Safe Harbor framework update in danger of capsizing

News roundup: Rights groups join critics of Safe Harbor framework update, OPM breach testimony pushback, FBI hiring part of cybersecurity issue for Justice Department. Plus: recycled malware, Microsoft's security push.

As fallout from the Paris terrorist attacks returns the dialogue about surveillance and encryption to center stage, this week also saw significant pushback from, and to, governments around the world on some of the more significant cybersecurity developments this year.

Specifically, the Safe Harbor decision is drawing more criticism, this time from privacy and civil rights groups over the proposed replacement for the EU Safe Harbor Framework. Meanwhile, key players were absent from a congressional hearing this week on the OPM breach, even as cybersecurity was cited as one of the top challenges facing the Justice Department. Several states' attorneys general called on the banking industry to roll out chip and PIN payment cards in the U.S. And the FBI denied paying researchers at Carnegie Mellon University to break Tor anonymity -- and CMU responded to the allegations as well.

Safe Harbor 2.0 framework falling apart

With the ink barely dry on the Schrems decision dismantling the long-standing Safe Harbor framework for data sharing across the Atlantic, this week saw renewed criticism of the proposed Safe Harbor 2.0 framework, this time from U.S. and European Union NGOs.

Even as cloud giants, such as Amazon and Microsoft, are opening EU regional data centers to work around international differences in privacy and data protection regulations, a coalition of 34 human rights and privacy NGOs from the U.S. and EU submitted an open letter pointing out the inadequacies of the Safe Harbor 2.0 framework to U.S. Secretary of Commerce Penny Pritzker and the EU's Commissioner for Justice, Consumers and Gender Equality Věra Jourová.

The 20 EU and 14 U.S. NGOs stated that the proposed new framework "will do little to reestablish trust for consumers." Furthermore, they said: "The proposals merely revise a set of self-regulatory principles that lack legal effect." They concluded that "A revised Safe Harbor framework similar to the earlier Safe Harbor framework will almost certainly be found invalid by the national data protection agencies and ultimately by the CJEU [Court of Justice of the European Union]."

Last month, the Article 29 Working Party released a statement after the decision striking down the Safe Harbor framework. The group, composed of representatives from each EU member state's data protection authorities, is tasked with overseeing the protection of personal data in the EU. The Article 29 Working Party said that "the question of massive and indiscriminate surveillance" was at the heart of the Schrems decision, and that the group "has consistently stated that such surveillance is incompatible with the EU legal framework and that existing transfer tools are not the solution to this issue."

The group warned: "If by the end of January 2016, no appropriate solution is found with the US authorities and depending on the assessment of the transfer tools by the Working Party, EU data protection authorities are committed to take all necessary and appropriate actions, which may include coordinated enforcement actions."

Officials skip hearing on OPM breach

Officials from the Office of Personnel Management (OPM), Department of Homeland Security (DHS) and the Office of Management and Budget (OMB) jointly declined to testify in front of the House Armed Services Committee (HASC) on Tuesday about the OPM breach, Reuters reported.

Mac Thornberry (R-TX), chairman of the committee, issued a statement in response to the agencies' absence, saying that "OPM, DHS and OMB cited the Committee's intent to transcribe the classified briefing as the reason they will not testify." Thornberry went on to say: "Their excuse, that the testimony would be on the record, is disturbing. The Committee transcribes classified briefings regularly."

FBI cyber hiring failures, Tor hack denial

"Enhancing Cybersecurity in an Era of Increasing Threats" was cited as the second greatest challenge facing the Justice Department, according to a new memorandum released by the U.S. Office of the Inspector General (OIG). The memo, titled Top Management and Performance Challenges Facing the Department of Justice, said that the Department of Justice "continues to face challenges recruiting and retaining highly-qualified candidates to do this work." The OIG also reported that "the FBI failed to hire 52 of the 134 computer scientists that it was authorized to hire, and that 5 of the 56 field offices did not have a computer scientist assigned to that office's Cyber Task Force."

According to the memo, recruitment failures are due to the FBI's background investigations being "more onerous than those used by many private sector employers," while also noting that "it was difficult to retain top talent because private sector entities often pay higher salaries."

