Tuesday, November 25, 2014

Most Targeted Attacks Exploit Privileged Accounts

- See more at: http://threatpost.com/most-targeted-attacks-exploit-privileged-accounts/109514#sthash.zFyXXWqX.dpuf

Monday, November 24, 2014

Beth Israel fined $100,000 for patient data breach

The Boston Globe


Beth Israel Deaconess Medical Center will pay $100,000 after a physician’s laptop holding personal information for nearly 4,000 patients and employees was stolen in 2012.
Steven Senne/AP
Beth Israel Deaconess Medical Center will pay $100,000 after a physician’s laptop holding personal information for nearly 4,000 patients and employees was stolen in 2012.
Beth Israel Deaconess Medical Center agreed to pay $100,000 to settle a complaint by the Massachusetts attorney general’s office that its lax data security led to the theft of personal information of about 4,000 patients and employees.
In May 2012, a physician’s unattended laptop was stolen from his desk at the hospital. The laptop contained health information of 3,796 patients and Beth Israel employees, as well as personal information, such as Social Security numbers, of 194 other Massachusetts residents. The attorney general’s office argued the hospital’s lack of security and failure to encrypt patient data was against the law.
“The healthcare industry’s increased reliance on technology makes it more important than ever that providers ensure patients’ personal information and protected health information is secure,” said Attorney General Martha Coakley.
Dr. John Halamka, chief information officer at Beth Israel Deaconess, said the hospital has since improved its security procedures.
“After this incident, we worked closely with the federal and state governments, as well as security industry experts, to ensure that [the hospital] adopts state-of-the-art security policies and technologies,” Halamka said in a statement. “Every device we purchase is encrypted before it is used, and every employee must attest on an annual basis that his or her personal devices are also encrypted.”
Beth Israel is not the first hospital to be penalized for poor data security by Coakley’s office. Earlier this year, Women and Infants Hospital of Rhode Island agreed to pay $150,000, and South Shore Hospital settled a suit by the Attorney General for $750,000 in 2012.

Jack Newsham can be reached at jack.newsham@globe.com. Follow him on Twitter @TheNewsHam.

Saturday, November 22, 2014

Ingrijpende privacywet op komst: EU-toezichthouder gegevensbescherming Peter Hustinx blikt vooruit [interview]

Ingrijpende privacywet op komst: EU-toezichthouder gegevensbescherming Peter Hustinx blikt vooruit [interview]

21nov 2014

Buitenlandse opsporingsdiensten, de Nederlandse Belastingdienst en commerciële Big Data-exploitanten grasduinen in persoonsgegevens. De oude Europese richtlijn uit 1995 die het toezicht regelt, wordt eindelijk vervangen. Peter Hustinx, Hoofd van de Europese Toezichthouder voor Gegevensbescherming, richt zijn blik op de vergaande Europese Privacy Verordening.
Het voornemen van ING om – zo leek het – betaalgegevens van klanten door te verkopen aan externe partijen leidde eerder dit jaar tot een storm van kritiek. Het overheersende gevoel: inzage in het huishoudboekje vormt een te grote inbreuk op de privacy. Geschrokken door het oproer van klanten, de Consumentenbond, De Nederlandsche Bank en de Autoriteit Financiële Markten, trok ING het plan snel weer in. De privacy-kwestie zal de ‘megatrend’ Big Data niet remmen. Het verzamelen en samenvoegen van zoveel mogelijk data is de Heilige Graal van marketeers. De Boston Consulting Group voorspelt dat het in 2020 in Europa een economische waarde vertegenwoordigt van bijna 1 biljard euro.

Toezichthouder Peter Hustinx

Overheden laten zich ook niet onbetuigd, bleek uit de onthullingen van klokkenluider Edward Snowden over de voorheen onnavolgbare werkwijze van de Amerikaanse inlichtingendienst NSA. De Nederlandse Belastingdienst is ook volop aan het grasduinen. Zo wist de fiscus in augustus nog in hoger beroep toegang te forceren tot de klantgegevens van de parkeerdienst SMS Parking.
M HUSTINX
Peter Hustinx
De Nederlandse jurist Peter Hustinx (69) is als Hoofd van de European Data Protection Supervisor (EDPS) vanuit Brussel bezig om toezicht te houden op de gegevensbescherming bij alle EU-instellingen – van de Europese Commissie tot de tientallen agentschappen en de Europese Centrale Bank. Daarnaast geeft de EDPS advies aan de Raad en het Europees Parlement bij de totstandkoming van wetgeving waar gegevensbescherming een rol speelt.
De heetste aardappel momenteel: de nieuwe Europese Privacy Verordening die de gedateerde privacyrichtlijn uit 1995 moet vervangen. Het voorstel is in maart met grote meerderheid aangenomen door het Europees Parlement en gaat nu naar de Raad van Ministers die de Verordening, al dan niet geheel of gedeeltelijk, kunnen aannemen. De inwerkingtreding zal naar verwachting pas in 2017 plaatsvinden. De Europese Privacy Verordening is een stuk ingrijpender dan de verouderde richtlijn.
Europese Privacy Verordening
  • Boetes tot maximaal 100 miljoen euro of 5 procent van de wereldwijde omzet bij overtreding van de regels
  • Strengere eisen aan de beveiliging van privacygevoelige informatie en een meldplicht (aan de toezichthouder) bij datalekken
  • Expliciete toestemming van klanten vereist zodra bedrijven persoonsgegevens (Big Data) willen verwerken. Klanten moeten deze toestemming ook weer kunnen intrekken
  • NO-NSA clausule: Bedrijven mogen persoonsgegevens niet meer zonder toestemming van de toezichthouder delen met buitenlandse overheden
  • Het ‘recht om vergeten te worden’ in zoekmachines
  • De verplichting om een Functionaris voor de Gegevensbescherming aan te stellen bij instanties die persoonsgegevens verwerken van meer dan 5.000 mensen in een jaar

