two tales of security

From the “if I had a nickel every time…” category, a story from The Telegraph on the loss of sensitive information by the RAF:

The Ministry of Defence has admitted that files had been stolen, and more than 500 RAF staff have been warned of the possible consequences to them and their families after the unencrypted data – stored on three computer hard drives – went missing.

The extremely personal information had been given by servicemen for an in-depth vetting process to give them high security clearance. (emphasis added)

Now, I certainly can’t comment on the specific facts surrounding the loss of this data, but I did note, in particular, that the data recorded was unencrypted. As most readers of this blog know, this is certainly not the first time an incident like this has occurred (i.e. a lost, misplaced, or inadvertently discarded data storage device that contained sensitive information). In fact, to be honest, it is somewhat mind-boggling that this still occurs. Not that things get lost. I understand that things like that may happen despite the physical security protocols that one may put into place. But not encrypting such data? Perhaps a decade ago, something like that would be understandable. But it should not be today, particularly when there has been story after story about this sort of thing. In this case, not only has the RAF compromised the personal information of certain of its officers, it has also put the UK’s national security at risk. Completely inexcusable. And if I sound harsh, it’s because I intend to.

So, once again, for anyone who cares to read this blog: if you are responsible for sensitive data and store it in digital format, you really, really must ensure that you encrypt that information, particularly if it is on a storage device that may be transported, or is sitting anywhere other than a very secure vault. Otherwise, it’s only a matter of time before someone comes after you for negligence. Or worse.
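To make the point concrete, here is an added example (not from the Telegraph story, the MoD, or this blog’s original text) of what “encrypt it before it goes on the drive” looks like in practice: a small Go program that seals a constructed sample record with AES-256-GCM under a random key, writes only the sealed bytes to disk, and shows that the stored file contains none of the original lines and refuses to decrypt if altered. The sample record, the file name and the function names are all assumptions made for the illustration; the key is held in memory only, standing in for a key kept somewhere other than the drive that gets lost.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// NewKey returns a fresh random 256-bit AES key. The whole point of the
// exercise is that this key never travels with the drive it protects
// (hardware token, key-management service, or at least a separate store).
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext with AES-256-GCM and returns nonce||ciphertext||tag.
// GCM is authenticated, so any change to the stored blob is detected on Open.
func Seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// gcm.Seal appends ciphertext and tag to the nonce passed as dst.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal. It returns an error (never garbage) if the key is
// wrong or the blob has been modified.
func Open(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// LeaksPlaintext reports whether any non-empty line of the original document
// appears verbatim in the stored blob: a simple check to run on a file
// before it is allowed onto removable media.
func LeaksPlaintext(plaintext, blob []byte) bool {
	for _, line := range bytes.Split(plaintext, []byte("\n")) {
		if len(line) > 0 && bytes.Contains(blob, line) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample record standing in for a vetting file (not real data).
	record := []byte("name: A. Example\nservice number: 00000000\nnext of kin: B. Example\n")
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	blob, err := Seal(key, record)
	if err != nil {
		panic(err)
	}
	// Only the sealed bytes ever touch the disk.
	path := filepath.Join(os.TempDir(), "vetting.enc")
	if err := os.WriteFile(path, blob, 0o600); err != nil {
		panic(err)
	}
	defer os.Remove(path)
	fmt.Printf("wrote %d sealed bytes; plaintext visible on disk: %v\n", len(blob), LeaksPlaintext(record, blob))

	stored, _ := os.ReadFile(path)
	back, err := Open(key, stored)
	fmt.Printf("open with key: err=%v, matches original=%v\n", err, bytes.Equal(back, record))

	// Flip one byte of the stored file: GCM refuses to return modified data.
	stored[len(stored)-1] ^= 0x01
	_, err = Open(key, stored)
	fmt.Printf("open after tampering: err=%v\n", err)
}
```

The lesson for the lost-drive scenario is in the last two checks: whoever finds the drive gets a file that reveals nothing without the key, and the owner, on recovering it, can tell whether it was altered.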

On the other hand, there is a brief story in Wired about an interesting video on YouTube. It’s basically a fake video showing some “hackers” tapping into a building’s SCADA system. Interestingly, this appeared to set off alarm bells in some circles:

“Perhaps the first demo was just for fun, but the others will have less juvenile goals,” McAfee Avert Labs researcher Francois Paget blogged on Friday. “An attack can involve nationwide damage, a terrible effect on the public’s morale, and huge financial losses.”

To be fair, McAfee’s Paget acknowledged some doubts “about the technical aspects of these light-show ‘attacks’ on unprepared buildings.” But with the enthusiastic faith of cybarmageddonists everywhere, he boldly asserts that it doesn’t matter if the video is genuine.

“Fake or not, the video confirms that hackers and cybercriminals have got their eyes on SCADA networks.”

So, a question for anyone reading this – even if the video were real (and it’s not), why (other than what the article already notes) do you think Mr. Paget’s comments might be a bit off the mark, at least when it comes to the contents of the video itself?

arbitrary electronic search & seizure + canadian border = ok

Following the judgement and policy confirming that US customs can conduct searches without suspicion, some of my colleagues in the trade group at McCarthy have published an e-Alert that describes Canadian authorities’ approach to searches of electronic devices at the Canadian border:

CBSA has yet to publish a report detailing its policy on border searches of electronic devices. That said, the CBSA has stated that its examination authority under the Customs Act extends to electronic storage devices. Other sources of information also suggest that they, like their American counterparts, do not accord electronic devices special status at the border. For example, the Canadian Customs Act broadly defines “goods” to include “any document in any form”, suggesting no special treatment for electronic documents. Canadian case law also supports this interpretation. In a 2008 Ontario Court of Justice decision, the Court stated that it saw no intrinsic difference between a computer search and a detailed examination of the contents of one’s suitcase.

2. Searches Without Suspicion

Given their characterization as ordinary goods, it follows that a border official can search travelers’ electronic goods even in the absence of suspicion regarding the traveler or the electronic device.

The article also provides some background on the situation in the US, on confidentiality of information obtained from such searches, on the ability to detain electronic devices for further inspection, on privileged information, and some thoughts on how to protect your information.

If you cross the border frequently with sensitive business information, it is well worth a read, as is my previous post on the US policy.

asp issues

Will keep this short – I was reading an article (whose authors will go unnamed) describing some recent trends in software licensing and issues arising from those trends. One trend that was highlighted was the change from licensing of software to be installed and operated by a licensee (with maintenance and support from the licensor) to a vendor-hosted model (or “application service provider” or “ASP” for short), where the vendor instead sets up the software on its own machine and the vendor’s customers then make use of the software remotely – often through a browser, but sometimes through other “thin” clients.

What was the primary issue they identified? Making sure you get acceptance testing. Hmmm. Well, I hate to disagree, but I would think there are a few others that are at least as (if not more) important. So, without further ado, some thoughts on what to keep an eye out for if you are thinking of signing up to an ASP service, in no particular order:

Your Data – Will your ASP be storing your data? Will it be your primary repository of your data? Is your data important? Does your data contain sensitive, confidential or personal information? If so, then you should make sure that your ASP is handling your data appropriately, including giving adequate assurances that it is only used for providing the service (and not anything else) and that appropriate security measures are taken to protect it, such as encrypted communications when sending/receiving as well as encrypted storage. We’ve all read the recent horror stories about certain large corporations who have misplaced, lost, or inadvertently disclosed sensitive data, such as credit card numbers. Make sure it isn’t your company making the headlines.

Service Levels and/or Easy Outs – Addresses the same issue as acceptance testing but in a different way. Typically one big advantage of ASPs is that there is no big upfront licensing fee and therefore no big upfront capital to invest, or risk regarding that capital investment in the event the software doesn’t do what it was expected to do. The concept of acceptance testing was invented to address this big upfront risk, with the thinking that you get to kick the tires extensively before you hand over the truckload of cash. And if the testing doesn’t pan out, you don’t pay. OTOH, ASPs usually involve a periodic (typically monthly) payment which is much smaller. In effect, the monthly service fee can be thought of as a replacement for: (1) the amortized cost of the initial license fee; (2) maintenance and support; (3) investment in hardware and infrastructure; and (4) additional people costs on the vendor side, to keep (3) up and running. Very often this is a win-win situation, since vendors can often achieve economies of scale by running a large number of instances centrally at one dedicated data centre (and ironically, to some extent, harkening back to the days of mainframes + terminals – but I digress) and offer very attractive savings over what it would otherwise cost a customer to maintain the application in-house.

Anyway, the point being that there is less upfront risk with an ASP solution, provided of course that you’re either: (a) not locked in to a 50 year contract; or (b) given really good assurances that the software will be up and running as needed when you need it. It’s good to have both, but at the same time it can also be thought of, to some extent, as an either-or proposition – if you can arrange for a month to month contract, then if the ASP stinks, just terminate and go elsewhere. Alternatively, if you get ironclad service levels (including significant credits and termination rights) then you might be willing to commit longer. Of course, you’ll also need to ensure that you have the ability, in the case of a month to month agreement or termination rights, to move to another service easily, and to get your data back, etc. But I’ll leave that for another time.

Anyway, I’m not necessarily saying that acceptance testing isn’t important (and in fact, if you need to spend a ton of money to have the vendor customize a solution for you, it may still be very important), just that there are a couple of other issues to keep in mind.

from the “another security headache” department

Yes, postings have been sparse lately – things have been getting busy, alas. Anyway, a very short (but rather alarming) note from Wired about copiers. Though I knew most copiers now used digital technology of some sort, I had no idea they actually contained full-blown hard drives that store your copies. The exact reason why they need hard drives to copy documents, and why the data needs to remain on the drives, is a bit of a mystery to me, and something the article doesn’t go into. I had always just assumed that the image information was stored somewhere temporarily and disappeared when you finished copying. Apparently not. Anyway, here’s a brief excerpt:

most digital copiers manufactured in the past five years have disk drives – the same kind of data-storage mechanism found in computers – to reproduce documents. As a result, the seemingly innocuous machines that are commonly used to spit out copies of tax returns for millions of Americans can retain the data being scanned.

If the data on the copier’s disk aren’t protected with encryption or an overwrite mechanism, and if someone with malicious motives gets access to the machine, industry experts say sensitive information from original documents could get into the wrong hands.

I guess someone, somewhere, will be selling add-on kits for copiers relatively shortly…

Were You Once a Brobeck Client?

Very interesting post on TechCrunch on how the digital records of law firm Brobeck, Phleger & Harrison, for some 10,000 clients, will be preserved and made available to a limited group of scholars and researchers, through what will be called the Brobeck Closed Archive.

Wow. At first blush I had the same reaction as Michael Arrington (the TechCrunch guy) and the guy who wrote the original article that he cited. But if you read through the FAQ at the site, as well as the comments that the professor who is running the thing posted on TechCrunch, it’s pretty clear that they’re not going to be displaying lawyer-client documents on a website for all to see – there will be some measure of protection put into place.

That being said, though I certainly understand the historical significance of these records, and the objectives of the archive (which seem entirely noble), I get a bad feeling about this generally – you know, kind of like that little tickle at the back of your throat that almost, but not quite, wants to make you cough. Heck, if I were a client of a law firm, would I want anyone looking at my counsel’s records on me? Even if it were a researcher? Even under NDA? And even with restrictions? Well, no, I don’t think so. Not at all. It’s not any researcher’s business – not at all. So sure, maybe as an opt-in program, if the client consents, but otherwise, even, I think, where a corporate client no longer exists to approve disclosure, the records should also do the same.

So, if you were once a Brobeck client, and haven’t seen the notice, you might want to get in touch with the archive.