Meanwhile, the controversy over whether the FBI paid researchers at Carnegie Mellon University to de-anonymize users of the Tor network continued this week. The initial, and only, response from the FBI was that "the allegation that we paid [Carnegie Mellon University] $1 million to hack into Tor is inaccurate," Ars Technica reported last week.

The researchers, who work for the Software Engineering Institute (SEI) of CMU, of which CERT is a division, claimed to have broken Tor anonymity, both for clients and for hidden services, with a minuscule budget of just $3,000. Details of the attack were set to be made public in a presentation at Black Hat 2014, but the presentation was shut down by CMU lawyers.

This week, CMU finally released a statement about the allegations, which it also called "inaccurate." The university's statement read: "In the course of its work, the university from time to time is served with subpoenas requesting information about research it has performed. The university abides by the rule of law, complies with lawfully issued subpoenas and receives no funding for its compliance."

While neither the FBI nor CMU is confirming or denying that the SEI de-anonymized users of the Tor network, or that the FBI used data from the SEI to identify Tor users, the unstated message seems clear: any data passed from CMU to the FBI would have been the subject of a subpoena, and would have been provided to the FBI without any payment.

States right on EMV chip and PIN?

Now that EMV migration in the U.S. has started in earnest, though perhaps less than satisfactorily, Attorneys General of eight states and the District of Columbia have called on banks and credit card issuers to "expedite the implementation of chip and PIN technology in the United States."

The state AGs of Connecticut, Washington, D.C., Illinois, Maine, Massachusetts, New York, Rhode Island, Vermont and Washington signed the letter, which read in part: "Put simply, chip and PIN technology should be implemented in the United States just as it is in many countries around the world, and without any further unnecessary delay. Payment system participants must commit to offering the greatest amount of protection and assurance to American consumers and business."

In Other News:

  • Sequels and reboots and re-runs aren't just for Hollywood, as several blasts from the past are reverberating this week. Florida-based network integrator iPower Technologies reported finding the Conficker worm (vintage 2009 or so) on "multiple body cameras" marketed for use by police departments and shipped from Martel Electronics. The worm was active but easily detected, though it could have been harmful to any old systems that hadn't been patched in eight years. iPower president Jarrett Pavao wrote that "as the Internet of Things continues to grow into every device we use in our businesses and home lives each day, it becomes even more important that manufacturers have stringent security protocols." He went on: "This discovery has a huge impact, as these devices are being shipped every day to our law enforcement agencies." In another malware rerun, Malwarebytes reported that the oldie-but-baddie Blackhole exploit kit was seen back in action in drive-by attacks. Although the author of the kit was arrested in 2013 and use of the kit dropped off after that arrest, the new appearance is largely the same as the original, even to reusing the PDF and Java exploits. Jérôme Segura, senior security researcher at Malwarebytes, wrote: "The only difference is the malware payload being dropped, which is current and had very low detection on VirusTotal." Segura said that "the author behind this Blackhole edition was working on new landing pages, so it is possible there might be additional changes in the future." Finally, a malware sequel: AlienVault's Peter Ewane reports that the newly spotted KilerRat remote access Trojan seems to pick up where the njRAT trojan left off. KilerRat, according to Ewane, "is a very feature rich RAT with an active development force that is rapidly gaining in popularity amongst the middle eastern community and the world."
  • A flaw in the JavaScript engine in Chrome was reported to leave fully updated Android devices susceptible to remote exploit with no user interaction; the attack can be executed if users simply visit an attack website. Chinese expert Guang Gong demonstrated the remote code execution attack on a smartphone running Android 6.0, but as the flaw exists in the Chrome browser, the vulnerability affects other versions of Android.
  • Now that Windows 10 is feature-complete and ready for the enterprise, Microsoft CEO Satya Nadella stood up on Tuesday morning in Washington, D.C. to talk about the company's newly invigorated security commitments for the cloud and the enterprise. At the event, Microsoft revealed new solutions and commitment to security, including managing mobile productivity with Enterprise Mobility Suite (EMS) and Microsoft Intune, innovations in enterprise security and compliance with Office 365, new capabilities in EMS and an Advanced Threat Analytics product.

Next Steps

Find out more about how Safe Harbor may affect your organization, even if you think it doesn't.

See why one EU official is optimistic about the Safe Harbor framework update.

Discover what lessons were learned as a result of the OPM breach.