U als Europese toezichthouder, maar ook de nationale toezichthouders, werken met wetgeving die is afgeleid van een richtlijn uit 1995. Is dat nog wel houdbaar in het internettijdperk?
‘Een pak melk dat zuur is, ga je niet opdrinken. Dat doen wij helaas nog wel. De huidige regels in de richtlijn hebben hun houdbaarheidsdatum overschreden. Het was destijds een heel goede stap vooruit om zeker te maken dat alle landen in Europa ongeveer dezelfde maatregelen namen op het gebied van gegevensbescherming. Maar inmiddels 20 jaar later zijn er een aantal dingen gebeurd, zoals het internet, sociale netwerken en mobiele communicatie.’
In de voorgestelde Europese Privacy Verordening is een maximale boete vastgelegd van 5 procent van de geconsolideerde jaaromzet zodra bedrijven zich niet houden aan de nieuwe wetgeving. Wat voor krachten worden er losgemaakt zodra dergelijke boetes worden voorgesteld?
‘We hebben in jaren niet zoveel gelobby gezien, parlementsleden zijn werkelijk gebombardeerd. Er is hele zware druk uitgeoefend door buitenlandse regeringen en Europese en Amerikaanse bedrijven die op het internet in Europa actief zijn. Maar ik merk in de discussie dat er teveel uitgegaan wordt van worst case analyses. Zo zijn er bedrijven die zeggen: je moet dadelijk overal toestemming van klanten voor krijgen zodra we hun data willen gebruiken, dat is het einde van internet.
Nou, toestemming is een belangrijk element, maar het is niet altijd nodig. Een bedrijf kan er alleen niet meer van uitgaan dat ze wegkomen met dingen als “stilzwijgende toestemming” of “opt-out toestemming” – er is een hele reeks van woorden die ze daarvoor gebruiken. Dan onderschat je de problematiek ongelooflijk, want als dát toestemming is, dan weet ik bijna zeker dat het niet bindend is. En de volgende dag moet je het kunnen intrekken, daar heeft men helemaal geen rekening mee gehouden.’
In de nieuwe verordening wordt ook het principe van “one-stop-shop” toezicht geïntroduceerd: het land waar de hoofdvestiging van een bedrijf is gevestigd, krijgt de verantwoordelijkheid over het gehele toezicht op dat bedrijf. Hoe ziet dat er dadelijk uit in de praktijk?
‘Het toezicht is dadelijk zo verdeeld dat iedere nationale toezichthouder bevoegd blijft op zijn eigen territorium, maar er komt een lead authority, een one-stop-shop. Er is nu een hele discussie over ontbrand wát dat precies inhoudt. Is de toezichthouder dan enkel het land waar de hoofdvestiging van een bedrijf is gevestigd, of doet hij het samen met anderen?’
De toezichthouder in Ierland krijgt het dan druk omdat daar veel grote tech-bedrijven zoals Google, Facebook en Apple daar hun Europese hoofdkantoren hebben gevestigd.
‘Als zo’n bedrijf daar gevestigd is, wordt dat land de lead. In Ierland zijn veel bedrijven neergestreken die een grote rol spelen op internet, dat zal met de taal en het fiscale regime te maken hebben. Als je die one-stop-shop als een exclusieve operatie ziet – en dat was aanvankelijk toch een beetje de beeldvorming – dan is het zorgwekkend dat er misschien verschil in behandeling zou kunnen zijn in Ierland en andere landen. Gaan de Ieren wat soepeler handhaven? Onze ervaring is dat onze Ierse collega’s hun werk uitstekend doen.’
Maar bij hen staat wel een groot deel van hun BBP op het spel als ze besluiten om een boete van 5 procent van de jaaromzet van bijvoorbeeld Google te geven. Wie kan aangesproken worden op falend toezicht?
‘Dat is één van de vragen die nu in het laatste stadium veel hoofdbrekens kosten. Ik verwacht dat het toezicht in de verordening gebaseerd gaat worden op een vorm van samenwerking waarbij de lead een stevige rol krijgt, maar waar beslissingen van de lead op een of andere manier in een groep genomen worden. Door samenwerking moet voorkomen worden dat er forum shopping gaat plaatsvinden.’
Hoe realistisch is het volgens u dat grote internetbedrijven besluiten om hun hoofdvestigingen uit Europa terug te trekken?
‘Helemaal uitsluiten kun je dat niet, zo is nu eenmaal de wereld, maar het is niet erg realistisch. Bedrijven als Google hebben een sterke aanwezigheid op de Europese markt. Hun verantwoordelijkheid ligt daardoor hier. Zelfs als hun data in werkelijkheid in Jersey of op de Kaaimaneilanden zijn opgeslagen, of in de cloud en nobody knows where, zijn ze aansprakelijk voor de beveiliging. Als een bedrijf – ik ga geen namen noemen – de gegevens opslaat in de cloud, en accepteert dat de provider niet kan zeggen wáár dat is – moeten er wel afspraken gemaakt worden of deze de juiste beveiligingsmaatregelen heeft genomen. Het is volstrekt onverantwoord om zonder nadere bepaling van controls gegevens in de cloud op te slaan, want dan kom je je verantwoordelijkheden niet na. Dan ben je in gebreke. Als de markt zich bewust is van zijn verantwoordelijkheid dan zal de gegevensbescherming toenemen.’
Wie moet dat verantwoordelijkheidsbesef bijbrengen: de toezichthouder of de markt zélf?
‘Bedrijven moeten het zelf oppakken. In de huidige richtlijnen en toekomstige verordening staat dat het bedrijf de verantwoordelijke is voor naleving: het moet de noodzakelijke maatregelen treffen om te verzekeren dat gegevens worden beschermd. En als zij dat niet doen, moet een toezichthouder er iets aan doen. De nieuwe regels en het nieuwe beleid zijn belangrijk om onachtzaamheid aan te pakken. De nieuwe verordening zal een paar keer hard worden toegepast en dan krijg je: “Waarom krijg ík een boete?” Daarna gaat het zich verspreiden en dan zeggen mensen: het schijnt tegenwoordig zo en zo te moeten gebeuren. Ja, dat was eigenlijk al jarenlang zo, maar dat waren we vergeten. We moeten die olietanker zien te draaien – bedrijven die wel de gouden bergen zien, maar onvoldoende over gegevensbescherming hebben nagedacht.’
***********
Dit is een ingekorte weergave van een interview dat onlangs in Tijdschrift voor Compliance werd gepubliceerd. Het vijfde nummer van 2014 is geheel gewijd aan het thema Compliance en Privacy en gaat onder meer over de Big Data trend en gegevensbescherming. Klik hier voor een abonnement of proefnummer.

