Slashdot Mirror
Calif. Attorney General: We Need To Crack Down On Companies That Don't Encrypt
tsamsoniw writes "California Attorney Kamala Harris says her office will start cracking down on companies in the Golden State that don't encrypt customer data and fall victim to data breaches; she's also calling on the state to pass a law requiring companies to use encryption. That's just one of the recommendations in the state's newly released data breach report, which says 131 companies in California suffered data breaches in 2012, affecting 2.5 million residents."
EBG13 SGJ!
We Need To Crack Down On Companies That Do Encrypt
We have reached the point in time where attorneys general have realized that companies need to encrypt customer data? Either that happened faster than I expected or I'm getting old faster than I realized.
encrypted or the credit card companies won't do business with you. (PCI compliant or something like that)
That leaves social security number and email address/password, but really, you should not use the same password for your Gmail account and Oily Pete's V1agra Online. As for social security, never give it out to anyone under any circumstances unless it's a bank (real one, not a Nigerian prince bank) and you're asking for a loan or opening a checking account.
Just drill that into the head of the IQ challenged members of society and we won't need yet another gov't agency trying to control what people do on the internet.
Server side encryption in could is no good. It prevents Calvin reading Susy's diary, but nothing much more than that.
And no proprietary closed up systems, but publicly verifiable implementations end to end, or it's not even worth trying to get people trust on it.
Usually at some point the server needs to be able decrypt the data so it can be displayed to a user, so the key needs to be handy. So if you have the key and data on the same sever it's of little security value.
If you want to have this data in some kind of database, there is a good chance you want to be able to search and index this data. Possible to index and pre-sort encrypted data without giving away the content?
Yes, maybe encrypt some sensitive parts, but encrypting all customer data is counter productive.
Don't just encrypt private details.
Get rid of users private data, so there is nothing to steal in the first place.
Use eccentric authentication*. Replaces passwords with anonymous client certificates.
Check my: http://eccentric-authentication.org/
Create new column types called varhcar2rot13 where the data is inserted it gets a ROT13 encryption applied when read out it automaticly decrypts it.
Sell to California companies for major money.
We need to crack down on government agencies that spy.
Double rot13 for the win! ;)
One thing: Encrption of laptop drives and external usb/harddisk is usefule against stupid loss/theft . Encryption of company servers is only buring cpu cycles, since the key is available to users that have to use ist
...and in other news, CA police will be cracking down on people who don't lock their house doors and who don't lock their car doors.
I detect someone doesnt know what a HSM nor what one is used for.
Here, have a wikipedia link and learn something today http://en.wikipedia.org/wiki/Hardware_security_module
Using encryption is easy. Managing the encryption keys however, not so much. The number of developers I see posting questions (to StackOverflow) on encryption with NO IDEA on basic key management is very worrying.
So instead of burning cpu cycles, you are burning crypto processor cycles plus you have the cost of buying the hardware in the first place and possibly the bus overhead of sending data to/from the device.
If the server gets compromised while its running, the data is accessible because the server needs access to the data in order to function.
If the server gets physically stolen its likely the crypto hardware will be stolen with it. If you store the key somewhere it can be automatically obtained and used then the key can be stolen too, if you enter the key manually on bootup (ie how you would on a laptop) then you require physical intervention if the server reboots for any reason.
Encryption has its uses, but its not a magic bullet, and poor/inappropriate use of encryption is damaging - not only does it waste resources unnecessarily, but it also brings a false sense of security and encourages lazy thinking... People will simply implement the bare minimum required to comply with the law, which will probably mean encrypting the data while leaving the key on the same box.
You will also end up with a "one size fits all" attitude, which is clearly ridiculous...
You need to consider *what* data your storing, *why* your storing it and *what* needs to access it.
You can segregate the data so that some is only accessible by those systems that need it.
You can tokenize the data, eg for repeat billing of a credit card you can store a token agreed only between you and your payment processor.
