February Roundup

This month it’s mostly about data ending up in places it has no business being.

1. Weaponised Information In The Bay Area

This month the great and good of the world of information security gathered for their annual knees-up, the RSA Conference in San Francisco. This was, of course, shortly after the inauguration of Donald Trump and just as his National Security Adviser Michael Flynn was forced to resign over allegations he had discussed sanctions against Russia with Russian officials before Trump took office. The Irish Times has a nice summary of the key themes that were covered during the event:

Discussions were dominated by new and unprecedented security threats posed not only to businesses, but also to citizens, to infrastructure and to governments as a result of what some speakers termed the “weaponisation of information”.

RSA Conference 2017: Reporter’s Visual Notebook, DataBreachToday.com

Notes for humans

What used to be the realm of specialists with arcane knowledge of network protocols and so on is now very much mainstream. Unfortunately this mainstreaming may have come too late for the data security of millions of individuals, as all the recent concerning incidents involving internet-connected devices with minimal security illustrate. Be aware that devices you can buy off the shelf and install in your home with a few simple clicks and presses may well not be at all secure. Do your research on the individual device and the manufacturer before purchasing anything.

As one speaker at the RSA Conference put it, if the number of devices connected to the internet is to go from approximately ten billion at the start of 2017 to the forecast fifty billion in 2020, that is adding one million new connected devices every hour between now and then.

Data breaches are now so common as to be unremarkable and not widely reported unless they are on a scale that sets records. It is safe for you to work on the assumption that any entity that holds your personal information will suffer a data breach at some stage.

+ If you have a lot of time on your hands, here’s a YouTube playlist of keynotes, highlights and panel discussions. There are 276 videos in the playlist. You have been warned.

2. ‘Don’t Buy Your Kids Internet-connected Toys’

Continuing on with the general theme, here’s the latest from the world of ineptly implemented spytoys, sorry, innovative parenting solutions.

Two million voice recordings of kids and their families were exposed online and repeatedly held to ransom – because an IoT stuffed-toy maker used an insecure MongoDB installation.

It appears crooks found the database, presumably by scanning the public ‘net for insecure MongoDB installations, took a copy of all the data, deleted that data on the server, and left a note demanding payment for the safe return of a copy of the database. This happened three times, we’re told. Copies of data lifted from the CloudPets system have been passed between underground hacking groups, too, apparently.
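What “an insecure MongoDB installation” looks like in practice is a server bound to every network interface with authorization switched off, so anyone who finds port 27017 can read, alter or drop every database without a password. The following is an added example, not the CloudPets configuration (which was never published) and not from the Register piece quoted above: two alternative mongod.conf files in MongoDB’s YAML format, the weak shape beside a hardened one. The private address 10.0.0.5 is an assumption standing in for wherever the application tier actually lives.

```yaml
# Added example: two alternative mongod.conf files, separated by '---'.
# The first is the shape that left databases like the one above open to
# the internet; the second is the hardened equivalent. Neither is the
# CloudPets configuration, which was never published.

# --- weak: reachable from anywhere, no login required ---
net:
  port: 27017
  bindIp: 0.0.0.0        # listens on every interface, public ones included
# No 'security' section: authorization is off, so any client that can
# connect can read, modify or drop every database on the server.

---
# --- hardened: private interfaces only, every client must authenticate ---
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # loopback plus the app-tier address (assumed)
security:
  authorization: enabled       # clients must log in; grant scoped roles, not root
```

Two caveats a practitioner would want. First, MongoDB releases before 3.6 listened on all interfaces unless told otherwise, so an installation that was never given a bindIp was exposed by default; since 3.6 the default is localhost, but an explicit bindIp is still worth setting. Second, bindIp is not a substitute for a firewall or security group: confirm from outside the network that port 27017 is unreachable (for instance with nmap -p 27017 against the public address) rather than trusting the config file alone, and create the administrative user before enabling authorization, otherwise you lock yourself out along with the crooks.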

Notes for humans

Data will leak. Perfect security is impossible. It is always preferable not to collect data in the first place unless there is a clear purpose for doing so. Since many, many companies with a financial incentive to collect your personal information have shown no indication that they will treat it responsibly, it is up to you to do some screening of your own regarding devices and services.

If you’ve decided that the privacy tradeoff is acceptable to you and your children, at the very least do a bit of due diligence on the provider that you’ve decided to share audio recordings of your child with.

In this case the company was informed multiple times of the data breach and did not address the issue. Nor did it inform those affected by the breach, as it is mandated to do by California law.

Well-known security researcher Troy Hunt first revealed the breach and ransom on his site. It’s a tale of staggering incompetence and a new nadir for the Internet Of Things That Really Shouldn’t Be Connected To The Internet. These low points are only going to keep coming, as at the rate quoted above another thousand or so poorly secured devices have been connected to the internet since you began reading this sentence.

‘German parents told to destroy doll that can spy on children’

‘If You Have One Of These Toys In Your House, You May Want To Stop Using It’

‘Don’t buy your kids internet-connected toys’

3. The Maurice McCabe Affair

‘Twas the affair that brought down a Taoiseach, albeit in a very slow-motion way, as he’s still here and it’s unclear when he’s going.

Readers from outside Ireland or who are younger than a certain age may wish to consult Wikipedia for an explanation of GUBU. It’s somewhat similar to an omnishambles.

It’s beyond the scope of mere mortals to try to explain in brief what seems to have happened in this latest round of police scandal and cover-up, followed by a round of political ‘he said, she said’, so here’s a brief timeline from RTÉ.

Tusla claimed the ‘administrative error’ which led to false allegations of sexual abuse being made against McCabe was a copy and paste error, whatever that may be. This story was subsequently modified to claim that a template had been used in error. Templates, by their nature, don’t come pre-filled with specific details from other cases, so that explanation doesn’t account for how those details got there.

Tusla also attempted to apologise to Maurice McCabe for the cascade of what they maintain were errors and ended up delivering this apology to his neighbour.

Notes for humans

Be aware that government and semi-state entities can be just as reckless and cavalier in their approach to data privacy as private sector companies whose entire existence is predicated on accessing and processing your personal information. Be careful what you share with them. Ask more questions. Ask why they need your personal information. Ask if they plan to share your information with any third parties, and for what purpose (they have to tell you this).

4. HSE headline

The HSE – who would also very much like you to trust them to secure all your most sensitive personal information – were in the news for matters of security, both physical and digital.

According to internal HSE documents there were 113 data breaches in 2015 involving sensitive personal information. That’s roughly one every three days. Bear in mind that these are merely the breaches that were noticed and reported.

Highlights included confidential patient information being ‘inadvertently posted’ to the wrong address, patient information showing up in Penneys in Mullingar and patient files being faxed to a bank.

In all these cases, it is reported, the HSE has sternly reminded staff members of their data protection responsibilities.

Then at the end of the month a break-in at Dr. Steevens’ hospital was reported. Items were stolen from the office of the person responsible for implementing and securing the HSE’s national database. ¯\_(ツ)_/¯

Notes for humans

The HSE are building a database to hold the most sensitive possible personal information of each and every person in the country. It is up to them to demonstrate that they are competent enough to be trusted with this information. It would be difficult to say they are doing a particularly good job of demonstrating that competence.

+ In an audit of data centre security covered by the Irish Times in January, Deloitte discovered that visitor cards granted access to the entire premises. If someone didn’t want to go to the bother of acquiring a visitor pass, they could have gone around the back and walked in the door, which was left open.

+ This isn’t a new problem within the HSE. In 2013 auditors at Cork University Hospital “found highly sensitive files left on top of a Cork University Hospital car park ticket machine when they arrived to examine the facility’s data security.”

Healthcare data breaches ‘mostly caused by insiders’, Sophos Naked Security

5. The Orange Menace

Donald Trump came into office and signed a flurry of executive orders. The most contentious and high profile of these was the ‘Muslim ban’, an attempt to temporarily halt all immigration from seven predominantly Muslim countries. There was significant resistance to this. There were protests at airports across the United States. Rabbis were arrested. Conferences were cancelled. Museums protested. The courts threw a spanner in the works: a federal judge in Washington state halted the order nationwide, and the 9th Circuit Court of Appeals refused to reinstate it.

As a side measure, on the 7th of February Department of Homeland Security Secretary John Kelly “informed Congress that the DHS is considering requiring refugees and visa applicants from seven Muslim-majority nations to hand over their social media credentials from Facebook and other sites as part of a security check.” Demands for phones and passwords at the border have already started happening in US airports.

In response to this, many media outlets, including the home of prim fustiness itself, the New York Times, published advice for travellers on how best to approach crossing US borders while keeping their digital privacy intact.

Notes for humans

The highly unpredictable Donald Trump is now in charge of the largest surveillance apparatus the world has ever seen. None of his actions since taking office have shown that his administration will be in any way respectful of privacy laws and best practices when it comes to accessing and processing individuals’ personal information.

There is a lot of exceptionally chilling precedent showing what can happen with mass profiling of populations based on religion or other attributes.

+ ‘Why build a Muslim registry when you can buy it?’, Amnesty Global Insights

Honourable mentions
  • Schrems II started and continues in the courts in Dublin. If you don’t know what Schrems II is, here’s a brief explanation from the Irish Times. There have been some rather startling revelations about Facebook apparently sharing its submissions with the US government before presenting them to the court.
  • The Note To Self podcast (which is highly recommended if you’re human and interested in how technology is affecting your continued ability to remain sane) ran the Privacy Paradox project: five days of podcasts about your digital privacy with helpful advice and tips, and concrete things you can do to secure it.
  • Amazon is fighting a warrant which demands it hand over voice recordings made by its Alexa AI assistant in a murder trial in Arkansas, arguing that the recordings made by the device are protected speech under the US First Amendment.
  • Google announced it would begin clearing out apps without privacy policies from the Play store. Words such as horse, stable, bolted and door come to mind, but it’s certainly better than the free-for-all of recent years.
  • Back in Ireland, the government is considering setting up a social media watchdog. How precisely the Irish government plans to compel social media platforms to do its bidding is unclear.
  • A man named Nathan Pryor customised an Amazon Dash button so that every time it’s pressed a five dollar donation to the American Civil Liberties Union is made.

[Title image credit: Rodion Kutsaev on Unsplash]
