merely Not Understanding What Encryption Does?

    When Tennessee's amendment to its breach notification law was passed last year, it came as something of a shock to many. There were many milestones in 2016 – as there are every single year, admittedly – and among them was encryption. Specifically, the strength of encryption: last year was when Apple and the FBI went to court over encryption, due to the latter's demand that Apple compromise the strength of the cryptographic protections on iPhones. The demand was a result of the FBI's inability to get into the San Bernardino shooter's smartphone (as well as others, as it turned out).
    The FBI stopped their lawsuit at the last minute, saying that they had found a way into the phone after all; some claimed that the FBI folded strategically, since it looked like Apple would win and create a precedent-setting case.
    Despite the lack of a solid conclusion, it was a milestone regardless: the media covered the situation with unprecedented detail; more people than ever tuned in and learned about encryption and its impact in modern society's digital works; and, perhaps most importantly, politicians who loudly clamored for Apple to bow down to the FBI's demands started backpedaling after finding out why encryption has to be as strong as it can possibly be.
    The case was a culmination of many encryption-related episodes, such as the global adoption of encrypted internet connections by the top social media sites and communications app-makers making changes to software code so even they can't access a client's private communications.
    So, finding out that Tennessee wouldn't consider encrypted data to be secured came like a bolt out of the blue. Especially when:
    The 2016 amended law, however, still mentioned in another section that encryption was a positive means of protecting data. This created confusion for companies... (bna.com)
    Of course, if one thinks about it, this is not necessarily contradictory. A strongbox is also a positive means of protecting data: think of a dossier placed inside a bank vault. If that dossier is stolen, well, it should be a reportable data breach. If the documents are stolen, by definition the protection is gone.
    And, because of how encryption works, that's where this analogy breaks down: if you will, under encryption, the dossier is the bank vault. Heck, each sheet of paper in the dossier can be the bank vault. In other words, if encrypted data is stolen, the thief still has to find a way to break into this particular vault called "encryption."
    Chances are that 99.999% of the time when data is stolen or lost, encrypted content can be accessed only if the thief also has a key (or a password, which is essentially a proxy for the encryption key). Based on this year's amendment, it looks like Tennessee's governing body was trying to address this inherent "weakness" in encryption when it passed its law last year: if the thief has a key, he has access.  

    Perfectly Valid Concern

    As any security professional – and now, most lay people in the US – will tell you, encryption is one of the best ways to protect data. It's not the only way, and it's not infallible, but it is one of the best. Some may even say it is the best way. But again, it doesn't mean it's not infallible. There are ways to get past encryption:
    • Guess the encryption key or the password to the encrypted content.
    • Steal the encryption key or the password.
    • Physically threaten a person for the encryption key or the password.
    • Carry out said threat on a person (but make sure he's conscious so you can get the key or password once they cry uncle).
    • Plant malware on a computer so that you don't have to do any guessing, stealing, or threatening. Technology at work.
    • Do an analysis of the encryption used to see if there are any inherent weaknesses that can be exploited (not for the average person; can be difficult even for government agencies awash with black ops slush funds). Especially if someone leaks said weaknesses on the internet.

    As you see, there aren't too many ways but, with the exception of that last one, it is relatively easy to get past encryption… assuming you can fulfill certain conditions – conditions that are simple but potentially difficult to carry out. (Or, not difficult at all, which is why, when you're going to fire someone, you should rescind from him access to your company's resources before letting him know he's being let go).

    Yet, it seems that most data breach notification laws were passed without taking into consideration things like the above. If stolen data was already encrypted, it was given safe harbor from DBNs.

    In fact, in certain cases, breached data was given safe harbor from DBNs even if encryption was not used because the law had defined encryption too broadly. So, despite violating the spirit of the law, ROT-13 encryption would have met the conditions for excluding oneself from DBNs. This, despite it not being encryption in any sense of the word.

    Tennessee's foul-up may have caused confusion and consternation for many over the past year, but it should be applauded for what it was: a law that further empowers constituents of that state.