Tuesday, November 18, 2014

Run-amok compliance officers cost Bank of Tokyo Mitsubishi $315 million for sanctions report whitewash


                      

The New York State Department of Financial Services (DFS) Tuesday levied $315 million in penalties against Bank of Tokyo Mitsubishi UFJ (BTMU) for misleading regulators regarding its transactions with Iran, Sudan, Myanmar, and other sanctioned entities.
A year-long  DFS investigation found that BTMU compliance officers pressured the bank's consultant, PricewaterhouseCoopers (PwC), into removing key warnings to regulators in a supposedly "objective" report the bank submitted to the DFS.
Under the DFS consent order, BTMU will pay the additional $315 million penalty beyond a $250 million penalty it paid under a previous June 2013 DFS agreement over its sanctioned transactions.
"As such,"the DFS said, "the total monetary penalty that BTMU has paid in this case is $565 million."
At the direction of the DFS, the bank "will also take disciplinary action against individual BTMU compliance personnel involved in the watering down of the PwC report."
The DFS demanded that BTMU fire Tetsuro Anan (manager, anti-money laundering compliance office, compliance division). Anan has resigned from BTMU, the DFS said.
"On multiple occasions, despite being responsible for anti-money laundering compliance, Tetsuro Anan asked PwC to remove from its report specific issues of material concern to regulators about the bank's misconduct," the DFS said.
The DFS also banned two former compliance officers who now work at BTMU affiliates.
Akira Kamiya (deputy president, Mitsubishi UFJ Securities Holdings) and Tetsuji Kamisawa (executive deputy president, Defined Contribution Plan Consulting of Japan) can't do work involving any New York banks (or other financial institutions) regulated by the DFS, including BTMU's New York branch.
Benjamin M. Lawsky, head of the DFS, said: “We continue to believe that fines -- while often necessary -- are not sufficient to deter misconduct on Wall Street. We must also work to impose individual accountability, where appropriate, and clearly proven, on specific bank employees that engaged in wrongdoing.”
In August, the DFS suspended PwC Regulatory Advisory Services for two years for helping whitewash the BTMU sanctions and anti-money laundering compliance report.
PwC was also required to make a $25 million payment to the State of New York.
As part of Tuesday's order, BTMU will relocate its U.S. Bank Secrecy Act/Anti-money Laundering Compliance (BSA/AML) and Office of Foreign Assets Control (OFAC) sanctions compliance programs to New York, the DFS said.
Those programs will have U.S. compliance oversight over all transactions affecting the New York Branch, the DFS said, "including transactions performed outside the U.S. that affect the New York Branch."
BTMU said in a statement Tuesday it is "committed to conducting business with the highest levels of integrity and regulatory compliance, and to continually improving its policies and procedures."
*     *     *
The New York State Department of Financial Services consent order In the matter of Bank of Tokyo Mitsubishi UFJ, Ltd. New York Branch dated November 18, 2014 is here (pdf).
_______
Richard L. Cassin is the publisher and editor of the FCPA Blog. He can be contacted here.
- See more at: http://www.fcpablog.com/blog/2014/11/18/run-amok-compliance-officers-cost-bank-of-tokyo-mitsubishi-3.html#sthash.kwvVrjxU.dpuf

Banks have lost so much consumer information to hackers this year that two members of Congress are asking them to come clean with the extent of the damage

Congress to banks: Admit you've been hacked!

November 18, 2014: 10:08 AM ET

The gun range where you can buy booze
  • 12
    TOTAL SHARES
  • 1
NEW YORK (CNNMoney)

Banks have lost so much consumer information to hackers this year that two members of Congress are asking them to come clean with the extent of the damage.

Tuesday morning, 16 financial institutions will receive letters from Sen. Elizabeth Warren and Rep. Elijah E. Cummings asking them to admit that they have been hacked, explain how it happened and be transparent about what they lost.
In many cases, companies that are hacked never reveal it to their customers. Or they release vague, useless information that hides the seriousness of the breach.
Related: Hackers attack U.S. energy grid
Earlier this year, hackers broke into JPMorgan. The bank said hackers gathered information on more than 80 million customers. But sources close to the investigation told CNNMoney the hackers hit at least six other companies -- none of which came forward about it.
"The increasing number of cyberattacks and data breaches is unprecedented and poses a clear and present danger to our nation's economic security," Cummings and Warren wrote in the letter.
They noted that faith in banks' ability to keep consumer data safe "is central to earning and maintaining consumer confidence in our economic system." The letter referenced a recent USA Today report that hackers have stolen more than 500 million financial records over the past year.
Earlier this year, CNNMoney noted that half of American adults have been hacked.

Monday, November 17, 2014

Corporate data security trust restoration

Corporate data security trust restoration

SafeNet : 14 November, 2014  (Special Report)
Paul Hampton, Payment & Crypto management expert at SafeNet explains the four steps required to restore trust in corporate data security
Corporate data security trust restoration
Results from the latest Breach Level Index report show there have been more than a thousand worldwide data breaches so far this year that compromised nearly 563 million data records of customers’ personal and financial information. Particularly worrying for consumers, is that the retail industry accounts for more than 30 per cent of all data records breached and has thus become the embodiment of the data breach epidemic. These are shocking figures, and should be a serious cause for concern, especially in the lead up to Christmas, when many more shoppers will be using their cards, and could be putting themselves at risk.

Until now, consumers have appeared apathetic about identity compromise security breaches. But new research indicates unrest. A SafeNet survey of more than 4,500 adults across five of the world’s largest economies – U.S., U.K., Germany, Japan, and Australia has found that nearly two-thirds (65 per cent) of respondents would never, or were very unlikely to, shop or do business again with a company that had experienced a data breach where financial data or information was stolen. The research also indicated that only half of adults surveyed feel that companies take the protection and security of customer data seriously enough.

