Massachusetts New Privacy Law (201 CMR 17.00): Are You Ready?

March 1, 2010 has come and gone. If you are a person who owns or licenses personal information about a resident of the Commonwealth of Massachusetts, the law has changed for you. Perhaps one of the strictest laws to date for the protection of personal information, it has set the bar, and other states will soon be following suit. Please note: This applies to anybody who has personal information of any resident of the Commonwealth of Massachusetts - not just Commonwealth businesses!

Essentially, this regulation establishes minimum standards to be met in connection with safeguarding personal information contained in both paper and electronic records. While similar in nature to other regulations including PCI and GLBA, this regulation goes much further. For starters, here’s the definition of “Personal Information”:

Personal information, a Massachusetts resident’s first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident:

(a) Social Security number;
(b) driver’s license number or state-issued identification card number; or
(c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account.

With that, the breakdown of the requirements includes:

(1) Develop, implement, and maintain a comprehensive written Information Security Program that contains administrative, technical, and physical safeguards.
(2) The Information Security Program shall include, but not be limited to:

(a) Designating one or more employees to maintain the program
(b) Identifying and foreseeing internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information, and evaluating and improving, where necessary, the effectiveness of the current safeguards for limiting such risks including:

1. ongoing employee training;
2. employee compliance with policies and procedures; and
3. means for detecting and preventing security system failures.

(c) Developing security policies for employees relating to the storage, access and transportation of records containing personal information outside of business premises.
(d) Imposing disciplinary measures for violations of the Information Security Program rules.
(e) Preventing terminated employees from accessing records containing personal information.
(f) Overseeing service providers, by:

1. Taking reasonable steps to select and retain 3rd party providers that are capable of maintaining appropriate security measures to protect PII (Personal Identity Information) consistent with these regulations and any applicable federal regulations; and
2. Requiring 3rd party service providers by contract to implement and maintain such security measures for personal information.

(g) Reasonable restrictions upon physical access to records containing PII, and storage of such records and data in locked facilities, storage areas, or containers.
(h) Regular monitoring to ensure that the comprehensive Information Security Program is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of PII; and upgrading safeguards as necessary to limit risks.
(i) Reviewing the scope of the security measures at least annually or whenever there is a material change in business practices that may implicate the security or integrity of records containing PII.
(j) Documenting responsive actions taken in connection with any incident involving a breach of security, and mandatory post-incident review of events and actions taken, if any, to make changes in business practices relating to protection of PII.

In addition, every person that owns or licenses personal information about a resident of the Commonwealth and electronically stores or transmits such information shall include in its written, comprehensive information security program the establishment and maintenance of a security system covering its computers, including any wireless system, that, at a minimum shall have the following elements:

(1) Secure user authentication protocols including:

(a) control of user IDs and other identifiers;
(b) a reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices;
(c) control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect;
(d) restricting access to active users and active user accounts only; and
(e) blocking access to user identification after multiple unsuccessful attempts to gain access or the limitation placed on access for the particular system;

(2) Secure access control measures that:

(a) restrict access to records and files containing PII to those who need such information to perform their job duties; and
(b) assign unique identifications plus passwords, which are not vendor supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls;

(3) Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly.
(4) Reasonable monitoring of systems, for unauthorized use of or access to personal information;
(5) Encryption of all personal information stored on laptops or other portable devices;
(6) For files containing personal information on a system that is connected to the Internet, there must be reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information.
(7) Reasonably up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis.
(8) Education and training of employees on the proper use of the computer security system and the importance of personal information security.

If you would like to read more information about these requirements, please visit http://www.mass.gov/consumer.

This is only the beginning of more state regulations and requirements to come. Other states that have privacy laws include:

  • Connecticut - Ct. H.B. 5658.
  • Massachusetts - 201 Mass. Code Regs. §§ 17.01 - 17.04.
  • Michigan - Mich. Comp. Laws § 445.84.
  • New Mexico - N.M. Stat. §§ 57-12B-2 - 57-12B-3.
  • New York - N.Y. Gen. Bus. Law § 3990dd(4).
  • Texas - Tex. Bus. & Com. Code § 35.581 (effective through March 31, 2009); Tex. Bus. & Com. Code § 501.051 - 501.053 (effective April 1, 2009).

3rd Party Applications Open Holes Too!

For years, we’ve heard the ire of security professionals worldwide over the vulnerabilities of the Microsoft Operating Systems.  Many touted Linux or even Macintosh as the answer.  Unfortunately, there is scant support for these operating systems in the way of desktop applications in particular.  This kept many businesses from making such a move. 

The answer from a security perspective was to keep the OS religiously patched, and run bloated up-to-date desktop anti-virus programs.  However, the one thing that is often overlooked in this approach is 3rd party applications.

I, for one, install at least the following applications without fail on every new desktop I build or rebuild:

  • Adobe Reader
  • Adobe Shockwave
  • Adobe Flash Player
  • Java Runtime Environment
  • Microsoft Media Player
  • Quicktime Player

I’m sure there are many other IT professionals that do the same.  Unfortunately, these often get overlooked when it comes to patching.  There is no simple “Automatic Updates Service” that can be enabled for many of these like there is in MS Windows. 

What many don’t realize is that new vulnerabilities are discovered in these applications just as frequently (if not more so) as in Windows.  In many cases, these vulnerabilities are far easier to exploit than the ones Windows updates address.  In addition, many are more dangerous in that they are usually targeted at specific businesses.  Imagine an exploit that a criminal could run by spamming a corporation with a PDF attachment.  This PDF attachment would then execute custom code that could install backdoor applications for a hacker to use.  Trade secrets or private information?  Not anymore….

Next, there are the inappropriately patched systems.  For example, how many people realize that simply upgrading the Java Runtime Environment does not necessarily close the holes the old version created?  Did you know that you have to actually manually uninstall the old versions of Java?  By default Java’s installer does not do this thereby leaving the exploitable code on your system.
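To make the “leftover Java” problem visible, here is an added example (not code from the original post) that inventories the third-party applications listed above from the Windows uninstall registry and warns when more than one Java Runtime Environment is still installed. The registry paths and display-name patterns are standard, but the patterns are my assumption about how the vendors name their entries, and the script assumes PowerShell 5.1 or later.

```powershell
# Added example: inventory third-party apps from the uninstall registry and
# flag hosts where an old JRE was left behind by an upgrade.
# Run elevated for a complete view of per-machine installs.

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# DisplayName patterns for the applications named in the post (assumed naming).
$watchList = @{
    'Adobe Reader' = 'Adobe (Acrobat )?Reader'
    'Shockwave'    = 'Adobe Shockwave'
    'Flash Player' = 'Adobe Flash Player'
    'Java'         = '^Java(\(TM\))?\s+\d'      # "Java 8 Update 291", "Java(TM) 6 Update 30"
    'QuickTime'    = 'QuickTime'
}

$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, DisplayVersion, InstallDate

$report = foreach ($entry in $watchList.GetEnumerator()) {
    foreach ($hit in ($installed | Where-Object { $_.DisplayName -match $entry.Value })) {
        [pscustomobject]@{
            Product     = $entry.Key
            DisplayName = $hit.DisplayName
            Version     = $hit.DisplayVersion
            InstallDate = $hit.InstallDate
        }
    }
}

$report | Sort-Object Product, DisplayName | Format-Table -AutoSize

# The post's point: the Java installer does not remove the previous release,
# so every copy but the newest is still exploitable code on the box.
$javaCopies = @($report | Where-Object Product -eq 'Java')
if ($javaCopies.Count -gt 1) {
    Write-Warning ("{0} Java installations present; remove all but the newest:" -f $javaCopies.Count)
    $javaCopies | Sort-Object { $_.Version -as [version] } | Select-Object -SkipLast 1 |
        ForEach-Object { Write-Warning ("  {0} ({1})" -f $_.DisplayName, $_.Version) }
}
```

Compare the reported versions against the vendors' current releases; the script can only tell you what is installed, not whether it is current.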

This is why patch management systems are so crucial for companies.  I’m sure when you lock the doors at night, you also close the shipping doors, the windows, and any other points of entry.  Likewise, you should be closing the points of entry into your data infrastructure as well.  If you can’t close them, for one reason or another, you should at least be aware of these points of entry and make efforts to minimize the risk you’re exposing your business to.

Spend an Hour Now…Earn Double That Later!

As I’ve been traveling the country lately, I’ve been learning more and more about how the PCI-DSS requirements are affecting businesses.  There does still seem to be quite a bit of misinformation as well as a lot of questions.  As a result, I’ve been changing the focus a bit.

I really do think companies should spend more time in training on PCI.  There is no better training, in my opinion, than that provided by auditors who have actually been in the field conducting audits.  By investing in training, staff and management can get a better understanding of security implications, the audit process, and why the PCI requirements are so important.  As a bonus, doing so will also aid in meeting PCI-DSS requirement 12.6 - “Implement a formal security awareness program to make all employees aware of the importance of cardholder data security.”  This training should be provided to everyone in the company, not just a select few.  I’ve found that companies that take this approach get better cooperation from their employees and have an easier time making it through the audit.

Next, management should get involved regularly in user groups and public forums.  I, and many other auditors like me, frequently respond to posts on sites such as the PCI Knowledge Base.  The beauty of these public forums is that others can benefit from similar inquiries.  In addition, we’ve all seen how different auditors have different points of view on various topics.  This unfortunately feeds some of the misinformation.  Public forums, like the PCI Knowledge Base, can help combat that as auditors will discuss the reasoning behind their points of view and challenge one another in hopes of coming to a more unified/educated approach.

I know time is valuable, but spending a few hours now on these suggestions will offer great returns in both the security of your data and offering a more pleasant experience during your audits.

Clarifications on WPA/TKIP Vulnerabilities

Recently, a research paper published by Japanese academics demonstrated a newer, faster, and more reliable way to crack wireless networks that use WPA/TKIP protocols.  In the best case, such a network can now be compromised in less than 1 minute.

So, what does this mean?  First, we need to understand what WPA/TKIP is.  Essentially, WPA/TKIP is a method of securing wireless networks.  Wi-Fi Protected Access/Temporal Key Integrity Protocol (WPA/TKIP) was created to fix shortcomings of an early form of wireless encryption known as WEP (Wired Equivalent Privacy).   Just as the name implies, WEP was designed to simulate an equivalent form of protection to that found on any wired network.  As we know, WEP failed miserably, and today such networks can be compromised by anyone with even the most basic understanding of computers using simple applications that are readily available online.   As a result of these weaknesses in WEP, TKIP was created.

Until recently, TKIP has been a viable alternative to WEP.  Then, in November of 2008, Martin Beck and Erik Tews discovered an attack against TKIP.  Essentially, they found an exploitable hole in WPA/TKIP installations that also implemented IEEE 802.11e (Quality of Service) features.  Together with their fellow students and the aircrack-ng team, they revealed how to send bogus data to an unsuspecting WiFi client on a WPA/TKIP network.   However, since this attack does not reveal the actual key, and since the exploits were “minimal”, this did not gain much public attention.  Examples of attacks that could be carried out using Beck and Tews’ technique would be ARP poisoning, causing confusion in routing traffic, and Denial-of-Service attacks that would lock all clients out of a wireless network.

What was overlooked, though, is the fact that it showed that there are real flaws in TKIP.  And, as is the case in wireless networking and security, it’s only a matter of time before others start expounding upon this research and come up with other ingenious ways of exploitation.  For example, not even a year after this, another group of students (Finn Michael Halvorsen and Olav Haugen) from the Norwegian University of Science and Technology Department of Telematics released another cryptanalysis of TKIP.  Their thesis and source code for modifications to aircrack-ng’s tools can be found here.  Essentially, they expounded upon Beck and Tews’ earlier study and determined ways of exploiting the network beyond ARP poisoning and DoS attacks.  Examples include:

DHCP DNS Attack:  Basically, in this attack a victim client would accept a packet from the hacker that would allow the attacker to respond to DNS queries with fake DNS replies, thus forcing an unwitting victim to visit unintended websites or other network locations.  From there, further attacks could be attempted.

NAT Traversal Attack:  In this example, an attacker could inject a fake packet to the client that appears to originate from an external IP address at a specific port.  The victim machine would then respond to this request, forcing the router to establish a NAT mapping between the internal computer and the external port and IP address.  The external machine will now be able to send traffic directly to the internal victim client on the open port in the firewall.  This could then, for instance, be used to exploit some unpatched vulnerability at the client or reveal the Internet IP address of the network, which would be useful in other scenarios as well.

Even so, many did not take this seriously.   The answer many gave to counter the above was to simply disable the QoS features on wireless networks or make other simple “modifications” to their setup to combat and prevent the attacks outlined above.  Well, now Japanese researchers Toshihiro Ohigashi and Masakatu Morii of Hiroshima University and Kobe University have discovered an even more efficient means of attacking TKIP and published their findings here.  The Beck-Tews attack would normally take about 12-15 minutes to exploit and also required QoS to be implemented on the wireless network, thereby limiting the scope of attacks and what could be targeted.  These new discoveries, however, allow attackers to exploit all TKIP implementations much faster.

You can easily imagine how the new findings will allow future researchers, academia, and hackers to go beyond the attacks outlined above.  It’s now only a matter of time before further compromises and attacks are discovered that could take even greater advantage of networks that have implemented TKIP across their enterprise.  With this knowledge, I hope it is understood that TKIP should not be used any further on wireless networks that need to be secured.  There are still technologies such as WPA2/AES that have not been compromised and are readily available on commercial grade wireless access points and equipment.   If you haven’t done so already, make the switch.
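“Make the switch” starts with knowing which saved networks still negotiate TKIP. The following is an added example, not code from the original post, that walks a Windows client’s saved Wi-Fi profiles with netsh and flags any whose cipher is TKIP rather than CCMP (WPA2/AES). It assumes English-language netsh output; the field labels it matches on differ in other locales.

```powershell
# Added example: audit saved Wi-Fi profiles for TKIP so they can be moved to WPA2/AES.
# Assumes netsh output in English ("All User Profile", "Authentication", "Cipher").

function Get-NetshField {
    param([string[]]$Lines, [string]$Label)
    # Return the first "Label : value" line, or 'n/a' if the profile has none.
    $m = $Lines | Select-String "^\s*$Label\s*:\s*(.+)$" | Select-Object -First 1
    if ($m) { $m.Matches[0].Groups[1].Value.Trim() } else { 'n/a' }
}

function Get-WlanProfileCipher {
    $names = netsh wlan show profiles |
        ForEach-Object { if ($_ -match 'All User Profile\s*:\s*(.+)$') { $Matches[1].Trim() } }

    foreach ($name in $names) {
        $detail = netsh wlan show profile name="$name"
        $cipher = Get-NetshField -Lines $detail -Label 'Cipher'
        [pscustomobject]@{
            Profile        = $name
            Authentication = Get-NetshField -Lines $detail -Label 'Authentication'
            Cipher         = $cipher
            UsesTKIP       = ($cipher -match 'TKIP')
        }
    }
}

$profiles = @(Get-WlanProfileCipher)
$profiles | Format-Table -AutoSize

$weak = @($profiles | Where-Object UsesTKIP)
if ($weak.Count -gt 0) {
    Write-Warning ("{0} saved profile(s) still use TKIP: {1}" -f $weak.Count, ($weak.Profile -join ', '))
} else {
    Write-Host 'No saved profiles use TKIP.'
}
```

Profiles flagged here should be reconfigured (on the access point and then re-saved on the client) for WPA2 with AES/CCMP, since a client will happily keep using a TKIP profile as long as the AP still offers it.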