You can store rarely referenced data with public/private keys, leaving only the public key online and keeping the private offline for use when necessary.
No, pushing a one size fits all "encrypt your data" mandate is stupid and will only make things worse, each individual case needs to be designed by someone who understands the needs and is technically competent.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
She seems to make a good point, and according to The Wiki she's pretty hot. I feel bad for her significant other (assuming she has one), I bet she's totally nuts.
I want to delete my account but Slashdot doesn't allow it.
There is DNSSEC with DANE.
Create your self signed server certificate and publish it in DNS. Sign it with DNSSEC.
You can't beat free. See http://datatracker.ietf.org/doc/rfc6698/
Good laws of this sort are those which do not impose technical solutions but rather provide general systems level requirements.
The problem with "duh use encryption" there is no guarantee of any kind simply applying encryption makes a system more secure against a specific threat.
Every time you get into the weeds you are guaranteed to codify errors and hurt those who choose to innovate using different but better or equally valid approaches.
I've dealt with cleaning up some nasty data breaches over the years, I've had conversations with Attorney Generals when the breaches were bad enough. Companies fear Attorney Generals about as much as they fear being on the wrong end of the international news.
I've been involved with companies where data breaches happen where Attorney Generals while and while not get involved. The difference is night and day for things like encryption, notification of consumers, risk mitigation and other such steps. Pause and think about it for a moment, do you really think California is breached that much more often than other locations, or do people simply find out because the companies fear being on the wrong end of the Attorney Generals pointy stick?
Attorney Generals that give a damn are good things, they give the security professionals at the companies in their states the leverage they need to actually do the things that they want to do (encryption etc).
While you are correct about the impact of anything currently running on the server, you are dead wrong about physical theft. An HSM should be hardened against picking the key out of it and should actually destroy the key if tampering is detected. Encryption on the server is still of limited benefit since the data key could probably be abused in most remote exploits on a running system, but for powered down security, such as physical breach, it is very significant, even if the chances of someone breaking in and stealing a server are generally much lower than a remote intrusion (though not as much as you might think since many attacks are internal).
AJ Henderson
Tradition normally holds that a person who does a bad act is the guilty party. These days that is becoming rather twisted. If a person steals data then doesn't the guilt fall upon the thief? What they are doing is similar to the rather absurd gun law that can find a person negligent for simply using one lock to secure a gun. A home owner locks his windows and doors and drives off to the market. Mr. bad guy breaks in the back door and steals the gun and later that day shoots someone. Out of the blue the law also comes down hard on the home owner for not using enough security of that firearm. Frankly it is not good policy. All of the guilt falls upon the bad guy who broke in according to me. If anything the police department shares some of the guilt as they failed to protect my home. The general public also shares the guilt when they pass laws that make it next to impossible to deal with bad people. But whether it is data or guns I think the thief is the one who should pay.
If there is room for guilt it would be in situations such as a finance company dumping records in a dumpster completely neglecting to shred the records. As it is understood that dumpster diving is legal and a common practice.
Society seems to avoid punishing the guilty.
We need to make companies liable for any information they are so careless as to lose. Intruding on their business process is the wrong way to go about it: punitive liability judgements (and tighter disclosure laws) are the right way.
Part of the problem here is this horribly mistaken meme that everyone and everything is hackable. It makes people feel not responsible, and it's only true in the sense that evert newborn baby has started dying, or that the universe will cool/stop. Not concerned with this meme? Well, your country is spending billions on stupid and futile "cyber-warfare" efforts, rather than simply buttoning up the security of the electrical grid, banking network, etc.
Our goal should be for companies to think of sensitive customer data like radioactive waste: they want to ship it elsewhere, not have it sitting around in unsealed, leaky barrels in their offices. Secure access to data is obviously a specialized skill, so why not have companies devoted to doing that alone?
