28 April 2015

Data protection

Posts relating to the category tag "data protection" are listed below.

02 June 2014

Personal Data Protection in Online Systems - Part 1/2 Security Vulnerabilities

The UK's Information Commissioner's Office (ICO) published a report in mid May about the most common classes of IT security vulnerabilities in online systems that result in failures to secure personal data.

The cover from the ICO report

The seventh data protection principle requires organisations to take appropriate measures to safeguard personal data. It states "Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data".

Protecting Personal Data in Online Services: Learning From the Mistakes of Others describes the issues most commonly found to have been the root causes of inadequate protection of personal data in online systems.

There are some issues clearly related to poor management control such as incorrect decommissioning of business processes and inappropriate locations for processing of data. The other issues are more technical but are all the types of things well-organised and careful organisations ought to be getting right already.

I was interested to check which of these relate to infrastructure (I/S) components and which to applications (Apps). For the latter, I also checked whether they appear in the OWASP Top Ten 2013 most critical risks.

Issue (from the ICO security report)            | I/S | App | OWASP Top Ten 2013
------------------------------------------------|-----|-----|------------------------------------------------
Failure to keep software security up to date    |  Y  |  Y  | A9 Using components with known vulnerabilities
Lack of protection from SQL injection           |  -  |  Y  | A1 Injection
Exposure of unnecessary protocols & services    |  Y  |  -  | -
Exposure of decommissioned software/services    |  Y  |  Y  | -
Insecure storage of passwords                   |  -  |  Y  | A6 Sensitive data exposure
Failure to encrypt online communications        |  Y  |  Y  | A6 Sensitive data exposure
Processing data in inappropriate locations      |  Y  |  -  | -
Use of default credentials including passwords  |  Y  |  Y  | A5 Security misconfiguration

We can see there is a mixture of infrastructure and application security issues, and that some issues span both of these categorisations.

Simon Rice, ICO Group Manager, blogged about the release of the report, password storage and SQL injection, and answered questions about the report in a video interview.

Tomorrow, I will list the security controls for each issue, as discussed in the report.

Posted on: 02 June 2014 at 07:40 hrs


16 May 2014

Media Use and Attitudes 2014

OFCOM, the UK communications sector's regulator and competition authority, has announced its updated report on adults' use of media and attitudes.

Partial view of one of the many charts from the OFCOM report Adults' Media Use and Attitudes Report 2014

Adults' Media Use and Attitudes Report 2014 (complete 95 page print version and TV/internet audience size annex) reviews facts and trends about media usage, devices and knowledge by age group. But sections "5.5 Media Regulation" and "6 Online Safety and Security" are most on topic for here. Some headlines from the report:

  • A quarter of adults (27%) believe that mobile content is regulated, and almost a half (46%) believe that the internet is regulated in terms of what can be shown and written
  • Seven in ten internet users feel that the websites themselves should monitor their content to avoid offensive content being posted by individuals
  • A majority of internet users trust government/ council websites (61%) and commercial websites and apps (59%) to hold their personal information securely
  • A majority (57%) of internet users use the same password for most websites
  • Awareness and use is higher for anti-virus software and firewalls and lower for email filters, home WiFi protection, deleting cookies from browsers and anti-spyware.
  • A majority of mobile phone users say they are aware of: screen locks (86%), PIN protection of SIM cards (68%), and software to help locate a lost phone (53%)

See also OFCOM's equivalent report from last year.

Posted on: 16 May 2014 at 07:30 hrs


18 April 2014

Data Subject Breach Notification and Privacy Impact

The EC Article 29 Working Party has published an opinion offering guidance to data controllers to help them to decide whether to notify data subjects in case of a personal data breach.

Photograph of a large crowd of people

Opinion 03/2014 on Personal Data Breach Notification provides advice to telecoms companies subject to mandatory breach notification under Directive 2002/58/EC. Whilst most readers of this blog will not work in this sector, the guidance itself is useful for consideration in any sector.

The opinion recommends that organisations should be proactive and plan appropriately. It illustrates the effects of confidentiality, integrity and availability breaches on personal data, and the impact upon individuals.

The document recommends that all the potential consequences and potential adverse effects on individuals should be examined, and that data breaches should be notified to the data subjects in a timely manner, if the breach is likely to adversely affect the personal data or the privacy of the data subjects.

See also the Information Commissioner's Office (ICO) guidance on Incidents and breach notification.

Posted on: 18 April 2014 at 08:43 hrs


09 April 2014

Third-Party Tracking Cookie Revelations

A new draft paper describes how the capture of tracking cookies can be used for mass surveillance and, where other personal information is leaked by web sites, used to build up a wider picture of a person's real-world identity.

Title page from 'Cookies that give you away: Evaluating the surveillance implications of web tracking'

Dillon Reisman, Steven Englehardt, Christian Eubank, Peter Zimmerman, and Arvind Narayanan at Princeton University's Department of Computer Science investigated how someone with passive access to a network could glean information from observing HTTP cookies in transit. The authors explain how pseudo-anonymous third-party cookies can be tied together without having to rely on IP addresses.

Then, given personal data leaking over non-SSL content, this can be combined into a larger picture of the person. The paper assessed what personal information is leaked from Alexa Top 50 sites with login support.

This work is likely to attract the attention of privacy advocates and regulators, leading to increased interest in cookies and other tracking mechanisms.

The research work was motivated by two leaked NSA documents.

Posted on: 09 April 2014 at 10:02 hrs


04 April 2014

Regulation of Software with a Medical Purpose

I seem to have a series of regulation-related posts at the moment. Perhaps it is the time of year. An article on OutLaw.com discusses how mobile apps and other software with a medical purpose may be subject to regulation.

Photograph of shelves in a shop displaying rows of medications

The UK's Medicines and Healthcare Products Regulations Agency (MHRA) is responsible for regulating all medicines and medical devices in the UK by ensuring they work and are acceptably safe. It has issued new guidance on "medical device stand-alone software (including apps)" which is defined as "software which has a medical purpose which at the time of it being placed onto the market is not incorporated into a medical device". Thus "software... intended by the manufacturer to be used for human beings for the purpose of:

  • diagnosis, prevention, monitoring, treatment or alleviation of disease,
  • diagnosis, monitoring, treatment, alleviation of or compensation for an injury or handicap,
  • investigation, replacement or modification of the anatomy or of a physiological process,
  • control of conception..."

Guidance on Medical Device Stand-alone Software (Including Apps) describes the scope, requirements and software-specific considerations. Product liability and safety considerations are also mentioned.

This introduces the potential need for registration, documentation, self-assessment, validation, monitoring and incident reporting, especially if the software performs any form of diagnosis or assessment. The OutLaw.com article provides a good analysis and views from experts.

Posted on: 04 April 2014 at 10:11 hrs


31 March 2014

Regulator Weighs into the Consumer Software Sector

The US Federal Trade Commission has brought two companies to task over inadequate data protection in their mobile apps.

The settlements require Fandango and Credit Karma to establish comprehensive security programs designed to address security risks during the development of their applications and to undergo independent security assessments every other year for the next 20 years. The settlements also prohibit Fandango and Credit Karma from misrepresenting the level of privacy or security of their products and services.

In the proceedings against Credit Karma Inc, the complaint describes the company's website and mobile app, which consumers can use to monitor and evaluate their credit and financial status. In the proceedings against Fandango LLC, the complaint describes the company's website and mobile application, which allow consumers to purchase movie tickets and view showtimes, trailers, and reviews.

The cases describe a number of problems with security but focus on how the apps had disabled SSL certificate validation, leading to the possibility that attackers could redirect and intercept network traffic and decrypt, monitor, or alter any of the information transmitted from or to the application, including personally identifiable information. The FTC also said the companies misrepresented the security of the apps to consumers.
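The weakness the complaints describe is a TLS client that no longer checks the server's certificate, so whoever is on the network path can present their own certificate and read or alter the traffic. As an added illustration (not code from the FTC orders or from either company's apps), this uses Python's ssl module to show that configuration beside a validating one, and a check a reviewer can run over a client context before release.

```python
import ssl
from typing import List, Optional

# Added example: the weak and the sound TLS client configuration, plus a check
# that reports which one it is looking at.  Python's ssl module stands in for
# whatever HTTP stack a mobile app uses; the settings map onto the same ideas
# (certificate chain validation and hostname matching).


def disabled_validation_context() -> ssl.SSLContext:
    """Client context with certificate validation switched off (the weak pattern)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Python refuses CERT_NONE while hostname checking is still on, so an app that
    # wants to "make the certificate error go away" has to disable both.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def validating_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Client context that validates the chain against trusted CAs and the hostname."""
    # create_default_context() gives CERT_REQUIRED and check_hostname=True and
    # loads the platform trust store (or the supplied CA bundle).
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_client_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the certificate-validation weaknesses in a client context (empty = none)."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("verify_mode is CERT_NONE: server certificate is not validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: certificate is not matched to the host")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version allows TLS below 1.2")
    return findings


if __name__ == "__main__":
    for name, ctx in (("weak", disabled_validation_context()),
                      ("validating", validating_context())):
        print(name, audit_client_context(ctx) or ["no findings"])
```

Anything reported for the weak context is exactly what the consent orders' "secure engineering and defensive programming" and testing requirements are meant to catch before an app ships.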

The consent orders require the companies not to misrepresent how the apps maintain and protect the privacy, security, confidentiality, or integrity of information. Additionally they must establish and implement, and thereafter maintain, a comprehensive security program including in summary:

  • Designated employee to coordinate the security programme and be accountable for it
  • Assessment of security and privacy risks and safeguards that mitigate these
  • Security throughout the software development lifecycle including employee training and management; secure engineering and defensive programming; product design and development, secure software design, development, and testing; review, assessment, and response to third-party security vulnerability reports; and prevention, detection, and response to attacks, intrusions, or systems failures
  • Implementation, testing and periodic re-assessment of security controls, systems and procedures
  • Due diligence and assessment of service providers
  • Monitoring, review and improvement of the security programme.

Furthermore, these programmes are to be independently assessed initially and then biennially for 20 years by an independent third-party professional who is suitably qualified. The orders mention the assessor may be a "Certified Secure Software Lifecycle Professional (CSSLP) with experience in secure mobile programming; Certified Information System Security Professional (CISSP) with professional experience in the Software Development Security domain and secure mobile programming, or a similarly qualified person or organisation approved by the FTC".

It looks like this is the year for comprehensive secure software development lifecycle initiatives such as Open SAMM, MS-SDL and the Bits Framework.

Posted on: 31 March 2014 at 09:11 hrs


27 March 2014

Web Security Incident Records and Classifications

I just went through the list of recent enforcement actions taken by the ICO.

Screen shot of the submitted response that reads 'Would it be possible for the ICO to classify the vulnerabilities/weaknesses related to software (e.g. websites) in monetary penalty notices, enforcement actions and undertakings? i.e. any published vulnerabilities (CVEs), misconfigurations (CCEs) or software weaknesses (CWEs) that were exploited. Where an incident involves a mis-directed email or fax, or an unencrypted laptop, the root cause is easily identified, but in software-related incidents, there is not the same degree of clarity from the ICO. This information would be invaluable for research, help raise awareness, and assist other organisations to focus their efforts. References https://cve.mitre.org/ http://cce.mitre.org/ http://cwe.mitre.org/ http://scap.nist.gov/'

Periodically I collect information from there and submit incidents to the Web Hacking Incident Database (WHID) using their submission form.

It was disappointing to note that the lists of monetary penalty notices, enforcement actions and undertakings on the ICO web site have been truncated and there is no archive. The site's search can be used to find some, but I still had to turn to the helpful Breach Watch to reach some past ICO documents. I submitted website feedback about this to the ICO.

The WHID incident submission form asks for the attack method, weakness exploited and outcomes. In many cases this will be unknown, but this prompted me to make a request to the ICO that they classify incidents, to raise awareness, help others and help the prioritisation of risk reduction measures. There wasn't an appropriate place on the main ICO web site to do this, so I submitted the suggestion (see image above) on the latest blog post by their Group Manager, which also mentions the recent British Pregnancy Advice Service (BPAS) data breach. Awaiting moderation.

Update 9th April 2014: Just noticed, my comment has been published.

Posted on: 27 March 2014 at 11:24 hrs


13 March 2014

OWASP Top Ten 2013 A9 and Principle 7 (Security) of the Data Protection Act

The UK Information Commissioner's Office (ICO) has made a clear statement that it believes unpatched software is no longer acceptable.

30% of PCs still use Microsoft XP. If your business does after 8 April 2014 it may be breaching #DPA

The ICO does not provide much prescriptive guidance about Principle 7 of the Data Protection Act (DPA) 1998 concerning security, and data controllers and processors have to read all the guidance and enforcement actions to get a feel for what is expected. Thus for example, for many years the ICO has taken a very dim view of losing mobile devices that have unencrypted storage media.

It seems the time has come for addressing published software vulnerabilities in a timely manner to be included in the bare minimum controls the ICO expects to be in place to protect personal data.

In a tweet and referenced post on the ICO's blog Simon Rice, Group Manager for the ICO's technology team, has highlighted how having unpatched vulnerabilities, that are not mitigated in any other way, in software and infrastructure could be considered a breach of the DPA 7th principle.

Read more about vulnerabilities in software components from OWASP, and also how one UK charity was fined last week by the ICO after a data breach involving a vulnerability in a website content management system (CMS).

Posted on: 13 March 2014 at 12:21 hrs


04 March 2014

Apple iOS Security

Apple has released an update to its previous 2012 guide to iOS security.

Cover page from the new Apple security guide to 'iOS Security' published February 2014

The new version, iOS Security, February 2014, has 50% more content, with new sections about:

  • System Software Authorization
  • Secure Enclave
  • Touch ID
  • FIPS 140-2
  • A whole new section on App Security
    • App Code Signing
    • Runtime Process Security
    • Data Protection in Apps
    • Accessories
  • Single Sign-on
  • AirDrop Security
  • Another new section on Internet Services
    • iMessage
    • FaceTime
    • Siri
    • iCloud
    • iCloud Keychain

There is also updated content in the previously existing System Architecture, Encryption and Data Security, Network Security and Device Access sections.

Posted on: 04 March 2014 at 08:33 hrs


29 January 2014

Privacy Notices and Supplier Contracts

Over Christmas I caught up with a backlog of news stories, tweets and bookmarked items. One relating to privacy notices surprised me, despite being quite an old item.

Photograph of a locked wooden door with an adjacent metal enclosure housing a keypad, video camera, microphone and loudspeaker - a sign on the door reads 'Keep locked shut' and another handmade sign reads 'Visitors - Please press buzzer and show ID to  the camera - thank you'

It seems Google's terms of service (UK version) for Google Analytics include certain privacy requirements on its users (web site operators).

The web post identifies obligations placed on web site operators:

  • Have a privacy policy
  • Abide by all applicable laws relating to the collection of information from visitors
  • State the usage of third party tracking and usage of cookies for tracking

There are additional requirements for users of AdWords and AdSense. A handy reminder that your suppliers can be the source of additional information security and privacy mandates.

After all, if you have an incident, you don't want to be found breaking contractual obligations as well.

Posted on: 29 January 2014 at 08:35 hrs



Data protection : Application Security and Privacy


Please read our terms of use and obtain professional advice before undertaking any actions based on the opinions, suggestions and generic guidance presented here. Your organisation's situation will be unique and all practices and controls need to be assessed with consideration of your own business context.

Terms of use https://www.clerkendweller.uk/page/terms
Privacy statement https://www.clerkendweller.uk/page/privacy
© 2008-2015 clerkendweller.uk