it security – be paranoid, be very paranoid

Fascinating story in Wired about how one of their writers (Mat Honan) had his “entire digital life” destroyed by a hacker:

In the space of one hour, my entire digital life was destroyed. First my Google account was taken over, then deleted. Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages. And worst of all, my AppleID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad, and MacBook.

And why did someone go to all this trouble? Was it to try abscond with thousands of dollars? Was it because Mr. Honan had publicly denigrated and embarrassed one of them in one of his articles? Nope. They did all of this simply because they wanted his twitter account.

While, yes, it is important to note the security failures of various service providers like Apple, Amazon, etc. and admonish them for it, there will always be security weaknesses or failures irrespective of what technology or service provider you choose to use. And while yes, it is a good lesson to think about the extent to which you decide to put your life (or at least the important bits of your life) online (and has made me think quite a bit on what I do), perhaps think about this: If one hacker thinks it worthwhile to do all of this for a mere twitter account, imagine the efforts others might take if you are responsible for securing information for an organization that is orders of magnitude more valuable or sensitive. Be afraid. Be very afraid.

alberta enacts breach notification requirement

Alberta’s Personal Information Protection Amendment Act, 2009 came into effect over the weekend (May 1, to be precise). The amendments included a variety of changes but perhaps most notably include a new notification requirement if an organization experiences a security breach.

The Alberta government has come out with a brochure (PDF) to help organizations understand their obligations under this new requirement. Here’s the Coles Notes version:

  • you must notify the Alberta Privacy Commissioner of any loss, unauthorized access or unauthorized disclosure of personal information without delay
  • notification is mandatory (i.e. it’s an offence if you don’t) if a reasonable person believes there is a real risk of significant harm to an individual as a result of the breach and optional if it isn’t
  • the Commissioner then decides whether individuals need to be notified. If they do, the Commissioner will tell you and you will need to comply accordingly

The brochure itself contains helpful explanations, examples and illustrations on some of these concepts, such as what is meant by “real risk of significant harm” and who is responsible for notification, which I won’t regurgitate here.

While this is old hat in the US, with many (most?) US states already having having such requirements in place, it is relatively new in Canada. Apart from the somewhat terse breach notification requirements under the Ontario Personal Health Information Protection Act, Alberta’s legislation appears to be the first in Canada. The concept however has been subject to discussion for some time now. Other provinces (I believe Newfoundland and New Brunswick) have legislation pending along the same lines, but Alberta’s is the first to address breaches relating to personal information generally, not just health information. The Uniform Law Commission of Canada has also studied the matter a fair bit and came out with a report and draft legislation (PDF) last year. John Gregory, the General Counsel of the Ontario Ministry of the Attorney General, has also given presentations (PPT) on the topic.

In short, all this points to the fact that it isn’t a question of whether there will be such requirements throughout Canada, but rather when. Organizations that hold a significant amount of personal information would be well-advised to consider the adequacy of their existing security measures and whether they need to be upgrade, given the potential cost of security breaches in light of these requirements.

two tales of security

From the “if I had a nickel every time..” category, a story from The Telegraph on the loss of sensitive information by the RAF:

The Ministry of Defence has admitted that files had been stolen, and more than 500 RAF staff have been warned of the possible consequences to them and their families after the unencrypted data – stored on three computer hard drives- went missing.

The extremely personal information had been given by servicemen for an in-depth vetting process to give them high security clearance.(emphasis added)

Now, I certainly can’t comment on the specific facts surrounding the loss of this data, but I did note, in particular that the data recorded was unencrypted. As most readers of this blog know, this is certainly not the first time an incident like this has occurred (i.e. a lost, misplaced, or inadvertently discarded data storage device that contained sensitive information). In fact, to be honest, it is somewhat mind-boggling that this still occurs. Not that things get lost. I understand that things like that may happen despite the physical security protocols that one may put into place. But not encrypting such data? Perhaps  a decade ago, something like that would be understandable. But it should not be today, particularly when there has been story after story about this sort of thing. In this case, not only has the RAF compromised the personal information of certain of its officers, it has also put the UK’s national security at risk. Completely inexcusable. And if I sound harsh, it’s because I intend to.