    Related Articles and Sites:
    https://www.bna.com/new-tenn-law-n57982086309/ https://www.databreaches.net/new-tenn-law-no-breach-notice-needed-if-data-encrypted/
    http://www.americanbar.org/publications/youraba/2016/may-2016/state-data-breach-notification-laws-just-got-crazier.html
    http://www.arma.org/r1/news/newswire/2016/05/24/tennessee-enacts-tough-data-breach-law
     
  • Israel Introducing Data Breach Notification Law

    It was reported last week that Israel introduced mandatory data security and breach notification requirements into its law books. The law is expected to go into full effect next year.

    Business of all types – be they global, multinational companies or the barber shop down the street – will be affected by the new regulations. But not equally.

    At mondaq.com, an expert notes that there will be four "security level" categories which appear to be divided either by the number of people who can access the information or by the nature of the business itself. For example, the aforementioned barbershop's data security requirements would be different from data brokers (and even these are subdivided by the number of records that are stored).  

    Encryption Required?

    Of the four security levels, the lowest one (that is, the least onerous one to a business) is the sub-basic level:
    up to 3 persons with access permission –mild requirements, including a database description document, annual review of redundant data, basic physical security, reasonable means to prevent unauthorized access, keep records of data breaches, appropriate measures with portable devices (e.g. encryption) and secured internet communications. (my emphasis)

    The higher security levels build on top of this. And while encryption is given as an example (not as a requirement) pertaining to "appropriate" security measures for portable devices, it's pretty obvious that it doesn't stray too far from being a requirement.

    Indeed, on the internet, it actually is a requirement. The law stipulates that "secured internet communications" must be used, and the only way to secure the to and fro of data flows on the internet is via an encrypted connection. Or, if an encrypted connection is not possible or available, by encrypting data before it's being sent out (e.g., cryptographically securing an attachment before sending it via email).  

    Breach Notifications Where Appropriate

    Data breach notifications to the government will be mandatory, but only if one pertains to the mid- or high-security level. And even then, the former only needs to report "substantial breaches" whereas the latter will need to report every breach they encounter.

    The government may force a business to get in touch with clients who were affected by the data breach, if it is deemed necessary and appropriate.

    Overall, it's a little different from what people are used to in the US when it comes to data privacy and breach notification laws. However, if you're doing a lot of business with Israeli companies, you will have to follow it.

    Which is not a particularly bad proposition since it will possibly allow you to meet EU requirements as well: Per bna.com, the passing of the Israeli law coincides with the European Union's own privacy laws that go into effect in 2018.  

     

    Related Articles and Sites:
    https://www.databreaches.net/companies-now-face-israel-data-security-breach-notice-rules/
    http://www.mondaq.com/x/582376/data+protection/Data+Breach+Notification+Introduced+into+Israeli+Law

     
  • New Mexico Now Has A Data Breach Notification Bill

    New Mexico will be the latest US state to add a data breach notification law to its books. Once the bill officially becomes a law, only two states – Alabama and South Dakota – will remain outsiders to the crazy idea that people should be notified if their personal data is hacked.

    You can read the bill in all its glory at this link (it's a PDF file), but the introduction to it gives you a good idea of what's up:

    RELATING TO CONSUMER PROTECTION; CREATING THE DATA BREACH NOTIFICATION ACT; REQUIRING NOTIFICATION TO PERSONS AFFECTED BY A SECURITY BREACH INVOLVING PERSONAL IDENTIFYING INFORMATION; REQUIRING SECURE STORAGE AND DISPOSAL OF DATA CONTAINING PERSONAL IDENTIFYING INFORMATION; REQUIRING NOTIFICATION TO CONSUMER REPORTING AGENCIES AND THE OFFICE OF THE ATTORNEY GENERAL; PROVIDING CIVIL PENALTIES; EXEMPTING NEW MEXICO AND ITS POLITICAL SUBDIVISIONS FROM COMPLIANCE WITH THE DATA BREACH NOTIFICATION ACT.

    Possibly Problematic

    There is a potential problem, though. One of the definitions (my emphasis for the below) for the purposes of the bill:
    "personal identifying information": (1) means an individual's first name or first initial and last name in combination with one or more of the following data elements that relate to the individual, when the data elements are not protected through encryption or redaction or otherwise rendered unreadable or unusable: [redacted]

    In the above, an effort is being made to preclude what is not personal information. For example, your SSN that was encrypted is not personal identifying information, and so its loss would be excluded from the data breach notification requirements.

