You’ve heard about the GDPR, right?

As I’ve spoken with people (security people and “civilians”), I’ve found many who had no idea that the GDPR was a thing.  I know Americans tend to have a very US-centric view of the world, but the GDPR is critical for any business with a presence, customers, or clients in or from the EU.

The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC with an effective date of 25 May 2018 (so about a year to get ready).

The GDPR clearly expresses the central difference between the views of American and EU.  The GDPR “[p]rotects [the] fundamental rights and freedoms of natural persons and in particular their right to protection of personal data.”

In the US, personal data is typically seen as the property of the holder of the data.  The EU expressly views personal data as the property of the person.  This difference makes the GDPR distinct from US data breach notification laws.

There are a number of key items to review in the GDPR:

  • Increases extra-territorial applicability
  • Conditions for consent strengthened
  • Privacy policies may “no longer be able to use long illegible terms and conditions full of legalese . . . the request for consent must be given in an intelligible and easily accessible form. . .”
  • Breach notification must be made within 72 hours

The GDPR guarantees the Data Subjects’ Right to Access.  The Data Subject may:

  • “Obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. . .
  • Further, the controller shall provide a copy of the personal data, free of charge, in an electronic format.”

The GDPR also formalizes the “Right to be Forgotten”

“Data Subjects have the right to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.”

Non EU companies that do business in the EU or have customers that are citizens of the EU or live in the EU will have to comply with these regulations for their EU data subject.  Any non-compliant organizations will face heavy fines.

So, get ready folks.  You don’t have much time to explore and internalize the GDPR.

InfoSec SouthWest and other conference

It has been an interesting few months.  Since joining Gardere last November I’ve presented more than I can remember doing so in the past.  Now, in general I don’t really like presenting.  It isn’t one of my greatest fears, but it also isn’t a big deal.

What I do enjoy about the past few months of presentations, though, is the audiences.  I’ve been lucky enough to present to CIOs, clients, college students, and numerous lawyers through internal and external Continuing Legal Education (CLE) events.

Now, I’m a security guy right?  Why not present to security people?  Because it is less important to present to people that already “get it”.

The technology world, and specifically the security world need to be exposed to people outside of security.  The lawyers need to understand how to protect their clients and firms.  CIOs need to hear that security is important from someone other than their CISO.

Normal human beings need to understand how to protect themselves.

It has been very rewarding.

This weekend (in Austin) is the InfoSec SouthWest (ISSW) conference.  This will bring together some amazing security professionals.  I’m not presenting at ISSW but really looking forward to hearing people smarter than me educate me about security philosophy and technology.  There is always room to learn and grow.

Apple increases encryption of iOS devices

As reported by The Register, Apple released iOS 10.3 today.  Included in the update is a new file system designed specifically for iOS devices.  The Apple File System (APFS) is designed for macOS, iOS, tvOS, and watchOS.

APFS brings strong “full-disk encryption” to protect files and metadata from exposure.  The interesting part is that APFS uses a multi-key encryption.  One key protects the data and a separate key protects metadata.  Separating these keys makes the attacker’s job more difficult.

Last year there was a very public debate around the role of encryption and backdoors for law enforcement investigations.  Apple fought FBI requests to decrypt an iPhone used by terrorists in California.  The FBI eventually found a way to decrypt the phone without Apple’s aid.

Doubling down on encryption, Apple is now making the process to gain access to iOS devices even more difficult.  It seems that relevant XKCD is even more relevant for Apple devices.

Bugs in the clouds

Amir Etemadieh (Zenofex) of Exploitee.rs has a great write up on a series of vulnerabilities in the Western Digital My Cloud storage appliances.  Zenofex is an amazing vulnerability researcher and all around good guy.

I’m not singling out Western Digital.  I think they make some good products.  The types of flaws that Zenofex found in this appliance are the same type that many IoT and personal “cloud” appliances contain.  The devices are made to be super easy for a consumer to setup and they allow the owner to connect to them from anywhere (many times with a smartphone app).

This ease of setup and access, though, means that they really should be hardened and secured like real commercial production system.  Hardening these types of systems should include changing passwords, closing unnecessary ports, validating and testing interfaces, using encryption at rest and in transit, etc.

This type of hardening is well beyond the average consumer and things like validating web applications for injection attacks is beyond many security professionals.

So, again, I’ll harp on manufacturers.  They need to build in security by default.  They need to test and validate their apps.

Folks like Zenofex do all of us a great service by finding these types bugs in consumer products, but it should not be up to a curious researcher.  It is the responsibility of the vendors to sell products that are safe for deployment.