The Better Crypto project aims to provide copy&paste crypto best practices for sysadmins for common setups, e.g. apache, iis, dovecot, etc..
There’s a PDF with easy copy&paste configurations at
v2.0 August 2014
“This guidance was originally published in 2009. This revised version has been updated to take account of legislative developments and to reflect any changes in the approach of the Office of the Data Protection Commissioner to the audit process. The guidance is designed to assist organisations selected for audit by the Office of the Data Protection Commissioner. It is hoped that
this resource will provide organisations holding personal data with a simple and clear basis to conduct a self-assessment of their compliance with their obligations under Irish Data Protection Law”
Decision No. 2011-316 dated 6 October 2011 adopting a standard for delivering privacy seals in audit procedures covering the protection of persons with regard to the processing of personal data
(which could be read as a good way to deliver a privacy audit – or to expect one being done on you following this procedure)
Interesting case – data breach due to ticket ID enumeration in a standard software URL (developed by a service provider) – CNIL sanctions data controller.
- CNIL was informed in February 2017 of a security vulnerability in the URL http://darty.epticahosting.com/selfdarty/register.do, which would have allowed access to several thousand customer data of the company DARTY.
- Online check by CNIL in March 2017 reveals security vulnerability in http://darty.epticahosting.com/selfdarty/register.do , a form allowing the company’s customers to submit a service request after-sale. Once the form has been filled in with an e-mail address and a password, a hypertext link corresponding to the registration number of the request allowed access to its follow-up. The identifier (ticket number) was contained in the URL as follows: http://darty.epticahosting.com/selfdarty/requests.do?id= XXX.
By changing the ID number in this URL, an attacker would be able to access customer service request forms completed by other customers.
- 912,938 files were potentially accessible. During the inspection, 7,417 of them were downloaded for sampling. It was found that personal data of customers were accessible on cards, such as their surname, first name, postal address, e-mail address and their orders.At the end of the audit, the delegation contacted the company to inform it of the existence of this personal data breach.
- On premise inspection by CNIL revealed that support form was developed by a service provider.
- Controller should have checked access controls and tested for vulnerabilities.
Interessanter Beitrag von Philipp Glas vor Schweizer Hintergrund.
Tool to do correlation of personal data – e.g. from public sources.