What does all this mean? The traditional data security mind set does not work anymore.With companies collecting ever-increasing amounts customer information and with digital interactions becoming more diverse, vast amounts of data about who we are, what we do, and what we like is being stored online. We entrust our entire identity as individuals to the companies who gather this information and need to be reassured that it is being kept safe.

For decades, the prevailing wisdom about cybersecurity has been that a perimeter “wall” should be built around the corporate network to keep intruders out. More recently, newer technologies such as real-time threat protection have been implemented to bolster security.  However, as the current breach epidemic shows, these approaches haven’t stopped today’s sophisticated cybercriminals.

Companies can seize upon these four approaches to help restore customer trust in corporate data security:

* Out With the Old, In With the New: Today’s security strategies are dominated by a singular focus on breach prevention that includes firewalls, antivirus, content filtering, and threat detection. But, if history has taught us anything, it is that walls are eventually breached and made obsolete. Companies should assume that prevention and threat detection tools can only go so far, and should be used as part of a layered approach to data security that can defend data once criminals get into the network. The next and last level of defence needs to be around the data itself and surrounding it with end-to-end encryption, authentication and access controls that provide the additional layers to protect both corporate and customer information.

* Protect Customer Data As If It Were Your Own: If companies want to earn and retain customer trust, they must view the protection of sensitive data not as a compliance mandate, but as a responsibility essential to its success. Meeting the minimum legal requirements is no longer enough. If a breach hits, and companies have encrypted financial data, but not the 10 million records containing customer names, addresses and social security numbers, they’ve broken the bond of customer trust in its brand. Being a better steward of customer data is not just good PR, it makes good business sense, too.

* Transparency Is the Road to Trust: Put security front and centre and tell customers about the security measures that companies have put in place to protect their data. With the recent dust-up about surveillance, the largest online companies are now much more open about what they are doing to protect customer information. If a company is doing something better than the rest of the industry, like encrypting data end-to-end, then it will be seen as a trusted innovator.

* Security Is a Two-Way Street: Just as customers are informed about what companies are doing to protect them, they should also be told what to do in order to protect themselves. If a customer experiences identity theft or a data breach while doing business with a company, that brand suffers. A better-educated consumer is a safer consumer of services.

As data breaches become increasingly severe and consumers become more educated on what is (or isn’t) being done to protect their data, their attitudes about what is acceptable will change. And with it, the corporate mind set on security must change. So far, customers may not have been concerned about having their credit card numbers stolen, because there are built-in protections for them. However, distress sets in if their location information is being used so thieves can rob their houses. Companies need to wake up to this new reality sooner rather than later, or else risk consumers severing ties with them and taking their business to trustworthy competitors.
Read more: http://www.prosecurityzone.com/News_Detail_Corporate_data_security_trust_restoration_22689.asp#ixzz3JJoQb3AA

Saturday, November 8, 2014

15 reasons not to start using PGP

15 reasons not to start using PGP

Because of popular demand, here's the collection of reasons to stop using PGP, or at least not to start.
Pretty Good Privacy is better than no encryption at all, and being end-to-end it is also better than relying on SMTP over TLS (that is, point-to-point between the mail servers while the message is unencrypted in-between), but is it still a good choice for the future? Is it something we should recommend to people who are asking for better privacy today?
The text concludes mentioning some of the existing alternatives, so, again, this is NOT about not using encryption as some critics like to presume!!!

1. Downgrade Attack: The risk of using it wrong.

With e-mail the risk always remains that somebody will send you sensitive information in cleartext - simply because they can, because it is easier, because they don't have your public key yet and don't bother to find out about it, or just by mistake. Maybe even because they know they can make you angry that way – and excuse themselves pretending incompetence. Some people even manage to reply unencrypted to an encrypted message, although PGP software should keep them from doing so.
The way you can simply not use encryption is also the number one problem with OTR, the off-the-record cryptography method for instant messaging.
This opens up for a great possibility for attack: It's enough to flip a bit in the communication between sender and recipient and they will experience decryption or verification errors. How high are the chances they will start to exchange the data in the clear rather than trying to hunt down the man in the middle?
The mere existence of an e-mail address in the process is a problem. Modern cryptographic communication tools simply do not provide means to exchange messages without encryption, so if something goes wrong at least there is no doubt it could be you doing it wrong -- and giving up on privacy becomes at least a very conscious choice.
Update: And it's not like it's a problem only for the less careful or less tech-savvy. A notable cryptographer recently sent out confidential mail unencrypted. People told him, but he didn't believe it. He wrote himself encrypted mail and indeed, there it was, the mail in the clear. Turned out that one specific version of enigmail was in some strange way incompatible with a specific version of Thunderbird, sufficiently to pretend a completely normal user experience, yet the mails would go out unencrypted, leaving just a remark somewhere in the messages log. There was no way even for the most experienced user to protect himself from a software attack of this kind. This can happen to you, too. Anytime you upgrade your operating system. But only with encryption-on-top systems like PGP.

2. The OpenPGP Format: You might aswell run around the city naked.

Thanks to its easily detectable OpenPGP Message Format it is an easy exercise for any manufacturer of Deep Packet Inspection hardware to offer a detection capability for PGP-encrypted messages anywhere in the flow of Internet communications, not only within SMTP. So by using PGP you are making yourself visible. Stf has been suggesting to use a non-detectable wrapping format.
Update: Gregory mentions that by using the –hidden-recipient flag you can tell PGP to, at least, hide who you are talking to. Hardly anyone does that: "PGP easily undoes the privacy that an anonymity network like Tor can provide" (by including the recipient's public key in the message).

