Based in Silicon Valley, California, Security Brief is a blog by Chris Louie. His posts discuss current information security affairs.

GDPR: Big Tech Firms Win, Security Researchers Lose



On May 25, 2018, a mere 11 days from now, the General Data Protection Regulation (GDPR) takes effect. This law was enacted by the European Parliament and requires companies to get affirmative consent for any personal information they collect on residents of the European Union (EU). The text of the strict regulations for data processing and handling was not what got the attention of outside observers; it was the eye-popping fines for violators that garnered the most attention. Organizations that fail to follow GDPR face fines of up to 20 million Euros ($24 million US Dollars at the time of writing) or four percent of the organization’s global annual revenue, whichever is greater. Any organization whose sites or services could be offered and accessible in the EU is required to comply with GDPR, even if it is not based in an EU member state.

The GDPR regulations make exceptions for organizations with fewer than 250 employees: they are not required to hire a Data Protection Officer (DPO), and restrictions and reporting requirements are loosened in an effort to lessen the burden of compliance. However, many smaller organizations that are over 250 employees, such as the popular unroll.me inbox declutter tool, are simply exiting the European market. In an article and blog post, Unroll.me simply states that it cannot comply with all GDPR regulations and would rather completely exit the EU market than face potential fines. Unroll.me is not alone in not wanting to keep its doors open to the EU market while risking massive fines for non-compliance. The popular online game Ragnarok Online is also pulling out of the EU market rather than attempt to be compliant. A company called GDPR-Shield.io is taking things a step further and offering a service where website owners can save thousands of dollars on GDPR compliance by pasting a snippet of JavaScript code on their web page to block residents of the EU from accessing it.


As a security practitioner, I cannot recommend pasting random JavaScript code snippets on your webpage. The website is also serving a 503 error at the time of writing.

There is no doubt that there are many winners with the enactment of GDPR: consumers gaining more protection and control of their data, consulting companies (legal and technical) assisting with compliance efforts, and large tech firms that can use their weight and market dominance to effectively force users to accept their terms. GDPR was passed in part to prevent tech giants like Facebook and Google from pressuring users into handing over personal information in exchange for continued use of their services, but the law appears to be having the opposite effect. Google and Facebook have been bombarding their users, vendors, partners, and third-party affiliates with pop-ups asking them to accept new, GDPR-compliant terms. Most users will opt to click “Agree” rather than risk being cut off from a service they deem vital. Lesser-known companies such as Unroll.me are less likely to get that “Agree” click, since users may decide not to hand over personal information in exchange for a non-vital service. This pushes companies to do their advertising business with Google and Facebook, since those two will have the highest number of GDPR-compliant users to target. My personal e-mail inbox has been receiving updated terms and conditions all month.


While GDPR is aimed at providing greater protection for user data and privacy, it also necessarily protects bad actors. The Internet Corporation for Assigned Names and Numbers (ICANN), the organization tasked with managing the global domain name system, has proposed redacting key bits of personal data from the WHOIS database in order to be compliant with GDPR. The WHOIS database is a very powerful security research tool that allows the public to find information about a website or IP address, such as the individual who registered the domain and the physical address, phone number, and e-mail address associated with the registration. These bits of data are important inputs to risk-scoring algorithms such as those used in anti-spam technology. Some spammers attempt to hide their identity by registering through a privacy service, a third party that registers the domain on behalf of the actual registrant, but that in itself increases the likelihood that a message is spam. Not all bad actors are sophisticated or employ good Operational Security (OpSec); they may use their real information, or consistently reuse the same false information, which makes tracking their movements easier. For example, based on WHOIS records, we may have reason to believe that attack campaign A is linked to attack campaign B because both campaigns used command and control domains registered to the same dummy corporation.
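A small illustration of the two uses described above, added here as an example and not code from the original post: constructed WHOIS records are parsed, scored with an assumed heuristic that penalizes privacy-service registration, and pivoted on a shared registrant organization; running the same functions over GDPR-style redacted copies shows the linkage disappear. The domains, organizations, marker strings and scoring weights are all made up.

```python
import re

# Constructed WHOIS records in the usual "Key: value" text layout
# (all organizations, domains and addresses are made up).
RAW_WHOIS = {
    "campaign-a-c2.example": "Registrant Organization: Acme Widgets Holding LLC\n"
                             "Registrant Email: admin@acme-widgets.example",
    "campaign-b-c2.example": "Registrant Organization: Acme Widgets Holding LLC\n"
                             "Registrant Email: admin@acme-widgets.example",
    "bulk-mailer.example": "Registrant Organization: PrivacyProxy Registrations Inc\n"
                           "Registrant Email: contact@privacy-proxy.example",
}

# Assumed substrings that identify a privacy/proxy registration service.
PRIVACY_MARKERS = ("privacy", "proxy", "protect")


def parse_whois(text):
    """Parse 'Key: value' WHOIS lines into a dict with lower-cased keys."""
    record = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z ]+):\s*(.*)$", line.strip())
        if m:
            record[m.group(1).lower()] = m.group(2)
    return record


def risk_score(record):
    """Assumed heuristic: a privacy-service registration raises the score;
    a redacted record scores higher still because nothing is left to vet."""
    org = record.get("registrant organization", "").lower()
    if "redacted" in org:
        return 3
    return 2 if any(m in org for m in PRIVACY_MARKERS) else 0


def shared_registrant(records):
    """Attribution pivot: domains sharing one registrant organization.
    Redacted records carry no registrant and cannot be linked."""
    groups = {}
    for domain, rec in records.items():
        org = rec.get("registrant organization", "")
        if "redacted" not in org.lower():
            groups.setdefault(org, []).append(domain)
    return {org: sorted(d) for org, d in groups.items() if len(d) > 1}


def redact(record):
    """Simulate GDPR-style redaction of the registrant contact fields."""
    return {k: "REDACTED FOR PRIVACY" if k.startswith("registrant") else v
            for k, v in record.items()}
```

Before redaction the two C2 domains are linked through the shared dummy corporation; after it, every record scores the same and the pivot returns nothing.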

Disallowing the use of WHOIS data for security research will be a big blow to the industry, one that ICANN is attempting to address by allowing vetted, trusted partners access to the WHOIS database for research purposes. That vetting process will not be in place within the next 11 days and likely will not be implemented until the end of 2019, leaving security researchers in the dark for over a year and a half.


Now more than ever it is important for security vendors to adopt a zero trust model and not rely on reputation-based security alone. An important source of that reputation data is about to be removed, which will leave many organizations vulnerable to attack unless they stop relying solely on reputation. GDPR has some massive fining mechanisms at its disposal, and I predict that regulators will make an example of a company so that others fall in line.
