In the UK, the government has rolled out the Test and Trace system. According to the website (https://www.gov.uk/government/publications/coronavirus-covid-19-testing-privacy-information/testing-for-coronavirus-privacy-information-quick-read–2) you will be sent a text or email alert with your test result.  The results will indicate whether you have Covid-19 and therefore you and your household can take appropriate action.

If you have Covid-19 you will be invited and can voluntarily take antibody tests and donate blood plasma.  But fundamentally you will be expected to self-isolate.

So far nothing unusual.

Personal Data

It later mentions who is the data controller (Department of Health and Social Care – DHSC) and mentions the type of details they may need include personal data such as name, date of birth, gender and more. This includes special GDPR type data such as ethnicity too.

The laboratory will analyse your test and your test result will be shared with NPEx, but do not worry, NPEx only have your specimen ID. NPEx will then pass you result to NHS Business Services Authority to inform you of your result.

What they will also do is regularly contact you by phone and text to monitor that you are self-isolating.  You have three chances to respond.  If you do not, your local authority is informed to investigate. There are some reasonable excuses not to self-isolate.

However, if they feel your excuse is not reasonable and it suggests you are not complying, then your details are then passed to local police forces.

The fine for a criminal offence is £1,000. Repeated offence up to £10,000.

Ready To Sign Up?

So, what impact will this have?  For some, this sharing of personal data with police may deter some people from being tested.  For some, there a numerous fears that could be put into someone’s mind. How do I get the kids to school?  How do I do my food shopping as there are no deliveries? How will the business cope without me?  How do I get income to cover my expenses this month?

Modern Technology?

The UK test and trace system was rolled out earlier in this year and had a shaky start.  There were reports of test and trace agents sitting around not making calls – I know this is true and I personally know this, as I have seen the training on Zoom and staff with my own eyes. I even helped an individual by buying their headphones and extension network cables (as the service provider did not provide this for work), before a whole of myriad of people were then fired within the first couple of weeks of the Test and Trace system officially “in use”.

Let us not forget the Excel spreadsheet that resulted in 16,000 coronavirus cases being unreported (https://www.bbc.co.uk/news/technology-54423988).

Is using CSV file format really the best way to analyse such results and interchange data in this modern age?  I dread to think how they are exchanging our personal data with the Police!

Hope they do better and remember…

Security is not a compromise.

A colleague sent me a Facebook link, so I thought to share.

A car dealer James Glen Car Sales in Airdrie had a customer who wanted to buy a new car – a £40,000 Porsche.  That customer was based in London. Perhaps that may sound unusual being so far away, but I know a few other people who have purchased cars far away from them.  So, for some of you, this may not sound unusual.

But here’s the thing, the customer said they worked for BB Ltd, but the customer did not want to see the car and only wanted to know what the tyres were like and this is where something does not seem right.

OK, so what happened next?  Well, the dealer received the £40,000 from BBL Ltd to pay for the car.

Did you spot the flaw? 

If not, then just try for a few more seconds before reading on. 

The dealer feeling cautious phoned their bank to check the funds.  The funds were legitimate and could not be withdrawn.

Funds were legitimate, what was the flaw?

The money was transferred from BBL Ltd (not BB Ltd). 

What happened was that the customer asked for an invoice (so had bank details), went online for the dealers date of birth and business address and applied for a bounce back loan in the dealer’s name, for the exact amount of £40,000 to make it look like it was for the car.

The money does belong to the dealership, but actually because the car dealership actually borrowed a loan! The dealer now owns £40,000 to the bank. If the car was sold, the dealer would have lost the car, making it a total of £80,000.

What is a bounce back loan?

Any small business can claim up to £50,000 and (here is where the flaw was exploited) it can be done quickly and easily. Fill out the form with your details and the money can be sent to your account quickly.

What happened to the customer?

The customer was going to send proof the customer actually sent the money, but they never did.

The original car video here on Facebook:  https://www.facebook.com/watch/live/?v=768150723925568&ref=watch_permalink

Lessons learned

The reason for my post is sometimes in our security world there are little things businesses can check to see if things are false. This especially applies to fake emails wanting you to click on those malicious links.  Things to watch out for include:

• Small things such as spelling mistakes.
• The domain name does not look right.
• Unusual behaviour.

If you have not read so far, I’d encourage you to read my article to help you help prevent malware infections:   https://michaelhopewell.co.uk/covid-19-and-malware-infections/

Hope that helps and remember…

“Doing security is not a compromise.”

Until next time.

#cyberattack, #cybersecurity, #dataprotection, #datasecurity, #datasecuritybreach, #gdpr, #gdprcompliance, #informationsecurity, #infosec, #pcidss, #personaldata, #security, #Covid19, #bouncebackloan

All over the world, there are methods and programmes in place to track and trace people with particular virus. In this case, Coronavirus (Covid-19).  The UK is still learning valuable lessons and was in the process of developing a mobile application for test and trace.

Reports from websites (such as https://www.bbc.co.uk/news/technology-53466471) indicate that the Department of Health has admitted to the Open Rights Group (ORG) that it failed to conduct a Data Protection Impact Assessment (DPIA). 