So, once again for anyone who cares to read this blog: If you are responsible for sensitive data and store it in digital format, you really, really, must ensure that you encrypt that information, particularly if it is on a storage device that may be transported, or is sitting anywhere other than a very secure vault. Otherwise, it’s only a matter of time that someone will come after you for negligence. Or worse.

On the other hand, there is a brief story in Wired about an interesting video on YouTube. It’s basically a faked video showing some “hackers” tapping into a building’s SCADA system. Interestingly, this appeared to set off alarm bells in some circles:

“Perhaps the first demo was just for fun, but the others will have less juvenile goals,” McAfee Avert Labs researcher Francois Paget blogged on Friday. “An attack can involve nationwide damage, a terrible effect on the public’s morale, and huge financial losses.”

To be fair, McAfee’s Paget acknowledged some doubts “about the technical aspects of these light-show ‘attacks’ on unprepared buildings.” But with the enthusiastic faith of cybarmageddonists everywhere, he boldly asserts that it doesn’t matter if the video is genuine.

“Fake or not, the video confirms that hackers and cybercriminals have got their eyes on SCADA networks.”

So, a question for anyone reading this – even if the video were real (and it’s not), why (other than what the article already notes) do you think Mr. Paget’s comments might be a bit off the mark, at least when it comes to the contents of the video itself?

data/privacy breaches – costs are increasing – time for investment?

An interesting piece in E-Commerce News about a new report from PGP and Poneman about the cost of data/privacy/security breaches and the reasons for them. Some excerpts:

Data breach incidents cost U.S. companies US$202 per compromised customer record last year compared with $197 in 2007 according to the study. The average total per-incident cost rose to $6.65 million in 2008 up 5.3 percent from $6.3 million in 2007.

Healthcare and financial services companies experienced the highest customer churn rates — 6.5 percent and 5.5 percent respectively.

Third-party organizations accounted for more than 44 percent of all data breaches in 2008 and the resulting investigation and consulting fees made these the most costly form of data breaches.

Nearly 90 percent of all cases in the 2008 study involved insider negligence.

Many of the security problems companies face are preventable — but most organizations don t have the right software tools and security policies in place to deal with data breaches he observed.

“It s a combination of software and risk management ” explained Ponemon. “Good technology like encryption data-loss prevention tools and data-access tools can help — but they re not the complete answer because so many of these incidents are due to negligence and carelessness.”

Of course, there is a bit of of a conflict here given that the sponsors of the study also happen to offer security solutions. Nonetheless, the figures are important to keep in mind to drive home the point that the direct costs (not to mention the reputational costs) of a privacy or data breach are very real. And very substantial. Hopefully, some figures like this will prompt companies to invest more in proactive measures to reduce the risk (and costs) of privacy breaches.

If you’re beyond that stage, then you might want to read this: Practical Tips for Responding to Privacy Breaches (full disclosure: I work for the firm that published this article).

internet e-mail is not secure

From time to time I have moaned and groaned about the lack of security regarding e-mail. Oddly enough, many people who use e-mail on a daily basis for sensitive business communications don’t realize that, generally speaking, e-mail is, by default, not secure. Nothing is magically encrypted when you send or receive e-mails and, to the extent someone can intercept an e-mail, it can be read very easily. I don’t recall who said it, but I do remember the phrase that e-mail should be considered no different than sending a postcard – anyone along the way will be able to read it.