    The problem lies in the passage "otherwise rendered unreadable or unusable," which could very well work against the spirit of the law. For example, the process of hashing data with a known one-way function renders information unreadable in a very technical sense. However, data transformed in this fashion is not considered secure because extracting usable information can be quite easy.

    You're probably very aware that there have been many data breaches in the last ten years or so. In most cases where stolen passwords were involved, the "security" behind said passwords was a hash – and, with the exception of a handful of instances, security professionals agreed that people needed to change their passwords ASAP, especially if the password was re-used at other sites.

    Why? Because hashing, unlike encryption or redaction (read: deleting stuff), can be defeated with enough trial and error. And computers are great at trial and error.

    The fact that the controversial passage is attached to the definition of personal identifying information, as opposed to the definition of encryption, doesn't change the situation because it leads to the same problem: since personal data that is "otherwise…unreadable" is not legally personal identifying information, it can be argued that hashed personal info (just like encrypted personal info) can be excluded from the purview of this law.  

     

    At Least They Got Encryption Right

    Including self-defeating language like this to the books is disappointing, especially when the drafters of the bill went through the trouble of defining encryption correctly:
    "encrypted" means rendered unusable, unreadable or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security

    When data breach notification laws were passed in the past, there were instances where encryption was defined in such a way that equated it with hashing. Doing so is a security faux pas because companies could argue that their hashed data was "encrypted" per the legal definition, and thus be excluded from notifying customers.

    It bears repeating, hashing is not considered a proper security mechanism in the event of a data breach – it isn't "a security technology or methodology generally accepted in the field of information security."

    As time went by and lawmakers gained more experience and knowledge, the law correctly began to reflect what was and wasn't proper data security.

    It looks like we need to do better, however.

     

    Related Articles and Sites:
    https://www.dataprivacymonitor.com/data-breach-notification-laws/new-mexico-passes-data-breach-notification-and-protection-bill/
    https://www.databreaches.net/new-mexico-passes-data-breach-notification-and-protection-bill/

     
  • WikiLeaks Shows That Encryption Works, Even Against Spooks

    Last week, the world saw another bombshell announcement from WikiLeaks. Per their tweets and resulting confidential data dump, it was readily apparent that the CIA had amassed techniques for breaking into many kinds of digital devices imaginable: smartphones and computers, yes, but also things connected to the internet, like smart TVs (perhaps they've looked into hacking internet-connected refrigerators as well).
    But, unlike the initial announcements that were passed around like crazy, it looks like the CIA does not have easy access to the encrypted data. If anything, one could say that a large reason why Langley has so many hacking tools is that they need to get around encryption somehow. Seeing how encryption is nearly impossible to break – it is possible, apparently, but a number of conditions must be met, including the physical presence of the device – it becomes easier to hit cryptography where it is weakest: before the data is encrypted (or once it's decrypted).

    The Inherent "Weakness" in Encryption

    There is an inherent "weakness" in cryptography: encrypted data cannot be read by human beings (or machines, for that matter) in encrypted form. The information has to be decrypted at some point if it's to be useful to someone; that is, so it can be read, copied and pasted, processed, etc.
    And that's where the CIA are targeting their efforts: since the encrypted data has to be decrypted at some point, let's read it then but no sooner. Mind you, other intelligence agencies around the world are probably doing this as well; it can't only be the guys in Langley, especially when you consider that they're one of the best financed and equipped SIGINT bodies in the world, and they are having problems breaking encryption.
    This is good news and bad news. It's good news because you know that encryption works. Your encrypted laptop was stolen at the airport, and the device contained sensitive information? You can rest easy, knowing the odds of a data breach are at the nanoscale end of things.