Let us refer to the ICO’s website statement:

“You must do a DPIA before you begin any type of processing that is “likely to result in a high risk”.

Strictly speaking, doing a DPIA at the beginning of a project is not mandatory. However, surely a DPIA should have been performed prior to any processing?  The nature of such innovative technology is to collect name, date of birth, postcodes, who they live with, places they visited, names and contact details of other people who were in close proximity.  Therefore, how can you design a system without a DPIA?   As a software developer in a previous life, one of the things we learn is that it is better to get requirements in at the earliest opportunity because it costs more money down the software development lifecycle to fix problems.  One of the things I teach people is to get your functional AND SECURITY requirements in place. Using techniques such as threat modelling and embedding security considerations should be the normality nowadays (alas, I keep on dreaming).

You must do a DPIA before you begin any type of processing that is “likely to result in a high risk“

The government is arguing there is no evidence of data being used unlawfully.  ORG is stating that DPIA is a legal requirement that has not been produced.  Who should we believe?  If it is shown no DPIA was done by the time it was rolled out, all I can think about is rolling my eyes and question how can anyone design and focus on rushing a pilot app and then think “oh, maybe we should think about doing a DPIA”.

One thing I do find curious is that the ICO confirmed to the BBC it was providing guidance as a “critical friend”. What does that mean?   I do not know the extend of co-operation, but I would be surprised if ICO were working with the government instead of acting as an independent regulator.

I’m sure there is more to come in the consequence months and when the world has Covid-19 under control.  There will be lots of lessons learned. It’s just a shame that we could not learn from other countries in previous years who experienced previous forms of Coronavirus.

Sadly, often it is the case where I’m called into a business where they are now thinking about security, this “thing called GPDR” or “PCI DSS”.  I take a deep breath in, smile and away we go on their security or compliance journey.

And remember… Doing security is not a compromise.

During these dark times during Covid-19 we are hearing more stories of cyber attacks. The result of cyber attacks can vary, but as we know it affects one of the elements of the security trio (Confidentiality, Availability and Integrity). One such entity fell foul recently.

The University of California San Francisco (UCSF) was in a race to stop malware from spreading.  Why?  Because this malware seemed to encrypt data.

By encrypting data, this affected UCSF in the following ways:

• Accessing information they urgently need to help develop a cure for Covid-19.
• Risking sensitive personal information on the dark web.
• Stress and hassle to negotiate with attackers.

UCSF were in negotiations with the Netwalker criminal gang.  This is not an isolated case and all over the world negotiations are happening.   Like any criminals, it is advised not to negotiate because they can simply do it again and know it is a numbers game.  Someone will pay up at some point.

Fundamentally, UCSF is reported to have made billions, so the attackers upped their ransom to $3m.

The decryption software was provided and the data the attackers had were removed off the dark web.  One problem is that they will have a “promise” from the attackers the data would be deleted.

Come on… why would attackers do that?  Their incentive is to attack to gain monetise their exploits in the first place.

How can we protect ourselves?

Attackers need a way into your system. Often, this may be in the form of an email that if a staff members click on the links may inadvertently download malware on your systems and so then it begins….

Just remember that being a University, it is not just employees that we would need to worry about. It is the thousands of students that access the University computers and it is not surprising educational entities struggle with protecting their systems.

What is the most valuable commodity in the world?

UCSF finally paid, albeit a lower amount than what was asked at $1.14m in Bitcoin. But this is a lessons to us all.  Let us remind ourselves what is the most valuable commodity in the world? Gold? Oil? As you have guessed it, it is information.

Just imagine if your business, whether you a solo-entrepreneur, medium size business or large scale business, we all suffer one thing which is the weakest chain in security – people. You need make the users of your systems aware of the dangers of cyber criminals and ensure usage policies are sufficient.

And finally, backup, backup, backup! By regularly performing backups of your data, this will at least provide damage limitation.

And remember…. Security is Not A Compromise!

Stay safe.

#StayHomeSaveLives, #cybersecurity , #infosec, #informationsecurity, #security, #datasecurity, #datasecuritybreach#personaldata#gdprcompliance#dataprotection#pcidss#gdpr#cyberattack#dataprivacy

A business owned by Kent County Council was struck. Commercial Services Group (CSG) was compromised which meant that, unlike the name, some systems were out of commercial service.

From what is currently made public, £800,000 worth of Bitcoin ransom was requested, again showing another successful ransomware attack. However, no ransom was paid. Some of the information was then leaked to the Internet.

CSG confirmed no personal data was lost, which is good.  “Only” business and corporate information was compromised. However, the company is now firefighting to get its systems back online.

With an annual revenue of circa £350million and with 700 staff, this attack is a big hit as CSG offers commercial services to authorities, emergency services and schools, utilities, and more. It is not a good time during Covid-19.

It bears the hallmarks…

A statement made that the ransomware attack managed to avoid 3-levels of professional IT security. What does that even mean? A spokesperson mentioned that it “bears the hallmarks of starting with a phishing email that was used to introduce a virus that then compromised the network for further attack”. Well that’s kind of the idea if you want to get through the techie defences by hacking the human.

