May the 4th be with you
May 25th be upon you!
Many Star Wars fans took advantage of the calendar date to wish people a happy day, and “May the Force be with you!” became “May the Fourth be with you, man!” With May 25th less than three weeks away, Star Wars fans will be treated to another movie in the franchise, “SOLO: A Star Wars Story”. The hope is that Alden Ehrenreich, who plays Han Solo, can fill the shoes of Harrison Ford, who embodied the role.
There’s also an important event taking place on May 25th that many of us IT professionals have read about, heard about, or are preparing for: the General Data Protection Regulation (GDPR) becomes enforceable. Any company that handles personal data has some sort of consideration to take (big or small) with regard to GDPR, even though the regulation is primarily intended to protect the data of people in the European Union. At comforte, we wrote about GDPR over a year ago in a blog (https://www.comforte.com/blog/blog-article/get-ready-for-gdpr-psd2-heres-what-you-should-know/) and we also have a GUIDE on our resources page through our website (https://www.comforte.com/resources/guides/). Look for more information coming out shortly as well.
Rather than go through the details of GDPR and debate its effect on the future of data protection and privacy, I’ll note one thing GDPR has clearly done: it has disrupted the regulation space. In Star Wars, “Fear of this battle station” was how the Empire expected the Death Star to keep the systems in line; today it is fear of the GDPR fines for non-compliance, which can reach 4% of a company’s annual global turnover (or €20 million, whichever is higher). Wow, can they actually fine that much? When the first cybersecurity event occurs after May 25, or when a company is called upon to verify that it is complying with GDPR (regardless of having had a cybersecurity event), all eyes will be watching to see whether this becomes a new way of enforcing data protection, or an acceptable risk companies take.
What remains important, and a fundamental component of almost every regulation released, is some sort of data protection requirement. As companies consider how to protect customer data, they should also continue to review how they protect all sensitive data, including user IDs and passwords. Here’s a recent example showing why gaps in data protection need to be considered to ensure proper security.
On May 3rd, Twitter announced that it discovered a bug and notified over 300 million users suggesting they change their passwords. I tweet about things happening in IT, Cybersecurity, and Payments, and received the following direct email sent by Twitter:
Hi @JDComforte (https://twitter.com/JDComforte), When you set a password for your Twitter account, we use technology that masks it so no one at the company can see it. We recently identified a bug that stored passwords unmasked in an internal log. We have fixed the bug, and our investigation shows no indication of breach or misuse by anyone. Out of an abundance of caution, we ask that you consider changing your password on all services where you’ve used this password.
Twitter uses the bcrypt algorithm to hash passwords. Hashing passwords with a salted, deliberately slow algorithm such as bcrypt is the commonly used and accepted way for service providers to store them, because the service keeps only the hash and never needs the plaintext again. Twitter, however, discovered that the bug caused users’ plaintext passwords to be written to an internal log before the bcrypt hashing process completed. The hashing itself was fine; the problem was a code path that handled the password before it was hashed and recorded it somewhere nobody had thought of as “password storage”.
Does this sound familiar? At comforte, we’ve seen customers on NonStop systems with applications that write data to temporary files, internal log files, store-and-forward files, and the like, and often the data in those files is written in plaintext. The comforte SecurDPS Enterprise solution addresses this issue, an area that other data protection solutions often do not cover. You can learn more from our team by contacting us here (https://www.comforte.com/contact/).
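To make the failure mode concrete, here is an added illustration of the pattern described above. It is not Twitter’s code or comforte’s, and it makes two stand-in assumptions: hashlib.scrypt (in the Python standard library) is used in place of bcrypt, and an in-memory logging handler plays the role of the internal log. The vulnerable handler logs the whole request before hashing, so the password lands in the log in plaintext even though the stored credential is a proper salted hash. The hardened handler never hands sensitive fields to the logger, and a logging filter redacts password-like fields as a second layer for any code path that forgets. The user handle and password in the sample request are constructed for the example.

```python
"""Added example: a password hashed correctly at rest but leaked by logging.

Assumptions (not from the original post): scrypt stands in for bcrypt, and a
StringIO-backed logging handler stands in for the internal log.
"""
import hashlib
import hmac
import logging
import os
import re
from io import StringIO

SENSITIVE_FIELDS = {"password", "new_password", "token", "secret"}
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1)  # memory-hard, slow on purpose


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return 'scrypt$<salt>$<digest>'; only this string is stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            **SCRYPT_PARAMS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def set_password_vulnerable(form: dict, log: logging.Logger) -> str:
    # BUG: the whole form, plaintext password included, is logged before
    # hashing runs. The hash at rest is fine; the log is the leak.
    log.info("password change request: %s", form)
    return hash_password(form["password"])


def set_password_hardened(form: dict, log: logging.Logger) -> str:
    # Fix 1: log only an allow-listed projection of the request, never the
    # raw form, so a secret cannot reach the log by accident.
    safe = {k: v for k, v in form.items() if k not in SENSITIVE_FIELDS}
    log.info("password change request: %s", safe)
    return hash_password(form["password"])


class RedactSensitive(logging.Filter):
    """Fix 2 (defence in depth): scrub password-like key/value pairs from any
    message before it is emitted, whether formatted as a dict repr
    ('password': 'x'), JSON ("password": "x") or a query string (password=x)."""
    PATTERN = re.compile(
        r"(?P<key>['\"]?(?:password|new_password|token|secret)['\"]?\s*[:=]\s*)"
        r"(?:(?P<q>['\"])(?P<qval>.*?)(?P=q)|(?P<val>[^,}\s&]+))"
    )

    def filter(self, record: logging.LogRecord) -> bool:
        msg = record.getMessage()  # render args first so the value is visible
        record.msg = self.PATTERN.sub(
            lambda m: f"{m.group('key')}{m.group('q') or ''}[REDACTED]"
                      f"{m.group('q') or ''}", msg)
        record.args = ()
        return True


def run_with_log(handler, form: dict, redact: bool):
    """Run a handler against a fresh in-memory log; return (stored_hash, log_text)."""
    buf = StringIO()
    log = logging.getLogger(f"auth.{handler.__name__}.{redact}")
    log.handlers.clear()
    log.propagate = False
    log.setLevel(logging.INFO)
    stream = logging.StreamHandler(buf)
    if redact:
        stream.addFilter(RedactSensitive())
    log.addHandler(stream)
    stored = handler(form, log)
    log.removeHandler(stream)
    return stored, buf.getvalue()


def log_leaks_secret(log_text: str, secret: str) -> bool:
    """The check a reviewer wants: does the secret appear verbatim in the log?"""
    return secret in log_text


# Constructed sample request (not real data).
FORM = {"user": "@JDComforte", "password": "correct horse battery staple"}

if __name__ == "__main__":
    for handler, redact in [(set_password_vulnerable, False),
                            (set_password_hardened, False),
                            (set_password_vulnerable, True)]:
        stored, text = run_with_log(handler, FORM, redact)
        print(f"{handler.__name__:24s} redact={redact!s:5s} "
              f"leaks={log_leaks_secret(text, FORM['password'])}  log={text.strip()}")
```

The point of the check function is that it is cheap to run in a test suite: feed a known password through every request path that touches credentials, then grep the captured logs, temp files and queue payloads for it. The Twitter incident is exactly the case where the storage design was right and only such an end-to-end test of the surrounding plumbing would have caught the leak.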
For my final Star Wars analogy: when the Bothans stole the plans to the Death Star, was it from one of these files? We may never know, but perhaps on May 25th the latest Star Wars movie will reveal more holes in data protection from the Star Wars universe!