Sunday, September 26, 2010

I’m going to be where?

It looks like I have a busy fall, I will be attending all kinds of events around the US and Canada.  Meet me for a beer (or bourbon) and let’s chat if you will be at any of them.  Or, go to the events because they are great events- and know I’ll be there and you can hide from me.  Whatever works for you.

I will be at both InterOP and SC World Congress in New York with other folks from Astaro.  Yes, I’ll be on Booth Babe duty.  No, they promised I will not have to wear fishnets and pumps this time.  (Just try to get that image out of your head).

I will be at three of this fall’s Security BSides events.  I just missed the one in Kansas City, sounds like it was another good one.  I will be at those in:

Unfortunately, due to a scheduling conflict I will not be at BSides Delaware, but it looks like it will be yet another winner- and it is conveniently located for a lot of people in the industry.

I am helping with the HacKid Boston event coming up in just a few weeks.  This will be a fun and educational event for the kids and parents, I am really looking forward to helping make it happen (and I don’t even like kids).

And, of course, there is SecTor and the SecTorBus road trip.  There is still a seat or two open, let me know if you would like to join us for that adventure.

A couple of days before BSides DFW the Houston NAISG chapter is holding HouSecCon,

But other than that, and a few local speaking engagements, I don’t have much going on.  Except I *might* be working on a Security BSides Berlin as well as the second ones in Austin and Boston.  Oh, and ShmooBus III.  But other than that, not much.



Wednesday, September 22, 2010

I know what the law says. Or do I?

I recently attended an event where Scott Schafer, Chief of the Consumer Protection Division of the Massachusetts Attorney General’s office, reiterated the AG’s take on some aspects of MGL 93H, the Massachusetts data breach reporting law.  Specifically, Assistant AG Schafer put forward a very strict interpretation of the definition of breach in 93H, which governs when you must report a breach.  The AG’s office has an interpretation of when you must report a breach that is substantially different from that of most people I have spoken with on the topic.


[Insert giant disclaimer here: I am not a lawyer, I am not your lawyer, this is not advice, legal or otherwise, except to advise you to contact your lawyer, etc.]

The issue revolves around breach notification when encrypted Personal Information (PI) is lost.  Here is 93H’s definition of breach:

““Breach of security”, the unauthorized acquisition or unauthorized use of unencrypted data or, encrypted electronic data and the confidential process or key that is capable of compromising the security, confidentiality, or integrity of personal information, maintained by a person or agency that creates a substantial risk of identity theft or fraud against a resident of the commonwealth. A good faith but unauthorized acquisition of personal information by a person or agency, or employee or agent thereof, for the lawful purposes of such person or agency, is not a breach of security unless the personal information is used in an unauthorized manner or subject to further unauthorized disclosure.”

The key bit for me being:

“unauthorized acquisition or unauthorized use of unencrypted data or, encrypted electronic data and the confidential process or key…”

My reading of that (and that of most people I have spoken with) is reflected in the following, with my emphasis added to the text by way of bracketing:

“unauthorized acquisition or unauthorized use of [unencrypted data] or, [encrypted electronic data and the confidential process or key…]”

That is, losing unencrypted PI is a breach; as is losing both encrypted PI and the key to decrypt it.  I had interpreted losing encrypted data without losing the key as not meeting this definition of a breach, and thus not requiring notification.

An excerpt of 93H from Assistant AG Schafer’s slide deck shows the emphasis he placed on the phrase (underlining is as it was shown on his slide deck):

“Unauthorized acquisition or use of unencrypted data or, encrypted electronic data and the confidential process of key that is capable of compromising…”

The exclusion of the “and the confidential process or key” clause from the underlining is telling.

The AG’s office states that any loss of personal information is a breach and must be reported, whether encrypted or not.  The explanation is that we cannot be sure that the key has not been lost or otherwise compromised.  Two examples were given to support this position:

  1. A laptop containing PI was lost.  Although encrypted, the encryption key was taped to the laptop.
  2. An encrypted laptop containing PI was reported stolen by an employee, but the employee was actually using the laptop and using the PI for fraud.

In each case, the organization responsible for the protection of the data has a problem.  In the first case, it was unclear if the organization knew the key was on the laptop, or if there had been any user education, or even if there were policies prohibiting affixing the key to the encrypted device.  In the second case, a crime was committed, and the organization was one of the victims of the crime- but is that relevant to disclosure under 93H?

I want to make it clear that I am all in favor of strong consumer protection laws, and was one of the few people who consistently spoke out against weakening 201 CMR 17.00 at hearings as the OCABR debated the various changes to that regulation.  I am, however, opposed to vague or misleading language.

Do not look down here for answers- I think this will take some prosecutions and subsequent court decisions to set precedents and give us the guidance we need.

By the way, this discussion only applies to the idea of encryption providing “safe harbor” in the case of breach reporting.  Encryption is required for all portable devices containing PI; 201 CMR 17.00 is very clear on this (although “where technically feasible” provides wiggle room).



Monday, September 13, 2010

SecTorBus will roll, will you?

There will be another road trip this fall, to the excellent SecTor Security Education Conference in Toronto.  The conference portion of SecTor runs on Tuesday and Wednesday, October 26 and 27.  (There are also classes in the education portion.)

Take one: [image], add a handful of hackers, then drive to [image], and look out world.

The tentative schedule calls for the RV to make the run from Northern Virginia to the Boston Area on Sunday, October 24, Boston to Toronto on Monday.  Return trip to Boston will be Wednesday night, Boston to NoVa will be later on Thursday after a bit of rest.

Big thanks to Astaro- they have come through again to sponsor the trip, so it will be free to join us on the ride.  You will need to cover your own conference, food and lodging expenses, but if you haven’t already registered for SecTor let me know, there should be a discount code soon for SecTorBus riders.  Due to local regulations, we cannot sleep in the RV in Toronto, so you will need a room (or a friend with a room).

Keep in mind that Toronto is in Canada, which is like a whole other country.  There will be border crossings, which means you will need a passport if you wish to make a round trip.

Once again we will be renting an RV, we should have plenty of power for laptops, and where there is coverage on the US side we will have a rolling 3G hotspot compliments of Astaro.

If you would like to join us, drop a note to jdaniel |at| for more info.