And KCS says it will “take learning from the incident” as it took over four weeks for the majority of systems affected to be put back online. That’s quite of a long time in terms of an incident response plan and if they were testing their plan at least annually.

KCS was informed from the ICO that no legal action would be taken against it. Case is closed.

What can we all learn from this?

#StayHomeSaveLives, #cybersecurity , #infosec, #informationsecurity, #security, #datasecurity, #datasecuritybreach#personaldata#gdprcompliance#dataprotection#pcidss#gdpr#cyberattack#dataprivacy

I’ve been reading some recent online posts and recent questions from some of my clients. Despite the information available people are not clear whether Point-To-Point Encryption (P2PE) is for them and apprehensive to roll out such P2PE solutions. On the other end, some merchants see it as a “silver bullet” and jumping as quickly as possible to implement a P2PE solution and in my opinion have not clearly understood what this means to them.

This is just a quick post to help you and your business understand what P2PE means for your business and hopefully aid you evaluate the P2PE option for your business. With any change we need to evaluate the benefit and drawbacks.

How does the PCI-validated P2PE solution benefit me as a merchant?

Remember that you are not mandated to use a P2PE solution. As a merchant, we need to remind ourselves that our objective is working towards and maintaining PCI DSS compliance. In the “As Is” situation, you are eligible for completing an SAQ or undertaking a formal assessment, you will have a set of questions/requirements to answer. Depending on your business you may have constraints (business reasons or technology reasons) where you cannot satisfy all the PCI DSS requirements directly.

More often, it is that it is simply not cost-effective to meet all those requirements directly and your business may not have the resources available to maintain PCI DSS compliance. So this is where P2PE helps, whereby by using a PCI-P2PE validated solution you have a level of assurance that the cardholder data is protected from end-to-end (that is protected from terminal all the way to the P2PE solution provider). As weakness lies in People, Process and Technology the main risk is to the endpoint (the terminal) and people – most importantly for a merchant this means that if a P2PE solution is implemented correctly, the network between the terminal and solution provider is taken “Out Of Scope”. Therefore, for P2PE SAQ and formal validation of merchant environments using P2PE, the set of questions is far less, less complicated and more maintainable. Weighing up the original capital expenditure (Capex) and business As Usual (BAU) operational expenditure (OPEX) costs for using a P2PE solution may be more cost-effective and pragmatic that meeting all the original PCI DSS requirements as applicable – using P2PE could be for you as a merchant.

The disadvantage of P2PE as a merchant?

First, I must say if a merchant chooses to use a P2PE solution, this DOES NOT mean they have outsourced their responsibility – they still have a set of responsibilities as per the SAQ P2PE or formal assessment as applicable (ask a QSA about this).  Merchants are obliged to follow the P2PE Implementation Manual (PIM). If implemented correctly and all applicable requirements (such as those within an SAQ P2PE are met), then it can be deemed the network out of scope accordingly.

Secondly, the PIM contains details about understanding how to manage terminals, such as keeping a frequent inventory that is often ignored. Merchants will need to have a process in place to track all the terminals in use, not in use, in transit etc. This may not be as simple as it seems and takes some thought and working with any third parties including logistics service providers or logistics staff.

Actions for merchants:

• Undertake a gap analysis for the current scope. Where possible, engage with a PCI QSA to ensure an accurate gap analysis.
• Review the solutions/controls to remediate the outstanding PCI DSS requirements.
• Explore P2PE solution providers and how much CAPEX and OPEX for P2PE terminals. Compare this to the cost to remediate and operate without P2PE.

How does providing a P2PE solution benefit me as a service provider?

Service providers have a tough time. In short, this means evaluating the P2PE domains. A question that needs to be posed is whether or not the additional rental uplift to charge per month for providing a P2PE-validated solution vs a non-validated solution to worthwhile – this question can only be answered by the service provider. What I can say is that service providers are underestimating the workload involved. Service providers must work closely with third parties for example any key injection facilities, CAs/RAs, application developers, decryption environment providers and ensure proper key management, monitoring and reporting mechanisms much more than the normal expectation. For service providers providing large terminals estates, the effort could be worthwhile.

Conclusions

4-5 years ago, I was a fan of what was back then deemed “End-To-End Encryption” (E2EE). Coupled with tokenisation, this can be a good way to reduce the scope for compliance, which can lead to:

• Less resources required as the network is not in scope.
• Less cost compared to maintaining all the original applicable PCI DSS requirements.
• More focus on people and security awareness training.

P2PE is similar to E2EE, but a validated solution to more rigorous requirements as per the P2PE standard.

I am still a fan and I would like to see more solutions on the market. However, due to the uplift in becoming a P2PE service provider we still see few providers (I personally know the effort as I have successfully gone through the journey and validated a P2PE entity listed on PCI SSC website). However, those service providers who do become listed will have a competitive advantage.

Did you find this post useful? Feel free to share and link to this article.