STE WILLIAMS

CloudFlare drinks the DNSSEC kool-aid, offers it on universal basis

CloudFlare has rolled out Universal DNSSEC, despite widespread controversy alleging it would provide an excellent platform from which intelligence agencies could spy upon and intercept global internet traffic.

Universal DNSSEC will be available to CloudFlare customers for free. The company announced that it will do “all the heavy lifting by signing your zone and managing the keys … All you need to do is enable DNSSEC in your CloudFlare dashboard and add one DNS record to your registrar.”

The CDN and DNS flogging company claimed “DNSSEC guarantees a website’s traffic is safely routed to the correct servers so that a site’s visitors are not intercepted by a hidden ‘man-in-the-middle’ attacker.”

DNSSEC, or DNS Security Extensions, is certainly a countermeasure against DNS cache-poisoning attacks, such as those famously highlighted by security researcher Dan Kaminsky back in 2008.

It uses cryptographic checks to make sure that IP results returned by a DNS query point to the corresponding domain name.
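The "one DNS record" the article says you add at your registrar is the DS record: a digest of the zone's DNSKEY that the parent zone publishes, so a validating resolver can tell whether the key it is handed is the one the domain owner committed to. The following is an added example, not CloudFlare's code, that computes a DS record from a DNSKEY per RFC 4034 and performs the check a validator makes; the owner name, flags and public key bytes are constructed, and verification of the RRSIG over the answer itself is outside its scope.

```python
import base64
import hashlib

# DS digest types (RFC 4034 / RFC 4509): 1 = SHA-1, 2 = SHA-256.
DIGEST_ALGOS = {1: hashlib.sha1, 2: hashlib.sha256}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-case, length-prefixed labels, root terminator."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol (always 3), 8-bit algorithm, raw public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: sum of the RDATA as 16-bit words, carry folded back in."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest = hash(owner name in wire form || DNSKEY RDATA), as upper-case hex."""
    return DIGEST_ALGOS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()


def make_ds(owner: str, flags: int, protocol: int, algorithm: int,
            pubkey_b64: str, digest_type: int = 2) -> dict:
    """Build the DS record the parent zone (via the registrar) publishes for this DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, base64.b64decode(pubkey_b64))
    return {
        "owner": owner,
        "key_tag": key_tag(rdata),
        "algorithm": algorithm,
        "digest_type": digest_type,
        "digest": ds_digest(owner, rdata, digest_type),
    }


def ds_matches_dnskey(ds: dict, owner: str, flags: int, protocol: int,
                      algorithm: int, pubkey_b64: str) -> bool:
    """The validator's check: does the parent's DS commit to the DNSKEY the child zone serves?"""
    rdata = dnskey_rdata(flags, protocol, algorithm, base64.b64decode(pubkey_b64))
    return (
        ds["algorithm"] == algorithm
        and ds["key_tag"] == key_tag(rdata)
        and ds["digest"] == ds_digest(owner, rdata, ds["digest_type"])
    )


def present_ds(ds: dict) -> str:
    """Zone-file presentation format of a DS record."""
    return f"{ds['owner']} IN DS {ds['key_tag']} {ds['algorithm']} {ds['digest_type']} {ds['digest']}"


# Constructed sample: a key-signing key (flags 257) using algorithm 13 (ECDSA P-256 / SHA-256).
# The key bytes are made up for the demonstration and are not a real public key.
OWNER = "example.com."
KSK_FLAGS, PROTOCOL, ALGO_ECDSAP256 = 257, 3, 13
SAMPLE_PUBKEY_B64 = base64.b64encode(bytes(range(64))).decode()
# A different (also constructed) key, standing in for one a poisoned or hijacked zone might serve.
SWAPPED_PUBKEY_B64 = base64.b64encode(bytes(range(1, 65))).decode()

if __name__ == "__main__":
    ds = make_ds(OWNER, KSK_FLAGS, PROTOCOL, ALGO_ECDSAP256, SAMPLE_PUBKEY_B64)
    print(present_ds(ds))
    print("genuine key matches DS:",
          ds_matches_dnskey(ds, OWNER, KSK_FLAGS, PROTOCOL, ALGO_ECDSAP256, SAMPLE_PUBKEY_B64))
    print("swapped key matches DS:",
          ds_matches_dnskey(ds, OWNER, KSK_FLAGS, PROTOCOL, ALGO_ECDSAP256, SWAPPED_PUBKEY_B64))
```

A resolver that sees the DS check fail treats the zone's keys, and therefore every signed answer under them, as bogus rather than using the forged data.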

The technology, however, remains highly contentious. Earlier this year, we reported on the ongoing debate regarding DNSSEC. While CloudFlare has provided arguments in defence of its use, onlookers have remained unquiet.

CloudFlare has attempted to explain how DNSSEC works, the root-signing ceremony, how it will “solve the final hurdles for widespread DNSSEC adoption by using elliptic curve cryptography”, the complexities that the protocol involves, and DNSSEC’s usefulness for registrars.

Allegations regarding DNSSEC’s ability to help nosey intelligence agencies were levelled by Thomas Ptacek, founder of Matasano Security, earlier this year. Ptacek’s blogpost alleged that DNSSEC was unnecessary, a government-controlled public key infrastructure, cryptographically weak, expensive to adopt, expensive to deploy, unsafe, incomplete, and architecturally unsound.

Ptacek also stated that “DNSSEC doesn’t have to happen.”

If you’re running systems carefully today, no security problem you have gets solved by deploying DNSSEC. But lots of other problems — software maintenance, network operations, user support, protecting your secrets from NSA/GCHQ — get harder.

It is not only CloudFlare disagreeing with Ptacek, however. Zachary Lym, the lead UX engineer at Namecoin, wrote in response that “DNSSEC is vital to the security of the internet” and offered a counterpoint to each of Ptacek’s claims.

CloudFlare has stated that “Universal DNSSEC is designed to work seamlessly with all other CloudFlare security and performance features, including Universal SSL, a global CDN, and automatic web content optimisation.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/13/cloudflare_dnssec/

Twitter DM character limit liberation spells opportunity for botnets

London security researcher Paul Amar has built a tool capable of exploiting Twitter’s extended direct messaging function for covert botnet command and control.

Amar created Twittor, which allows attackers, whether white hat or black hat, to create a fleet of compromised machines that can communicate, receive instructions, and update over the social network.

Twitter removed its 140 character limit for private direct messages between accounts in August.

It’s a stealthy attack, since the Twittor command-and-control network traffic looks the same as legitimate tweeting, so bots are hard to seek out and destroy, Amar says.

Twittor bots are limited to 100 direct messages a day; however, new bots can be created with additional accounts.

The Python based Twittor can be downloaded on Github.

Amar has published other tools, including a cross-site request forgery hacking toolkit, and contributed to a Shodan Firefox extension. ®

Bootnote: Walla and rhubarb are the respective US and British terms in the media industry for indistinct background chatter on TV and radio.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/13/twitter_dm_character_limit_liberation_spells_opportunity_for_botnets/

Ransomware-as-a-service surfaces, wants 10 percent profit cut

Web scum are offering another ransomware as a service model under which ill-gotten gains are split between VXers and buyers.

The CryptoLocker service by FAKBEN ransomware noted by Salted Hash is the creation of an individual or VXer group that is flogging its ransomware through a Tor Hidden Service.

No technical information is offered regarding the capabilities of the ransomware — which is claimed to be some version of the well-known CryptoLocker — and that should serve as a warning for all would-be criminals thinking of signing up.

Most ransomware fails because of encryption implementation flaws that white hats can exploit to retrieve decryption keys for free.

Punters will need to buy in for the paltry price of US$50. The VXers claim they will keep 10 percent of the total ransom paid.

FAKBEN Team offers a unique and professional service that is based on the rental of our CryptoLocker ransomware which can be downloaded through the executable file, that is built with your custom settings, and then sent to a specific victim to ask for ransom money….

When the person pays for files decryption (sic) is important to be loyal and give him/her the key for the decryption. When money is payed (sic) we will take 10 percent for the service and then the other amount will be sent to the address you specified before.

Custom ransoms can be set to a limit of $1,000,000 before database errors are thrown. A basic GUI will show the number of infected machines and ransoms paid.

The group says the ransomware will launch in coming days.

Writing ransomware is a complex business and many would-be VXers have quickly failed. This example is reminiscent of the Tox ransomware-as-a-service which fell to ruin shortly after it surfaced.

More recently Kaspersky boffins declared the Coinvault and Bitcryptor ransomware “dead” with alleged authors arrested and all 14,000 decryption keys released. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/13/ransomwareasaservice_surfaces_wants_10_percent_profit_cut/

Healthcare Apps, WordPress Most Popular Web Attack Targets

No application escaped Shellshock attacks in 2015 either, report finds.

Content management systems were attacked three times more often than other Web applications — especially WordPress, which was hit 3.5 times more often, according to Imperva’s new Web Application Attacks Report.

WordPress, the most popular CMS, has taken a beating this year, marred by a variety of vulnerabilities — particularly, weaknesses in plug-ins, of which the CMS has over 30,000 — and an increase in brute-force attacks.

Imperva’s report found that CMSes are far more susceptible to remote command execution (RCE) attacks than non-CMS applications. They further discovered that WordPress is five times likelier than other CMSes to be hit by remote file inclusion (RFI) attacks. 

“CMS frameworks are mostly open source, with communities of developers continuously generating sequences of plugins and add-ons, without concerted focus towards security. This developer model constantly increases the vulnerabilities in CMS applications, especially for WordPress which is also PHP based,” the report said.

Healthcare applications, meanwhile, have less to worry about from RCE and RFI. Their main problem is, overwhelmingly, cross-site scripting (XSS). Fifty-seven percent of attacks against health apps are XSS, while other applications get hit with XSS only 1% to 16% of the time. According to the report, XSS may be a popular way of stealing PII from healthcare apps by hijacking sessions.

Different industry verticals’ apps are prone to different attacks. Travel, leisure, and financial services are hit hardest by RFI; computers/Internet and shopping by HTTP attacks; and restaurants/dining by directory traversal attacks.

One thing nobody escaped from was Shellshock. The Shellshock RCE bug — which grants remote command access to Linux- and Unix-based systems that use the Bash command shell — showed up as a critical zero-day back in September 2014. Exploits appeared in the wild and were folded into exploit kits overnight.

Seven months later, in April 2015, Imperva saw another wave of attacks exploiting Shellshock against systems that still had not been patched.

“Shellshock attacks were detected in all applications in very similar numbers, indicating wide-scale blind scanning of the Internet with Shellshock attacks. …  we saw that ShellShock scans were aimed at everyone without discrimination,” according to the report. “The second wave, seven months after the publication of Shellshock, showed a wide and intensive campaign persistently attacking most of the applications in our research. During the campaign period, most of the applications were exposed to thousands of Shellshock attempts every single week.”

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad …

Article source: http://www.darkreading.com/attacks-breaches/healthcare-apps-wordpress-most-popular-web-attack-targets/d/d-id/1323125?_mc=RSS_DR_EDT

The Edward Snowden guide to practical privacy

If you want to limit how much governments and companies know about you and your private life, then use Tor, download specific apps and plug-ins, encrypt your hard drive, and use a password manager.

Those are among the tips provided by NSA whistleblower Edward Snowden in an interview with “digital bodyguard” Micah Lee. The interview, published on The Intercept, is interesting in that it provides a practical guide for protecting your privacy from the very mass surveillance that Snowden revealed in his huge leak of US government documents.

The guide covers everyone from the typical concerned citizen to someone who may be handling highly sensitive documents. Here are the highlights:

If you’re just an average user concerned about your privacy

  • Use Tor when browsing. You don’t have to use Tor all the time (it does slow things down considerably and some sites will also block Tor traffic). But if you are looking at or for something that you feel is sensitive, then either set up your browser to work with Tor or use the Tor browser.
  • Use an ad-blocker. Says Snowden: “As long as service providers are serving ads with active content that require the use of Javascript to display, that have some kind of active content like Flash embedded in it, anything that can be a vector for attack in your web browser – you should be actively trying to block these.”
  • Use a password manager. It doesn’t matter how many surveys and reports come out that tell people to use different passwords and complex passwords, a huge percentage of us maintain borderline idiotic approaches. The simple answer is: get a password manager. It will protect you.
  • Use two-factor authentication. Many services such as Gmail, Twitter, Dropbox, Hotmail, and Facebook offer this now for no charge. So even if your password does get exposed, you still have a backup such as a text message to your phone to secure your information.
  • Use apps that protect your information. Snowden suggests the smartphone app Signal, which encrypts both your phone calls and texts. It’s free and easy to use. Although of course, following a high-profile argument with the FBI, it would appear that Apple’s messaging service is also pretty secure (although Snowden would probably have doubts).
  • Use the HTTPS Everywhere browser plug-in. This comes from the Electronic Frontier Foundation (EFF) and will try to force all browser communication to be encrypted.
  • Encrypt your hard drive. This is comparatively easy these days but you have to be careful to do two things: one, have a longish phrase to make it worthwhile; and two, make damn sure you remember that phrase. There will be a slowdown in performance but nothing too bad if you have a modern machine.
  • Be smart with your security questions. Stop using your mother’s maiden name for everything. Likewise your first school. The key is to mix things up as much as possible so if someone does get into one of your accounts, they can’t use the same information to get in everywhere else.

On this issue – the average Joe – there was a cautionary tale just today on why these things are necessary even if you’re not a journalist working on confidential material or a whistleblower or someone protecting valuable secrets.

Business journalist Jeff Bercovici lost nine years of Facebook data when he forgot about an old Hotmail email address, didn’t use two-factor authentication, and presumably used a weak password. Someone in Turkey accessed that account and used it to take over his Facebook profile.

By the time Jeff got back, the man had deleted all of his Facebook data. A huge pain and shame, but that information could just as easily have been used to access different accounts and even steal his identity. Jeff tweeted about the experience.

If you are handling confidential information

One of the more interesting takeaways from Snowden’s reflections on private security is that you don’t need to become a paranoid maniac across your entire life – you just have to learn to segment your activities into levels of risk and not unnecessarily share information that you don’t need to.

“You don’t need to hide everything from the adversary,” he told Lee. “You don’t need to live a paranoid life, off the grid, in hiding, in the woods in Montana. What we do need to protect are the facts of our activities, our beliefs, and our lives that could be used against us in manners that are contrary to our interests.

“So when we think about this for whistleblowers, for example, if you witnessed some kind of wrongdoing and you need to reveal this information, and you believe there are people that want to interfere with that, you need to think about how to compartmentalize that. Tell no one who doesn’t need to know.”

If you are sending or receiving highly confidential documents, then what you need to protect is not the fact you went to the supermarket on Tuesday but the connection to the person you are receiving/providing the information to. By concealing that connection then, in Snowden’s words, “whoever has been engaging in this wrongdoing cannot distract from the controversy by pointing to your physical identity. Instead they have to deal with the facts of the controversy rather than the actors that are involved in it.”

So what tools does he recommend for that kind of interaction?

For providing documents he recommends SecureDrop – which is already used by a range of media organizations – and using it over the Tor network.

He also suggests using a computer that can ideally be thrown away afterwards so no trace is left, and using an operating system that leaves no traces on the machine – he gives the example of Tails.

If you want to pretend to be James Bond

Let’s be honest, very, very few of us will ever have material that is so valuable that the security services will pull out all the stops to get at it.

Government representatives typically have their security looked after by others, such as being given clean laptops or phones/tablets when visiting countries like China or Russia. The very few journalists that embark on projects involving state secrets also tend to be brought up to speed by experienced hands.

But if you want to do this yourself – and what self-respecting sysadmin doesn’t love mucking about with this sort of stuff? – then there is some advice for hardcore privacy. And a big part of that is not in tools but in mindset.

“It all comes down to personal evaluation of your personal threat model, right? That is the bottom line of what operational security is about,” says Snowden. “You have to assess the risk of compromise. On the basis of that, determine how much effort needs to be invested into mitigating that risk.”

Never leave your machine unattended. Have a bootloader for your machine on an external device that you keep on your person. Use a virtual machine (Snowden likes Qubes). And think about whether you need your mobile phone on you revealing where you are and where you have been every moment of every day.

All in all, it’s a pretty interesting interview capturing years of experience and thought from someone who has spent more time than any of us thinking about such issues. You can catch the full thing here. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/12/snowden_guide_to_practical_privacy/

Solving Security: If You Want Something New, Stop Doing Something Old

Black Hat Europe keynoter Haroon Meer tells security pros to work smarter, think out of the box, and speak out to the C-suite.

BLACK HAT EUROPE — Amsterdam — Black Hat Europe keynote speaker Haroon Meer, founder of Thinkst, took some shots at a few sacred security cows on Thursday during the opening session at RAI Amsterdam. His presentation, “What Got You Here Won’t Get You There,” exhorted hundreds of cyberdefenders in the audience to focus on what’s important in the many battles they face and, more importantly, ignore the distractions.

“Every day we seem to pump out more code, connect more machines, and collect more data than ever before,” he said. “Malicious actors have been making out like bandits and intelligence agencies have been owning (and pre-owning) the planet while your average large-company Infosec team is still struggling with the problems we knew about in the 90s.”

At the same time, corporate boards are becoming more involved in assuring people that everything is under control. But “the truth is,” Meer said, “they have very few answers; when it comes to the major breaks [in recent years] organizations have spent a lot of money and they just couldn’t stop them.”

Worse, only the largest companies — the top 100 of the Fortune 500 — have a “genuine shot” at ever successfully playing the game of cyber defense, he said. “After that, the rest are the ‘toasted 400’ and they don’t even know they’re toast?! Everyone I know understands that every attack going back to 2003 still works the same way.”

Meer, riffing on the popular 2007 self-help book by executive coach Marshall Goldsmith, noted several reasons for the current state of insecurity: the increasing complexity of the IT environment, the widespread availability of hacking tools in the mainstream, and the growing awareness of the value of data. “Even junior staff members know now that access matters,” he said pointing to Julian Assange of WikiLeaks fame.

Meer was not without solutions. But, first he said the industry has to throw away a lot of pre-conceived notions: “What you think helps, doesn’t. And worse, it’s probably harmful.” His list of the “wrong ways”:

Penetration testing: The industry performs them routinely, but it doesn’t seem to help, according to Meer. One reason, he said, is that pen testers don’t focus enough on important attack vectors — for example, web browsers. But he also said the industry is overly dependent on pen tests “because they are easy. It feels like you are doing something and it delivers a result.”

Defining risk: “We have to stop referring to breaches in terms of numbers of records lost,” he said, noting that there is a “big difference between the loss of 80 million records at Anthem and a defense contractor losing the plans to a brand new fighter jet.”

Big Data: “More data won’t fix everything when we still cannot even connect the dots we have now.”

Choosing complexity over simplicity: “People want complexity when simple works,” he said pointing to proven tools like honeypots and The Enhanced Mitigation Experience Toolkit. “Take the best of what you can find that will do the job you need to do.”

Saying “no” to new ideas.  At Etsy, Meer said that management encourages security teams to think out of the box with “crazy ideas” and then to enable them. “What we need is to become solutions engineers, to focus on incident response and create not buy solutions,” he said.

Finally, Meer strongly advocated that security professionals become more social, visible, and vocal; to stop being the folks “in the corner.”

“Your job is to make management get it,” he said. “If you can’t do that, then you should change jobs because either they’ll never get it, or you’ll never break through.”

Marilyn has been covering technology for business, government, and consumer audiences for over 20 years. Prior to joining UBM, Marilyn worked for nine years as editorial director at TechTarget Inc., where she launched six Websites for IT managers and administrators supporting …

Article source: http://www.darkreading.com/operations/solving-security-if-you-want-something-new-stop-doing-something-old-/d/d-id/1323123?_mc=RSS_DR_EDT

Cherry Picker POS Malware Has Remained Hidden For Four Years

Sophisticated obfuscation techniques have allowed malware to evade AV systems and security vendors for a long time, says Trustwave.

Security and compliance management service provider Trustwave has sounded the alert on what it described as a sophisticated malware tool for stealing credit and debit card data from point-of-sale systems.

The malware, dubbed “Cherry Picker,” has apparently been floating around since 2011. But it has remained largely undetected by antivirus tools and security companies because of the sophisticated techniques it uses to hide itself from sight.

Trustwave described Cherry Picker as being configurable for different purposes and using a new technique for scraping cardholder data from the memory of the POS systems it infects. Cherry Picker’s use of encryption, configuration files, command line arguments, and obfuscation have also allowed the malware to remain undetected for a long time, Trustwave said.

“The introduction of [a] way to parse memory and find [cardholder data], a sophisticated file infector, and a targeted cleaner program have allowed this malware family to go largely unnoticed in the security community,” Trustwave said in a report on the threat to be released Friday.

Attacks on vulnerable point-of-sale (POS) systems have proved to be a very effective way for criminals to steal credit and debit card data in recent years.

Many POS systems store unencrypted cardholder data in memory very briefly before the data is transmitted to the payment processor for approval. Over the years, cyber crooks have developed and perfected malware tools that are capable of searching for this data in the POS system’s memory and siphoning it out using a variety of methods.

In a report last November, security vendor Symantec identified POS malware as one of the most commonly used methods by cyber criminals to steal payment card data. The POS malware threat has been quietly brewing since at least 2005. But it is only with the massive data breaches of 2013 and 2014, which compromised over 100 million payment cards, that the full scope of the problem has become evident, Symantec said. The growing availability of relatively inexpensive, ready-to-use POS malware kits has added to the problem.

One issue with many POS systems is that payment card numbers are not encrypted within the system’s memory — giving malicious hackers a brief window of opportunity to get at the data. 

While a lot of organizations encrypt cardholder data on the way to the payment processor and while in transit within their own networks, they don’t do the same with memory-resident data on the POS, the Symantec report noted. Point-to-point encryption and the use of payment systems based on the Europay Mastercard Visa (EMV) smartcard standard can help mitigate this vulnerability, it added.

The author, or authors, of Cherry Picker have kept incrementally upgrading the tool since it first surfaced in 2011. The malware is now in its third generation and is noteworthy for several reasons, says Eric Merritt, a security researcher at Trustwave.

For instance, few other pieces of malware go to the extent that Cherry Picker does in cleaning up after itself, Merritt says. It is rare for malware writers to spend much effort on hiding their tracks once their task is complete. “They are fairly lazy,” in that regard, he says. “But this one went to great lengths to make it look as if it had not infected the system.”

Merritt says it’s hard to know for sure how many merchant systems Cherry Picker might have infected because of how well the malware has evaded detection.

Cherry Picker’s technique of infecting a legitimate file on the POS system and executing from inside the compromised file suggests a high degree of sophistication on the malware author’s part as well, Merritt says. “It is an interesting piece of malware in that it combines simple techniques and extremely sophisticated techniques,” for stealing card data and remaining virtually hidden from detection for the past four or five years.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: http://www.darkreading.com/vulnerabilities---threats/cherry-picker-pos-malware-has-remained-hidden-for-four-years/d/d-id/1323128?_mc=RSS_DR_EDT

Security blogger Graham Cluley’s website suffers DDoS attack


A distributed denial-of-service attack (DDoS) is a cheap but effective way to take out your target’s website by flooding it with so much traffic that the web server becomes overwhelmed and the website crashes.

There are those who use DDoS attacks as a kind of online protest, such as hacktivist groups like Anonymous.

Then there are those who do it to “amuse” themselves, like the Lizard Squad who took out Playstation and Xbox servers on Christmas Day last year.

And then there are other DDoS attacks that come from cybercriminals who don’t care about politics or hijinks – they just want money.

Recently a cybergang calling itself the Armada Collective has been attempting to extort money from victims by threatening DDoS attacks unless a ransom is paid in bitcoins.

One Swiss company, the encrypted webmail provider ProtonMail, recently paid $6000 in bitcoins after receiving a ransom demand from the Armada Collective, it said. The site was still DDoSed.

And now, the latest site to fall victim to a DDoS attack is that of former Naked Security writer Graham Cluley.

We don’t know why Graham was targeted, but on Twitter he noted that he didn’t receive a ransom demand, so it must have been “personal.”

Unfortunately, it doesn’t take much skill to launch this kind of attack.

Anybody with a little bit of money and the will to wreak havoc can launch DDoS attacks with simple DDoS-for-hire web tools that harness armies of zombified computers to bombard your website with thousands or millions of illegitimate web requests.

DDoS attacks are simple but destructive – if your website goes down for any period of time, your customers can’t get through and you end up losing new sales, losing customers, or missing out on ad revenue, depending on what your website’s purpose is.

In Graham’s article about how ProtonMail initially caved to the extortion demands, but then had a change of heart, Graham wrote something very sensible about how we should treat extortionists, blackmailers and ransom-takers:

No-one should ever pay internet extortionists.

For those who receive a ransom demand, it might seem like a few thousand dollars is a fair price to pay when your customers are complaining they can’t access your services, and your business is hurting.

But if we pay the extortionists’ demands, that will only give them more reason to do it again.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Uz4S5Gs8jOo/

Microsoft to host data in Germany to evade US spying


Microsoft’s new plan to keep the US government’s hands off its customers’ data: Germany will be a safe harbor in the digital privacy storm.

Microsoft on Wednesday announced that beginning in the second half of 2016, it will give foreign customers the option of keeping data in new European facilities that, at least in theory, should shield customers from US government surveillance.

It will cost more, according to the Financial Times, though pricing details weren’t forthcoming.

Microsoft Cloud – including Azure, Office 365 and Dynamics CRM Online – will be hosted from new datacenters in the German regions of Magdeburg and Frankfurt am Main.

Access to data will be controlled by what the company called a German data trustee: T-Systems, a subsidiary of the independent German company Deutsche Telekom.

Without the permission of Deutsche Telekom or customers, Microsoft won’t be able to get its hands on the data. If it does get permission, the trustee will still control and oversee Microsoft’s access.

Microsoft CEO Satya Nadella dropped the word “trust” into the company’s statement:

Microsoft’s mission is to empower every person and every individual on the planet to achieve more. Our new datacenter regions in Germany, operated in partnership with Deutsche Telekom, will not only spur local innovation and growth, but offer customers choice and trust in how their data is handled and where it is stored.

On Tuesday, at the Future Decoded conference in London, Nadella also announced that Microsoft would, for the first time, be opening two UK datacenters next year. The company’s also expanding its existing operations in Ireland and the Netherlands.

Officially, none of this has anything to do with the long-drawn-out squabbling over the transatlantic Safe Harbor agreement, which the EU’s highest court struck down last month, calling the agreement “invalid” because it didn’t protect data from US surveillance.

No, Nadella said, the new datacenters and expansions are all about giving local businesses and organizations “transformative technology they need to seize new global growth.”

But as Diginomica reports, Microsoft EVP of Cloud and Enterprise Scott Guthrie followed up his boss’s comments by saying that yes, the driver behind the new datacenters is to let customers keep data close:

We can guarantee customers that their data will always stay in the UK. Being able to very concretely tell that story is something that I think will accelerate cloud adoption further in the UK.

Microsoft and T-Systems’ lawyers may well think that storing customer data in a German trustee data center will protect it from the reach of US law, but for all we know, that could be wishful thinking.

Forrester cloud computing analyst Paul Miller:

To be sure, we must wait for the first legal challenge. And the appeal. And the counter-appeal.

As with all new legal approaches, we don’t know it is watertight until it is challenged in court. Microsoft and T-Systems’ lawyers are very good and say it’s watertight. But we can be sure opposition lawyers will look for all the holes.

By keeping data offshore – particularly in Germany, which has strong data privacy laws – Microsoft could avoid the situation it’s now facing with the US demanding access to customer emails stored on a Microsoft server in Dublin.

The US has argued that Microsoft, as a US company, comes under US jurisdiction, regardless of where it keeps its data.

Running away to Germany isn’t a groundbreaking move; other US cloud services providers have already pledged expansion of their EU presences, including Amazon’s plan to open a UK datacenter in late 2016 that will offer what CTO Werner Vogels calls “strong data sovereignty to local users.”

Other big data operators have followed suit: Salesforce has already opened datacenters in the UK and Germany and plans to open one in France next year, while NetSuite and Box have each pledged new EU operations for the new year.

Can Germany keep the US out of its datacenters? Can Ireland?

Time, and court cases, will tell.

Image of US flag with man peeking through courtesy of Shutterstock.com

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/GJVtdHI0vhE/

California collects, owns and sells infants’ DNA samples


If you were born in California since 1983, the state owns your DNA.

The blood samples, and the data derived from them, of every Californian born since that year are kept in a bland office building in Richmond, a city in the eastern section of the San Francisco Bay Area.

That data’s not just passively kept, mind you: it’s also being sold, to third parties, for research purposes, according to CBS local station KPIX.

That biometric data, taken by a heel prick at birth to screen for 80 hereditary diseases, represents a wealth of information on an individual, from eye and hair color to pre-disposition to diseases such as Alzheimer’s and cancer.

Besides being sold – in purportedly de-identified form – to third parties, it’s also available for law enforcement requests.

None of this is new, mind you.

Dr. Jeffrey Botkin of the Secretary’s Advisory Committee on Heritable Disorders in Newborns and Children, which advises the Department of Health and Human Services on newborn screening, in June 2014 told Newsweek that this is a “long-standing issue and a controversy to a certain extent in the newborn screening field.”

The screening tests are generally mandatory under state law. When the program was first developed in the 1960s, Botkin said that the thinking behind it was that …

…the advantages for newborn screening were so compelling, it was appropriate or acceptable to have states simply mandate screening.

As of July 2014, 43 states allowed parents to decline the screening process based on religious beliefs or philosophical reasons, but the option is rarely exercised.

That’s probably due in no small part to the fact that parents only hear about the program during the hectic time when a mother in labor enters the hospital.

As Newsweek has reported, in most states, the blood spots are transferred to long-term storage banks run by state departments of health and retained for at least a few years.

In 12 states, they’re kept for 21 years or longer.

But California is one of just four states where dried blood samples become the property of the state: along with Iowa, Michigan and New York, it participates in a virtual repository, government-owned and -operated, that enables researchers to access the data and sometimes the blood spots themselves.

It’s not that the screening doesn’t help families. A prime example is the family of Luke Jellin, whose heel prick at birth led doctors to diagnose a rare metabolic disease.

KPIX quotes Luke’s mother, Kelly Jellin, a member of the Save Babies Through Screening Foundation:

Had he not been tested he would have been severely brain damaged, possibly would have had heart and kidney problems. If blood spots hadn’t been saved, they wouldn’t have been able to make the test that saved my child’s life.

Why isn’t this opt-in?

This may come as a surprise to parents of newborns, given that the tests are administered without their informed consent.

Cases such as that of Luke Jellin notwithstanding, the question remains: why doesn’t the California Department of Public Health (CDPH) obtain permission before taking, saving, sharing and selling these blood spots?

When KPIX asked the CDPH for an interview on the issue, the request was denied.

In denying the interview request, the CDPH also failed to answer the question of why consent isn’t required for the test.

It turns out that information about the tests is buried on page 12 of the brochure about the Newborn Screening Program that hospitals give parents of newborns before they go home.

KPIX interviewed one mother, Danielle Gatto, who says she scarcely remembers the nurse mentioning tests performed at her two daughters’ births.

And she certainly wasn’t about to turn away from her newborn to pore over a ream of paperwork, she noted:

I don’t think that any woman is in a state of mind to sit down and start studying up on the literature they send you home with.

The CDPH says that parents have the option of having the DNA samples destroyed, and provides a form for requesting that.

Are the blood spots really de-identified?

The CDPH’s premise that DNA samples have been de-identified is questionable, one expert said.

Yaniv Erlich with Columbia University and the New York Genome Center told KPIX that there’s no way to guarantee that the samples can be rendered anonymous.

He’s actually found it quite easy to cross-reference anonymized DNA with online data and connect it to a name, he said:

You need to have some training in genetics, but once you have that kind of training the attack is not very complicated to conduct.

Erlich is, in fact, a supporter of sharing genomic information, for the sake of advancing biomedical research:

This is the only way that we can help families with kids that are affected by these devastating genetic disorders.

For her part, Gatto is unnerved by the unknowns of what could be done with the treasure trove of information stored in DNA samples and thinks that the state should at least ask for consent before storing and selling DNA:

We are at the beginning of a frontier of so much genetic research, there is no knowing at this point in time what that info could be used for. The worst thing as a parent is to think that a decision that you are making today may negatively affect your children down the road.

Her husband, Assemblyman Mike Gatto, introduced a DNA privacy bill this year that would have required signed consent on newborn screening.

The bill was killed after opposition from the state and from industry, including a letter from the University of California.

Danielle Gatto has requested that her daughters’ blood spots be destroyed.

Image of Scientist and DNA samples courtesy of Shutterstock.com

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/gatpcfF7Lfo/