Data Security – a Look Back at 2018
XMedius Executive Vice President and CTO, Sébastien Boire-Lavigne, takes a look back at the big data-security stories of 2018 and discusses what they might mean for 2019.
GDPR Came and We All Survived
If 2018 can be summed up in one thing, it's that it marks the beginning of a new era of the “rule of law” on data collection on the internet and the end of the wild west approach of “collect first and ask questions later.” This is a good thing. While GDPR is Europe-centric, its effects are far-reaching, given how the global information technology supply chain is integrated. GDPR is now the de facto global privacy standard.
While some predicted chaos in the wake of the GDPR, it didn’t happen. Much like the Year 2000 (Y2K) bug, most businesses took measures to largely mitigate their risks. While authorities are stepping up their investigation activities, they are focusing their efforts on well-known large tech companies, and few fines have been issued so far.
In Austria, a fine of €4.8k was issued to an entrepreneur who was filming the sidewalk. In Germany, the social network knuddel.de was fined €20k for a leak of millions of emails and usernames. While most fines are modest, authorities are showing their willingness to punish organizations that simply ignore the law and should know better. AggregateIQ Data Services, linked to the now infamous Cambridge Analytica and to Facebook, faces a fine in the UK of £17m (the highest allowed) for processing data of millions of people without their consent.
More fines are coming in 2019, and they should be a clear reminder that authorities are serious about the application of the law. If you haven’t started working on your privacy program, it’s time to get on with it, or the wake-up call may be brutal for your business.
Where GDPR Needs to Go Now
But GDPR is not perfect. While the principles are sound, I think the implementation was a failure. Businesses had to pump countless billable hours into consulting and into creating policies and legal frameworks to comply with the regulation. That was good for lawyers and security consultants, but thousands of businesses needlessly ended up paying lawyers to produce slight variations of the same documents without much added value for anyone.
Not only that, but now we have to enter into countless small variations of data processing agreements (DPAs) with customers and suppliers as part of normal business, requiring yet more lawyers. True formal normalization of DPAs is really something the authorities must look into.
The inflated implementation costs of GDPR are also likely to continue for small organizations, with requirements for privacy impact assessments (PIAs) of nearly “standardized” processes that all businesses must have, like pay processing and benefits handling. Authorities should come up with specific guidelines for those “standardized processes” that would allow small businesses to be exempt from making formal PIAs, which add little value.
In short, while the implementation was a bit messy, GDPR is a world-defining piece of legislation that restores the balance of power for citizens on the internet. That being said, there should be efforts from the authorities to minimize the cost to businesses of achieving the desired outcome. Not only in Europe but everywhere around the world, authorities should make a great effort to harmonize their privacy legislation with GDPR so that businesses don’t have a myriad of privacy laws to comply with.
We can always dream…
Faxploit, Don’t Kill the Messenger…
A security group in Israel made waves earlier this year with their discovery of a way to attack otherwise secure networks via fax systems. This discovery, nicknamed “Faxploit,” got a lot of press coverage, but many mainstream publications didn’t dig deep enough into the details to discover whether it actually was something to be scared about.
While this will not come as a surprise to security specialists, the Faxploit case certainly drives home that nothing that is connected to a network is safe from hackers. All the same, a lot of things that were said about Faxploit grossly misrepresented the fax protocol as being broken.
What They Didn’t Hack
While it is obviously possible that some fax implementations may be broken, the security firm that found the vulnerability tried for weeks and failed to exploit the T.30 fax protocol to gain control of the fax machine.
Indeed, that good old black & white fax protocol uses small buffers and consistency checks that make it particularly difficult for hackers to abuse. This is no surprise, since the technology was designed to be sent over unreliable analog networks and the protocol is built to ensure that every single piece of information it receives is checked for consistency.
What They Really Hacked
So how did they do it? They used the “recent” color fax extension of T.30 to deliver a booby-trapped JPEG payload to the printing engine of the multi-function device (MFD). Unlike black & white faxing, where the data stream is reconstructed piece by piece by the receiving end, the color fax extension acts more or less like a pure “dumb” file transfer protocol, which is what allowed the unprotected delivery of a specially crafted JPEG to the printing engine. The printing engine must decode the JPEG in order to print it, and they used a vulnerability in a JPEG decoding library to gain a foothold on the fax device.
So, if we’re being accurate, the fax engine was in fact the vector of the attack on the printing engine of the MFD, much like emails can be used as a vector to deliver a Word document that will then invade a computer by executing nefarious macros.
Some of you will rightfully ask how modern browsers decode countless JPEGs all the time and do not get compromised. In this case, the manufacturer of the MFD was using a proprietary JPEG library that was not “battle tested” like the open source libjpeg used by most browsers. As with everything in security, the devil is in the details.
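The kind of consistency checking that black & white fax gets from the protocol can also be applied to a color-fax JPEG before it reaches the decoder. The following is an added example, not code from the researchers or from any MFD vendor: it walks the JPEG header segments and rejects a stream whose declared lengths or Huffman table sizes do not match the bytes actually present. The article does not say which JPEG fields the crafted file abused, so the checks are generic, and the function names and sample bytes are made up for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Added example (hypothetical names): structural pre-check of a JPEG stream. */

/* DHT payload: repeated { class/id byte, 16 code counts, sum(counts) symbols }. */
static int dht_ok(const uint8_t *p, size_t n) {
    while (n > 0) {
        if (n < 17 || (p[0] >> 4) > 1 || (p[0] & 0x0F) > 3) return 0;
        size_t total = 0;
        for (int i = 1; i <= 16; i++) total += p[i];
        if (total > 256 || total > n - 17) return 0; /* table overruns segment */
        p += 17 + total;
        n -= 17 + total;
    }
    return 1;
}

/* Returns 1 only if every header segment up to the first scan is consistent. */
int jpeg_structure_ok(const uint8_t *buf, size_t len) {
    if (len < 4 || buf[0] != 0xFF || buf[1] != 0xD8) return 0; /* no SOI */
    size_t pos = 2;
    while (pos + 4 <= len) {
        if (buf[pos] != 0xFF) return 0;              /* garbage between segments */
        uint8_t m = buf[pos + 1];
        if (m == 0xFF) { pos++; continue; }          /* fill byte */
        if (m <= 0x01 || (m >= 0xD0 && m <= 0xD9)) return 0; /* marker not valid here */
        size_t seglen = ((size_t)buf[pos + 2] << 8) | buf[pos + 3];
        if (seglen < 2 || seglen > len - pos - 2) return 0;  /* length field lies */
        if (m == 0xC4 && !dht_ok(buf + pos + 4, seglen - 2)) return 0;
        if (m == 0xDA) return 1;                     /* SOS reached, headers sane */
        pos += 2 + seglen;
    }
    return 0;                                        /* truncated before any scan */
}

/* Constructed samples: SOI, one DHT segment, minimal SOS header. */
static const uint8_t sample_good[] = {
    0xFF,0xD8, 0xFF,0xC4,0x00,0x14, 0x00, 1,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0x05,
    0xFF,0xDA,0x00,0x08, 0x01,0x01,0x00,0x00,0x3F,0x00 };
/* Same stream, but the DHT claims 255 symbols while carrying one. */
static const uint8_t sample_bad[] = {
    0xFF,0xD8, 0xFF,0xC4,0x00,0x14, 0x00, 255,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0x05,
    0xFF,0xDA,0x00,0x08, 0x01,0x01,0x00,0x00,0x3F,0x00 };

int main(void) {
    printf("good=%d bad=%d\n", jpeg_structure_ok(sample_good, sizeof sample_good),
           jpeg_structure_ok(sample_bad, sizeof sample_bad));
    return 0;
}
```

A check like this only covers header structure; it narrows what a decoder is exposed to but does not replace patching the decoder itself.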
What to Learn from Faxploit
As we can see, multi-function devices, fax machines, printers and the like present a different security risk profile than the desktop/laptop environment and are often a forgotten aspect of information security.
Desktops and laptops are the target of most attacks, but they are easier to patch, protect and monitor. In contrast, MFDs, printers, and fax machines are often closed systems with little or no updates. That makes them a good target for hackers to establish a persistent foothold in your network.
It is good practice to segregate these devices into a separate network, with limited access to the desktop and server environment. This is even more true for fax-enabled devices that are connected to an external network (i.e., the PSTN). Although it is not as powerful as the Internet, it’s important to remember that the PSTN still acts as a peer-to-peer network.
The takeaway? No need to kill the fax, just make sure you apply basic security practices to all your devices.
How did your organization weather the data security storms of 2018?
Help prepare yourself for the future by introducing XM Fax or XM SendSecure to your IT systems. These two secure document transfer solutions are convenient, cost-effective, and very secure. They can even aid compliance with GDPR, HIPAA, SOX, and many other regulations.
Sébastien Boire-Lavigne is the Executive Vice President and CTO of XMedius, where he has been a driving force in the company’s technology strategy. Among the accomplishments in his 20+ year journey with XMedius, SBL has led the development of the cutting-edge XMedius Fax-over-IP technology, Cloud platforms, and XM SendSecure solutions.