Oddly enough, for some reason, most folks in the business world – including lawyers, bankers, VCs, as well as very smart technology folks – either are not aware of this issue or, if they are, don’t consider it to be much of a risk. To illustrate – I was talking with someone the other day about the marvels of Blackberries. One reason, I was told, that Blackberries have gained such widespread acceptance is their bulletproof security. From what I understand, transmissions to and from the devices is encrypted using some very serious, very heavy duty technology. I pointed out, however, that the encrypted communication was only between the Enterprise Server and the device. So, while it was great that no one could pick up the wireles signal and eavesdrop that way, it would be quite possible once the e-mail made it back on to their mail server and was transmitted via SMTP, at which point it would no longer be encrypted at all (unless other measures had been taken) between their mail server and to the recipients mail server. So although it might be quite secure for e-mails within the organization, for external e-mails, not so much. That being the case, I questioned the value of a partial encryption path for external e-mails. To me, it seemed like armor plating your body, except for your head and chest. I ruminated that it is a question of when, not if, lawsuit or some other form of liability would attach due to someone exploiting this lack of security.

So I read with interest an article on reportonbusiness.com about insider trading as a result of IT folks hacking e-mail:

Regulators revealed yesterday that an information technology analyst working at TD Securities Inc. in Calgary was reading the personal e-mails of investment bankers working on the deal, and bought Synenco securities using undisclosed information about a pending offer from French energy giant Total SA.

While it appears no senior officials involved in any of the recent cases knew their companies’ confidential information had been breached, regulators say firms are responsible for ensuring critical e-mail is not intercepted.

I didn’t see anything in the article about the consequences for the companies. It will be interesting to see what happens. Then again, according to the article, this isn’t the first time this sort of thing happens.

All that being said, there are tools to ensure that e-mails and other communications are made security. There are built-in encryption tools in Outlook. There is PGP. There are services offering encrypted e-mail and other communications through access to secure websites. The fact of the matter, however, is that they’re all an incredible pain in the ass to use. You need to securely exchange public keys. You need to sign up for the web service. You need to go to the website to read and reply. And so on. So, in the meantime, not much is done and millions of unencrypted, easily read e-mails with highly sensitive and confidential information continue to flow through the ether. I imagine at some point something on a much larger scale will occur, and at that point, the imperative will be much stronger to implement security measures for e-mail (at least sensitive/confidential e-mails) or to replace it with something stronger altogether. My suggestion would be that firms exchanging sensitive information by e-mail seriously think about adopting such measures before that. Or run the risk of being the poster-boy for that imperative.

arbitrary electronic search & seizure + canadian border = ok

Following the judgement and policy confirming that US customs can conduct searches without suspicion, some of my colleagues in the trade group at McCarthy have published an e-Alert that describes Canadian authorities’ approach to searches of electronic devices at the Canadian border:

CBSA has yet to publish a report detailing its policy on border searches of electronic devices. That said, the CBSA has stated that its examination authority under the Customs Act extends to electronic storage devices. Other sources of information also suggest that they, like their American counterparts, do not accord electronic devices special status at the border. For example, the Canadian Customs Act broadly defines “goods” to include “any document in any form”, suggesting no special treatment for electronic documents. Canadian case law also supports this interpretation. In a 2008 Ontario Court of Justice decision, the Court stated that it saw no intrinsic difference between a computer search and a detailed examination of the contents of one’s suitcase.

2. Searches Without Suspicion

Given their characterization as ordinary goods, it follows that a border official can search travelers’ electronic goods even in the absence of suspicion regarding the traveler or the electronic device.

The article also provides some background on the situation with the US, confidentiality regarding information obtained from such searches, ability to detain electronic devices for further inspections, privileged information, and some thoughts on how to protect your information.

If you cross the border frequently with sensitive business information, it is well worth a read, as is my previous post on the US policy.

so much for the paperless revolution

Lexology had an interesting story that serves as a really good reminder that sometimes, despite all the great things about modern technology, plain old paper may sometimes be the best way to go.

What happened? Well, to make a long story short, the US Federal Trade Commission inadvertently disclosed a large amount of information that was filed with the FTC that should have remained confidential. To wit:

The mistake made by the FTC was basic. In preparing its brief for filing, FTC staff wrongly assumed that the metadata in its word processing file would not migrate upon direct conversion from native format to portable document format (.pdf). In particular, they wrongly assumed that using Microsoft’s “Highlight” (or “Borders and Shading”) tool to black out text actually removed the text from the file’s contents. It does not. It “covers up” the text, but the text itself remains in the file, fully searchable and available for copying. The resulting .pdf appears at first glance to contain only black boxes in place of the redacted content. That content, however, is present in the .pdf file and can be easily revealed either by copying and pasting the blacked-out text into a word-processing file or an e-mail message or by viewing the .pdf file in a reader such as Preview or Xpdf.

Its one of those stories that makes you want to laugh and cry at the same time. The laughing because its easy enough to think “What kind of idiot would do that?” because the error was (at least for most readers of this blog) rather obvious. The crying because, if you give it some thought, there are instances that this could very well happen to even the most technically sophisticated of you – not just with PDFs, but any number of other forms of digital documents, communications and storage – and in any number of ways. The bottom line is that when things are put into digital form, they are often harder to get rid of. Its something well worth keeping in mind.

from the “another security headache” department

Yes postings have been sparse lately – things getting busy so alas. Anyway, very short (but rather alarming) note from Wired about copiers. Though I knew most copiers now used digital technology of some sort, I had no idea they actually contained full-blown hard drives that store your copies. The exact reason why they need hard drives to copy documents, and why the data needs to remain on the drives, is a bit of a mystery to me, and something the article doesn’t go into. I’d had always just assumed that the image information was stored somewhere temporarily and disappeared when you finished copying. Apparently not. Anyway, here’s a brief excerpt:

most digital copiers manufactured in the past five years have disk drives – the same kind of data-storage mechanism found in computers – to reproduce documents. As a result, the seemingly innocuous machines that are commonly used to spit out copies of tax returns for millions of Americans can retain the data being scanned.

If the data on the copier’s disk aren’t protected with encryption or an overwrite mechanism, and if someone with malicious motives gets access to the machine, industry experts say sensitive information from original documents could get into the wrong hands.

I guess someone, somewhere, will be selling add-on kits for copiers relatively shortly…

Thoughts on Quantum Computing

Interesting article in Wired News where they interview David Deutsch who they refer to as the Father of Quantum Computing. He has a kind of low key but interesting take on the recent demonstration of a real, live 16 qubit quantum computer by D-Wave, a Canadian company based out of Vancouver.

Low key insofar as he doesn’t seem particularly enthused about the potential of quantum computers, other than perhaps their ability to be used to simulate quantum systems and of course encryption:

Deutsch: It’s not anywhere near as big a revolution as, say, the internet, or the introduction of computers in the first place. The practical application, from a ordinary consumer’s point of view, are just quantitative.

One field that will be revolutionized is cryptography. All, or nearly all, existing cryptographic systems will be rendered insecure, and even retrospectively insecure, in that messages sent today, if somebody keeps them, will be possible to decipher … with a quantum computer as soon as one is built.

Most fields won’t be revolutionized in that way.

Fortunately, the already existing technology of quantum cryptography is not only more secure than any existing classical system, but it’s invulnerable to attack by a quantum computer. Anyone who cares sufficiently much about security ought to be instituting quantum cryptography wherever it’s technically feasible.

Apart from that, as I said, mathematical operations will become easier. Algorithmic search is the most important one, I think. Computers will become a little bit faster, especially in certain applications. Simulating quantum systems will become important because quantum technology will become important generally, in the form of nanotechnology.

(my emphasis). Interesting thought about being retrospectively insecure. Particularly given spy agencies have, in the past, been sufficiently bold to transmit encoded messages on easily accessible shortwave frequencies.

I imagine the spook shops already have their purchase orders in for quantum crypto stuff (or have developed it already internally). Was a bit surprised by the statement above regarding existing technology for quantum computing. I had heard of some demos a while back, but didn’t realize that there are actually several companies offering quantum cryptography products.