3. Transaction Data: Mallory knows who you are talking to.

Should Mallory not possess the private keys to your mail provider's TLS connection yet, he can simply intercept the communication by means of a man-in-the-middle attack, using a valid fake certificate that he can make for himself on the fly. It's a bull run, you know?
Side note: Did you ever see a mail returned to you because of an invalid TLS certificate? And you can bet the net is full of invalid certificates. In most cases the mail will be delivered anyway, so Mallory doesn't even have to fake a valid certificate. He can use an invalid one, too.
Even if you employ PGP, Mallory can trace who you are talking to, when and how long. He can guess at what you are talking about, especially since some of you will put something meaningful in the unencrypted Subject header.
Should Mallory have been distracted, he can still recover your mails by visiting your provider's server. Something to do with a PRISM, I heard. On top of that, TLS itself is being recklessly deployed without forward secrecy most of the time.

4. No Forward Secrecy: It makes sense to collect it all.

As Eddie has told us, Mallory is keeping a complete collection of all PGP mails being sent over the Internet, just in case the necessary private keys may one day fall into his hands. This makes sense because PGP lacks forward secrecy. The characteristic by which encryption keys are frequently refreshed, thus the private key matching the message is soon destroyed. Technically PGP is capable of refreshing subkeys, but it is so tedious, it is not being practiced – let alone being practiced the way it should be: at least daily.

5. Cryptogeddon: Time to upgrade cryptography itself?

Mallory may also be awaiting the day when RSA cryptography will be cracked and all encrypted messages will be retroactively readable. Anyone who recorded as much PGP traffic as possible will one day gain strategic advantages out of that. According to Mr Alex Stamos that day may be closer than PGP advocates think as RSA cryptography may soon be cracked.
This might be true, or it may be counter-intelligence to scare people away from RSA into the arms of elleptic curve cryptography (ECC). A motivation to do so would have been to get people to use the curves recommended by the NIST, as they were created using magic numbers chosen without explanation by the NSA. No surprise they are suspected to be corrupted.
With both of these developments in mind, the alert cryptography activist scene seems now to converge on Curve25519, a variant of ECC whose parameters where elaborated mathematically. "They are the smallest numbers that satisfy all mathematical criteria that were set forth" explains Christian Grothoff of GNUnet.
ECC also happens to be a faster and more compact encryption technique, which you should take as an incentive to increase the size of your encryption keys.
Unfortunately, thanks to RFC 6637 GnuPG will soon support ECC with the suspicious NIST curves. Should it better break with OpenPGP and support Curve25519 instead?
Nadia Heninger tells us some more on the topic, and concludes that there is no proof that mathematical discoveries cannot cause a cryptographic meltdown anytime: "Just because nothing has happened for two decades doesn't mean that something cannot happen." It is up to you to worry if it's more likely that RSA or ECC could be cracked in future. Should a mathematical breakthrough drop from the sky, probably both would be affected.
As a side note, OpenPGP requires the use of SHA1 for its fingerprinting. That means the way most people are authenticated in PGP may someday fall apart.

6. Federation: Get off the inter-server super-highway.

NSA officials have been reported saying that NSA does not keep track of all the peer-to-peer traffic as it is just large amounts of mostly irrelevant copyright infringement. It is thus a very good idea to develop a communications tool that embeds its ECC- encrypted information into plenty of P2P cover traffic.
Although this information is only given by hearsay, it is a reasonable consideration to make. By travelling the well-established and surveilled paths of e-mail, PGP is unnecessarily superexposed. Would be much better, if the same PGP was being handed from computer to computer directly. Maybe even embedded into a picture, movie or piece of music using steganography.

7. Discovery: A Web of Trust you can't trust.

Mike Perry has made a nice collection of reasons why the PGP Web of Trust is suboptimal. It is in many ways specific to the PGP approach and not applicable to other social graphs like secushare's. Let's summarize: The PGP WoT
  1. is publicly available for data mining,
  2. has many single points of failure (social hubs with compromised keys) and
  3. doesn't scale well to global use.
So these are actually three more reasons not to use PGP, but since you can use PGP without WoT we'll count them as one.
Update: Just found out that when you look up a key your amazing PGP client will by default do a cleartext HTTP request to the key server. Thus anyone can see who your conversation partners are. Maximum total privacy failure!

8. PGP conflates non-repudiation and authentication.

"I send Bob an encrypted message that we should meet to discuss the suppression of free speech in our country. Bob obviously wants to be sure that the message is coming from me, but maybe Bob is a spy … and with PGP the only way the message can easily be authenticated as being from me is if I cryptographically sign the message, creating persistent evidence of my words not just to Bob but to Everyone!" (Thanks, Gregory, for providing this eleventh reason ;-)).

9. Statistical Analysis: Guessing on the size of messages.

Especially for chats and remote computer administration it is known that the size and frequency of small encrypted snippets can be observed long enough to guess the contents. This is a problem with SSH and OTR more than with PGP, but also PGP would be smarter if the messages were padded to certain standard sizes, making them look all uniform.

10. Workflow: Group messaging with PGP is impractical.

Have you tried making a mailing list with people sharing private messages? It's a cumbersome configuration procedure and inefficient since each copy is re-encrypted. You can alternatively all share the same key, but that's a different cumbersome configuration procedure.
Modern communication tools automate the generation and distribution of group session keys so you don't need to worry. You just open up a working group and invite the people to work with.

11. Complexity: Storing a draft in clear text on the server

Update: These days mail tools are too complicated. Here come enigmail that is in charge of encrypting mails before they leave Thunderbird. But wait, didn't Thunderbird just store a draft? Yes, and since I happen to have IMAP configured it stored the draft to my server. Did it bother that I had checked the flag that I intend to encrypt the mail? No, the draft is on the server in the clear. I look around and find out that Claws has been having the same bug. I'm not surprised, after all it's the most natural way of doing things. One person implements IMAP, another implements PGP support, and they never bump into each other and realise that the default behaviour of a mail agent that supports both is to do what it should in no way ever do: send the unencrypted mail to the server. This makes the entire effort to use PGP useless. I looked around for warnings, but even the best manuals for doing PGP correctly are aware of a lot of problems, but not this one. I am only on day three of really using PGP, and I already discovered a security flaw that no-one has talked about much ever before. Is this normal? I have Thunderbird 17.0.8 and you?
P.S. I recommend you to turn off saving mail drafts to the server.