... are essential to the servers that handle the data. They can't actually operate on the encrypted data. They have to UN-encrypted it first (and RE-encrypted it to put it back if there any changes). So what does this mean to me? It means I have to grab the encryption key(s) when I break in to get the data.
This reminds me of an incident with a state web site. Someone broke in and did some defacing. The state's top IT director answered a reporter's query with "This needs to be investigated because we bought a top of the line firewall that should have blocked the hacker".
now we need to go OSS in diesel cars
I think you have some misconceptions about the CPU cycles involved in encryption. It's basically free. It's just a few clock cycles per byte.
The part everyone is concerned about is key stretching, where a CPU needs to do about half a second worth of processing to hash a password. There is simply no reason to do key stretching on the server. That's a dumb architecture. Instead, make the clients do it. By default, Microsoft does the key stretching on the server, and it's only for about a millisecond, if that.
I think encryption provides more security than you suspect. If an attacker only has access for a short period of time, like an hour, then probably over 90% of your user accounts would be safe. It's one thing for an attacker to steal your backup media, or get ssh access and scp some files, and quite another for him to hack your server and monitor what goes on in memory in real time. Copying files can be done by anyone. Even the secretary or janitor is a potential leak. Getting root access and inserting a memory monitor around your application, and decoding what's going on requires a skilled programmer and a lot of effort. Guys in China who do this professionally maybe can do it in their sleep, but chance are that you and I would have to work pretty hard at it.
There are two problems I see happening all around that this law could help fix. First, companies always want full access to user data. No encryption is the standard knee jerk reaction at big companies, because they want to be able to do data-mining on user data. Apparently, there is no penalty of consequence to companies that lose control of user data, and clearly the user data is valuable to the company. Some companies even sell it. Because of this, we have a stupid level of non-encrypted data, even data that really isn't valuable for data mining, such as credit card info. The second problem I see a ton is that management just takes IT's word for it that they are secure, while IT mostly ignores management because management isn't capable of understanding security anyway. It's the nature of employees in every profession to be lazy about tasks that will never be checked, and it's the nature of management to consider their company above the rest in terms of how well they are run.
Just guessing... if this law is enforced, California could reduce user info leaks by maybe 100X. Probably 10X just for making management want user data encrypted, and another 10X for making employees care.
Is this law a good idea? Beats me... Why not just post a list of every data leak the way police have a crime blotter in the local news rags? If we could make users aware of how badly their data is managed, companies would come around to caring more about it.
Celebrate failure, and then learn from it - Nolan Bushnell
Yea, I work in the security industry and I don't really agree. I hear what you're saying about considering each application and you're not wrong, but I think the potential benefits of this easily outweigh the negatives. It will apply pressure to companies who really do need to encrypt their data and just cannot get the will from the business to do it.
Its not a magic bullet, but especially in the absence of any legitimate way to wipe data from databases in a secure manner it's a reasonable compensating control to put in place. It really depends on the actual implementation whether or not the encryption will help if the server is compromised while it's running. If companies encrypt at the database or table level and implement things decently then at least it's not just a matter of compromising the server and copying the entire database off to get the information. Web based attacks are probably going to compromise the database's security, but at least information secured in this way would be safe(er) from network based worms and other malware. That is not a trivial or uncommon attack vector, and I think it's worth serious consideration.
The other aspect of this is that it would force a lot of companies to implement real key management procedures in order to not lose access to their data. Once they need to do that to maintain the business, they'll be much more receptive to rotating and expiring keys, etc. because it's a low hanging fruit. Right now key management is kind of a nightmare and not something I see a lot of companies handling effectively. If you have to deal with key management in order not to take down your entire business being more selective about who has access to those keys, split knowledge, etc. become a much more realistic proposition. That will demonstrably increase security as well as compliance with other regs/standards.
