Tech Law

SPOTLIGHT ON SECURITY

EU Court Decision Threatens US Cloud Dominance

Edward Snowden’s legacy gained another chapter last week when the European Court of Justice rejected an agreement between the United States and European Union that created a Safe Harbor for U.S. companies handling personal data of overseas citizens.

In essence, the agreement provided that a U.S. company’s word that it had adequate safeguards in place to protect the data of Europeans was all that was needed to permit overseas data transfers to American service providers.

The agreement was a convenient way for the European Union to accommodate the discrepancy between its strong privacy protections and the much weaker ones in the United States.

In light of Snowden’s revelations about massive, indiscriminate collection of people’s data and snooping on cloud service providers by U.S. intelligence agencies, the Safe Harbor protections were no longer good enough, the European court ruled.

The Safe Harbor framework that was designed to protect the data of European citizens could be ignored by government authorities in the United States, the court said. Moreover, neither individuals nor privacy authorities in Europe had any recourse to challenge actions by U.S. government agencies.

“For all those reasons, the Court declares the Safe Harbor Decision invalid,” it said in a ruling with far-reaching consequences for the U.S. high tech industry.

No Grace Period

“Companies that were able to use Safe Harbor as a framework for data protection and meet EU directives no longer have that option,” noted HyTrust Senior Vice President Fred Kost.

“The ECJ decision is effective today with no grace period, leaving companies exposed to potential legal risk,” he continued.

“If companies want to completely comply, it likely means that they must examine what data they have from nations in the EU and begin moving the data to infrastructure housed in those nations or demonstrate that it is inaccessible if stored on infrastructure outside those nations via encryption or access controls,” Kost explained. ” The risk to companies lies in how quickly enforcement or legal action is taken.”

The decision “could be a disaster for Internet users everywhere,” observed Berin Szoka, president of TechFreedom.

“The decision allows European regulators to start building a Great Privacy Wall around Europe to stop data from flowing to the U.S. — not because Facebook or any U.S. company did anything wrong, but because U.S. national security and law enforcement agencies can too easily access private data,” he added.

White House Action Needed

The Obama administration must act immediately to forge a new Safe Harbor agreement if the Internet is to continue as an open, global medium, Szoka argued.

“A Safe Harbor 2.0 will require greater transparency about data collection and rigorous compliance — not just by U.S. companies, but by U.S. government agencies, which were not bound by the 2000 Safe Harbor agreement,” he pointed out. “If Congress had moved faster to pass privacy reforms after the Snowden leaks, this decision might have been avoided.”

European citizens and policymakers ought to be concerned about data privacy protection in the United States, but the European court’s decision is not the way to address those concerns, maintained Daniel Castro, vice president of the Information Technology and Innovation Foundation.

“It will disrupt not just the thousands of U.S. and European companies that currently depend on the Safe Harbor to do business across the Atlantic, but also the broader digital economy,” he predicted.

Commerce Disrupted

“Aside from taking an ax to the undersea fiber optic cables connecting Europe to the United States, it is hard to imagine a more disruptive action to transatlantic digital commerce,” added Castro.

As the importance of cloud computing grew, it was expected that United States would have overwhelming dominance of the global market. That changed after Snowden’s revelations.

“You can blame Snowden, but it would be better to blame the people who made it so,” said Yorgen Edholm, CEO of Accellion.

“The U.S. is used to taking care of its own problems first and ignoring the problems of others. This is the first time I’ve seen that cause a fundamental hiccup,” he told TechNewsWorld.

“In a way, this Safe Harbor decision may be a good thing,” Edholm added. “When serious business is at stake, the U.S. moves much more quickly than when it’s a question of principle.”

LinkedIn Sockpuppets

Social media’s dark side emerged again last week. A group of Iranian hackers used LinkedIn to collect potential targets for nefarious activities, according to a report from Dell SecureWorks’ Counter Threat Unit.

The gang known as “Threat Group 2889” created phony profiles on LinkedIn and used them to network with targets in the Middle East.

“The level of detail in the profiles suggests that the threat actors invested substantial time and effort into creating and maintaining these personas,” the report says.

The hackers created two types of profiles, the report explains. They used “Leader” profiles to network with potential targets. They created “Support” profiles to network with the Leaders, giving them additional legitimacy.

“Profiles for Leader personas include full educational history, current and previous job descriptions and, sometimes, vocational qualifications and LinkedIn group memberships,” the Counter Threat Unit reported. “Of the eight Leader personas identified by CTU researchers, six have more than 500 connections.”

After the CTU notified LinkedIn of the bogus profiles, LinkedIn removed them from the service. However, the CTU acknowledged that there probably were more sockpuppets on the service that remained unidentified.

Attack Platform

The Threat Group 2889 hackers “are trying to establish a trust relationship that they can use as a platform to launch spearphishing attacks or entice a victim to open an application that will deliver malware,” explained Tom Finney, security researcher with Dell SecureWorks.

The hackers aren’t interested in linking up with just any old LinkedIn member, he said. The sockpuppet profiles are designed to attract contacts in the mobile telephone industry and government.

“They may want to intercept calls or call data,” Finney suggested.

LinkedIn warns its members about connecting with strangers on its network, but those warnings aren’t always heeded.

“I guess it’s just human nature,” Finney said. “There’s a competition to see who can have the biggest network and most connections. Human beings are vulnerable to that kind of desire.”

Although there’s been no indication of other hacker groups using LinkedIn for espionage, Finney would not rule out the possibility.

“It’s the perfect platform to identify targets and chat with them,” he said. “It’s a shortcut to understanding who you should target, and it gives you the means to target them. It’s a modern take on a spy’s tactic of going to conferences and embassy balls.”