12. Overhead: DNS and X.509 require so much work.

This may seem unrelated, but PGP builds upon e-mail, and e-mail unnecessarily enforces a dependency on DNS and X.509 on us (the TLS and HTTPS certification standard that makes us need certificates, signed by an /authority,/ and then can be fooled and broken anyway). Both cost money to participate in and have to be meticulously administered. Anyone who tried to do it, knows: Mail (and also Jabber) server administration is annoying and expensive.
All the modern alternatives are either based on DHT technology, social graph discovery or opportunistic broadcast. All of them are powered by the mere fact that you are using the software. Frequently there will be sponsored servers providing for faster service, as it has become the standard for Tor, but the administration of such servers is trivial: Just unpack the software and run it (exit nodes are a special case).
Why are you accepting being enslaved by e-mail?

13. Targeted attacks against PGP key ids are possible

PGP has a bad habit of using truncated fingerprints as key ids, organizing keys in its database by short key id and dealing keys with the same short key id as probably being the same, although it isn't so hard to make a new key pair that resolves to the same key id as an existing one. This seems to be a problem even with long key ids. Now people say you should use the full fingerprint, but I remember a time when it was said that the purpose of fingerprints is just for simplifying the comparison of keys among human beings. Computers should always ensure the identity of a public key by comparing nothing less than the public key. By using short ids for maintaining keys the PGP software implementations are doing it wrong.
One possible consequence of this is that users could be tricked into accepting a false replacement key from a key server or in some other way confuse their key management to the point of corrupting a communication path that used to be safe and allowing a man in the middle into the game. People who have just their short key id printed on their business card could suffer targeted man in the middle attacks: The MITM just needs to intercept the keyserver look-up, which as we know is unencrypted by default, and produce the false recipient data. The MITM must then also intercept in- and outgoing SMTP traffic in order to re-encrypt the mail conversation on the fly to the actual key the recipient expects and vice versa. This can in fact be automated to undermine the PGP infrastructure on a large scale, but it would not go unnoticed whereas a targeted attack most likely would.
You can make the attack slightly more difficult by using encrypted key server look-ups (= learn to configure gpg to use sane defaults), but since the key servers do not use PGP to authenticate themselves you can still suffer a MITM attack on the TLS certification level (see X.509 above). And of course there is also the possibility of the key server itself being used in a targeted operation against you. In practice the only currently secure way to communicate a key on a business card is to print its entire fingerprint along with the look-up id – and not forget to actually check it (happened to me, so I bet it happens to you).

14. TL;DR: I don't care. I've got nothing to hide.

So you think PGP is enough for you since you aren't saying anything reaaally confidential? Nobody actually cares how much you like to lie to yourself stating you have nothing to hide. If that was the case, why don't you do it on the street, as John Lennon used to ask?
It's not about you, it's about your civic duty not to be a member of a predictable populace. If somebody is able to know all your preferences, habits and political views, you are causing severe damage to democratic society. That's why it is not enough that you are covering naughty parts of yourself with a bit of PGP, if all the rest of it is still in the nude. Start feeling guilty. Now.

15. The Bootstrap Fallacy: But my friends already have e-mail!

But everyone I know already has e-mail, so it is much easier to teach them to use PGP. Why would I want to teach them a new software!?
That's a fallacy. Truth is, all people that want to start improving their privacy have to install new software. Be it on top of super-surveilled e-mail or safely independent from it. In any case you will have to make a safe exchange of the public keys, and e-mail won't be very helpful at that. In fact you make it easy for Mallory to connect your identity to your public key for all future times.
So installing a brand new software that only provides for safe encrypted communications as actually an easier challenge then learning how to use PGP without messing it up.
If you really think your e-mail consumption set-up is so amazing and you absolutely don't want to start all over with a completely different kind of software, look out for upcoming tools that let you use mail clients on top. Not the other way around.

But what should I do then!??

So now that we know n reasons not to use e-mail and PGP, let's first acknowledge that there is no obvious alternative. Electronic privacy is a crime zone with blood freshly spilled all over. None of the existing tools are fully good enough. We have to get used to the fact that relevant new tools will come out all the time, and you will want to switch to a new software twice a year. Mallory has an interest in making us believe encryption isn't going to work anyway – but internal data leaked by Mr Snowden confirms that encryption actually works. We should just care to use it the best way.

There is no one magic bullet you can learn about.

You have to get used to learning new software frequently. You have to teach the basics of encryption independently from any software.
In the comparison we have listed a few currently existing technologies that provide a safer messaging experience than PGP. The problem with those frequently is, that they haven't been peer reviewed. You may want to invest time or money in getting projects reviewed for safety.
Pond is currently among the most interesting projects for mail privacy, hiding its padded undetectable crypto in the general noise of Tor. Tor is a good place to hide private communication since the bulk of Tor traffic seems to be anonymized transactions with Facebook and the like. Even better source of cover traffic is file sharing, that's why RetroShare and GNUnet both have solid file sharing functionality to let you hide your communications in. Bitmessage even tries to get it working on top of a Bitcoin-like architecture. Very daring. Other interesting developments are Briar and our own, secushare, but they aren't ready yet.
Mallory will try to adapt and keep track of our communications as we dive into cover traffic, but it will be a very hard challenge for him, also because all of these technologies are working to switch to Curve25519. GNUnet intends to only support Curve25519 to impede downgrade attacks. Until the next best practice comes out. It's an arms race. Time to lay down your old bayonet while Mallory is pointing a nuclear missile at you.

Thank you, PGP.

Thank you Mr Zimmermann for bringing encryption technology to the simple people, back in 1991. It has been an invaluable tool for twenty years, we will never forget. But it is overdue to move on.

No wait, let's use PGP just a little bit longer.

Jacob Appelbaum recommends to use PGP over Pond instead of over E-Mail. Indeed, in that case most weaknesses listed above are no longer a problem. Also you don't depend totally on the safety of Tor and Pond, so it doesn't matter if Pond hasn't been peer-reviewed yet as long as it works. You can even use PGP in a non-repudiable way, since Pond takes care of authentication. Actually this should work with any of the P2P alternatives to SMTP.

