
Europe, US Cut 11th Hour Safe Harbor Deal

By John P. Mello Jr.
Feb 3, 2016 5:00 AM PT

Europe and the United States on Tuesday announced a new Safe Harbor agreement that neutralizes the threat of enforcement actions against domestic companies handling overseas data.

Called the "EU-US Privacy Shield," the agreement aims to protect the privacy of data belonging to European citizens when it's handled by U.S. companies.

"The new EU-US Privacy Shield will protect the fundamental rights of Europeans when their personal data is transferred to U.S. companies," said Vera Jourová, the European Union's commissioner for justice, consumers and gender equality.

"For the first time ever, the United States has given the EU binding assurances that the access of public authorities for national security purposes will be subject to clear limitations, safeguards and oversight mechanisms," she continued.

"Also for the first time," Jourová added, "EU citizens will benefit from redress mechanisms in this area. In the context of the negotiations for this agreement, the U.S. has assured that it does not conduct mass or indiscriminate surveillance of Europeans. We have established an annual joint review in order to closely monitor the implementation of these commitments."

Fines Averted

Without a new Safe Harbor agreement to protect U.S. companies handling the data of European citizens from EU privacy restrictions, enforcement actions would have begun immediately, noted Neil Stelzer, general counsel for Identity Finder.

"There's no talking of a grace period or a deadline extension," he told TechNewsWorld.

That would have meant European regulators would have pursued high-profile targets that handle lots of data belonging to their citizens -- companies like Google and Facebook.

"Regulators have limited resources, so what they will do is go after big names that will make the papers and try to get big fines issued against them," Stelzer said.

"Those fines in Europe are quite substantial, so they're something you're going to want to avoid," he added.

Safe Harbor Unsafe for Europeans

The European Court of Justice last year ruled illegal an agreement between the United States and the European Union that created a Safe Harbor for U.S. companies handling personal data of overseas citizens.

Under the agreement, essentially the word of a U.S. company that it had adequate safeguards in place to protect the data of Europeans was all that was needed when overseas data was transferred to American service providers.

The agreement was an act of convenience by the European Union to accommodate the discrepancy between strong privacy protections found overseas and weaker ones in the United States.

The United States and Europe had until Jan. 31 to forge a new Safe Harbor agreement that could pass court muster. That deadline passed, but they managed to craft an agreement two days later.

Ukraine Power Outage

In December, attackers installed malware on the systems of a power company in western Ukraine. The malicious program, called BlackEnergy3, prevented malware fighters from detecting the attack while the intruders remotely tripped breakers that cut power to anywhere from 80,000 to 700,000 homes for six hours, according to reports.

It's believed to be the first time a cyberattack caused a power outage.

Field staff eventually restored power by resetting the breakers by hand at the targeted substations.

The speed at which power was restored suggests that the role BlackEnergy3 played in the attack has been overblown.

"It is technically possible, but highly improbable, that the BlackEnergy3 malware was used as the direct cyberthreat that led to any denial of service or other consequences to the industrial control systems associated with the Ukrainian power systems," said ICS security expert Joel Langill.

"I do believe, however, that other unrelated cyber events such as communication buffer overflows, network issues, and potential software bugs were in fact key factors that led to the inability of the industrial control system to perform as intended, resulting in the widespread outage," he added.

Old Vulnerability

In another interesting twist about the use of BlackEnergy, the malware was using an attack vector Microsoft patched in 2014, SentinelOne CSO Udi Shamir said.

Patched systems would have alerted the user to the malware and prevented it from infecting a system without user intervention, he told TechNewsWorld.

That means that in order to trigger the malware, a user needed to intervene, either accidentally or deliberately.

"The third option is the malware was resident for many, many months or years, and when zero hour arrived, it just began executing," Shamir said.

Bad Patching

There's a fourth possibility, too. The versions of Microsoft Office that served as the entry point for BlackEnergy weren't patched at all, leaving them even more vulnerable to attack.

"You can't always install the latest patches," Shamir explained. "Most of these SCADA systems are working with legacy software, such as Windows XP."

SCADA -- supervisory control and data acquisition -- systems enable the monitoring and automation of physical systems, such as oil and gas pipeline valves, temperature monitoring and cooling systems, energy grids, and traffic lights.

"If you're using Windows XP, which isn't supported by Microsoft anymore, there are no latest patches," Shamir continued.

"Even if you do patch and you have an insider that will execute the malware, you're still doomed," he added.

Deep Learning

Traditional malware-detection methods -- signatures, simple machine learning or human-in-the-middle analysis -- aren't fast enough or powerful enough to protect systems these days.

"That led us to deep learning because it can be used to teach a detector general patterns for identifying if something is malicious or not," said Andrew Gardner, senior technical director for machine learning at Symantec.

With traditional malware analysis, someone has to look at a malware sample; create labels, or metadata, for it; and store it in a database.

If the malware is encountered again, a detector will be able to identify it from those labels. If the malware has been changed in just the slightest way, though, it will be undetected.

With that kind of literal analysis, you can teach an analysis tool to identify Felix the Cat, but it's not going to identify other cats, such as Garfield, Morris or Simba.

Malware writers are well aware of that deficiency, so they write malicious software that's capable of constantly altering itself to avoid detection.
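The brittleness of exact-match signatures described in this section, and the appeal of matching on general features instead, as an added Python example. This is not code from the article or from Symantec, and it is not deep learning: the feature model is a deliberately simple byte n-gram similarity stand-in for a learned detector. The sample bytes, the SHA-256 "signature database" and the family label are all constructed for illustration.

```python
import hashlib
from collections import Counter

# Constructed stand-ins for files on disk (not real malware, not real signatures):
# a "known" sample, a variant of it with a single bit flipped, and a benign file.
KNOWN_SAMPLE = b"MZ\x90\x00" + b"evil-loader-v1;connect;download;execute" * 4
BENIGN_FILE = b"MZ\x90\x00" + b"hello-world;print;exit" * 6


def flip_one_bit(data: bytes, offset: int = 10) -> bytes:
    """Return a copy of data with one bit flipped at offset (models a trivial repack)."""
    out = bytearray(data)
    out[offset] ^= 0x01
    return bytes(out)


VARIANT = flip_one_bit(KNOWN_SAMPLE)

# --- 1. Exact-match "signature": the database stores a cryptographic hash --------
def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Hypothetical label; in a real product this is the analyst-assigned metadata.
FAMILY_LABEL = "Loader.Example (constructed label)"
EXACT_SIGNATURES = {sha256_hex(KNOWN_SAMPLE): FAMILY_LABEL}


def exact_lookup(data: bytes):
    """Return the label if the file's hash is in the database, else None."""
    return EXACT_SIGNATURES.get(sha256_hex(data))


# --- 2. Similarity-based detection on byte n-gram features -----------------------
def byte_ngrams(data: bytes, n: int = 4) -> Counter:
    """Multiset of overlapping n-byte substrings; a crude feature vector."""
    return Counter(data[i:i + n] for i in range(len(data) - n + 1))


def jaccard(a: Counter, b: Counter) -> float:
    """Weighted Jaccard similarity between two multisets of features."""
    inter = sum((a & b).values())
    union = sum((a | b).values())
    return inter / union if union else 0.0


FEATURE_DB = {FAMILY_LABEL: byte_ngrams(KNOWN_SAMPLE)}


def fuzzy_lookup(data: bytes, threshold: float = 0.8):
    """Return (label, best_score); label is None when no family scores >= threshold."""
    feats = byte_ngrams(data)
    best_label, best_score = None, 0.0
    for label, ref in FEATURE_DB.items():
        score = jaccard(feats, ref)
        if score > best_score:
            best_label, best_score = label, score
    return (best_label if best_score >= threshold else None), best_score


def classify(data: bytes) -> dict:
    """Run both detectors side by side so the difference is visible."""
    label, score = fuzzy_lookup(data)
    return {"exact": exact_lookup(data), "fuzzy": label, "score": round(score, 3)}


if __name__ == "__main__":
    for name, blob in [("known", KNOWN_SAMPLE), ("variant", VARIANT), ("benign", BENIGN_FILE)]:
        print(f"{name:8s} {classify(blob)}")
```

The one-bit-flipped variant misses the hash lookup entirely but still scores about 0.95 against the known family's feature profile, while the benign file scores near zero. A production detector would use richer features (imports, behaviour, structure) and a learned decision boundary rather than a fixed threshold; that generalisation from a few labelled samples to unseen variants is the gap the deep-learning approach in the article is meant to close.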

Future of Security

"With deep learning, we can take huge amounts of unlabeled data and use a small number of labels to create labels for the whole data set," Gardner told TechNewsWorld.

"That's pretty powerful because it removes a critical bottleneck: the human expert labeler," he said.

Now when the analysis tool is taught to identify Felix the Cat, it will be able to identify all cats, whether it has seen them before or not.

"I expect that in the future we will see more companies look at adopting deep learning security data because I can't think of any other way that they can feasibly process all the data that they collect," Gardner said.

"At Symantec," he continued, "we collect about a petabyte of data a day. That's an enormous amount of data. There's no way you could label all that data with human intervention."

Breach Diary

  • Jan. 25. Lawsuit against Georgia over a data breach that exposed personal data of 6 million voters in the state is dismissed at the request of the plaintiffs, who said their motivation for pursuing the litigation was to get the state to acknowledge the breach.
  • Jan. 25. VTech Holdings announces its Learning Lodge website and app store have resumed normal operations for most of its customers. In November, a data breach exposed personal data for 12 million people, including 6.4 million kids.
  • Jan. 25. Affinity Plus Federal Credit Union reports a 64 percent decline in fraud since distributing EMV chip-enabled payment cards in October.
  • Jan. 25. Uber confirms a bug in its computer systems caused the tax information for one of its drivers to be viewed by other drivers.
  • Jan. 26. Online Trust Alliance reports that 91 percent of data breaches during the first eight months of 2015 could have been prevented by patching a server, encrypting data or ensuring employees did not lose their laptops.
  • Jan. 27. Wendy's reveals it's investigating reports from its payment industry contacts of fraudulent activity on payment cards after they were used at the company's restaurants.
  • Jan. 27. TalkTalk announces that three workers at a call center in India have been arrested in connection with stealing customer data and using it to scam those customers. Customer records were also compromised in October in a data breach affecting more than 156,000 customers.
  • Jan. 27. NCH Healthcare, which operates hospitals in Collier County, Florida, notifies employees and medical staff that their credential information is at risk after a data breach at Cerner Data Center in Kansas City, Missouri.
  • Jan. 27. ThreatTrack Security releases a survey of 207 security professionals in the United States that found fewer were investigating data breaches not disclosed to their customers (11 percent compared to 57 percent in 2013) and fewer need to clean up malware from executives visiting porn sites (26 percent compared to 40 percent in 2013).
  • Jan. 28. Defense Minister Harjit Sajjan announces Canada's electronic spy agency, the Communications Security Establishment, has stopped sharing some of its data with key international allies after discovering the data included personal information about the country's citizens.
  • Jan. 28. Royal Bank of Canada announces it accidentally mailed hundreds of retirement account receipts to the wrong customers. Information on receipts includes names, addresses and social insurance numbers of account holders.
  • Jan. 28. Privacy Commissioner of British Columbia releases a report finding education ministry of the Canadian province failed to protect the personal information of 3.4 million students when its staff lost a portable hard drive in the fall of 2015.
  • Jan. 28. The Fraternal Order of Police, the largest police union in the United States, asks FBI to investigate a data breach of the organization's computers in which hundreds of megabytes of bargaining contracts and other records were stolen and posted to the Internet by a British hacktivist who calls himself TheCthulhu.
  • Jan. 29. Lincolnshire County in the UK reveals it's been presented with a ransomware demand for 1 million pounds. Its computer systems have been offline for four days after it discovered ransomware malware on them. It says systems will be online after its data is restored from its backup system.

Upcoming Security Events

  • Feb. 3. Building an IT Security Awareness Program That Really Works. 2 p.m. ET. InformationWeek DarkReading webinar. Free with registration.
  • Feb. 4. 2016 annual Worldwide Infrastructure Security Update. 11 a.m. ET. Webinar sponsored by Arbor Networks. Free with registration.
  • Feb. 4. Best Practices in Cybersecurity Supply Chain Risk Management -- The Boeing Story. 2 p.m. Webinar sponsored by Exostar. Free with registration.
  • Feb. 5-6. B-Sides Huntsville. Dynetics, 1004 Explorer Blvd., Huntsville, Alabama. Free.
  • Feb. 9. Start With Security. University of Washington Law School, 4293 Memorial Way NE, Seattle. Sponsored by Federal Trade Commission. Free.
  • Feb. 11. Pulse on Advanced Threats: Findings from Arbor Networks' Worldwide Infrastructure Security Report. 11 a.m. ET. Webinar sponsored by Arbor Networks. Free with registration.
  • Feb. 11. SecureWorld Charlotte. Charlotte Convention Center, 501 South College St., Charlotte, North Carolina. Registration: conference pass, $195; SecureWorld Plus, $625; exhibits and open sessions, $30.
  • Feb. 11. Data Breach & Privacy Litigation Conference. Julia Morgan Ballroom, 465 California St., San Francisco. Registration: attorneys and companies, $795; litigation service provider, $1,195; law firm assistant, $375; legal marketing attendee, $595.
  • Feb. 11-12. Suits and Spooks DC. The National Press Club, 529 14th St. NW, Washington, D.C. Registration: $599; government and academia, $499.
  • Feb. 16. Architecting the Holy Grail of Network Security. 1 p.m. ET. Webinar sponsored by Spikes Security. Free with registration.
  • Feb. 17. Stopping Breaches at the Perimeter: Strategies for Secure Access Control. 1 p.m. ET. Webinar sponsored by 451 Research and SecureAuth. Free with registration.
  • Feb. 18. Will the Real Advanced Threat Stand Up? Attack Campaigns in 2016 and Beyond. 1 p.m. ET. Webinar sponsored by Arbor Networks. Free with registration.
  • Feb. 20. B-Sides Seattle. The Commons Mixer Building, 15255 NE 40th St., Redmond, Washington. Tickets: participant, $15 plus $1.37 fee; super awesome donor participant, $100 plus $3.49 fee.
  • Feb. 28-29. B-Sides San Francisco. DNA Lounge, 375 11th St., San Francisco. Registration: $25.
  • Feb. 29-March 4. RSA USA 2016. The Moscone Center, 747 Howard St., San Francisco. Registration: full conference pass before Jan. 30, $1,895; before Feb. 27, $2,295; after Feb. 26, $2,595.
  • Feb. 29-March 4. HIMSS16. Sands Expo and Convention Center, Las Vegas. Registration: before Feb. 3, $865; after Feb. 2, $1,165.
  • March 10-11. B-Sides SLC. Salt Palace Convention Center, 90 South West Temple, Salt Lake City. Registration: $65.
  • March 12-13. B-Sides Orlando. University of Central Florida, Main Campus, Orlando, Florida. Registration: $20; students, free.
  • March 14-15. Gartner Identity and Access Management Summit. London. Registration: 2,550 euros plus VAT; public sector, $1,950 plus VAT.
  • March 17-18. PHI Protection Network Conference. Sonesta Philadelphia, 1800 Market St., Philadelphia. Registration: $199.
  • March 29-30. SecureWorld Boston. Hynes Convention Center, Exhibit Hall D. Registration: conference pass, $325; SecureWorld Plus, $725; exhibits and open sessions, $30.
  • March 31-April 1. B-Sides Austin. Wingate Round Rock, 1209 N. IH 35 North (Exit 253 at Hwy 79), Round Rock, Texas. Free.
  • April 20-21. SecureWorld Philadelphia. Sheraton Valley Forge Hotel, 480 N. Guelph Rd., King of Prussia, Pennsylvania. Registration: conference pass, $325; SecureWorld Plus, $725; exhibits and open sessions, $30.
  • June 13-16. Gartner Security & Risk Management Summit. Gaylord National Resort & Convention Center, 201 Waterfront St., National Harbor, Maryland. Registration: before April 16, $2,950; after April 15, $3,150; public sector, $2,595.

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.
