Monthly Archives: March 2014

Problem solving is mapping what you know to what you need to know.

what you know = knowledge 

mapping = creativity 

what you need to know = innovation 

Privacy has been described as an “adjustment process” in which humans continuously adjust the views of themselves that they present to others.

Steering Committee on the Usability, Security, and Privacy of Computer Systems; National Research Council. Toward Better Usability, Security, and Privacy of Information Technology : Report of a Workshop.


Privacy Protection Principles: comparing ISO 29100 with Singapore and Hong Kong legislation

ISO 29100:2011 Privacy Framework is now a publicly available document and it offers a comprehensive framework. Both the Hong Kong and Singapore governments have enacted privacy regulations; I compare both regions’ privacy protection requirements with ISO 29100. Below is a summary table. I will write more on each comparison later.

| ISO 29100:2011 Eleven Privacy Principles | Singapore Nine Data Privacy Obligations | Hong Kong Six Data Protection Principles |
| --- | --- | --- |
| Clause 5.2 Consent and choice | The Consent Obligation (PDPA sections 13 to 17): An organisation must obtain the consent of the individual before collecting, using or disclosing his personal data for a purpose. | DPP3: unless the data subject has given prior consent, personal data shall be used for the purpose for which they were originally collected or a directly related purpose. |
| Clause 5.3 Purpose legitimacy and specification | The Purpose Limitation Obligation (PDPA section 18): An organisation may collect, use or disclose personal data about an individual only for purposes that a reasonable person would consider appropriate in the circumstances and, if applicable, have been notified to the individual concerned. | DPP1: personal data shall be collected for a purpose directly related to a function and activity of the data user; lawful and fair collection of adequate data; data subjects shall be informed of the purpose for which the data are collected and to be used. |
| Clause 5.4 Collection limitation | The Purpose Limitation Obligation (PDPA section 18): An organisation may collect, use or disclose personal data about an individual only for purposes that a reasonable person would consider appropriate in the circumstances and, if applicable, have been notified to the individual concerned. | DPP1: personal data shall be collected for a purpose directly related to a function and activity of the data user; lawful and fair collection of adequate data; data subjects shall be informed of the purpose for which the data are collected and to be used. |
| Clause 5.5 Data minimization | No direct equivalent requirement | No direct equivalent requirement |
| Clause 5.6 Use, retention and disclosure limitation | The Retention Limitation Obligation (PDPA section 25): An organisation must cease to retain documents containing personal data, or remove the means by which the personal data can be associated with particular individuals, as soon as it is reasonable to assume that (i) the purpose for which the personal data was collected is no longer being served by retention of the personal data, and (ii) retention is no longer necessary for legal or business purposes. | DPP2: all practicable steps shall be taken to ensure the accuracy of personal data; data shall be deleted upon fulfillment of the purpose for which the data are used. |
| Clause 5.6 Use, retention and disclosure limitation | The Transfer Limitation Obligation (refer to PDPA section 26): An organisation must not transfer personal data to a country or territory outside Singapore except in accordance with the requirements prescribed under the PDPA. | “Prohibition against transfer of personal data to place outside Hong Kong except in specified circumstances” is in the legislation but not yet in operation. |
| Clause 5.7 Accuracy and quality | The Accuracy Obligation (PDPA section 23): An organisation must make a reasonable effort to ensure that personal data collected by or on behalf of the organisation is accurate and complete if the personal data is likely to be used by the organisation to make a decision that affects the individual concerned or disclosed by the organisation to another organisation. | DPP2: all practicable steps shall be taken to ensure the accuracy of personal data; data shall be deleted upon fulfillment of the purpose for which the data are used. |
| Clause 5.8 Openness, transparency and notice | The Notification Obligation (PDPA section 20): An organisation must notify the individual of the purpose(s) for which it intends to collect, use or disclose the individual’s personal data on or before such collection, use or disclosure of the personal data. | |
| Clause 5.8 Openness, transparency and notice | The Openness Obligation (refer to PDPA sections 11 and 12): An organisation must implement the necessary policies and procedures in order to meet its obligations under the PDPA and shall make information about its policies and procedures publicly available. | DPP5: formulates and provides policies and practices in relation to personal data. |
| Clause 5.9 Individual participation and access | The Access and Correction Obligation (PDPA sections 21 and 22): An organisation must, upon request, (i) provide an individual with his or her personal data in the possession or under the control of the organisation and information about the ways in which the personal data may have been used or disclosed during the past year; and (ii) correct an error or omission in an individual’s personal data that is in the possession or under the control of the organisation. | DPP6: individuals have rights of access to and correction of their personal data. Data users should comply with data access or data correction requests within the time limit, unless reasons for rejection prescribed in the Ordinance are applicable. |
| Clause 5.10 Accountability (includes data breach notification) | No direct equivalent requirement | No direct equivalent requirement |
| Clause 5.11 Information security | The Protection Obligation (PDPA section 24): An organisation must protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks. | DPP4: all practicable steps shall be taken to ensure that personal data are protected against unauthorized or accidental access, processing or erasure. |
| Clause 5.12 Privacy compliance | No direct equivalent requirement | No direct equivalent requirement |

TLS design weakness affecting client side authentications

A team of security researchers discovered a weakness in the TLS design. Quoting from their website:

“A is malicious, it can choose a non-prime group such that the resulting PMS is fully under its control.
if a malicious server A mounts a UKS attack to obtain two sessions (one with C and the other with S) that share the same MS, ciphersuite, and SID, it can forward the abbreviated handshake unchanged from one connection to the other
The easiest mitigation is for web browsers to refuse a change of server identity during renegotiation”
Major browsers fixed this. However, there are numerous non-browser TLS clients, and it will take a lot of effort to patch them. This type of weakness is difficult to identify and fix, as the impact is not obvious and cannot be seen by the user.
With almost 20 years passed since TCP/IP was invented, most of the low-hanging security issues have been identified and addressed. We are going to see more occurrences of this type of fundamental and subtle design weakness.
The battlefield for security professionals has just been extended by another 100 miles!
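Two client-side checks that follow from the quoted weakness and its mitigation, written here as an added example (this is not the researchers' code, and no TLS library is involved): a server that offers a non-prime or undersized Diffie-Hellman modulus is refused before any key exchange, and the server identity seen on the first handshake is pinned so a renegotiation that presents a different server is rejected. The 2048-bit policy minimum, the use of a certificate fingerprint as the "identity", and the sample moduli are assumptions of the example.

```python
"""Client-side checks against the TLS weakness quoted above (added example):
reject Diffie-Hellman groups whose modulus is not a large prime, and refuse a
change of server identity across renegotiation."""
import random

MIN_DH_BITS = 2048          # assumed policy minimum for a finite-field DH modulus
_SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)
_rng = random.SystemRandom()


def is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin test; a composite survives all rounds with probability <= 4**-rounds."""
    if n < 2:
        return False
    for p in _SMALL_PRIMES:          # cheap trial division first
        if n % p == 0:
            return n == p
    d, r = n - 1, 0                  # write n - 1 as 2**r * d with d odd
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = _rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False             # a is a witness that n is composite
    return True


def validate_dh_params(p: int, g: int, server_public: int):
    """Return (accepted, reason) for a ServerKeyExchange-style DH parameter set.

    A non-prime (or tiny) p lets the server steer the shared secret, which is the
    control over the pre-master secret that the quoted attack relies on. Primality
    alone does not rule out small subgroups, so a production client should also
    restrict itself to well-known groups; that allowlist is out of scope here.
    """
    if p.bit_length() < MIN_DH_BITS:
        return False, "modulus too small"
    if not is_probable_prime(p):
        return False, "modulus is not prime"
    if not 2 <= g <= p - 2:
        return False, "generator out of range"
    if not 2 <= server_public <= p - 2:
        return False, "server public value out of range"
    return True, "ok"


class ClientConnectionIdentity:
    """The quoted mitigation: whatever server identity (here a certificate
    fingerprint string) the connection started with must not change later."""

    def __init__(self) -> None:
        self.pinned = None

    def on_server_certificate(self, fingerprint: str) -> bool:
        if self.pinned is None:
            self.pinned = fingerprint       # first handshake establishes the identity
            return True
        return fingerprint == self.pinned   # renegotiation: accept only the same server


# Constructed sample moduli. 2**2203 - 1 is a known (Mersenne) prime, used only because
# it can be written in one line; the second value is a product of two primes.
PRIME_MODULUS = 2 ** 2203 - 1
COMPOSITE_MODULUS = (2 ** 2203 - 1) * (2 ** 521 - 1)

if __name__ == "__main__":
    print(validate_dh_params(PRIME_MODULUS, 3, 12345))
    print(validate_dh_params(COMPOSITE_MODULUS, 3, 12345))
    conn = ClientConnectionIdentity()
    conn.on_server_certificate("sha256:constructed-fp-1")
    print(conn.on_server_certificate("sha256:constructed-fp-2"))
```

The primality check is the gate a non-browser client can add without touching its handshake state machine; the identity pin is the behavioural change the quoted text describes for browsers, expressed as a per-connection object so that it also fits clients that renegotiate programmatically.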

Microsoft tries to address PKI issues in IE11 (SmartScreen and SNDS)

Digital certificates are widely used and the Internet cannot work without them. However, PKI (the framework digital certificates are based on) has lots of issues. Last year at the ISO SC27 meeting at ENISA there was a special session on PKI. Many issues were only raised without a conclusion, as with most issues brought to international meetings.

Microsoft, with a 10%–20% footprint of the browser market (depending on which report), is taking steps to manage this madness. A recent blog post, “A novel method in IE11 for dealing with fraudulent digital certificates”, explains their strategy. I think Microsoft’s action is very responsible and will help to mitigate issues with fraudulent digital certificates. A certificate and its associated private key are very sensitive and must be handled with security in mind. In my over 10 years of audit experience, I have seen many engineers and administrators treat a private key the same as a configuration file. In most enterprises there is a general lack of documented procedures or best practices for administering digital certificates. Malicious attackers may abuse this weakness to create fraudulent certificates.

In IE11, Microsoft uses the SmartScreen Filter to detect and report high-risk uses of certificates. Three scenarios are explained in the blog post:

“1. A website is using a certificate that is capable of being used as a subordinate CA. This would indicate the certificate has been issued wrongly.

2. If a website suddenly presents a different certificate only to a certain region where a different CA issued the certificate. This might indicate a possible MITM attack in a specific country or region.

3. There was a sudden and significant change in the fields a CA includes in certificates it issues. For example, omission or change in the OCSP responder location. This would indicate a CA was either compromised, or has not followed standard operating procedures.”

There is a practicality issue with item 2 above for a 24×7 website. Suppose Apple’s administrators update the SSL certificate at midnight; APAC region users will be the first batch of users to see this updated, and therefore different, certificate. Will IE11 warn users about this new SSL certificate even though it was updated as part of a normal refresh? I hope Microsoft will add intelligence to their detection algorithm and take the effective date of the old SSL certificate into consideration.
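To make the three scenarios concrete, here is detection logic for each of them run over constructed certificate observations. This is an added example and not Microsoft’s implementation: the observation record, the hosts, CAs and fingerprints, the 14-day rotation window that implements the expiry-date refinement suggested above, and the 50% drop threshold for scenario 3 are all assumptions of the example.

```python
"""Detection logic for the three SmartScreen scenarios quoted above, run over
constructed certificate observations (added example; thresholds are assumed)."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class CertObservation:
    host: str                 # site the certificate was presented for
    region: str               # where the observing client sat
    seen_on: date
    fingerprint: str          # hash of the presented leaf certificate
    issuer: str               # issuing CA
    is_ca: bool               # basicConstraints CA flag set on the leaf
    ocsp_url: Optional[str]   # OCSP responder URL from the leaf, if any
    not_after: date           # leaf expiry


def leaf_certs_usable_as_ca(observations: List[CertObservation]) -> List[str]:
    """Scenario 1: a site presents a certificate that could itself sign certificates."""
    return sorted({o.fingerprint for o in observations if o.is_ca})


def regional_certificate_anomalies(observations: List[CertObservation],
                                   rotation_window_days: int = 14) -> List[Tuple[str, str, str]]:
    """Scenario 2: one region sees a different certificate, from a different CA, than
    the other regions. Suppressed when the majority certificate is about to expire,
    because a renewal rolling out region by region looks the same (assumed window)."""
    by_host = defaultdict(list)
    for o in observations:
        by_host[o.host].append(o)
    alerts = []
    for host, obs in by_host.items():
        majority_fp = Counter(o.fingerprint for o in obs).most_common(1)[0][0]
        majority = next(o for o in obs if o.fingerprint == majority_fp)
        for o in obs:
            if o.fingerprint == majority_fp or o.issuer == majority.issuer:
                continue
            if (majority.not_after - o.seen_on).days <= rotation_window_days:
                continue  # planned renewal, not a MITM indicator
            alerts.append((host, o.region, o.issuer))
    return alerts


def issuer_ocsp_omission_shift(baseline: List[CertObservation], recent: List[CertObservation],
                               drop_threshold: float = 0.5) -> List[str]:
    """Scenario 3: the share of a CA's certificates carrying an OCSP responder URL
    drops sharply between the baseline period and the recent period."""
    def ratio_with_ocsp(obs):
        return sum(1 for o in obs if o.ocsp_url) / len(obs)

    def by_issuer(obs):
        grouped = defaultdict(list)
        for o in obs:
            grouped[o.issuer].append(o)
        return grouped

    base, now = by_issuer(baseline), by_issuer(recent)
    return sorted(issuer for issuer in now if issuer in base
                  and ratio_with_ocsp(base[issuer]) - ratio_with_ocsp(now[issuer]) >= drop_threshold)


# Constructed observations (hosts, CAs, regions and fingerprints are made up).
D = date(2014, 3, 15)
OCSP1 = "http://ocsp.ca-one.invalid"
SAMPLE = [
    CertObservation("shop.example", "EU", D, "fp-A", "CA One", False, OCSP1, D + timedelta(days=300)),
    CertObservation("shop.example", "US", D, "fp-A", "CA One", False, OCSP1, D + timedelta(days=300)),
    CertObservation("shop.example", "XX", D, "fp-B", "CA Two", False, None, D + timedelta(days=300)),     # one region, other CA
    CertObservation("mail.example", "EU", D, "fp-C", "CA One", False, OCSP1, D + timedelta(days=5)),
    CertObservation("mail.example", "US", D, "fp-C", "CA One", False, OCSP1, D + timedelta(days=5)),
    CertObservation("mail.example", "APAC", D, "fp-D", "CA Three", False, None, D + timedelta(days=370)),  # renewal in progress
    CertObservation("blog.example", "EU", D, "fp-E", "CA Two", True, None, D + timedelta(days=200)),      # leaf with CA=TRUE
]
BASELINE = [CertObservation(f"h{i}.example", "EU", D - timedelta(days=30), f"fp-b{i}", "CA One", False, OCSP1, D)
            for i in range(4)] + [CertObservation("x.example", "EU", D - timedelta(days=30), "fp-x", "CA Two", False, None, D)]
RECENT = [CertObservation(f"h{i}.example", "EU", D, f"fp-r{i}", "CA One", False, None, D + timedelta(days=365))
          for i in range(3)] + [CertObservation("y.example", "EU", D, "fp-y", "CA Two", False, None, D + timedelta(days=365))]

if __name__ == "__main__":
    print(leaf_certs_usable_as_ca(SAMPLE))                 # ['fp-E']
    print(regional_certificate_anomalies(SAMPLE))          # [('shop.example', 'XX', 'CA Two')]
    print(issuer_ocsp_omission_shift(BASELINE, RECENT))    # ['CA One']
```

In the sample, mail.example is exactly the midnight-rotation case: APAC already sees the new certificate from a new CA, but the certificate the other regions still present expires in five days, so no alert is raised; shop.example, whose majority certificate has almost a year left, is reported.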

Another important control Microsoft implemented is that “domain registrants could be notified by email when new certificates with their domain names appear in our database. The domain registrant would have the option to report suspicious certificates to us and notify the CA to revoke the suspicious certificate.” In short, Microsoft is sharing the uses of certificates for a specific domain with whoever claims to be the domain owner. The domain owner will need to take action accordingly. This is a responsive strategy that works by increasing transparency. (There is a new trend in the security industry towards sharing information and responding in a timely manner, in addition to the defence-in-depth principle. I will write on this trend later when I finish reading “Responsive Security” by Meng-Chow Kang.)

It is a perfect design in theory. My first question is: who reads such warning emails? Does the email recipient understand the risks when they are reported by SNDS? Time will tell.
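The notification step described above depends on deciding which registrant a newly seen certificate concerns. The following is an added example of that matching, not Microsoft’s SNDS code: the registrant table and the certificate’s subject alternative names are constructed, and the matching walks from the full host name up through its parent labels so that wildcards, letter case, trailing dots and look-alike names (notexample.com versus example.com) are handled.

```python
"""Route a newly observed certificate to the registrants of the domains it names
(added example; registrant data and matching rules are assumed)."""
from typing import Dict, List, Set


def normalize_name(name: str) -> str:
    """Lower-case, drop a trailing dot, and strip a leading wildcard label."""
    name = name.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return name


def registered_domain_for(name: str, registered: Set[str]) -> str:
    """Walk from the full host name up through its parents until one is a registered
    domain. Matching whole labels means 'notexample.com' never matches 'example.com'."""
    labels = normalize_name(name).split(".")
    for i in range(len(labels) - 1):            # stop before the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in registered:
            return candidate
    return ""


def registrants_to_notify(san_names: List[str], registrants: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each registrant contact to the certificate names that fall under their domains."""
    registered = set(registrants)
    notify: Dict[str, List[str]] = {}
    for san in san_names:
        domain = registered_domain_for(san, registered)
        if domain:
            notify.setdefault(registrants[domain], []).append(normalize_name(san))
    return {contact: sorted(set(names)) for contact, names in notify.items()}


# Constructed registrant database and SAN list of a newly observed certificate.
REGISTRANTS = {"example.com": "hostmaster@example.com", "example.org": "dns@example.org"}
NEW_CERT_SANS = ["www.Example.com.", "*.shop.example.com", "notexample.com",
                 "mail.example.org", "example.net"]

if __name__ == "__main__":
    print(registrants_to_notify(NEW_CERT_SANS, REGISTRANTS))
```

Names that no registrant has claimed (example.net here) produce no notification, which is also where the "who reads the email" question bites: the control only works for domains whose owners have registered and are watching the mailbox.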