Paranoid Technology All things cybersecurity


Lessons on Trust and Apple’s Stance Against the FBI – Learned from the Syrian Refugee Crisis

Our team has been researching trust networks for a while, and this example from the Syrian refugee crisis was worth sharing, as there are several hidden lessons in the story. You've probably been following the news about the Syrian refugee crisis. This article is not about the significant humanitarian and political challenges and complexities of that situation, but rather about what we can learn from the refugees' ordeal about trust networks and apply to information security, specifically to the current stand-off between Apple and the FBI…

Large numbers of men, women and children try to journey from Turkey to Greece every day, hoping for a better life and to escape the horrors of war... The success-to-death ratio is quite high, but people keep trying; one can't help but ask oneself, why? Why do the refugees trust these people traffickers, why do they get on leaky boats and make the trip, knowing there is a good chance that they will never make it? The answer to this question is trust...


Summing Up Safe Harbor’s replacement, Privacy Shield

On February 2nd, the EU Commission and the US announced Safe Harbor's intended replacement, the "EU-US Privacy Shield". While the EU Commission, trade associations and businesses announced support, numerous privacy advocacy groups (not to mention Data Protection Agencies, including those in France, Germany and Spain) were quick to voice concerns.

Here's what the new framework claims to put in place:

  • US companies now have "robust" obligations to protect Europeans' personal data; the Department of Commerce will monitor these commitments, which are enforceable under US law
  • The US has given the EU written assurance that access to data for law enforcement or national security will be subject to limitations, safeguards and oversight; no more mass surveillance on EU personal data; exceptions are allowed "to the extent necessary"; this arrangement will be monitored by both countries
  • EU citizens now have redress options - meaning, companies have to reply to complaints, Data Protection Agencies can refer complaints to US agencies, and a State Department ombudsperson will be available

While all that sounds like progress, the devil is in the details, hence a few areas of concern:


8 Scary Security Predictions for 2016

2016 Security Predictions
1) Back Doors Open in Corporate Encryption

Paranoid Technology has already opined on why “opening” encryption is bad for businesses and citizens alike, but not much has stopped calls from Washington for a “magic bullet” to let the good guys in and keep the bad guys out. What’s concerning is the prediction of those like Robert S. Litt, general counsel in the Office of the Director of National Intelligence, who wrote that although “the legislative environment [for passing a law that forces decryption and backdoors] is very hostile today, it could turn in the event of a terrorist attack or criminal event where strong encryption can be shown to have hindered law enforcement.” It’s an eerie and potentially prescient comment; right now strong encryption is winning, but it’s true that certain events would likely sway public opinion.

2) National Privacy Laws Weaken (Again)

2015 finally saw the USA Freedom Act passed, reining in NSA surveillance (including bulk collection of phone records) as of November 29th 2015, though still not going far enough in the eyes of many civil liberties groups. Yet the end of 2015 also saw Republican lawmakers introduce a new bill that would roll back the USA Freedom Act and reauthorize the government’s collection of phone records through 2017. Many lawmakers feel that even that rollback is not enough; senators like presidential candidate Marco Rubio would actually prefer to see a permanent reauthorization of key provisions of the Patriot Act. The Republican response is a bellwether of what to expect in 2016, especially if there are terrorist or criminal events that demonstrate mass surveillance would have made some difference (see Litt’s crystal ball, above).


Moving to the Cloud? Don’t Leave Security Behind

According to Gartner, by 2018 at least 50% of enterprises will adopt cloud-enabled service offerings. This means that more and more organizations – maybe even your organization – will soon be weighing the pros and cons of private and public cloud options. Yet regardless of which path you choose, your responsibility remains the same: your organization is ultimately still responsible—and liable—for maintaining the confidentiality, integrity, and auditability of your data. You can safely put data out on both public and private clouds… just watch out for the problems caused by one or more of the following:

  • Disclosure of sensitive or regulated data
  • Disclosure of intellectual property
  • Inconsistent user access management
  • Lack of electronic discovery capabilities
  • Compliance issues due to the lack of security controls
  • Application QA issues

To keep reading and for additional details, see the Derivative Technology white paper, “Moving to the Cloud? Don’t Leave Security Behind” or contact us for more information here.


Forget Weak Encryption, Rely on OpSec Fundamentals & Human Intelligence

Hillary Clinton recently joined the growing chorus of politicos suggesting that Silicon Valley tech giants need to stop treating the government like an adversary, calling for collaboration to “find solutions” to encrypted communication. “Finding solutions” here means weakening encryption so that the US government has a legal means of eavesdropping on what would otherwise be private communications – not only among terrorists, but also among people in the (much) larger population.

This begs the question: is weakening encryption the only means of improving national security? Reviewing the recent attacks, there are a few important things to note. The terrorists in Paris were not using encrypted communications; that said, ISIS does have a sophisticated OpSec manual, which shows a heightened awareness of encryption technologies and of ways to maneuver around them. In addition, several other nation states (the U.S. and Germany among them) shared intelligence with France on either the attacks or the attackers that wasn’t acted on in a timely manner.