LoopPay Breach

Samsung finally entered the mobile payments fray earlier this month with its Samsung Pay offering, but it didn’t take long for the service to be involved in a security kerfuffle.

Computer intruders had penetrated a company that contributes a key technology to Samsung Pay, and camped on the outfit’s systems for months before being discovered, The New York Times reported.

The company, LoopPay, makes a technology that allows Samsung Pay to work both with new and old payment systems, which gives it an advantage over competitors that work only with newer systems equipped to support NFC wireless technology.

Samsung immediately denied that the breach jeopardized its mobile payment product in any way, and its position appears unassailable.

“The hack attack at LoopPay’s corporate network has no bearing on the integrity of Samsung Pay, and any claims to the contrary are a confused mixing of apples and oranges,” said Lance Eliot, global vice president of information technology at Interactions.

“The hackers were likely seeking to steal intellectual property, but seemingly were not successful. Meanwhile, there has been no break-in of the actual payment capability itself,” he told TechNewsWorld. “Consumers can sleep well at night and not be worried about using Samsung Pay.”

Breach Diary

  • Oct. 6. Cisco disrupts ransomware ring using hosting provider in Dallas to control about half the computers in the world infected with the popular Angler Exploit Kit.
  • Oct. 7. HP Enterprise Security and the Ponemon Institute release annual Cost of Cyber Crime report. Average cost of cybercrime to U.S. organizations is US$15 million, the report notes, a 20 percent year-over-year increase.
  • Oct. 7. Andrew Duqum files lawsuit in U.S. District Court in Missouri against Scottrade over data breach that placed personal information of 4.6 million customers at risk.
  • Oct. 8. Investigators probing 2014 data breach at Uber Technologies have found indications connecting CTO Chris Lambert of rival ride-provider Lyft to the attack, The Wall Street Journal reports.
  • Oct. 8. White House announces it will not seek legislation to require companies to weaken their use of encryption to enable law enforcement to examine data of suspected criminals and terrorists.
  • Oct. 8. U.S. Public Interest Research Group, Consumer Federation of America, the Electronic Privacy Information Center, and the Privacy Rights Clearinghouse send letter to Federal Trade Commission and Consumer Financial Protection Bureau requesting they investigate Experian data breach that compromised personal information of 15 million T-Mobile customers.
  • Oct. 9. Dow Jones & Co. sends letter to some 3,500 customers informing them that intruders gained access to the company’s computer systems to steal contact information in order to create fraudulent solicitations.
  • Oct. 9. WikiLeaks publishes what it claims is the final version of Trans-Pacific Partnership. Opponents of the measure say it is a threat to global freedom of expression.
  • Oct. 9. Gov. Jerry Brown signs into law the California Electronic Communications Privacy Act, which bars any law enforcement agency from obtaining a person’s data without obtaining a warrant from a judge.

Upcoming Security Events

  • Oct. 17-18. B-Sides So Paulo. Pontifcia Universidade Catlica de So Paulo, So Paulo, Brazil. Free.
  • Oct. 19-21. CSX Cybersecurity Nexus Conference. Marriott Wardman Park, 2660 Woodley Rd. NW, Washington, D.C. Registration: before Oct. 14 — member, $1,595; nonmember, $1,795. After Oct. 14 — member, $1,795; nonmember, $1,995.
  • Oct. 21. Building a Next Generation Security Operations Center. 2 p.m. ET. Webinar sponsored by Sqrrl. Free with registration.
  • Oct. 27. The Right Security for the Internet of Things. 2 p.m. ET. Webinar sponsored by TechOnline. Free with registration.
  • Oct. 28. The Cyber-Centric Enterprise. 8:15 a.m. ET. Virtual conference. Free with registration.
  • Oct. 28-29. SecureWorld Dallas. Plano Centre, 2000 East Spring Creek Parkway, Plano, Texas. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.
  • Oct. 28-29. Securing New Ground. Conference sponsored by Security Industry Association. Millennium Broadway Hotel, New York City. Registration: after Sept. 7 — member, $1,095; nonmember, $1,495; CISO, CSO, CIO, $300.
  • Nov. 4. Bay Area SecureWorld. San Jose Marriott, 301 South Market St., San Jose, California. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.
  • Nov. 7. B-Sides Dallas/Fort Worth. UT Dallas, Science Learning Center building. Free.
  • Nov. 10. FedCyber 2015 Annual Summit. Tyson’s Corner Marriott, 8028 Leesburg Pike, Tyson’s Corner, Virginia. Registration: $395; academic, $145; government and military, free.
  • Nov. 11-12. Seattle SecureWorld. Meydenbauer Center, 11100 NE 6th St., Bellevue, Washington. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.
  • Nov. 13-14. B-Sides Delaware. Wilmington University, New Castle Campus, 320 North Dupont Highway, New Castle, Delaware. Free with registration.
  • Nov. 24-25. Cyber Impact Gateway Conference. ILEC Conference Centre and Ibis London Earls Court, London, UK. Registration: Before Oct. 9 — end users, Pounds 1,799 plus VAT; solution providers, Pounds 2,799 plus VAT. Before Oct. 30 — end users, Pounds 1,899 plus VAT; solution providers, Pounds 2,899 plus VAT. Standard — end users, Pounds 1,999 plus VAT; solution providers, Pounds 2,999 plus VAT.
  • Dec. 12. Threats and Defenses on the Internet. Noon ET. Northeastern University, Burlington Campus, 145 South Bedford St., Burlington, Massachusetts. Registration: $6.

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by John P. Mello Jr.
More in Tech Law

What's your outlook for the business climate in 2025?
Loading ... Loading ...

Technewsworld Channels