Questions and Answers

Some questions were posed on libtech which deserve an answer:

What's the threat model here?

What if Mallory isn't a well-funded governmental organization but is the admin who runs your employer's email servers?
That's a good point. The reason why I don't pay attention to lesser threat models is that the loss in quality of democracy we are currently experiencing is large enough that I don't see much use for a distinction of threat models - especially since alternatives that work better than PGP exist, so they are obviously also better for lesser threat models.
For example, I don't think that a dissident in Irya (ficticious country) is better off if no-one but Google Mail knows that he is a dissident. Should at any later time in his life someone with access to that data find it useful to use it against him, he will. And who knows what the world looks like in twenty years from now?
Not saying give up and die. Saying if you can opt for better security, don't postpone learning about it. If you can invest money in making it a safe option, don't waste time with yet another PGP GUI project or the crowdfunding hype of the day.
If employers, schools, parents, skiddies can find out who you are exchanging encrypted messages with, that can be a very real threat to you. Using a tool that looks like it does something totally different.. on your screen, over the network and even on your hard disk.. can save your physical integrity.

Is this about PGP or rather about e-mail?

I don't think it makes much difference for the end user whether SMTP federation or actual PGP is failing her. It's slightly more about SMTP.

What about S/MIME?

"S/MIME unfortunately suffers from many of the same issues as OpenPGP, and then some more." I don't find S/MIME worth mentioning anymore. It has so failed us.

We need a new open standard first!

Open standards are part of the problem, not the solution. It is a VERY BAD development that it has become en vogue to require standardization from projects that haven't even started functioning. It has been detrimental to the social tool scene: None of them work well enough to actually scale and replace Facebook, but the scalability problems are already being cemented into "open standards," ensuring that they never will function. Same thing happened with Jabber as it turned into XMPP.
You must ALWAYS have a working pioneer tool FIRST, then dissect the way it works and derive a standard out of it. Bittorrent is a good example for that. It's one of the few things that actually works. Imagine if Napster and Soulseek had developed an open standard. It would only have delayed the introduction of Bittorrent, promoting an inferior technology by standardization.

Why don't we fix all of these problems with PGP and e-mail?

Even if all the effort is done that a project like LEAP is striving for, you will still be receiving SPAM and unencrypted mail, just because you have a mail address. You will still have a multitude of hosts that are still "unfixed" because they don't care to upgrade. You will still carry a dependency on DNS and X.509 around your neck just to be able to be backwards compatible to an e-mail system of which you hope you won't have to send or receive any messages since they will damage your privacy. And I still don't see by which criteria a dissident should pick a trustworthy server. I know I can rent one, but even if I have a root shell on my "own" server, it doesn't mean it is safe. It's better not to need any!
So what is this terrific effort to stay backward compatible good for? I don't see it being a worthwhile goal. There is so much broken about it while a fresh start, where every participant is safe by definition, is so much more useful. Especially you don't have that usability challenge of having to explain to your users that some addresses are superduper safe while other addresses are lacking solid degree of privacy.
One major problem with the new generation of privacy tools is, they are so simple, people have a hard time believing they are actually working.

Tuesday, November 4, 2014

Critical infrastructure organizations need to step up their cyber security threat preparedness

Critical infrastructure organizations need to step up their cyber security threat preparedness





A recent Ponemon report shows that 67% of critical infrastructure organizations suffered breaches in the last year, yet only 28% of respondents ranked security as one of the top five strategic priorities for their organization. This is of high concern due to importance of these critical infrastructures.
Critical infrastructure organizations include utility, oil and gas, alternate energy and manufacturing companies.  If any of these organizations’ ICS and SCADA systems were attacked, the negative repercussions would be significant.  For example, an attack on the SCADA system of a gas company would halt gas supply to everyone who received gas through that system.
Additional key findings from the research indicated that only 17% of companies have fully deployed their IT security programs and only 15% find their threat intelligence effective and actionable to stop or minimize the impact of a cyber attack.
The worse part is that although these companies recognize security threats, they are not committing to preventing attacks.  It turns out that only one in six of the organizations surveyed find their IT security program mature.  Deployment and execution are in the middle stages, but not fully taken on.  The study also found that the organizations who suffered an attack within the past year attributed it to internal accident or mistake, yet they have no employee training program (only 6% are training their employees on cyber security).
78% of the surveyed organizations believe that a successful attack is at least somewhat likely within the next 24 months and just 21% believe regulations and industry-based security standards have helped to decrease ICS and SCADA risk levels.
Critical infrastructure organizations need to step up their security soon if they are going to avoid a disastrous situation.  It is imminent to reach a mature level of security before attack takes place and to implement security training for all employees, develop an incident response plan, have the necessary policies and procedures in place, and ensure all their vulnerabilities are covered.
How mature is your organization’s level of security? Are you prepared for the risks ahead?

Photo Courtesy of wavebreakmedia

Saturday, November 1, 2014

The FBI can bypass encryption

The FBI can bypass encryption
The FBI has employed malware like Magic Lantern and CIPAV to foil encryption and identify people using encryption-based anonymity software like Tor.
The FBI has employed malware like Magic Lantern and CIPAV to foil encryption and identify people using encryption-based anonymity software like Tor.
Fri Oct 31, 2014 5:1PM GMT
6

