Slashdot Mirror


National Data Breach Law Advances

Trailrunner7 writes "Two separate bills that would require organizations to notify consumers when their personal information has been compromised have made their way out of committee in the Senate, a critical step toward the creation of a national data-breach notification bill. But the Data Breach Notification Act, S.139, exempts federal agencies and other organizations subject to the bill from disclosing a breach if the data involved in the breach was encrypted. This is a clause that has caused some controversy, as some experts say that simply encrypting data does not render it useless. Also, S.139 would grant an exemption for data that 'was rendered indecipherable through the use of best practices or methods, such as redaction, access controls, or other such mechanisms, that are widely accepted as an effective industry practice, or an effective industry standard.' That is a very broad exemption that could become a sticking point as the bill moves along. The terms 'access controls' and 'other such mechanisms' encompass a huge number of technologies."

4 of 51 comments

  1. Redaction Reaction Recitation by Mr_Blank · Score: 2, Informative

    I am not sure the proposed law does much if redaction is all it takes to get a pass. From Law.com:

    Electronic Redaction Doesn't Always Hide What It's Supposed to Hide
    Paralegals need to know how to keep information confidential

    Dana J. Lesemann. The Recorder. May 05, 2006

    With the issue of intentional government leaks of classified information frequently in the news, the problem of unintentional leaks of classified and sensitive information is frequently overlooked. The examples are numerous and startling.

    Last year, U.S. military commanders in Iraq released a long-awaited report of the American investigation into the fatal shooting of an Italian agent escorting a freed hostage through a security checkpoint. In order to give the classified report the widest possible distribution, officials posted the document on the military's "Multinational Force-Iraq" Web site in Adobe's portable document format, or PDF. The report was heavily redacted, with sections obscured by black boxes.

    Within hours, however, readers in the blogosphere had discovered that the classified information would appear if the text was copied and pasted into Microsoft Word or any other word-processing program. Stars and Stripes, the Department of Defense newspaper, noted that the classified sections of the report covered "the securing of checkpoints, as well as specifics concerning how soldiers manned the checkpoint where the Italian intelligence officer was killed. In the past, Pentagon officials have repeatedly refused to discuss such details, citing security concerns." Soon after, the report was removed from the Web site.

    Copies of the improperly redacted report, however, live on. We at the consulting firm of Stroz Friedberg, too, were able to remove the redaction and save the clear text in a Word document. Forensic examiners in our office found that the document had been produced directly from Microsoft Word using Adobe Acrobat 6.0's PDFMaker. The redacted text simply had been highlighted in black. As a result, to reveal the classified information, the steps are simple: Highlight the text with the "select text" button on the PDF toolbar, copy the text by typing "control C," open a new document in a word-processing program and paste the text into the new document.


  2. Encryption doesn't mean the data is secure by mlts · Score: 5, Informative

    Encryption is not a cure-all for security needs. It is merely a tool, similar to locks on the door, guards with M16s, and CCTV cameras. Poorly implemented, it could mean little to a clued attacker, and businesses need to realize that the clued attackers are far more common than they think.

    One example: Say someone uses the hardware encryption on a tape drive. Tape drives can have encryption set in multiple ways. It can be manually set for all tapes, or the backup application can manage keys and set the encryption per tape. If an organization is slipshod about the way they use the encryption and use one key for all tapes, and have that key information written on the proverbial slip of paper on the monitor, then an attacker can grab the tapes, perhaps grab a tape drive or buy one, and decrypt the info to their heart's content. Compare this to an organization which uses more stringent backup procedures so that even if a tape is stolen by an insider, it won't be decodable.

    Another example: BitLocker. If implemented right, BitLocker is solid against most known threats (avenues like rubber hoses and RAM scanning via IEEE1394 are different). However, if someone installs BitLocker and then disables all key protectors, to a competent attacker, the BitLocker protection is dealt with. Same with people using BitLocker on machines without TPMs using USB flash drives, and not making sure the flash drive is stored securely.

    There are various implementations of encryption. ECB is a bad version (because an attacker can figure out what a block matches to). A good implementation might use multiple diffusers and an algorithm like XTS so an attacker can't compare sector 55 with sector 157 and determine if the contents are similar. So, even though a program might use AES, if salts and other crypto concepts are not used, it severely weakens security.

    Finally, TrueCrypt. If someone thinks that TrueCrypt fixes all their security issues and doesn't concern themselves with attacks over the wire, an attacker can either slap a keylogger on a machine, or just read the volume decryption keys from memory, then at a later date grab the disks if there is too much data to fetch from remote. If TrueCrypt is used with proper protection against network attacks (firewall, etc.) then it provides excellent protection.

    I am concerned that a law exempting breaches from being disclosed would only work in the blackhat's favor. In theory, someone could rot13 the data on the drive, or AES it with an all zero key to make the security that comes with encryption meaningless.
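Added example, not from mlts's post or any product: an audit check that tells whether "encrypted" output still shows ECB's block-level structure, run over a constructed disk image, with ECB set beside a simplified XTS-style tweaked mode so the sector 55 vs. sector 157 comparison above can be seen directly. The HMAC-based block function (a stand-in for AES so the example runs with the standard library alone), the key, the image contents and the 5% threshold are all assumptions made for this demo.

```python
import hashlib
import hmac
from collections import Counter

BLOCK = 16    # AES block size in bytes
SECTOR = 512  # disk sector size in bytes
KEY = b"constructed-demo-key-not-secret!"  # constructed demo key, not a secret

def block_fn(key: bytes, block: bytes) -> bytes:
    # Stand-in for the AES block operation: a keyed PRF truncated to 16 bytes. The
    # leakage shown below is a property of the mode, not of which cipher sits here.
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def encrypt_ecb(key: bytes, data: bytes) -> bytes:
    # ECB: every block is encrypted on its own, so equal plaintext blocks give equal
    # ciphertext blocks wherever they sit on the disk.
    return b"".join(block_fn(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))

def encrypt_tweaked(key: bytes, data: bytes) -> bytes:
    # Simplified XTS-style mode: a tweak derived from (sector number, block index) is
    # mixed into each block first, so equal plaintext at different positions no longer
    # matches. Illustration only: real XTS uses a second key and GF(2^128) arithmetic.
    out = []
    for i in range(0, len(data), BLOCK):
        sector, offset = divmod(i, SECTOR)
        tweak = block_fn(key, sector.to_bytes(8, "big") + (offset // BLOCK).to_bytes(8, "big"))
        mixed = bytes(a ^ b for a, b in zip(data[i:i + BLOCK], tweak))
        out.append(block_fn(key, mixed))
    return b"".join(out)

def sector_bytes(image: bytes, n: int) -> bytes:
    return image[n * SECTOR:(n + 1) * SECTOR]

def duplicate_block_ratio(ciphertext: bytes) -> float:
    # Audit check: fraction of 16-byte ciphertext blocks that occur more than once.
    # Output of a sound mode scores about 0; a high score is a red flag for ECB.
    counts = Counter(ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK))
    return sum(c for c in counts.values() if c > 1) / sum(counts.values())

def looks_like_ecb(ciphertext: bytes, threshold: float = 0.05) -> bool:
    return duplicate_block_ratio(ciphertext) > threshold

# Constructed 160-sector image: sector 0 holds distinct records, the rest is zero
# filler like the free space on a real volume (so sectors 55 and 157 are both empty).
IMAGE = b"".join(hashlib.sha256(b"record%d" % i).digest() for i in range(16)) + bytes(159 * SECTOR)

if __name__ == "__main__":
    for name, ct in (("ECB", encrypt_ecb(KEY, IMAGE)), ("tweaked", encrypt_tweaked(KEY, IMAGE))):
        same = sector_bytes(ct, 55) == sector_bytes(ct, 157)
        print(f"{name}: sector 55 == sector 157? {same}; duplicate ratio {duplicate_block_ratio(ct):.3f}")
```

The same duplicate-block check applies to any ciphertext you are handed (a backup tape image, a vendor's "encrypted" export): a high ratio means an attacker can still compare regions of the data without any key.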

  3. Root cause analysis by iztehsux · Score: 4, Informative

    You'd think that large corporations would already have incentive to secure their data, aside from being required to do so. I would imagine that the cost of taking some basic measures to up your game would be much cheaper than paying out large sums of money in lawsuits to people who had their credentials compromised. Simple things like full drive crypto on laptops, or sanitizing database inputs to prevent SQL injection are not difficult to do, yet would prevent against a laptop theft from a car or someone dumping your entire database. Cryptography is good, but not invincible. Motivated attackers can use distributed cracking tools, rainbow tables, or merely exploit a weak avenue and wait for password re-use. I'd like to see requirements for companies notifying individuals if there has been a breach, but I'd also prefer that simple security measures were put in place so that disclosure laws didn't need to be invoked very often.

  4. 30+ years of experience suggest limits on secrets by Anonymous Coward · Score: 1, Informative

    A few years ago, at one of the last National Information Security Systems Conference meetings, one of the speakers noted that for 30+ years, people had been trying to make multilevel secure databases, with lots of very clever methods tried.
    All these efforts failed.
    It was found that you could keep all those secrets securely, but performance in retrieving any of them went off a cliff. If you wanted good performance, there were always open channels.
    The relevance is that Nature may be trying to tell us here that keeping too many secrets at a time and still using them quickly is an infeasible thing. Encryption is one way to do access control, and unless the key handling is discussed, it tends to be snake oil. Consider that encrypting your giant database of sensitive info with a, say, 512-bit key and the best algorithm you can find still means that it takes only 128 characters of hex to hold that key. This small key can be written on a slip of paper and carried out, or handled with stego to foil inspectors who empty pockets/purses. If you lose the giant database, and believe all is well because it is strongly encrypted, if one of a myriad of folks who need access to the data legitimately manages to get a copy of the key and spirits it out of your organization, that data is lost. Point is that people tend to watch encrypted data less than cleartext data, believing it to be safe. Yet if a key for it is widely enough needed, it will be an Achilles' heel of the scheme and the crypto can actually facilitate theft.
    The main lesson that has been ignored is that most of the information is sensitive because it is abused as authentication signals, rather than merely identification. Your phone number is (mostly) not sensitive because nobody expects that only YOU can possibly know it. Now, with the continual failing of el cheapo schemes to authenticate, and gradual recognition of the weaknesses of e.g. fingerprints (vulnerable to theft of patterns) and the like, it becomes apparent that some hardware in customer hands, which is not connected to computer networks, is one of the few promising avenues. It must be used with protocols that identify in both directions and which allow transaction signing (since remote access connections are not 100% guaranteed never to be broken into), and the protocols need to be designed so that they work whether eavesdropped upon or not. With such beasts, only the small secrets needed to validate them need be kept, not a myriad of pieces of "personal" information that everyone can get to with a little internet research.
    Alas, the government does not seem to understand this and continues to act as though the solution is to find yet larger whips and spears with which to flog those who (again) release this sensitive data, rather than make it intrinsically un-useful to anyone trying to steal identities, money, etc. Various other institutions likewise seem not to "get" this. The effect of such is that fraud of all kinds abounds, is cheap, easy, and hard to prosecute. Also the intellectually out-of-gas legislators and bureaucrats who are floundering about trying to "solve" the problem look likely to succumb to turning the country into a totalitarian regime in their efforts. Lord help them and us if they do; they will not solve the problem, but if a fanatic on any subject who is not inhibited by conscience gets in power, all these "remedies" will come back to haunt millions and perhaps make the efforts of Stalin or the like seem like amateur acts.