    Lack of Transparency is a Net Negative for All

    At the same time, it's bad news because, for the CIA to do their job, they can't reveal the software weaknesses they're exploiting; doing so would lead to companies patching up these problems.
    Considering that exploiting these weaknesses is technically the easier way to spy on someone's communications, logic dictates that others must be taking advantage of this weakness as well; people tend to go for the low-hanging fruit.
    This, in an indirect manner, makes the CIA complicit in weakening security for all Americans, because, undoubtedly, the same weaknesses they're hiding from the public is being used by others to spy on Americans, more specifically Americans in power. (Sure, officials at the highest echelons of government have to have their devices vetted – but the past couple of years have shown this is not how it actually works in real life, a fact that reached a fervor this past US election).

    This is Why Backdoors are a Bad Idea

    The silver-lining on all of this may be that the government is nailing the coffin on a contentious issue: encryption backdoors.
    The CIA's actions prove what academics have argued for nearly three decades, if not more: a security weakness is an invitation to be exploited. The hardware and software industry did not tell the CIA about the security defects in its products; rather, the agency just knew there must be some (because there's always a weakness somewhere) and found them on its own.
    The above is your proverbial search for a needle in a haystack (or needles in haystacks), except that you don't know whether said needles exist. You make an assumption that they do and go from there. If after some time you don't find any needles, you move to the next haystack.
    Now imagine what would happen if the US government had succeeded in requiring, by law, a backdoor in encryption. You know that backdoor is somewhere. If you will, the US required that needle to be placed in the haystack. It's a matter of time until you find it; time spent looking for it is not time wasted.
    Thankfully, the nonsense regarding backdoors was quickly laid to rest. Now, if only the CIA would agree that keeping known vulnerabilities a secret is a bad idea… just like they did when it comes to encryption backdoors.
     
    Related Articles and Sites:
    https://www.nytimes.com/2017/03/09/opinion/the-truth-about-the-wikileaks-cia-cache.html
    https://www.wired.com/2017/03/wikileaks-cia-hack-signal-encrypted-chat-apps/
    https://www.nytimes.com/aponline/2017/03/11/technology/ap-us-tec-wikileaks-cia-tech-encryption.html
    http://www.rollingstone.com/culture/wikileaks-cia-document-dump-what-you-need-to-know-w471532
    https://9to5mac.com/2016/02/22/michael-hayden-fbi-apple-encryption/
     
  • Michaud Case In Playpen Hack Gets Dropped By Feds

    One of the most controversial US legal actions in the past couple of years, arguably, is the FBI's approach in arresting hundreds of child pornographers who were frequenting a site in the Dark Web. Because surfing the nether regions of the internet requires the use of a special, secure browser called Tor, the FBI exploited a weakness in the Tor browser to identify the site's frequenters.
    The security flaw remains a closely guarded secret, unknown outside specific law enforcement circles. While the FBI is loath to classify it as such, making use of the flaw has the underpinnings of a malware installation. The authorities prefer to call it a "network investigative technique" (NIT). Needless to say, there's a debate on the legality of exploiting the security loophole.
    More than 100 people are being prosecuted as part of the FBI's sting operation. One of them was Jay Michaud, whose case is possibly the first to have spotlighted the situation. Yesterday, the Department of Justice announced that they are dropping their case against Michaud, whose lawyers strongly contested the legality of the FBI's tactics. Not surprisingly, this latest development is attracting controversy as well.  

    Drop Charges vs. Reveal Exploit

    Why did the DOJ drop their case against Michaud? As the prosecutor for the DOJ noted, to avoid disclosing how the NIT works:
    "The government must now choose between disclosure of classified information and dismissal of its indictment," Annette Hayes, a federal prosecutor, wrote in a court filing on Friday. "Disclosure is not currently an option. Dismissal without prejudice leaves open the possibility that the government could bring new charges should there come a time within the statute of limitations when and the government be in a position to provide the requested discovery."
    In May 2016, the judge overseeing the case ordered the government to reveal the source code behind the NIT.
    This week, the government has decided that letting a "suspected" child pornographer go – possibly temporarily; dismissing a case "without prejudice" means that the same case can be brought back in front of a judge – is a better deal than revealing how the FBI is doing what they do. This decision has caused a lot of talk and speculation, including:
    • The NIT is used extensively in everything, including foreign spying. They're letting the small fish go so they can keep pursuing the really big fish.
    • The FBI and DOJ don't know what they're doing: what is the use of a tool that lets criminals walk because of the same tool that led to their identification and arrest?
    • The guys behind the Tor browser will find the security flaw before the statute of limitations runs out. The government can then reveal the flaw they exploited and once again pursue their cases.
    They all sound plausible, but that last one sounds like a pretty good strategy because, when it comes to child porn, there is no federal statute of limitations (and supposedly the majority of such cases are prosecuted at the federal level). In other words, the government could wait as long as necessary before bringing Michaud to court, be it a month or a decade.
    They could even pursue other cases, possibly set precedent that benefits the DOJ, and come back for Michaud.
    In the meantime, over 100 people have pleaded guilty to charges related to child porn regardless of the legal status of the NIT– and, the thinking probably goes, even more will do so down the line, as long as the NIT can be used. In which case, it's obvious that the DOJ knows exactly what it is doing.
     