Bill Blunden. Counterpunch.org

Encryption has gained the attention of actors on both sides of the mass surveillance debate. For example in a speech at the Brookings Institution FBI Director James Comey complained that strong encryption was causing US security services to “go dark.” Comey described encrypted data as follows:
“It’s the equivalent of a closet that can’t be opened, a safe deposit box that can’t be opened, a safe that can’t ever be cracked.”
Got that? Comey essentially says that encryption is a sure bet. Likewise during an interview with James Bamford whistleblower Ed Snowden confidently announced that:
“We have the means and we have the technology to end mass surveillance without any legislative action at all, without any policy changes… By basically adopting changes like making encryption a universal standard — where all communications are encrypted by default — we can end mass surveillance not just in the United States but around the world.”
If you glanced over the above excerpts and took them at face value you’d probably come away thinking that all you needed to protect your civil liberties is the latest encryption widget. Right? Wow, let me get my check book out! Paging Mr. Omidyar…
Not so fast bucko. There’s an important caveat, some fine print that Ed himself spelled out when he initially contacted film director Laura Poitras. In particular Snowden qualified that:
“If the device you store the private key and enter your passphrase on has been hacked, it is trivial to decrypt our communications.”
This corollary underscores the reality that, despite the high profile sales pitch that’s being repeated endlessly, strong encryption alone isn’t enough. Hi-tech subversion is a trump card as the Heartbleed bug graphically illustrated. In light of the NSA’s mass subversion programs it would be naïve to think that there aren’t other critical bugs like Heartbleed, subtle intentional flaws, out in the wild being leveraged by spies.
The FBI’s tell
James Comey’s performance at Brookings was an impressive public relations stunt. Yet recent history is chock full of instances where the FBI employed malware like Magic Lantern and CIPAV to foil encryption and identify people using encryption-based anonymity software like Tor. If it’s expedient the FBI will go so far as to impersonate a media outlet to fool suspects into infecting their own machines. It would seem that crooks aren’t the only attackers who wield social engineering techniques.
In fact the FBI has gotten so adept at hacking computers, utilizing what are referred to internally as Network Investigative Techniques, that the FBI wants to change the law to reflect this. The Guardian reports on how the FBI is asking the US Advisory Committee on Rules and Criminal Procedure to move the legal goal posts, so to speak:
“The amendment [proposed by the FBI] inserts a clause that would allow a judge to issue warrants to gain ‘remote access’ to computers ‘located within or outside that district’ (emphasis added) in cases in which the ‘district where the media or information is located has been concealed through technological means’. The expanded powers to stray across district boundaries would apply to any criminal investigation, not just to terrorist cases as at present.”
In other words the FBI wants to be able to hack into a computer when its exact location is shrouded by anonymity software. Once they compromise the targeted machine it’s pretty straightforward to install a software implant (i.e. malware) and exfiltrate whatever user data they want, including encryption passwords.
If encryption is really the impediment that director Comey makes it out to be then why is the FBI so keen to amend the rules in a manner which implies that they can sidestep it? In the parlance of poker this is a “tell.”
Denouement
As a developer who has built malicious software designed to undermine security tools I can attest that there is a whole burgeoning industry which prays on naïve illusions of security. Companies like Hacking Team have found a lucrative niche offering products to the highest bidder that compromise security and… a drumroll please… defeat encryption.
There’s a moral to this story. Cryptome’s John Young prudently observes:
“Protections of promises of encryption, proxy use, Tor-like anonymity and ‘military-grade’ comsec technology are magic acts — ELINT, SIGINT and COMINT always prevail over comsec. The most widely trusted and promoted systems are the most likely to be penetrated, exploited, spied upon, successfully attacked, covertly compromised with faults hidden by promoters, operators, competitors, compromisers and attackers all of whom warn against the others while mutually benefiting from continuous alarms about security and privacy.”
When someone promises you turnkey anonymity and failsafe protection from spies, make like that guy on The Walking Dead and reach for your crossbow. Mass surveillance is a vivid expression of raw power and control. Hence what ails society is fundamentally a political problem, with economic and technical facets, such that safeguarding civil liberties on the Internet will take a lot more than just the right app.
Bill Blunden is an independent investigator whose current areas of inquiry include information security, anti-forensics, and institutional analysis. He is the author of several books, including The Rootkit Arsenal , and Behold a Pale Farce: Cyberwar, Threat Inflation, and the Malware-Industrial Complex. Bill is the lead investigator at Below Gotham Labs.
GJH/GJH


Cloud Data: Who owns it

Cloud Data: Who owns it?

Cloud Data: Who owns it?My 11 month old daughter, Rachael, is at that stage: “Mine! Mine!
In her world reasoning is pointless, so I let her have it all—–for now. I am still awe-struck by the gift that she is.
We tend to observe and respect stages. And we are often patient—-for a while.
Cloud data has also had its stages.  We have been enamored because it has provided so much freedom and flexibility.
But the novelty is disappearing when we consider cloud data ownership.
That new baby syndrome is fading.
Bob Greenlees’s article Stuck in the clouds: The issue of Data Ownership outlines the dilemma:
 While the immediate benefits of cloud services are typically clear to new users, individuals and businesses alike are becoming increasingly aware of a looming issue: vendor lock-in. As these users amass large amounts of data in their cloud-based accounts, from email to pictures and everything in between, they are learning that exporting that data can pose a significant challenge.
Vendors often rely on the fact that once you are comfortable using their services it is difficult to leave and move that data out or to another service. For individuals, this can mean that their cherished digital data such as pictures, videos, music, email and more may be locked away without reasonable methods of exporting or transferring it to a different service.
The issue is often even more severe for businesses; certain data such as email, customer relationship management (CRM) information, documents, contacts, calendars and company intranet sites are crucial to the daily operations and continued success of a company.
The reduced control that often comes with adopting a cloud service, as contrasted with an on-premise solution, means that this data can remain entrenched within the confines of the current cloud service. This inconvenient reality can manifest itself in several ways, including difficulty exporting the data, moving data to a new employee account when another leaves the company, or moving the data for all accounts to a new cloud service. Innovation, customer satisfaction and overall experience should be the reasons to stay with a cloud service, not vendor lock-in.
Sounds like a really great marriage gone bad, doesn’t it?
Use this list to vet your cloud service provider (CSP) perspective on cloud data ownership :
  • What risks should your organization be aware of?
  • What legal tools ensure the protection of your organization’s data?
  • Can the CSP ensure that the data once returned is no longer held by CSP?
  • Can the CSP ensure that its data is not shared with any third parties?
  • Can the CSP ensure that your organization’s data is not used for the CSP’s commercial purposes?
  • What experience does the CSP have with the administration of your industry data and its legal constraints?
 Contact us for your cloud data project consultation