I'm both a Libertarian and a security professional...I am suspicious of government regs but I think they are needed in this case. The industry is not keeping up with the security landscape well enough, and this stuff is far enough out of the public's line of view that it has the potential to negatively impact their lives out of nowhere, and there is no ability for them to audit or verify a companies security measures before engaging with them. I think that is a threat to the public welfare, and something that does fall within the role of government. Implementing encryption in this way is not going to be that onerous, and it will have a tremendous impact on people who really REALLY do need to encrypt their data at the price of a bit of a hassle for those who don't. As this becomes more widespread key management and implementation of encryption will also become easier, making it less onerous for people who don't necessarily need extremely tight security.
Will that include the decryption key?
now we need to go OSS in diesel cars
.... nothing to the NSA
Dude, we steal the server, hem and all, set it up in our lab, then we have all the time in the world to try bus based exploits.
So? Signatures happen on the HSM, which also stores the key material; only the cleartext data going in and the signatures going out are on the bus.
And if you mess up in the lab, the HSM kills its keystore and game-over. (Or, if it doesn't, the folks on the other side were insufficiently paranoid / excessively cheap and it's Their Own Damned Fault).
How many mails have you received that were official and digitally signed (not a signature)?
I work in a company where people are pretty security savy, but email somehow is an exception.. When I ask how they know the mail came from John Doe, they tell it is sure because the email address is John.Doe@example.com.
When I ask them how person X knows that it came from our company, the answer is "Because the email address is info@example.com.". So while IT enjoys themselves to add useless disclaimers (I AM the intended person to receive it. Otherwise I would not have gotten it. It might that you did not intend it on your end, but that is YOUR problem.) instead of adding digital signatures, I must change my password every 37 minutes, so I must write it down and the whole thing becomes LESS secure.
As long as IT people treat security as a technical and not a social issue, this will never be solved.
Don't fight for your country, if your country does not fight for you.
No, it won't. It will cause every non-corporate-run website run by individuals within the state of California to shut down because of the inability to pay the exorbitant costs suddenly required to keep the sites open.
I run a completely zero-profit website. The only personally identifiable information my site stores is a username and password. Everything else is voluntary. It is not involved in any financial transactions. It should not be affected by laws like this in any sane universe. The problem is that legislators don't understand technology, and will say, "Yes, but users could use the same username and password on multiple sites." And yes, they could. And if my database is compromised, I would have to send out letters to all... well, currently one users... informing myself of the breach. (Have I mentioned that this site is just getting off the ground?)
The big problem is that the database uses a shared hosting plan and a shared database server run by my ISP. I have no control over whether the database is encrypted on disk or in transit between the shared hosting server and the database server. In order to add that protection, I would have to crank my hosting plan up to a dedicated server at a monthly cost that is equivalent to several years on my current hosting plan and buy a multi-subdomain SSL cert that also costs (annually) as much as several years worth of service. And then, because I cannot possibly dedicate the time to manage my own server on an ongoing basis (hence the shared hosting plan as opposed to a VPS for the web server side), I would have to hire someone to manage that on an ongoing basis.
So if this law is not very narrowly tailored to sites that contain SSNs, financial information, and medical information, I'll have no choice but to shut my site down. I can't afford to personally spend potentially many thousands of dollars each year to run a website out of the goodness of my heart.
In my experience, any security practice that is not onerous also has little effect on security. Physical theft of spinning storage is an exceptionally rare cause of data breaches. Backup tapes are stolen occasionally. Offline copies of the database that sysadmins allowed their employees to take home with them on a laptop are also stolen occasionally. However, data theft caused by attackers remotely cracking into servers overshadows both of those loss mechanisms by orders of magnitude. Because remote data compromises are completely unaffected by encrypting the database on disk, use of encryption is very nearly worthless in the grand scheme of things. Requiring encryption on disk is a bit like trying to prevent automobile accident deaths by requiring children to wear bicycle helmets while in the car just in case the kids didn't wear their seatbelts.
