04 May 2014

Consumer Privacy USA: The Risk of Viceroy Tiger and Keyhole Panda...

There is a flurry of Operational Risk Management (ORM) activity around the DC beltway and across Silicon Valley aimed at winning new consumer confidence: confidence that personal metadata and information is protected with encryption, and that privacy policies are in place to notify users when their information is requested by the government.  Interesting.

Much of this wasted bandwidth is focused on competitive strategies.  If LinkedIn gets 3 or 4 stars from the EFF "Who Has Your Back?" report, then our social media company should aspire to do the same. Transparency to the consumer end user on how data is protected, and on when you are notified that it has been lost, leaked, hacked or handed over to law enforcement, is the buzz right now.  Why?
Apple, Facebook, others defy authorities, notify users of secret data demands
By Craig Timberg, Published: May 1

Major U.S. technology companies have largely ended the practice of quietly complying with investigators’ demands for e-mail records and other online data, saying that users have a right to know in advance when their information is targeted for government seizure.

This increasingly defiant industry stand is giving some of the tens of thousands of Americans whose Internet data gets swept into criminal investigations each year the opportunity to fight in court to prevent disclosures. Prosecutors, however, warn that tech companies may undermine cases by tipping off criminals, giving them time to destroy vital electronic evidence before it can be gathered.

Fueling the shift is the industry’s eagerness to distance itself from the government after last year’s disclosures about National Security Agency surveillance of online services. Apple, Microsoft, Facebook and Google all are updating their policies to expand routine notification of users about government data seizures, unless specifically gagged by a judge or other legal authority, officials at all four companies said. Yahoo announced similar changes in July.

As this position becomes uniform across the industry, U.S. tech companies will ignore the instructions stamped on the fronts of subpoenas urging them not to alert subjects about data requests, industry lawyers say. Companies that already routinely notify users have found that investigators often drop data demands to avoid having suspects learn of inquiries.

Enterprise businesses are now waking up to the reality of investing in more robust Operational Risk Management (ORM) practices within their Enterprise Architecture Framework.  Areas that have been neglected in the architecture for data transport are now finally being updated.  Even the "Heartbleed" vulnerability in OpenSSL, which exposed how many deployments were still running outdated SSL/TLS stacks, has finally motivated many to upgrade to TLS 1.2 and add Forward Secrecy.  Forward Secrecy matters because an ephemeral (EC)DHE key exchange means that a later compromise of the server's long-term private key does not let someone who recorded the traffic decrypt sessions captured earlier; with plain RSA key exchange, it does.  Yet LinkedIn, which gets multiple stars from the EFF (and only a "B" from Qualys SSL Labs), does not even use TLS 1.2, and the average consumer does not understand why Forward Secrecy is an important capability or why Google uses it within the popular Gmail service.
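The two checks a practitioner would actually run against that paragraph, as an added example that is not part of the original post: classify a cipher suite by its key exchange to decide whether it offers Forward Secrecy, build a client-side TLS configuration that refuses anything below TLS 1.2 or without ephemeral key exchange, and (when a network is available) probe a live endpoint to see what it negotiates. The cipher-suite names in SAMPLE_SUITES are a constructed list for illustration, not results from LinkedIn, Gmail or SSL Labs; the cipher string is one reasonable choice, not a recommendation from the page.

```python
import socket
import ssl

# Constructed sample of cipher-suite names in both OpenSSL and IANA spellings.
# None of these were observed on any real host; they are here to exercise the classifier.
SAMPLE_SUITES = [
    "ECDHE-RSA-AES128-GCM-SHA256",          # ephemeral ECDH: forward secret
    "DHE-RSA-AES256-GCM-SHA384",            # ephemeral DH: forward secret
    "AES128-GCM-SHA256",                    # OpenSSL name with no kx token = RSA key transport
    "ECDH-RSA-AES128-SHA",                  # static ECDH: not forward secret
    "TLS_RSA_WITH_AES_128_CBC_SHA",         # IANA name, RSA key transport
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_AES_256_GCM_SHA384",               # TLS 1.3: key exchange is always (EC)DHE
    "TLS_DH_anon_WITH_AES_128_CBC_SHA",     # anonymous DH: ephemeral but unauthenticated
]


def key_exchange(suite):
    """Classify the key-exchange algorithm of a cipher suite from its name.

    Handles OpenSSL names (ECDHE-RSA-AES128-GCM-SHA256) and IANA names
    (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_AES_128_GCM_SHA256).
    Unknown OpenSSL prefixes fall through to "rsa", the historical default
    (an assumption; exotic suites such as SRP or GOST are not modelled).
    """
    s = suite.upper()
    if s.startswith("TLS_"):
        if "_WITH_" not in s:
            return "tls13"  # TLS 1.3 suites name only the AEAD; kx is always ephemeral
        kx = s[len("TLS_"):s.index("_WITH_")]
    else:
        kx = s.split("-")[0]
    if "ANON" in kx or kx in ("ADH", "AECDH"):
        return "anon"
    if "ECDHE" in kx:
        return "ecdhe"
    if "DHE" in kx or kx == "EDH":  # EDH is OpenSSL's legacy spelling of DHE
        return "dhe"
    if "PSK" in kx:
        return "psk"
    if "ECDH" in kx:
        return "ecdh-static"
    if kx == "DH" or kx.startswith("DH_"):
        return "dh-static"
    return "rsa"


def has_forward_secrecy(suite):
    """True only for authenticated ephemeral key exchange (anonymous DH is excluded)."""
    return key_exchange(suite) in ("ecdhe", "dhe", "tls13")


def audit(suites):
    """Return the subset of suite names that do not provide forward secrecy."""
    return [name for name in suites if not has_forward_secrecy(name)]


def forward_secret_context():
    """Client context that refuses TLS < 1.2 and any non-ephemeral key exchange."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Cipher string is one reasonable choice (assumption), not a mandated list.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!MD5")
    return ctx


def context_leaks(ctx):
    """Names the context would still offer that lack forward secrecy (should be empty)."""
    return audit(c["name"] for c in ctx.get_ciphers())


def probe(host, port=443, timeout=5.0):
    """Connect to a live server and report what it actually negotiated (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            name, _proto, _bits = tls.cipher()
            return {"protocol": tls.version(), "cipher": name,
                    "forward_secrecy": has_forward_secrecy(name)}


if __name__ == "__main__":
    for name in SAMPLE_SUITES:
        print(f"{name:48} {key_exchange(name):12} FS={has_forward_secrecy(name)}")
    print("non-FS suites left in hardened context:", context_leaks(forward_secret_context()))
```

Run the module directly to see the classification table for the constructed suites; pass a hostname to probe() for a one-shot check of what a real server negotiates with the platform's default client settings.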

The privacy policies and opt-out capabilities the consumer really needs are from the private sector companies that are currently trading your personal information.  Your browsing history.  Your purchases at national retailers.  When was the last time you gave your phone number to a cashier at the register to earn buy-one-get-one coupons or a discount at the local gasoline pump?  Where do you think all of this activity-based behavior about you, the consumer, is being resold?

The marketing of privacy and security will continue to become a product or service differentiator.  The government agencies will continue to follow the law to obtain your information.  The magistrate judges will make sure of this.  The adversaries however, are becoming more productive and will find new exploits to attack your infrastructure in new ways, on vectors that you have not even thought of yet.

Who are some of the adversaries?  A few worth noting (using CrowdStrike's adversary naming, in which "Kitten", "Tiger" and "Panda" denote Iran, India and China respectively):

  • Iran:  Cutting Kitten
  • India:  Viceroy Tiger
  • China:  Comment Panda, Deep Panda, Foxy Panda, Keyhole Panda, Union Panda, Vixen Panda et al

These cyber adversaries are in many cases focused on cyber espionage and the theft of your Intellectual Property or Research and Development.  This leaves hundreds of other capable crime-ware driven organizations across the globe, who are targeting other valuable data to perpetuate their fraudulent activities.  So what have you done at the Board of Directors level and the Executive "C" Suite, to pave the way for more effective collaboration with the G-man?

Collaboration with the FBI, Secret Service, SEC, FTC, OFAC, U.S. Attorney, State Attorney General or even the local county prosecutor is a prudent and wise Operational Risk Management strategy.  Complacency: this could be one of the greatest vulnerabilities that your shareholders and stakeholders have ignored.  A proactive organization has established protocols, implemented best practices and tested policies.  They are already in place to work collaboratively with local, state and federal government.  These organizations will ultimately be the marketplace front runners.  Consider the statement Michaels Stores issued after its 2014 payment card breach:

“In an era where very sophisticated and determined criminals have proven capable of successfully attacking a wide range of computer networks, we must all increase our level of vigilance. Michaels is committed to working with all appropriate parties to improve the security of payment card transactions for all consumers.”

This is just one more example of what is becoming the new normal.  The Operational Risk Management (ORM) professionals in your organization are ready and willing to support the corporate executives' and the Board of Directors' newfound enlightenment.  Your new government partners will even share information with you on the latest modus operandi of "Keyhole Panda"...