    Related Articles and Sites:
    https://arstechnica.com/tech-policy/2017/03/doj-drops-case-against-child-porn-suspect-rather-than-disclose-fbi-hack
    https://www.federalcharges.com/child-pornography-laws-charges/
     
  • Data Breach Results In Loss Of $350 Million in Yahoo-Verizon Deal

    Last week, Verizon finally decided to go forward with the acquisition of Yahoo, the perennial would-be comeback internet search and media company.
    The deal, announced last year, saw an unusual delay when Yahoo revealed that it had been hacked, the largest data breach in history as of then. This was followed a couple of months later by the discovery and announcement of another internet intrusion and data theft at Yahoo. And thus, the internet's Purple One is now the dubious record holder of two of the biggest data breaches in US history.
    Yahoo's revelation of the hack has been accompanied by rumors that the top brass had known about the intrusion for years and declined to announce it, in an effort to maintain its public image.  

    Due Diligence or Lax Security Management?

    The timing of the breach announcement certainly was conspicuous. It could be read as either (a) Yahoo happening upon the data breach as they carried out their day-to-day operations or (b) that either Yahoo or Verizon found out about it as they were doing their due diligence as part of the acquisition or (c) Yahoo was finally forced to give up the ghost on the situation.
    While nothing has been proven yet, there are currently twenty-plus lawsuits, plus an SEC investigation that is currently under way.
    In addition, one cannot forget the fact that the US does not have a federal law governing data breaches and the notification thereof. Instead, laws that cover such issues exist at the state level, for approximately 45 states. The FTC has also been known to pursue internet-related data breaches with a certain level of enthusiasm. And let's not forget the state Attorney Generals who have taken a great interest in such issues as well.
    Basically, if the allegations that Yahoo sat on the data breach and did nothing for years is revealed as true, there's is no lack of potential ways for Yahoo (or its reincarnation) to be in trouble.  

    $350 Million Discount

    Which appears to have worried Verizon greatly. For months now, there were rumors that the communications company would nix the deal. Last week, though, Verizon announced they'd go ahead with the acquisition provided that they get a steep discount ($350 million) and that most of the lawsuits' burden is shouldered by what remains of Yahoo when the business is concluded.
    For investors, this is better than nothing, of course. As a business concern, Yahoo has been treading water for years now and investors have been anxious for a way to unload their shares (other than selling it in the open market, that is). But, Verizon's discount represents close to a 10% haircut. That's a huge number in financial circles. Undoubtedly, there are many angry investors with deep pockets who will be looking to recover their perceived losses one way or another. If the allegations about management's collusion are revealed to be true… well, let's just say that it's not going to be pretty.  

    Another First

    This is one of the few cases where a data breach has directly affected a company's financial well-being. That is, it's not due to a civil lawsuit, or the authorities bringing an action against a company, or a situation where a company announces a data breach and people don't care; like at Target, which hasn't been affected by its "greatest hack in history" data breach. The same customers continue to shop there.
    Nope, this is a clear-cut case where a company has a data breach (two, to be exact) and is directly penalized for it.
    You can expect to hear more from this fiasco.
     
    Related Articles and Sites:
    http://www.marketwatch.com/story/the-revised-verizon-yahoo-deal-puts-liability-on-altaba-2017-02-21
     
More Posts Next page »