Furthermore, it is completely unnecessary. There are already laws that require encryption for anything that could be considered high-risk. HIPAA has strict requirements for how health-related data can be stored. PCI DSS compliance requires encryption of credit card data. And so on. Any company that sanely should be required to use database encryption is already compelled by law to do these things. Anyone who is not already compelled to do them should not be, because it really isn't an earth-shattering event if a hashed password database gets compromised, and the odds of it being compromised through physical theft border on nonexistent anyway. My database is more likely to be destroyed by a meteor im
Check out my sci-fi/humor trilogy at PatriotsBooks.
This is way, way, way overdue. Due diligence is what it is. And not encrypting sensitive data is not due diligence.
In SOVIET RUSSIA... erm...NSA AMERICA, the Internet logs onto YOU!
Way to much text.
Security:
-Something you know (password)
-Something you have (HSM? hardware with key).
-Something you are (biometrics, or gummy bear)
You steal the server, you steal the HSM. It is like requiring a hardware token with a laptop, and then storing the token with the laptop. A HSM does have it uses, but it is again key management that is the trick.
The words tamper resistant HSM sombdy uses.. realize that it is like, kill the data, so nobody can steal it. NOT always the best scenario :) :'(
You are mistaken. Security is not something you know, have or are. That's authentication. HSM has nothing to do with authentication. It is key management and secure storage. Your understanding of how an HSM is used is also mistaken. The idea with an HSM is that it does all encryption and decryption operations without ever releasing the key and takes care of requiring proper authorization before performing decryption operations.
When initially configuring an HSM, a key should be created and backed up in a secure manner. The key should be encrypted by one or more additional keys and these keys and final version of the encrypted key should be sent to multiple different secure sites (one key per site). Some redundancy should also be done in case one of the sites is destroyed and each site should only have one key so that all the pieces must be compromised for the key to be compromised.
The final, unencrypted key is loaded in to the HSM. While the server is running, the HSM is authorized from the boot to perform decryption operations. This can be done via a network boot or by direct action when the server boots (the later is more secure but more of a pain). Thus, a running server has access to the HSM and can operate on the data. However, if the server is stolen, the ability the credentials must be entered to unlock the HSM and access the data (credentials which are unavailable) thus the only option is to try and break in to the HSM. Since the hardware is tamper resistant, any mistake will result in the keys being cleared and the encrypted data is protected unless it can be brute forced (effectively impossible as far as we know). If the server is recovered, the backup keys are accessed, the original key is decrypted and reloaded on the HSM and all is back to normal.
AJ Henderson
Only in this case, convenience wins out...
Needing a staff member to physical intervene in order to boot the server is far too much of an inconvenience, so it will be configured either to obtain the key from the HSM automatically on boot (and thus the attackers could do the same), or it will be a network based system as you mention in which case when you steal the server you need to steal the key server too.
Even if you do have someone physically enter the key, you have the added inconvenience of managing who has the keys... You don't want too many people as the chance of losing/leaking goes up, but too few and the chances of the guys with the key being unavailable when needed goes up. You end up with things like the keys on stickers attached to the front of the machine, which again provides no benefit if the server is physically stolen.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
You don't physically enter the key, you physically enter credentials that activate the HSM. Even if you have the ability to activate the HSM, getting the key out is (near) impossible. It is limited to doing decryptions with whatever restrictions are on the data (for example, you could require that user password be entered to access user data if the system stores data accessed by user accounts.)
Also, even if you do have to use a network based device, it means that they have to either a) steal the networked device (which could have further security than the entire server room has and could even be remote) or b) have to fake the device into providing the key. Even if they could steal the device that did the remote authorization of the HSM on boot, if that device required authorization to perform the remote authorization then it would be useless. It wouldn't be that hard or inconvenient to require an administrator to authorize a server restart.
AJ Henderson
In which case you're no longer relying on encryption, your now relying on obfuscation provided by the HSM... Just takes someone with the right skills/equipment to crack it, and once one person works it out they can provide details of the hack to others.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
The big problem is that the database uses a shared hosting plan and a shared database server run by my ISP. I have no control over whether the database is encrypted on disk or in transit between the shared hosting server and the database server.
