Calif. Attorney General: We Need To Crack Down On Companies That Don't Encrypt
tsamsoniw writes "California Attorney General Kamala Harris says her office will start cracking down on companies in the Golden State that don't encrypt customer data and fall victim to data breaches; she's also calling on the state to pass a law requiring companies to use encryption. That's just one of the recommendations in the state's newly released data breach report, which says 131 companies in California suffered data breaches in 2012, affecting 2.5 million residents."
EBG13 SGJ!
We Need To Crack Down On Companies That Do Encrypt
We have reached the point in time where attorneys general have realized that companies need to encrypt customer data? Either that happened faster than I expected or I'm getting old faster than I realized.
Don't just encrypt private details.
Get rid of users' private data, so there is nothing to steal in the first place.
Use eccentric authentication*. Replaces passwords with anonymous client certificates.
Check my: http://eccentric-authentication.org/
So instead of burning cpu cycles, you are burning crypto processor cycles plus you have the cost of buying the hardware in the first place and possibly the bus overhead of sending data to/from the device.
If the server gets compromised while it's running, the data is accessible because the server needs access to the data in order to function.
If the server gets physically stolen it's likely the crypto hardware will be stolen with it. If you store the key somewhere it can be automatically obtained and used then the key can be stolen too; if you enter the key manually on bootup (i.e. how you would on a laptop) then you require physical intervention if the server reboots for any reason.
Encryption has its uses, but it's not a magic bullet, and poor/inappropriate use of encryption is damaging - not only does it waste resources unnecessarily, but it also brings a false sense of security and encourages lazy thinking... People will simply implement the bare minimum required to comply with the law, which will probably mean encrypting the data while leaving the key on the same box.
You will also end up with a "one size fits all" attitude, which is clearly ridiculous...
You need to consider *what* data you're storing, *why* you're storing it and *what* needs to access it.
You can segregate the data so that some is only accessible by those systems that need it.
You can tokenize the data, e.g. for repeat billing of a credit card you can store a token agreed only between you and your payment processor.
You can store rarely referenced data with public/private keys, leaving only the public key online and keeping the private offline for use when necessary.
No, pushing a one size fits all "encrypt your data" mandate is stupid and will only make things worse, each individual case needs to be designed by someone who understands the needs and is technically competent.
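The "public key online, private key offline" pattern from the comment above, written out as an added example (this is not the commenter's code, and the record layout, label and function names are my own choices). The online server holds only an RSA public key: for each rarely referenced record it generates a fresh 256-bit data key, encrypts the record with AES-GCM, wraps the data key with RSA-OAEP and stores both. Nothing on that box can reverse the wrap, so a dump of the store, or of the server's memory after the record was written, does not yield plaintext; only the machine holding the private key can call Open.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Record is what the online system stores: the per-record data key wrapped
// to the offline RSA key, plus the AES-GCM ciphertext. Neither field is of
// any use without the private key, which never touches this system.
type Record struct {
	WrappedKey []byte // RSA-OAEP(pub, dataKey)
	Nonce      []byte // AES-GCM nonce, random per record
	Ciphertext []byte // AES-GCM(dataKey, nonce, plaintext, aad)
}

// oaepLabel ties the wrapped key to this purpose (assumed name, any constant
// string works as long as Seal and Open agree).
var oaepLabel = []byte("archive-v1")

// Seal runs on the online server with only the public key. aad is
// authenticated but stored in the clear (for example the record id), so a
// ciphertext cannot be quietly moved to another customer's row.
func Seal(pub *rsa.PublicKey, plaintext, aad []byte) (Record, error) {
	dataKey := make([]byte, 32) // AES-256 key, fresh for every record
	if _, err := rand.Read(dataKey); err != nil {
		return Record{}, err
	}
	gcm, err := newGCM(dataKey)
	if err != nil {
		return Record{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Record{}, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, oaepLabel)
	if err != nil {
		return Record{}, err
	}
	return Record{
		WrappedKey: wrapped,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, plaintext, aad),
	}, nil
}

// Open runs only where the private key lives (offline host, HSM, ...).
// Any tampering with the stored fields, or a mismatched aad, is rejected.
func Open(priv *rsa.PrivateKey, rec Record, aad []byte) ([]byte, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, rec.WrappedKey, oaepLabel)
	if err != nil {
		return nil, errors.New("cannot unwrap data key")
	}
	gcm, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	plaintext, err := gcm.Open(nil, rec.Nonce, rec.Ciphertext, aad)
	if err != nil {
		return nil, errors.New("record failed authentication")
	}
	return plaintext, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	// Constructed demo: key generation would normally happen offline and only
	// the public half would be copied to the online server.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	rec, err := Seal(&priv.PublicKey, []byte("old invoice, rarely needed"), []byte("record-42"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d bytes of wrapped key and %d bytes of ciphertext\n",
		len(rec.WrappedKey), len(rec.Ciphertext))
	pt, err := Open(priv, rec, []byte("record-42"))
	fmt.Printf("offline open: %q err=%v\n", pt, err)
}
```

The data key is wrapped per record rather than encrypting everything under one RSA operation, so the offline side can release a single record without exposing the others; and because the wrap uses the public key only, the online server never needs a secret at all for this class of data, which is exactly what the "where do you keep the key" objection elsewhere in this thread is about.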
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
Since when is credit card data, e-mail address, and password the only "customer data" a company keeps about you?
That has nothing to do with the problem. We are already assuming that the companies have personal data, they just want to encrypt it to prevent third parties from obtaining it. The problem is that you need to decrypt the data at some point in order to make use of it, so the key must sometimes intersect with the data. Where do you keep it so that someone who gets the data won't also get the key?
So... explain how that helps when someone hacks into the server and requests data using the same mechanisms and level of authority as the server software (which must ultimately manipulate unencrypted data).
Because that's what happens.
The crazy is in thinking she can regulate better security onto any random industry. It doesn't work like that. Security is too complicated to magically fix by insisting on blind usage of a particular tool.
If you look at the article, a huge number of the breaches are to do with credit card leaks. Well, duh, credit cards are a pull model not a push model. Bitcoin is more sensible, but the California DFI is busy harassing Bitcoin companies. So if she really cares about upgraded security, maybe she should get the DFI off the back of people building more secure, cryptographic financial systems that compete with the incumbents? That's much less fun than coming up with new laws though.
Good laws of this sort are those which do not impose technical solutions but rather provide general systems level requirements.
The problem with "duh, use encryption" is that there is no guarantee of any kind that simply applying encryption makes a system more secure against a specific threat.
Every time you get into the weeds you are guaranteed to codify errors and hurt those who choose to innovate using different but better or equally valid approaches.
I've dealt with cleaning up some nasty data breaches over the years, and I've had conversations with Attorneys General when the breaches were bad enough. Companies fear Attorneys General about as much as they fear being on the wrong end of the international news.
I've been involved with companies where data breaches happen, both where Attorneys General do and do not get involved. The difference is night and day for things like encryption, notification of consumers, risk mitigation and other such steps. Pause and think about it for a moment: do you really think California is breached that much more often than other locations, or do people simply find out because the companies fear being on the wrong end of the Attorney General's pointy stick?
Attorneys General that give a damn are good things; they give the security professionals at the companies in their states the leverage they need to actually do the things that they want to do (encryption etc.).
While you are correct about the impact of anything currently running on the server, you are dead wrong about physical theft. An HSM should be hardened against picking the key out of it and should actually destroy the key if tampering is detected. Encryption on the server is still of limited benefit since the data key could probably be abused in most remote exploits on a running system, but for powered down security, such as physical breach, it is very significant, even if the chances of someone breaking in and stealing a server are generally much lower than a remote intrusion (though not as much as you might think since many attacks are internal).
AJ Henderson
I think you have some misconceptions about the CPU cycles involved in encryption. It's basically free. It's just a few clock cycles per byte.
The part everyone is concerned about is key stretching, where a CPU needs to do about half a second worth of processing to hash a password. There is simply no reason to do key stretching on the server. That's a dumb architecture. Instead, make the clients do it. By default, Microsoft does the key stretching on the server, and it's only for about a millisecond, if that.
I think encryption provides more security than you suspect. If an attacker only has access for a short period of time, like an hour, then probably over 90% of your user accounts would be safe. It's one thing for an attacker to steal your backup media, or get ssh access and scp some files, and quite another for him to hack your server and monitor what goes on in memory in real time. Copying files can be done by anyone. Even the secretary or janitor is a potential leak. Getting root access and inserting a memory monitor around your application, and decoding what's going on, requires a skilled programmer and a lot of effort. Guys in China who do this professionally maybe can do it in their sleep, but chances are that you and I would have to work pretty hard at it.
There are two problems I see happening all around that this law could help fix. First, companies always want full access to user data. No encryption is the standard knee jerk reaction at big companies, because they want to be able to do data-mining on user data. Apparently, there is no penalty of consequence to companies that lose control of user data, and clearly the user data is valuable to the company. Some companies even sell it. Because of this, we have a stupid level of non-encrypted data, even data that really isn't valuable for data mining, such as credit card info. The second problem I see a ton is that management just takes IT's word for it that they are secure, while IT mostly ignores management because management isn't capable of understanding security anyway. It's the nature of employees in every profession to be lazy about tasks that will never be checked, and it's the nature of management to consider their company above the rest in terms of how well they are run.
Just guessing... if this law is enforced, California could reduce user info leaks by maybe 100X. Probably 10X just for making management want user data encrypted, and another 10X for making employees care.
Is this law a good idea? Beats me... Why not just post a list of every data leak the way police have a crime blotter in the local news rags? If we could make users aware of how badly their data is managed, companies would come around to caring more about it.
Celebrate failure, and then learn from it - Nolan Bushnell
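The client-side key stretching the comment above argues for, as an added example (my code, not the commenter's; the function names, the 4096 iteration count and the pepper are illustrative choices). The client does the expensive PBKDF2-HMAC-SHA256 work over the password and a per-user salt the server hands out; the server then spends one cheap HMAC keyed with a server-only pepper before storing or comparing. That last step matters: if the server stored the stretched value as-is, a dump of the user table would hand the attacker exactly the bytes a client must present to log in. PBKDF2 is written out inline so the example needs only the standard library; in production use a maintained implementation.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// PBKDF2SHA256 is PBKDF2 with HMAC-SHA256 as the PRF (RFC 8018 section 5.2).
// T_i = U_1 xor U_2 xor ... xor U_c, U_1 = PRF(P, S || INT(i)), U_n = PRF(P, U_{n-1}).
func PBKDF2SHA256(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	hLen := prf.Size()
	numBlocks := (keyLen + hLen - 1) / hLen
	out := make([]byte, 0, numBlocks*hLen)
	var idx [4]byte
	for block := 1; block <= numBlocks; block++ {
		prf.Reset()
		prf.Write(salt)
		binary.BigEndian.PutUint32(idx[:], uint32(block))
		prf.Write(idx[:])
		u := prf.Sum(nil)
		t := make([]byte, hLen)
		copy(t, u)
		for n := 1; n < iter; n++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for i := range t {
				t[i] ^= u[i]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// ClientStretch is the part the browser or app runs: all the CPU burn is
// here. The salt is per user, public, and fetched from the server before
// the password is hashed. iter is the cost the site has chosen.
func ClientStretch(password, salt []byte, iter int) []byte {
	return PBKDF2SHA256(password, salt, iter, 32)
}

// ServerHash is the server's one cheap operation over what the client sent.
// pepper lives only in server config (or an HSM), never in the database,
// so a stolen user table cannot be replayed against the login endpoint.
func ServerHash(pepper, stretched []byte) []byte {
	m := hmac.New(sha256.New, pepper)
	m.Write(stretched)
	return m.Sum(nil)
}

// Verify compares the stored value with the recomputed one in constant time.
func Verify(pepper, stored, stretched []byte) bool {
	return subtle.ConstantTimeCompare(stored, ServerHash(pepper, stretched)) == 1
}

func main() {
	// Constructed demo values; a real salt and pepper are random bytes.
	salt := []byte("per-user-salt-for-alice")
	pepper := []byte("server-only-pepper")
	const iter = 4096

	// Registration: client stretches, server peppers and stores.
	stored := ServerHash(pepper, ClientStretch([]byte("correct horse"), salt, iter))
	fmt.Println("stored:", hex.EncodeToString(stored))

	// Login: client stretches again, server does one HMAC and compares.
	fmt.Println("right password:", Verify(pepper, stored, ClientStretch([]byte("correct horse"), salt, iter)))
	fmt.Println("wrong password:", Verify(pepper, stored, ClientStretch([]byte("battery staple"), salt, iter)))
}
```

One caveat a practitioner should keep in mind with this split: the iteration count and salt are now part of the login protocol, so raising the cost later means either re-stretching on the next successful login or keeping the old parameters alongside each stored hash.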