The CLOUD Act – can Americans be trusted in Europe?

This week I’ve attended an event and one of the other attendees has voiced an interesting thought, which deserves a brief footnote here, for future reference.

Since March 2018 the US Government had passed the so called Cloud Act, which basically “allows federal law enforcement to compel U.S.-based technology companies via warrant or subpoena to provide requested data stored on servers regardless of whether the data are stored in the U.S. or on foreign soil.

Scary?

According to my vis-a-vis, this means that no EU company can now trust their data to cloud services offered by US companies – even if the datacenters themselves are located in EU, the US government basically now can demand access to any data of EU residents.

Details?

The devil, is, as usual, in details, Let’s read a little deeper:

[CLOUD Act] asserts that U.S. data and communication companies must provide stored data for U.S. citizens on any server they own and operate when requested by warrant,

but provides mechanisms for the companies or the courts to reject or challenge these if they believe the request violates the privacy rights of the foreign country the data is stored in.

It also provides an alternative and expedited route to MLATs through “executive agreements”; the executive branch is given the ability to enter into bi-lateral agreements with foreign countries to provide requested data related to its citizens in a streamlined manner, as long as the Attorney General, with concurrence of the Secretary of State, agree that the foreign country has sufficient protections in place to restrict access to data related to United States citizens.

Summary

  1. It only applies to US Citizen data.
  2. Local privacy laws and individual data privacy agreements allow for rejections and challenges of such requests.

So, EU citizens stay at exactly the same level of protection as before, the new fears are unfounded. What do you think? Do you trust your data to the cloud?

 

 

 

Advertisements

Fighting the recent Apple DEP “vulnerability” with Workspace ONE UEM (AirWatch)

There’s been recently a wave of news along the  “OMG Apple DEP is insecure we are all doomed” line. While there is indeed a few flaws in Apple Device Enrollment Program, I want to show how to fight it with Workspace ONE UEM (AirWatch) in a simple 3-step process

Step 1: Go to your DEP profile in Settings -> Devices -> Apple -> Device Enrollment Program

Step 2: Ensure Authentication is ON

DEP-FUD-WS1-Auth

Step 3: You are done. Really, this “vulnerability” is only serious in two cases:

  • Using no authentication, implicitly trusting anything that comes from the Internet over DEP
  • Staging (specifically using the staging process with the staging user) sensitive information – certificates, etc. Just don’t – have all the sensitive bits assigned to the end-user who has to authenticate.

So, now you are armed with knowledge!

More reading:

Securing work contacts while keeping caller ID 03: iOS with Boxer

I had a week of customer meetings, each (literally!) asking the same question: “How can I prevent WhatsApp from grabbing the corporate contacts on my device?”

In this series of posts we will explore the options of deploying corporate email/contacts/calendars with the goal of maximal work/personal contact separation, while trying to minimally impair the user experience (such as the Caller ID).

Table of contents:

(more…)

Securing work contacts while keeping caller ID 02: Android

I had a week of customer meetings, each (literally!) asking the same question: “How can I prevent WhatsApp from grabbing the corporate contacts on my device?”

In this series of posts we will explore the options of deploying corporate email/contacts/calendars with the goal of maximal work/personal contact separation, while trying to minimally impair the user experience (such as the Caller ID).

Table of contents:

(more…)

Securing work contacts while keeping caller ID 01: Android vs iOS

I had a week of customer meetings, each (literally!) asking the same question: “How can I prevent WhatsApp from grabbing the corporate contacts on my device?” This happens more often than you think – the infamous GetContact collected over 3.5B contacts in just a few months, all of which were officially available for sale! With GDRP in effect, how much could this cost?

Of course, both iOS and Android offer means to securely lock down enterprise data on BYOD devices. But this comes at a price of usability, the most cited problem being the caller it. We know that in the modern day an unhappy and discomforted user is essentially a backdoor waiting to happen. How can we keep this balance between security and productivity?

In this series of posts we will explore the options of deploying corporate email/contacts/calendars with the goal of maximal work/personal contact separation, while trying to minimally impair the user experience (such as the Caller ID).

We will explore several approaches, their limitations and shortcomings for iOS and Android. This post lays the foundations and provides a TL:DR style summary/comparison of my current findings.

Table of contents:

(more…)

Does Android P private DNS really contribute to privacy? Or to Enterprise control?

Private DNS is a new feature in Android P, which allows you to globally override the DNS settings (received from your carrier, hotspot provider etc.). This means that the said carrier’s or provider’s DNS servers will not be able to log your browsing habits.

Read more here (Android Police).

Screenshot_20180422-175014.png
Private DNS configuration (c) Android Police

This looks like privacy, but isn’t necessarily so…

(more…)

iOS Trustjacking protection with EMM

Trustjacking is a new “scary” attack on iOSnew “scary” attack on iOS devices, exploiting user’s lack of understanding or what’s going on. When plugging into an unknown computer or charger user may choose to “trust” it, which allows the remote device quite a degree of access to iPhone/iPad data. Many don’t realize that this trust remains after the device is disconnected and may be exploited, for instance, via Wi-Fi, if Wi-Fi sync is enabled. Many others also think that this trust is necessary for charging.

ios20blog2021-e1524555570975.png
What is really should read: “Your settings and data will be accessible from this computer even after disconnected. You DON’T need this for charging”

Basically, Apple should have looked at how Android 6+ has a “charge only” USB mode by default, fixed the wording and be done with it.

Protecting from this attack is extremely simple on Supervised (DEP) devices via EMM.

Here’s how it’s done via AirWatch, but any other major EMM will have something similar – this is Apple’s standard OS feature.

iOS Trustjacking AW
iOS Trustjacking protection: it only takes one tick

As a bonus, this will prevent not just the Trustjacking attack, but many other threats and leaks, since it blocks everything.

Wondering, how many had this configured before the Trustjacking news?