You're freaking out over nothing. Hosting providers are not going to leave people high and dry. Actually, it would be nice if they started encrypting their databases. Shared hosting will live on and solutions will be generated.
In order to add that protection, I would have to crank my hosting plan up to a dedicated server at a monthly cost that is equivalent to several years on my current hosting plan and buy a multi-subdomain SSL cert that also costs (annually) as much as several years worth of service.
You're being extremely, extremely silly. SSL certs can be had for next to nothing. Do they provide as much assurance as better certs? No, but they encrypt the traffic and the root cert is trusted by common platforms. Depending on the law you could use self signed certs as well.
Everything you're saying here is hyperbole.
And then, because I cannot possibly dedicate the time to manage my own server on an ongoing basis (hence the shared hosting plan as opposed to a VPS for the web server side), I would have to hire someone to manage that on an ongoing basis.
So if this law is not very narrowly tailored to sites that contain SSNs, financial information, and medical information, I'll have no choice but to shut my site down. I can't afford to personally spend potentially many thousands of dollars each year to run a website out of the goodness of my heart.
Even if everything you're saying here about the requirements of certs and VPSes is true (which its not), you're still wildly inflating the costs. I run a site with a cert and a fully managed VPS that I can take as much interest in or leave up to support as I want. The cost is under $400/year for the hosting and like...I think like 6 bucks a year for the cert? That's super high, because I am a bit picky and because I run a site that needs a bit of performance overhead, but the service is actually amazing.
In my experience, any security practice that is not onerous also has little effect on security.
Then your experience is extremely limited.
Physical theft of spinning storage is an exceptionally rare cause of data breaches.
Which is why I didn't cite that among my reasons for supporting this.
However, data theft caused by attackers remotely cracking into servers overshadows both of those loss mechanisms by orders of magnitude.
Right, and to restate, depending on how the encryption is implemented (database/table/row level) this may help with that...especially with breaches resulting from the installation of malware.
Because remote data compromises are completely unaffected by encrypting the database on disk,
You're looking at one particular type of very common breach. There are others.
There are already laws that require encryption for anything that could be considered high-risk. HIPAA has strict requirements for how health-related data can be stored.
Actually, no it doesn't. There is no requirement to encrypt data at rest within HIPAA. Have you even read the reg, or are you just making assumptions based on what seems like it must be true? (Hint: you're making the assumptions)
PCI DSS compliance requires encryption of credit card data.
Sigh. I feel like I'm writing an email at my job.
PCI is an industry regulation, not a government one. Compliance with it can be very subjective, and auditing of compliance can also be very subjective. Actually, no external audit is even required if you're under a certain number of transaction
I don't disagree that it is not relying on the encryption exclusively. You have to trust the HSM to do it's job correctly. It's a little more than obfuscation though as it is an independent, hardened system with limited I/O, intrusion detection and a hair trigger for self destruction. It may be possible to still extract the key, but there would be a fair degree of luck involved and there is no redo button if you make a mistake trying to extract it. That's a fair bit better than simple obscurity, particularly since it is designed to be as near impossible as possible to remove the key.
AJ Henderson
Put another way, calling an HSM security by obscurity is a bit like saying that having a server protected by armed guards 24/7 with a block of C4 strapped to it inside the basement of the Pentagon is security through obscurity, since, if someone knew every security measure and was very, very lucky, they might be able to make it through everything.
For that matter, by the same token, encryption itself is security through obscurity since there might be some technology or math trick out there that can decrypt it quickly. In security, we have to deal with risk and mitigation. The traditional sense of security through obscurity being no security only applies when there are known vulnerabilities that you are counting on someone not knowing. In the case of an HSM, there is no known vulnerability for extracting the key, even with physical access. Thus, it isn't security through obscurity.
AJ Henderson