Wednesday 30 April 2014

Time to Start Preparing for the New EU Data Protection Law

It's no secret that the UK Data Protection Law is long overdue a major overhaul. Today's data protection law was actually devised in the early 1990s, long before the Internet explosion: Google and Facebook didn't exist, while common day concepts like big data mining and cloud computing were beyond the imagination of even the science fiction writers of the time. The UK Data Protection Act (1998) is mostly derived from the European Data Protection Directive of 1995 and the 1984 UK DPA. Back in 1995 there was barely one million internet users in the UK; since then the usage of digital personal information has changed massively, and it is high time for our data protection laws to catch up.

Human rights are a cornerstone of the European Parliament's legal approach, with the right to privacy and the protection of personal data regarded as a fundamental right for every EU citizen. For years European MPs have sought to introduce tighter privacy and data protection laws, however the global banking crisis and subsequent recession delayed any action. Commercial concerns about tying European businesses up with too much red tape, as they fight to take Europe out of one of the worst recessions in living memory, took precedence over digital privacy concerns. But post the Snowden revelations, and thanks to the privacy crusading Viviane Reding (Vice-President of the EU Commission), Euro MPs have finally pushed through a huge raft of changes in EU data protection legislation, impacting not only businesses within European Union countries, but any business processing EU citizen personal information, anywhere in the world.


Following a European Parliament vote on 12th March 2014, the new EU data protection reform has become irreversible. The vote was resounding in favour of adoption, with a massive 621 votes in favour, 10 against and 22 abstentions. The new law is now set in stone, no matter what happens in the EU elections in May 2014. There will be an EU meeting in June 2014 which will set about its adoption by EU member states, and by all companies supplying goods and services to EU consumers. It is expected to be passed into actual law in 2016. These data protection changes will be hugely significant and will be problematic for all businesses, so there is no time to dilly-dally in starting preparation to comply.

New EU Regulation Key Changes (in Plain English)
Regulation, not a Directive
The current EU Data Protection Law is a Directive. A directive is open to some interpretation by member states: countries can bend the requirements as they adopt it into their own law, and then not enforce that law to the same extent as other member states. The new EU DP law, however, is a regulation, a "so it is written, so it shall be done" approach with no such leeway; everyone has to follow the same rules exactly.

1. Data Breach Notification
All Data Controllers must notify ALL breaches of personal data to the Data Protection Authority within 72 hours.

This is a very significant new requirement, as in the UK only public sector organisations have to disclose breaches, and even then there is no specific time limit set to disclose. To avoid major sanctions, businesses will need processes which expedite the reporting and escalation of incidents, together with solid incident management procedures, to ensure any personal data breaches are quickly identified and can be disclosed within the 72 hour time limit.

2. Data Breach Sanctions
A number of new sanctions are available against companies that breach personal data, which include the issuing of a warning letter and enforcing periodic data protection audits, but the real game changer is the new financial penalties, which go well beyond the maximum £500K fine that can be issued by the UK's Information Commissioner's Office (ICO) under the current DPA law.

The new fines are up to 100m EUR or up to 5% of annual worldwide turnover in the case of an enterprise, whichever is greater.
The new regulation also opens the possibility of individuals and associations taking legal action against companies responsible for breaching their personal information. I can just see the cheesy 'Data Breach Lawyers for You' adverts.

3. The Right to be Forgotten
This means personal data must be fully deleted upon request by an individual. This could be a real problem for cloud services that host personal data, and for most businesses it will require significant changes, including new business processes to handle requests in a timely fashion, and a technical capability within IT systems to remove an individual's data. I can also see deleting personal data from backup tapes is going to be a real issue.

Obviously government and some regulated personal data will not be subject to the 'right to be forgotten' regulation, for example where there are regulatory or legal requirements to keep the personal data, so criminals and bad debtors can't simply have their criminal records and bad credit history removed upon request using the law. This new privacy law is aimed at the likes of Facebook, Google and big ecommerce websites, to ensure they adequately remove personal information upon request.

4. Individual Consent
Explicit consent must be obtained from individuals in order to store and/or process their personal data. Data controllers must be able to prove consent has been obtained. This new requirement could prove painful for some businesses to adopt.

5. The Data Protection Officer Role
Where a business processes more than 5,000 records of personal data (the vast majority of businesses, I would say), the business must appoint a Data Protection Officer, who has responsibility for ensuring all personal data is managed by the business in compliance with the law.

6. Personal Data Portability
Individuals upon request must be given a copy of their personal data in a format usable for transfer to another processing system. For example, if you were to change ISP, energy supplier or bank, the supplier you are leaving must provide your personal data in an acceptable, ready to read format to the supplier that you are moving to.
This will mean businesses require new processes and a technical capability to achieve it.

7. Data Processor Liability Shift
Data Processors, who currently hide behind data controllers that carry the lion's share of the data protection liability, will be held jointly liable under the incoming EU Data Protection Regulation. So that cloud service provider now comes directly into the firing line of sanctions, not just the customers that use their service.


"In the digital age, the collection and storage of personal information are essential. Data is used by all businesses – from insurance firms and banks to social media sites and search engines. In a globalised world, the transfer of data to third countries has become an important factor in daily life. There are no borders online and cloud computing means data may be sent from Berlin to be processed in Boston and stored in Bangalore." - European Commission memo 13/124

The Benefits of the New EU Regulations
The new EU data protection regulation means significant changes and cost for business, especially in its attitude towards data protection and information security. As a security professional I have to believe this is good, even if it is going to be a bitter pill for business to swallow. But the law is not all bad news for business: it levels the playing field, in that all businesses must comply with the exact same rules, even businesses processing EU citizen data outside the EU. The new regulation makes third parties responsible and liable for protecting personal data in their care, which is great news for any business that relies on third parties to protect personal data on their behalf.

From an EU citizen's perspective, the new law is certainly excellent news, especially for those that care about their privacy online, as even the US giants like Facebook, Microsoft and Google will be forced to abide by the new EU rules, whether they are outside the EU or hiding within an EU country with weak local data protection enforcement. It also means we should be notified within 72 hours when companies lose our personal information, whether the breach was caused by accident or by a hacker. At present only public sector organisations within the UK have to disclose personal data breaches, which is pretty shocking. Telling citizens that their personal information has been compromised means they can take action to protect themselves from harm, by changing passwords, cancelling credit cards, checking for fraudulent activity, or even closing down accounts with companies that do a bad job of protecting personal information. If you think all of the UK banks have never been hacked and had personal data stolen, think again; it is just that they don't have to publicly disclose data breaches at present. Given that, the number of businesses that sweep personal data breaches under the carpet in the UK must be mind-boggling.

But all in all, the new financial penalties, coupled with the reputational damage caused by private businesses having to disclose all their personal data breaches, will push a major shift in business leadership attitudes towards the protection of all personal data, which is good news indeed, although some might argue that the privacy horse has already long bolted from the stable.

Thursday 10 April 2014

Heartbleed made Simple

Heartbleed has suddenly become a very well known security vulnerability, because this simple vulnerability in OpenSSL has turned out to be one of the most critical and potentially devastating of all time, with over half a million trusted websites said to be vulnerable. Over the last couple of days various security advocates and vendors have been lined up by the media, with ominous warnings of grave danger online due to Heartbleed.

However I have generally found the mainstream media have focused far too much on sensationalising instead of explaining the vulnerability properly, explaining how organisations should resolve the problem, and explaining how users can protect themselves. It is fair to say the media coverage has led to much confusion about Heartbleed among organisations and users alike, which I'll attempt to dispel.


Heartbleed, also known as CVE-2014-0160 in techie land, is a critical security vulnerability in OpenSSL, an open-source library which implements SSL/TLS encryption and is used by many 'secure' websites (https), VPNs, email servers and mobile phone apps. The bug sits in OpenSSL's handling of the TLS Heartbeat extension. A heartbeat request is like a regular 'ping' between a server and client, used to keep a secure connection alive: one side sends a small payload and the other side echoes it back. The request carries its own length field, and vulnerable versions of OpenSSL trust that field without checking how much data actually arrived. An attacker sends a request with a tiny payload but a length field claiming up to 64 KB, and the server replies with the payload followed by whatever happened to be next to it in the process's memory, which can include private encryption keys, session cookies, user credentials and other confidential information. It is as simple as that. Each request returns a different 64 KB slice of memory and there is no way to aim it, so an attacker typically repeats the request many thousands of times, sifting through the returned memory for the information they want.
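To make the missing check concrete, here is an added illustration (not OpenSSL's own source) that models the heartbeat handler before and after the fix. The record layout (type byte, two-byte big-endian payload length, payload, at least 16 bytes of padding) follows RFC 6520; the "secret" placed next to the record in memory, the arena size and the helper names are constructed for the demonstration.

```c
/* Model of OpenSSL's TLS heartbeat handling before and after the
 * Heartbleed fix (CVE-2014-0160). Added illustration, not OpenSSL source:
 * the record layout follows RFC 6520, the memory layout is constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_MIN_PADDING 16
#define ARENA_SIZE     256

/* Simulated process memory: the received heartbeat record sits at the
 * front, and whatever the allocator placed after it (a constructed
 * "secret" standing in for keys, cookies or passwords) follows directly. */
struct arena {
    uint8_t mem[ARENA_SIZE];
    size_t record_len;   /* bytes actually received in this TLS record */
};

/* Build a record whose length field claims claimed_len payload bytes but
 * which really carries only actual_len bytes, then put the secret behind it. */
static void build_arena(struct arena *a, uint16_t claimed_len,
                        size_t actual_len, const char *secret)
{
    uint8_t *p = a->mem;
    memset(a->mem, 0, sizeof a->mem);
    *p++ = HB_REQUEST;
    *p++ = (uint8_t)(claimed_len >> 8);            /* big-endian length */
    *p++ = (uint8_t)(claimed_len & 0xff);
    memset(p, 'A', actual_len);   p += actual_len;  /* real payload */
    memset(p, 0, HB_MIN_PADDING); p += HB_MIN_PADDING;
    a->record_len = (size_t)(p - a->mem);
    size_t room = sizeof a->mem - a->record_len;
    size_t n = strlen(secret);
    memcpy(p, secret, n < room ? n : room);        /* adjacent heap data */
}

/* Shared response builder: echoes len bytes starting at payload. */
static size_t write_response(uint8_t *out, const uint8_t *payload, uint16_t len)
{
    uint8_t *bp = out;
    *bp++ = HB_RESPONSE;
    *bp++ = (uint8_t)(len >> 8);
    *bp++ = (uint8_t)(len & 0xff);
    memcpy(bp, payload, len);      /* copies len bytes, wherever they came from */
    bp += len;
    memset(bp, 0, HB_MIN_PADDING);
    return (size_t)(bp + HB_MIN_PADDING - out);
}

/* Pre-1.0.1g logic: the attacker-supplied length is trusted outright.
 * Returns 1 and fills out/out_len when a response is sent, 0 otherwise. */
static int heartbeat_vulnerable(const struct arena *a, uint8_t *out, size_t *out_len)
{
    const uint8_t *p = a->mem;
    uint8_t hbtype = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    if (hbtype != HB_REQUEST) return 0;
    /* Keep the model itself memory-safe: never read past the arena.
     * Real OpenSSL had no such guard and copied up to 64 KiB of heap. */
    if ((size_t)(p - a->mem) + payload > sizeof a->mem) return 0;
    *out_len = write_response(out, p, payload);   /* reads past record_len */
    return 1;
}

/* 1.0.1g logic: the claimed payload must fit inside the record received. */
static int heartbeat_fixed(const struct arena *a, uint8_t *out, size_t *out_len)
{
    if (1 + 2 + HB_MIN_PADDING > a->record_len) return 0;   /* silently drop */
    const uint8_t *p = a->mem;
    uint8_t hbtype = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    if (hbtype != HB_REQUEST) return 0;
    if (1 + 2 + (size_t)payload + HB_MIN_PADDING > a->record_len) return 0;
    *out_len = write_response(out, p, payload);
    return 1;
}

static int contains(const uint8_t *buf, size_t len, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(buf + i, needle, n) == 0) return 1;
    return 0;
}

/* Drive one scenario. Returns -1 if the handler dropped the request,
 * 1 if the response contains the secret, 0 if it does not.
 * resp_len (may be NULL) receives the response size. */
int run_heartbeat(int hardened, uint16_t claimed_len, size_t actual_len,
                  const char *secret, size_t *resp_len)
{
    struct arena a;
    uint8_t out[1 + 2 + 0xffff + HB_MIN_PADDING];
    size_t n = 0;
    build_arena(&a, claimed_len, actual_len, secret);
    int sent = hardened ? heartbeat_fixed(&a, out, &n)
                        : heartbeat_vulnerable(&a, out, &n);
    if (!sent) return -1;
    if (resp_len) *resp_len = n;
    return contains(out, n, secret);
}

int main(void)
{
    const char *secret = "session=abc123; password=hunter2";   /* constructed */
    size_t n = 0;
    int leaked = run_heartbeat(0, 64, 4, secret, &n);
    printf("vulnerable: %zu-byte reply, secret leaked: %s\n", n, leaked == 1 ? "yes" : "no");
    printf("fixed: %s\n", run_heartbeat(1, 64, 4, secret, NULL) == -1
                          ? "request discarded" : "responded");
    return 0;
}
```

A request that claims 64 payload bytes but sends 4 gets an 83-byte reply from the vulnerable handler, with the constructed secret sitting inside it, while the fixed handler discards the same request because 1 + 2 + 64 + 16 exceeds the 23 bytes that actually arrived. That length-versus-record comparison is the whole fix; the honest 4-byte request still gets its normal 23-byte echo from both handlers.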

The Register has posted one of the best detailed technical descriptions on how attackers exploit the Heartbleed vulnerability, so there is no need for me to drill into further technical detail here to explain it - http://www.theregister.co.uk/2014/04/10/many_clientside_vulns_in_heartbleed_says_sans/ 


There is also a nice video explanation of Heartbleed by Elastica Inc

Now that the Heartbleed vulnerability is so widely known, thanks to the mass media, and given the ease with which anyone can exploit it, immediate action by organisations and individuals is required.

Business & Organisations that Operate Secure Websites, Apps, VPNs, etc

1. Immediately identify all usage of OpenSSL 1.0.1 through 1.0.1f (and the 1.0.2-beta1 pre-release) in your organisation, including appliances and embedded software that bundle it, and patch it: upgrade to 1.0.1g or later (download here), or rebuild with -DOPENSSL_NO_HEARTBEATS if you cannot upgrade yet, then restart every service that had the old library loaded. Note that some Linux distributions backport the fix without changing the reported version number, so check your distribution's package changelog rather than relying on the version string alone.

2. Where OpenSSL 1.0.1 to 1.0.1f was found and patching has been confirmed:

  • Issue new encryption key pairs and certificates, and revoke the old certificates; assume every private key that lived in an affected process has been compromised. Do this before asking users for new passwords, otherwise an attacker holding the old key could still impersonate the site or decrypt captured sessions while users log in.
  • Invalidate all web session keys and cookies. A library update on its own does not do this; sessions established before the patch must be terminated explicitly.
  • Enforce user account password changes. The assumption to take is that user account names and passwords have been compromised: the exploit leaves nothing in the server's own logs, so there is no way of knowing whether account credentials were taken or not.
  • Review the content which may have been leaked due to the vulnerability in OpenSSL, then action mitigation where required.
Everyone (Users)
If requested to change your password by an organisation, website, application etc, like a Nike 80s commercial, Just do it!

The media is full of advice for users, particularly advocating that users should change all their website passwords. However this is a pointless exercise if the service you are using has not yet been patched against Heartbleed, and unnecessary if the service was never affected by the vulnerability, as not all encryption software is OpenSSL, so check first: the service should tell you whether it was affected and when it was patched.
Finally, ensure you adhere to good practice password management. Consider using a password management vault like LastPass, and ensure unique and strong passwords are used for all your website accounts, particularly any banking and email accounts, so that should one of your weaker website accounts be compromised due to Heartbleed, the attackers don't get access to your more important accounts. This is a common issue when people reuse the same password on multiple websites; attackers know some users do this and check for it.
See my other posts for further advice on password management: