On IP and PII: Merely the Location of a Computer? Non!

A recent AP article entitled "EU Official: IP Is Personal" shows that some people still don't understand, or are prepared to willfully misconstrue, one of the basic privacy concepts: personally identifiable information or PII.

On the one hand you have the head of the European Union's group of data privacy regulators stating that "IP addresses, string of numbers that identify computers on the Internet, should generally be regarded as personal information." He is correct.

On the other hand you have Google insisting that "an IP address merely identifies the location of a computer, not who the individual user is." Google is incorrect.

An IP address does not merely identify the location of a computer, just as your street address does not merely identify a physical location and your year of birth does not not merely identify a year. All someone needs is a few 'mere' facts about you and your identity can be established. That's why it is called personally identifiable information.

There are plenty of simple experiments you can conduct to prove this.

Once More Unto the Breach Dear Friends?

I think that I speak for a number of my colleagues in the information security and data privacy communities when I say that "breach burn-out" is a recurring occupational hazard.

Here's how it goes. After some period of time spent working on projects to improve security and privacy you hear about a rash of incidents, a string of security breaches, that elicit weary groans. You find yourself asking, "Why do I bother?"

Sometimes the still small voice of calm will answer, "For the money." You remind yourself of the payments that are due, the mortgage, the doctor bills and the health insurance (which may well be bigger than the mortgage). And you decide to keep going.

Sometimes you find yourself in a position to ease back on the earnings and take some time to smell the roses, and you say to yourself "Them roses, they sure smell good." But then you hear about a rash of breaches that elicit groans of a different kind, groans of anger and frustration, tinged with regret. And sometimes you decide it's time to rejoin the fray.

Speaking for myself, I've been groaning a lot lately. There was Facebook, valued at billions, either failing to get a clue about privacy or arrogantly flaunting privacy conventions to see if it could make a buck. There was the year-end count of private data exposures that topped 160 million records. There was Boeing and its hackable Dreamliner (after the FAA intimated the 787 could be hacked because "it allows new kinds of passenger connectivity to previously isolated data networks," Boeing said that "the plane's networks don't completely connect" as though partial connection was somehow not connection). Now we have CIA statements at SANS about hacking utilities and other SCADA systems, reminding everyone that folks in several sectors have continued to develop and deploy mission critical systems under various false assumptions about security.

(Which part of War Games did these people sleep through? BTW, there is a good primer on SCADA on Wikipedia and here is a well-balanced set of slides--in .pdf--put together by D. Maynor and R. Graham at ISS. Their experience parallels what my colleagues found in the nineties: zero systems they could not penetrate, and many that could be hacked with skills rated 3 or less on a scale of 1 to 5.)

Even cool companies like Aptera seem to be forgetting simple things, like not letting other people sign you up for their email. Hardly on the same scale as diddling with the spent fuel rods at a nuclear power plant, but one more reminder that when it comes to security and privacy, most people just forget this stuff. Which is not so much a criticism of "most people" but a reminder that most people don't have an innate talent for "security-think."

Indeed, this truism is so well-established that the folks in charge should have put well-established mechanism in place to compensate some time ago, like security input at the design stage and security review during development and deployment. With all the other problems the world faces, it would be nice to think that by now we had routed the insecurity dragon or at least chained it up in its cave. Apparently we have not. Darn it!

[Exeunt. Alarum, and chambers go off]

Natural Beauty

Sometimes I find nature more beautiful than any art.

This is the view down the trail from my house right now. Layla, our Springer Spaniel, is looking back at me, encouraging me to take a walk.

The snow on the branches of the birch trees and maples creates a sort of cathedral over the trail. The silence is wonderful and the air is fresh and clear.

A walk down this trail seldom fails to cheer me up. Layla ventures off to the left and the right, bouncing through snow cover, following deer tracks and turkey tracks, but looking back every fifty feet or so to get my nod to continue or return.

I now have a wider shot of this scene as the wallpaper on my laptop (1280x800). That way I can see it long after the snow melts. If you'd like to try it you can download it here (it is free, licensed under Creative Commons Share Alike 3.0, attribute: Stephen Cobb).

Data Exposure Stats Exposed

When I picked the top three privacy/security stories of 2007, the annual toll of privacy breaches was not included. My intention was not to belittle the ongoing plague of personal data exposures. However, this is a plague in progress and in that sense it is not new, thus arguably less newsworthy than some other developments.

That said, the year-on-year increase in exposures is worth noting, as Mark Jewell, did recently, writing for the Associated Press. He cites Linda Foley of the San Diego-based Identity Theft Resource Center who says "more than 79 million records" were reported compromised in the United States through Dec. 18 2007. That is almost a fourfold increase from the nearly 20 million records reported compromised in all of 2006.

Another source is Attrition.org, which reckons more than 162 million records were compromised through Dec. 21 of 2007, but that was worldwide and not just the US. The comparable 2006 figure from Attrition was 49 million, so they are suggesting a year-on-year increase of more than 3X.

Jewell points out that the biggest difference between the record-loss counts of the two organizations is Attrition’s estimate that 94 million records were exposed in the TJX case (T.J. Maxx, Marshalls, etc.). Attrition’s figure is based on estimates from Visa and MasterCard officials who were deposed in a lawsuit banks filed against TJX whereas the Identity Theft Resource Center counts about 46 million, which is the number of records TJX acknowledged in March were potentially compromised.

Strangely, Jewell states that Attrition.org and the Identity Theft Resource Center are the only groups, government included, maintaining databases on breaches and trends each year. That's a [hopefully unintentional] slight to the Privacy Rights Clearinghouse where Beth Givens has been keeping track of numbers for several years. The PRC site documents 217,118,526 records exposed from 2005 through 2007. I think a lot of the PRC data is sourced from Attrition, but PRC reviews it and sometimes modifies it. David Shettler has developed a Web site that provides statistical analysis of security breach data, at www.etiolated.org.

When you consider this chart, based on Attrition numbers, the scale of the problem is apparent. While some of the steepness of the curve is probably due to increased reporting of incidents following disclosure laws passed in California and other states, those laws are not creating the exposures, which are all real, real people, for whom exposure causes real problems. Clearly, companies and governments need to do a much better job.

Firewalls 1996 to 2008

January is aptly named after the two-faced god of gates and doors. It's a good month for looking both forwards and backwards. For example, if you look back 12 years in network security you might notice FireWallCon '96, an event orchestrated by the National Computer Security Association (NCSA later became ISCA Labs, was bought by Cybertrust, and is now part of Verizon, so ncsa.com no longer exists; but here is the conference listing in Risks Digest).

It is fairly safe to say that this was the first full-scale, commercial conference dedicated to firewalls and Internet security. Heck, it even had t-shirts, darned good ones at that; after 12 years I'm still wearing mine, shown at left.

And it is amazing to think it was that long ago. These days a sizable percentage of the population has at least an inkling of what the term firewall means in a computer context (as opposed to a building code context). Blockbuster movies and popular TV dramas use the phrase "getting through the firewall" in the expectation that most of the audience will know what it means.

Yet 12 years ago it was not unusual for IT professionals from big companies to be asking "What is a firewall?" and "Do we need one?" The buzz about firewalls built very rapidly from 1995 through 1996 and sales were brisk. I met several people at FireWallCon '96 who had bought a firewall for their company but weren't yet sure where they should put it.

Some organizations took a long time to figure that one out. I recall my colleagues and I putting on a firewall seminar for a very secret government agency three years later, during which it became clear that many of their IT people thought a router with access control lists was the same thing as a firewall. This was somewhat worrying, and puzzling when you consider the fact that one of the best early documents on firewalls was written by two gifted federal employees, John Wack and Lisa Carnahan (NIST Special Publication 800-10: Keeping Your Site Comfortably Secure: An Introduction to Internet Firewalls, December 1994). We drew on that document to create the NCSA Firewall Policy Guide, which enjoyed extensive world-wide distribution (NIST SP800-10 does not seem to appear anywhere in its original form, partly because it was superseded by the more complete SP800-41).

We now have firewalls everywhere, even on our personal computers. They haven't made us as comfortably secure as we'd like, but when properly configured and managed they are considerably more difficult to get through than some movies would have you believe.

Blog Beats Beeb on Boeing Blooper?

Sorry about the overly alliterative headline, but I couldn't help myself: My blog post about security "issues" related to the Boeing 787's airborne network apparently appeared three days before the story was reported by BBC News. (As far as the whacky headlines go, I am still trying to beat a London Sunday Times headline from back in the sixties, over a story about Japanese zipper manufacturers beating UK rivals: Jap Zips Zap Brits.)

And it was not really my blog post over the weekend that "beat" today's BBC News web site coverage of the Boeing 787, it was the Wired web site, which picked up the story very quickly, namely Kim Zetter on 01.04.08 stamped 7:30 PM. I blogged that story on 01.06.08 so I was a little slow. However, the BBC says the story was first reported by trade magazine Flight International (which is not one of those magazines that publishes its stories on the web, so I am not sure about that claim, although it could well be true--my father-in-law, a battle-tested Navy pilot from the days of prop planes--used to read FI religiously).

As to the blooper, I just got an email from a fellow CISSP containing just the kind of comment I predicted. He saw the story and said, with some sadness: "not surprised." He added: "If aerospace is integrating everything, then rational thought and consideration is failing even in that industry."

Not Surprising? Boeing 787 flight controls vulnerable to hacking (FAA)

You don't have to be a computer security expert to see the problem presented in this revelation, reported by Wired. Heck, your average Internet-using consumer can see the flaw in this:
"The computer network in the Dreamliner's passenger compartment, designed to give passengers in-flight internet access, is connected to the plane's control, navigation and communication systems, an FAA report reveals."

Shot of Boeing 787 via WikipediaLet us all take a moment to digest the staggering clue-less-ness of such a design.

But while this design flaw may come as a shock to consumers who know--from their own home networking and web surfing--that putting actual flight controls for a real airplane on, or anywhere near, the Internet is a really BAD idea, Boeing's decision to do so will not surprise seasoned security professionals. Why? Because we have learned that large organizations have a peculiar way of keeping their collective intelligence from being collective.

Consider the two very nice Boeing people I met in Paris in 2004...

Recommended Reading for Mark Zuckerberg: A free privacy primer

In yesterday's post about 2007 I made a somewhat light-hearted reference to the need for a 'back-to-basics' education in privacy. I also suggested that the Facebook Beacon privacy snafu might not be something other than a privacy ignorance indicator, namely, a calculated attempt to push the limits of user-acceptance of commercial of private data.

Well, the more I read about Facebook Ads, like the use of personal images by commercial advertisers, the more I wonder whether some people really did skip Privacy for Business Owners 101.  On the face of it, pun intended, Facebook Ads comes close to violating several of these fundamental data privacy principles:

  1. There must be no personal data record keeping systems whose existence is secret.

  2. There must be a way for an individual to find out what information about him is in a record and how it is used.

  3. There must be a way for an individual to prevent information about him that was obtained for one purpose being used or made available for other purposes without his consent.

  4. There must be a way for an individual to correct or amend a record of identifiable information about him.

  5. Any organization creating, maintaining, using, or disseminating records of identifiable personal data must assure the reliability of the data for their intended use and must take precautions to prevent misuse of the data.

And where did these principles come from? Some avant-garde, privacy-obsessed Scandanavian country? No, these are the basic privacy principles that were laid out by the U.S. government ten years before Mr. Zuckerman was born.

And if Mr. Zuckerman had taken Privacy 101 he would already know that the first U.S. legislation to consider privacy in the context of computers appeared after Elliot Richardson, who was Richard Nixon’s Secretary for Health, Education and Welfare, commissioned a study of record-keeping practices in the computer age. The resulting report, commonly known as the “HEW Report,” recommended the enactment of a federal “Code of Fair Information Practice” for all automated personal data systems. The code envisioned by HEW contained the above five principles that would be given legal effect as “safeguard requirements” for automated personal data systems. The Privacy Act of 1974 is embodied HEW principles in law, establishing protections for personal data held by the federal government.

Fortunately, both Mr. Zuckerman, and you, dear reader, can learn these and other fascinating facts about privacy for free. Just download the free electronic version of Privacy for Business available at www.privacyforbusiness.com. Who knows, they might just keep the FTC off your back and the feds out of your IT department.

So Long 2007! Reflections on computer security and data privacy

Well, it’s January 2008 and I’m a little late with my end-of-the-year reflections on information security and data privacy in 2007. Nevertheless, here’s my take on what I think were the three top trends/stories/developments. I think 2007 was the year:

  • of the criminal hack

  • of a new shift in privacy concern

  • of important new tools for data security

Happy New Year!

I'm phoning this in from the snow covered hills of mid-state New York, where the joys [and necessity] of snow-plowing with an ATV are being discovered. I hope everyone out there has a great oh eight!

(With a special thanks to Dana and Clem at the Rose & Kettle for crafting another great New Year's Eve event.)