Putting aside these other programmatic gaps, let’s assume that weakening encryption is the only means of improving security. For the government to have “back door” access to every encrypted application or system, the country would need to be operated as one enormous Public Key Infrastructure (PKI), with the government as the top-level certificate authority (CA) for all domains and communications. It would issue every certificate used for encryption, which would also conveniently enable surveillance.


Cyberinsurance – why security fundamentals & service offerings matter

The cost of cybercrime has become staggering. With companies like Home Depot ($234M), Target ($264M), Sony and others being hit, CEOs are revisiting their cyberinsurance policies and wondering if they're doing enough. While cyberinsurance definitely belongs in the CEO's risk management tool kit, avoid reacting to the latest panic about cybercrime. Overspending on cyberinsurance means under-spending on critical functions - such as information security, risk, and even human resources - that may be even more important to protecting your business than insurance.

If you're interested in cyberinsurance, know that insurers will look at your "proof of insurability", meaning the strength of your policy application and their estimate of your organization's risk across key categories. They expect that you'll have done an in-depth review of your organization's risk based on the security measures in place and the existing gaps. Remember that you'll pay extra for coverage of weaknesses in your security program, so it is better to address security hygiene before you apply.

There's a long list of things cyberinsurers will want to know before signing you up.  For a full list, read the Derivative Technology white paper, "Protect your business from cybercrime the cost-effective way: with targeted cyberinsurance".  Or keep reading for more details ...


No more Safe Harbor … now what?

The recent EU ruling on Safe Harbor has US companies who do business in Europe scrambling to figure out what this means for their business, what the future holds, and where to go from here. Here’s a quick rundown of what happened, how this came about, and what the implications are for your organization.

On October 6, 2015 the European Court of Justice (“ECJ”) invalidated the 15-year-old Safe Harbor program: a policy framework that allowed US-based companies to freely transfer data between continents if they demonstrated compliance with an agreed-upon set of data protection principles. Austrian privacy activist Maximilian Schrems had challenged Facebook’s transfer of European users’ data to its American servers, citing the Snowden revelations and accusing Facebook of aiding US espionage efforts. And he won.


And Now Look Who’s Going to Get Sued!

While many interesting topics came out of Black Hat recently, the one that caught my eye was in the opening remarks by Jeff Moss and the follow-up article on software liability (“Software Liability is Inevitable”, on ThreatPost), i.e. the idea that software developers, and the companies who employ them, should be liable for the quality of their code.

What’s that old Shakespeare saying? “The first thing we do, let’s kill all the lawyers!” While I am, generally speaking, not a fan of lawsuits as a form of behavior modification, the idea of software liability is an intriguing one. Who hasn’t been part of a company where software’s gone awry and caused anywhere from headaches to actual revenue loss? What if you could make software developers responsible for that pain? I can hear the developers groaning now - this is oppression! Kill all the lawyers! This is going to squash our creativity! … Software development is actually going to be harmed, not helped. No one will want to develop software if they’re afraid of getting sued. Etc., etc.

But let’s think about it - what are the real Pros and Cons?


A Stitch in Time Saves 9 – the CFO Perspective on Cyber Security

This recent article - CFOs are not confident about their level of security - got me thinking. If you think about what keeps a CFO up at night, what comes to mind? Rising commodity prices? Company performance? Is Greece staying in the Eurozone? You would be right, those things do - but according to Deloitte, so do cyber security threats: only 1 in 10 CFOs feels well-prepared for an attack. And that’s because they stand to lose a lot - data breaches mean not only potential data loss and angry customers, but also damaged reputations, distrust and new security requirements that the organization hadn’t even considered. All of these things impact the bottom line.

We all know that risk avoidance comes at a price, and that that cost is difficult to measure.  No company (or government) wants to be plastered in the headlines for losing millions of users’ data; what they would have paid to avoid the whole situation in the first place is an interesting question… Yet what this article doesn’t discuss is what enterprises are investing in cybersecurity in response to this fear, uncertainty and doubt.  For most companies who have suffered, I am willing to bet they had an obvious hole in their security protocol; one that would have been discovered via a regular security audit. Or even worse, maybe they already knew about it, but were holding their breath and hoping (my motto: hope is not a strategy).


Verizon’s 2015 Data Breach Investigations Report

Verizon's Data Breach Investigations Report for 2015 is out. This year's report draws on 70 contributing organizations and covers 79,790 security incidents and 2,122 confirmed data breaches from 61 countries. The highlights from the report:

- As in the last 5 years, threat actor attribution in 2015 stays similar: ~80% external, ~20% internal...

- Top threat actions in 2015: phishing, spyware/keylogging, RAM scraping, and credential theft.

- In 60% of cases, attackers were able to compromise an organization within minutes.

- 23% of recipients now open phishing messages and 11% click on attachments.

- 99% of exploited vulnerabilities were compromised more than a year after the CVE was published.

- 70-90% of malware samples are unique to an organization.

- 95% of the incidents recorded involve harvesting credentials stolen from customer devices...

- 60% of incidents were attributed to errors made by system administrators...

Looking at the above trends, the usual suspects - patch management, information security awareness and training, and network/log monitoring tools - are still quite relevant...