Encrypting Laptop Files: Legal effects

Interesting Defcon 17 talk (an attorney gave this talk in the video):

This Defcon presentation is all about your constitutional rights regarding your computers.

Also see the following webpage at Cnet.com:

Encrypting the data because you suspect someone wants to read your laptop's contents may not be enough to stop the government whose border you are crossing from reading or copying the files, especially if it is something they really want to see.

Here is also a Slate.com article on this subject; the relevant paragraph:

“These questions illustrate the contemporary challenges of determining the scope of the Fifth Amendment. It was ratified in 1791 and now is being applied, with the aid of a 1970s-era legal precedent, to 21st-century digital encryption. In the pre-digital age, there was a distinct boundary between the information that resided only in our minds and the information that we committed to paper. The former was afforded strong constitutional protection; the latter, much less so. But modern encryption blurs that boundary by enabling the storage of essentially infinite amounts of information that can be unlocked only by passwords stored in our minds. (If only all criminals hid Post-Its with their passwords under their keyboards.) Put another way, encryption creates the possibility that our digital data and devices will be viewed, in the legal sense, as extensions of ourselves.”


The problem is what law enforcement can force you to divulge when some of your files are encrypted. For one thing, some officers will assume you have something to hide, which may mean losing your equipment for some time. It all depends on the situation.

Digital Security in Risk Assessment

As time goes on, your risk assessment needs to be re-evaluated, especially as computer resources change.

If we had a crystal ball what would the future bring?


It is lucky there are smart people thinking about this very issue. The following YouTube video is a discussion with Dr. Michio Kaku at St. Petersburg College. Booz & Company’s Chief Marketing and Knowledge Officer Tom Stewart moderated the Big Think panel with Dr. Michio Kaku, Michael Shrage (MIT Sloan School of Management), Isabelle Aguilera (former CEO of Google Spain operations) and Peter Diamandis (X-Prize founder). Big Think Panel link:

https://www.youtube.com/watch?v=ceEog1XS5OI

Are We Ready For the Coming ‘Age of Abundance?’ – Dr. Michio Kaku (Full)


Commodity capital is transforming into intellectual capital.

Small groups have more power, and it is the “Age of Abundance” because there will be distributed health care and education, with the cost of solar energy dropping at 30% per year.

What does the world look like when we have abundant energy? It is hard to think that way when the cost of electricity falls 30% year after year. Moore’s law made a dramatic change to the computer companies and the rest of the world, but that was not obvious in the sixties, when computers were huge; it took 20 years before the first personal computers cost $3,000 – $5,000.

So the digital divide is not the problem, as everyone will have a computer (in the form of a smartphone). And the next X-Prize will be a tricorder for health, so your smartphone will become your doctor.


Some of the euphoria about future technologies and their potential was brought back to earth by so-called “speed bumps”.

Besides the regulations being written for new technologies, the other speed bump will be the new criminals of our digital age.


While we are building the new world there will be people who will try to simply steal what you make. Unfortunately we also have globalization to deal with: as a billion more people come onto the Internet there will be “speed bumps”. Remember that when you are on the Internet you are connected to all the criminals; it is as if they are all living next door to you. The speed of light is very fast.


Privacy will be an issue: instead of Big Brother and Orwell’s 1984, it will be little brother that we need to worry about, the person next door who may snoop on us, the local city, or other ways that have yet to be devised.


Interesting to me on a personal note: no one discussed space technologies.


Since we are focused on Internet security, it was interesting to hear the panelists discuss the cyber security angle from a crime point of view only. Notice from previous posts that viruses and malware are now also being devised by other nation states and their criminals (which the nation state may be turning a blind eye to).


As more people come online, and as Cisco’s Internet of Things report says 25 billion devices will be online in 2015, what is your risk assessment now?

There will be more viruses, more spam, and more criminals coming online.

We have to be ready for the coming wave.


What is the risk level regarding IT security concerns?

How does IT Security rank with respect to other company risks?

There are always risks in life for individuals, and so there are risks for companies as well.

In IT, risk revolves around data protection (denial of service as well as network or equipment failures), continuity of service, preventing IT security breaches, PC life cycle management, training users, and preventing misuse of equipment by employees.

Protecting data wins the survey…

The Kaspersky 2014 IT survey gave protection of highly sensitive data the highest marks for risk level (their words: “Top concerns of the IT function”).

The response to the survey:

1. Protecting highly sensitive data: 34%
2. Preventing IT security breaches: 29%
3. Data protection: 28%
4. Continuity of services (due to denial of service, i.e. DoS prevention): 23%
5. PC life cycle management: 16%
6. Training users: 14%
7. Preventing misuse of equipment by employees: 12%

I left out some of the more nebulous items to do with improving the IT department and managing IT infrastructure. One could argue that the life cycle management, training users, and misuse of equipment could be removed as well.


So the key items are sensitive data protection, data protection (backups etc.), and security breaches (especially if we add DoS).


Data protection is not just backups; it is protecting the data from the hackers of the Internet, which includes malware and viruses. Most viruses come in through email; they may not succeed, but email is still the main entry point. Internet users should be trained on how to use email to reduce this high-level threat.

Internet users also need to be made aware of the tricks used on hacked websites.

Tabnabbing is one method that preys on user naivete. The watering hole attack is a form of attack where the attacker infects a website that the intended targets visit.

For example, if the target is a telecom company, it might be easier to compromise a website that serves the telecom industry than the telecom company’s own website.


The watering hole attack is difficult to prevent, as the defense now has to be at the lower network levels, such as the firewall ingress points. One could also block it at the web proxy level, which reduces web risks.

Having a very good firewall/IPS system, which these days is called a NGFW or next generation firewall, would reduce risk levels.
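To show what "preventing it at the web proxy level" looks like in practice, here is an added example (not code from this blog) that scans constructed Squid-style proxy log lines for clients that visited a compromised industry site and then fetched a file from the host its injected script points to; the hostnames, the log lines and the indicator lists are all made up for the example, and a real deployment would take the indicators from a threat feed. The last function also makes the point from the Target story below: a hit is only useful if someone is assigned to act on it.

```python
import re
from collections import namedtuple

# Constructed sample web-proxy log lines in a Squid access.log-like layout
# (timestamp, duration, client, status, bytes, method, URL, ...). Not real traffic.
PROXY_LOG = """\
1418044800.101 120 10.0.5.21 TCP_MISS/200 5120 GET http://telecom-standards-portal.example/news.html - HIER_DIRECT/203.0.113.10 text/html
1418044801.233 95 10.0.5.22 TCP_MISS/200 812 GET http://telecom-standards-portal.example/js/analytics.js - HIER_DIRECT/203.0.113.10 application/javascript
1418044802.004 40 10.0.5.23 TCP_HIT/200 2048 GET http://intranet.example/home - HIER_NONE/- text/html
1418044803.777 300 10.0.5.21 TCP_MISS/200 66000 GET http://cdn-update-check.example/flash_update.exe - HIER_DIRECT/198.51.100.7 application/octet-stream
"""

# Constructed indicators (hypothetical names): the compromised industry site that the
# targets visit (the "watering hole") and the host its injected script sends them to.
WATERING_HOLE_HOSTS = {"telecom-standards-portal.example"}
PAYLOAD_HOSTS = {"cdn-update-check.example"}

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)
Alert = namedtuple("Alert", "client host reason url")


def host_of(url):
    """Return the lower-cased hostname of an http(s) URL, with any port stripped."""
    m = re.match(r"https?://([^/:]+)", url)
    return m.group(1).lower() if m else ""


def scan_proxy_log(text):
    """Emit one Alert per log line whose destination is a watering-hole or payload host."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than crash the scan
        host = host_of(m.group("url"))
        if host in WATERING_HOLE_HOSTS:
            alerts.append(Alert(m.group("client"), host, "visited compromised industry site", m.group("url")))
        elif host in PAYLOAD_HOSTS:
            alerts.append(Alert(m.group("client"), host, "download from payload host", m.group("url")))
    return alerts


def clients_needing_triage(alerts):
    """Clients that both visited the watering hole and pulled a payload: these alerts must be
    handed to a named owner and worked to closure, not left unread in the console."""
    visited = {a.client for a in alerts if a.reason.startswith("visited")}
    downloaded = {a.client for a in alerts if a.reason.startswith("download")}
    return sorted(visited & downloaded)
```

A proxy that blocks `PAYLOAD_HOSTS` outright stops the second request; the scan above is what you run over the logs to find who already got there.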


Risk level always depends on the level of understanding in the IT department. If the IT department has a very good understanding of IT security, it will be running various tests continually; testing for DoS and attacking the site with multiple tools are also a must. The problem for an IT department is the effectiveness of its own simulated attacks: someone has to be capable of attacking your network in an independent manner, and even for PCI compliance reasons one must have an independent party doing the pentesting.


The PCI penetration testing guidance (PCI standards v1.13) says the following:

“Who performs penetration testing?
The PCI DSS does not require that a QSA or ASV perform the penetration test—it may be performed by either a qualified internal resource or a qualified third party. If internal resources are being used to perform penetration tests, those resources must be experienced penetration testers. The individuals performing penetration testing should be organizationally separate from the management of the environment being tested. For example, the firewall administrator should not perform the firewall-penetration testing.”

The PCI security standards created this requirement to reduce risk: to truly reduce your risk level, one must have an external, independent third party perform the pentest. It is good to get a second opinion when it comes to security on your network. Besides, sometimes the most dangerous attacks come from within, and most of the time that is not for malicious reasons but from negligence or incorrect usage.

It is very difficult for your IT people to be on the same security skill level as a person who breathes, thinks and does security every day, every hour.

Contact us to perform a pentest of your network.

Here are all of our scans available: A, ΣΩ, and Ψ

My IT is outsourced – I don’t worry about security

Recently I had a discussion with an executive, and he said he outsourced his IT functions, so I don’t have to worry about it anymore. Is that right? So I searched for a theoretical talk…

—————————————————————————————————————————-

Black Hat 2014 had several talks about cyberspace security; Jason Healey discussed how to save cyberspace.

SEP = Someone Else’s Problem.

Jason discusses general cyber security theory and its complexity, including how a “Lehman moment” can make a 100-year-old company fail. In the digital age a similar example would be a normally dependable cloud company failing a few years from now; what happens then?

Unfortunately the bad guys are winning: they can access any system or network that they want, and have been able to for 35 years (since 1979).

Of course, on the flip side, general security has been getting better.

But the criminals have been winning and seem to be getting better; there does not seem to be a way for us to stop them.

In fact the problem is that there are more attack tools, which criminals use and create, than we have the ability to defend against.

Will the White House chip-and-PIN initiative help with this? Or will the bad guys just figure out how to get around chip and PIN?

The screenshot vignettes are from the Black Hat YouTube video below.

In my opinion the only way for us to “beat” the attackers is to have a constant defense mentality, and we can only do that with a methodology of testing and reviewing.


Review your security policy to help your employees deal with the day that something happens. There should not be any question; give the employee someplace to look up the answer. Do not let them “figure it out”, because if the employee has to do it on their own the answer is not always the right one.

Testing your network and servers is paramount: if there is no test, no one is held accountable.

How do you know if your outsourced IT department is doing the job?

Will they act like the Target IT department? The information was there in the mountains of data: there was an alarm for the criminal malware, and if the IT department had been able to check and act on the alarm it would have fixed the problem. Then 40 million credit card numbers would not have been stolen and the Target hack would not be in our lexicon.

My contention is we are missing a simple piece to get ahead of the criminals so we can have D be greater than O. Test, test, test. Check your people, the outsourcers, because who is accountable?

Contact me to discuss your testing needs:  Tony Zafiropoulos  314-504-3974 tonyz”@”fixvirus.com