Archive for the 'Data breaches' Category


Also see the Data breaches category on the Blindside Wiki

It’s Not Only Government Working Through Privacy Issues… (Google Version)

Posted by Tom Fuller in Blindside project, Data breaches, data mining at September 17th, 2007

Via Crooked Timber: “Google is staking a claim on the moral high ground of Internet privacy. The company has called for new international rules, ostensibly to protect privacy online. Little of Google’s search information is strictly ‘personal data’, i.e. data directly concerning named individuals. But search data, potentially tied to individuals’ IP numbers, is dynamite, something it’s taken Google a long time to face up to publicly.”

As really serious bloggers are wont to say, Read The Whole Thing.

Money Quote: “It can’t be controversial to infer from all this that in the current climate, any changes to data protection will focus more on accommodating business and law enforcement concerns than privacy ones. Opening up data protection negotiations anywhere – in the EU, at the OECD or at some UN forum to be imagined – can only have the effect of weakening existing protections.”

More Data Mishaps

Posted by Tom Fuller in Blindside project, Data breaches, Humanity nature and activity at September 15th, 2007

Picking up from where we left off, here’s another horror story (via Kable): “The Dudley Group of Hospitals NHS Trust is trying to find out how one of its computers full of confidential medical information was sold on eBay.”

Even scarier is this line towards the end of the story: “This summer a report from the Information Commissioner’s Office highlighted a “horrifying” number of public sector organisations that were guilty of careless breaches of personal information. It received almost 24,000 complaints concerning personal information over the last year.”

I guess by comparison (also via Kable), this story sounds almost benign: “The Information Commissioner’s Office (ICO) has found the Northern Ireland Office (NIO) in breach of the Data Protection Act after it failed to supply an individual with information it held on him. The ICO said on 14 September 2007 that it had investigated the NIO following a complaint from an individual that the authority had not responded to a subject access request. Under the Data Protection Act individuals have the right to find out what information an organisation holds on them.”

Work At Home

As everyone has a vested interest in encouraging work at home, would it make sense for a single set of guidelines to be used across government? The clarity would be useful for smaller units and if vetted by someone like the CSIA, might increase take-up. I think the areas to be covered are fairly clear:
1. Prohibition of unsecured wireless access to the Internet
2. Password protection of both computer and government files/data
3. Preference for use of government laptops/desktops for home work
4. Minimum set of physical security requirements for computers, including anti-virus protection, protection against malware, etc.
5. Reporting procedures (not punitive) for loss of data or computer
6. Procedures regarding peripheral equipment
7. End of life turnover of computer or hard disk to controlling authority for destruction

I googled the term and the first return was for the Hertfordshire Constabulary. They seem to have done quite a good job, except for end of life issues for personal computers used for work.

However, the Surrey, Heath and Woking Primary Care Trust merely states that employees must keep equipment secure and bizarrely, that the PCT must inform them of security requirements. Hope there’s another document out there.

The Robert Gordon University policy is much more worried about viruses transported back to the University system than anything else, although they mention the importance of backing up data frequently to avoid loss or corruption, and say that employees must have ‘appropriate safeguards’ for home computing. This is followed by a link to the University IT policy, a series of Word documents that must be downloaded separately, and none of which are labeled ‘Security.’

I really think someone like the CSIA should promulgate a policy for basic home work procedures, and tack on an addendum for those who deal with sensitive information. Clarity and consistency would, I think, go a long way. So would the ability for a small business unit to feel that they have covered all the bases. It could be as simple as their Get Safe Online website…

Should Everyone Be On The DNA Database?

The reaction from (I think) almost everyone who contributes to the Blindside project would be no. However, after hearing our impassioned arguments, many in Government still believe it is in the UK’s best interests to order everyone in the UK to submit DNA to government for inclusion in a national database.

Instead of starting off with my reasons why I think this is a seriously flawed idea, I want to focus on the reasons why some think it is good–or at least necessary. I don’t believe that all who support a comprehensive DNA database are either evil or fools, and some clearly have given thought to this.

A national registry of DNA would help government perform some things more efficiently without requiring structural change. Currently, the national media keeps attention focused on certain major issues–crime, and to a lesser extent (this year at least), immigration. Government supporters of a DNA database evidently believe that it would help deal with those issues.

My argument (FWIW) against this is that a DNA database would help in solving crime and identifying current illegal immigrants, but would do much less in preventing crime and future illegal immigration. Similar arguments were advanced regarding CCTV’s potential for deterrence of crime, and these arguments proved invalid. CCTV has not deterred crime, but has helped identify criminals after the fact. I don’t think a DNA DB would play out much differently. Hence, to me it seems a major sacrifice of personal liberty for a false hope. If a DNA database proves ineffective in dealing with crime and immigration, they will not throw away the DB in disgust.

But the current structure of police forces, with fewer cops on the beat actually deterring crime, has shifted its focus to high tech resolution of crime instead. A DNA database would allow them to keep the same structure, beefing it up and increasing their powers. A DNA DB would allow the judicial system, currently fighting a backlog at the same time it resists internal technological change, to be (it hopes) more efficient without, again, undergoing structural change.

The persistence of the desire for such a database in the face of all the problems that have been noted in the concept means to me that government feels besieged, not just by crime and immigration (which aren’t nearly as bad as the effects of media coverage of same), but by all the effects of the 20th and 21st centuries, and is searching for a silver bullet that will allow them to do things the way they want to do them.

There has been considerable reorganisation of government departments over the past 5 years, but it’s hard to avoid the impression that much of that has been name changing and seat shuffling. I think the most passionate advocates of a DNA database are really defending their way of life more than anything else.

I do think every discussion of a national DNA registry should include a brief summary of some of the most important objections to it:

1. Data will be entered incorrectly, lost or sold illegally. As the system gets used for more purposes, the effects will be fatal to some. Lives will be lost.

2. People will learn how to defeat the system, reducing its reliability. The most common means will be via corruption of civil servants.

3. The money spent on such a system, if redirected towards a more visible police presence in city centres on Saturday nights and at the principal points of entry into the UK, would actually reduce crime and illegal immigration to the extent that the DNA registry would not be necessary.

4. As currently constituted, the UK government is incapable of holding this information securely. It will be stolen. It will be sold.

5. Maintaining border security by identifying ‘legitimate’ citizens and assuming anyone not on the list is illegitimate will result in wide-scale violations of human rights and crimes against those who do not appear on the list.

I almost got through that list without mentioning human rights, and I didn’t talk about liberty either. They evidently are not a major consideration in this argument, so why beat a dead horse?

Let me just mention what I would support. A database for the NHS with voluntary contributions of DNA to assist in patient care. Mandatory DNA sampling of criminals convicted of a serious crime. That’s it.

And by the way, it should be obvious that arguments against a national DNA registry transfer without much modification to a National Identity Card Programme. As with a DNA registry, it is being proposed to benefit government, and the burden of proof needs to be placed squarely on the shoulders of its proponents.

Dangers of: Remote Working, Passport Counter Signatories, Microsoft Vista

Hi all,

I have referred in the past to Dave’s Bit Bucket, run by Dave Walker of Sun. His blog can be a bit of a slog as he actually has the temerity to post code up regarding his Trusted Extension work, which just glides gracefully over my head. However, when he turns his attention to other subjects, we have to pay attention. So I will perform a much-needed public service here and link to specific posts relevant to Blindside:

Dave’s earlier post on Microsoft Vista (Why Microsoft Windows Vista cannot be deployed in Government, Critical National Infrastructure, or Battlespace …and I may well have missed a few categories for the sake of a concise subject line, especially where Finance, Aerospace, etc are not specifically included under the banner of “Critical National Infrastructure”. Read this, and be startled. Update: Putting a black hat on for a moment, this also means that Microsoft’s licensing verification servers will be the number 1 target for any actual Black Hat who wishes to cause general chaos, rather than target specific organisations; taking the licensing servers down in a manner which resulted in an outage of significant duration would precipitate a worldwide Vista outage. Also, in battlespace, if you’re running Solaris and your enemy is running Vista, it may be within the rules of war to target Microsoft’s licensing infrastructure (with either electronic warfare methods or, depending on the sphere of conflict, ordnance) and watch your enemy’s C4I infrastructure collapse…)

led to Dave linking to this: “DRM bites again: the Microsoft Windows Genuine Advantage servers (which every XP and Vista install phones home to) all failed sometime earlier today. The result? Every single Windows XP and Vista installation — except possibly those with volume license keys — is being marked as counterfeit when it tries to check in. Installations which are flagged as counterfeit switch to a “reduced functionality mode” which results in features like Aero and DirectX being disabled.”

When it comes time for Dave to renew his passport, he immediately sees a problem: “From the large list presented - and notwithstanding the extending clause of “someone of similar standing in the community” - I suspect that the average person wouldn’t have too much trouble finding someone who could be duped or bribed into providing a false assertion of identity for the Passport Office… ”

And, although we don’t want to stimulate plot ideas for 24, Dave looks ahead to future problems with remote working: “With the continued rise in home-based and mobile working, the possibility of staff being forced to access and potentially modify data by suitably-armed ne’er-do-wells becomes a genuine - if niche - security issue. (…) Taking this into account, it’s possible that a well-designed system which authenticates users based on a username and password would require up to 4 passwords per user - one for legitimate login in a non-duress situation, and three more, one for each type of duress!”
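To make the “one password per type of duress” idea concrete, here is an added example (mine, not code from Dave’s Bit Bucket or the Blindside project) of a login check that stores a normal password and up to three duress passwords per user. The three duress category names, the PBKDF2 work factor and the `AuthService` API are all assumptions; the post names none of them. The point for a defender is the behaviour on a duress match: the login still succeeds so the coercer sees nothing unusual, but a silent alarm is recorded for the security team, and every stored hash is compared on every attempt so response time does not reveal which slot matched.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Work factor for PBKDF2-HMAC-SHA256. Assumption for this example; tune to
# your hardware so that a single check costs a noticeable fraction of a second.
ITERATIONS = 100_000

# The duress categories are an assumption: the post only says "one for each
# type of duress" without naming them.
DURESS_TYPES: Tuple[str, ...] = ("coerced_read", "coerced_modify", "hostage")


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a fixed-length hash. One salt per user covers all of that
    user's passwords, so verify() derives the candidate hash only once."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


@dataclass
class UserRecord:
    salt: bytes
    normal_hash: bytes
    duress_hashes: Dict[str, bytes]  # duress type -> hash


@dataclass
class AuthResult:
    granted: bool
    duress: Optional[str] = None  # set when a duress password was used


class AuthService:
    def __init__(self) -> None:
        self.users: Dict[str, UserRecord] = {}
        # Silent alarm log of (username, duress type). In a real deployment
        # this goes to the security team, never to the screen of the person
        # logging in.
        self.alarms: List[Tuple[str, str]] = []
        # Dummy record so an unknown username costs the same as a known one.
        self._dummy = UserRecord(os.urandom(16), bytes(32),
                                 {t: bytes(32) for t in DURESS_TYPES})

    def enrol(self, username: str, normal_password: str,
              duress_passwords: Dict[str, str]) -> None:
        unknown = set(duress_passwords) - set(DURESS_TYPES)
        if unknown:
            raise ValueError(f"unknown duress types: {sorted(unknown)}")
        all_pw = [normal_password, *duress_passwords.values()]
        if len(set(all_pw)) != len(all_pw):
            # A duress password equal to the normal one could never be told apart.
            raise ValueError("normal and duress passwords must all be distinct")
        salt = os.urandom(16)
        self.users[username] = UserRecord(
            salt,
            hash_password(normal_password, salt),
            {t: hash_password(p, salt) for t, p in duress_passwords.items()},
        )

    def verify(self, username: str, password: str) -> AuthResult:
        rec = self.users.get(username, self._dummy)
        candidate = hash_password(password, rec.salt)
        # Compare against every stored hash with no early exit, so timing does
        # not reveal whether the normal or a duress slot matched.
        normal_ok = hmac.compare_digest(candidate, rec.normal_hash)
        matched_duress: Optional[str] = None
        for dtype, dhash in rec.duress_hashes.items():
            if hmac.compare_digest(candidate, dhash):
                matched_duress = dtype
        if rec is self._dummy:
            return AuthResult(False)
        if matched_duress is not None:
            # Let the login proceed so the coercer sees nothing, but flag it;
            # the application can then serve limited or decoy data.
            self.alarms.append((username, matched_duress))
            return AuthResult(True, matched_duress)
        return AuthResult(normal_ok)


if __name__ == "__main__":
    # Constructed sample credentials for a stand-alone run.
    svc = AuthService()
    svc.enrol("alice", "correct horse",
              {"coerced_read": "battery staple", "hostage": "ocean view"})
    print(svc.verify("alice", "correct horse"))
    print(svc.verify("alice", "battery staple"), svc.alarms)
```

The design choice worth noting is that a duress login is indistinguishable from a normal one at the point of entry; the difference lives only in the server-side alarm log and in whatever reduced view the application chooses to present afterwards.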

The FBI gets a TiVo…

This article, by Wired’s Ryan Singel details the FBI’s wiretapping capabilities with DCSNet, a communications surveillance network built under CALEA that sounds like it might have been advertised with the slogan, “Be the envy of other major governments”. The salient points:

- The FBI has extremely wide-ranging wiretapping facilities that let it log into a provider’s network; the provider turns on the tap once it receives a court order

- It’s having trouble with Skype, because there’s no central point to tap

- These digital wiretaps are more expensive than the traditional physical kind (by nearly a factor of ten) and processing the data is also considerably more expensive (all of which we taxpayers get to pay for)

- There are significant security holes inside DCSNet itself, many of which were spotted in its predecessor system, Carnivore.

wg

A Secret Shared Is Not A Secret Halved

I guess I’ll never be a comedian–I don’t do things in the right order.

Here’s the punchline: Safety fears over new register of all children. “It will be available to an estimated 330,000 vetted users. Some of those allowed to check records, such as head teachers, doctors, youth offender and social workers, are uncontroversial, but critics have questioned why other potential users, such as fire and rescue staff, will have access to the database.”

Erm, why is this level of access uncontroversial?

Here’s the set-up:

Five civil servants who help run the national DNA database have been suspended after being accused of industrial espionage. It is alleged they copied confidential information and used it to set up a rival database in competition with their employers, the Government’s Forensic Science Service.

A civil servant who was paid thousands of pounds to rubber stamp passport applications for illegal immigrants and a drug dealer was jailed for two years and two months today.

An internal investigation at the Department for Work and Pensions (DWP) has found that civil servants are colluding with organised criminals to steal personal identities on “an industrial scale”. Ministers have been privately warned that the investigation will show that hundreds of thousands of stolen personal details have been ripped off from official databases, often with inside help. Key personal details such as national insurance numbers can be used to commit benefit fraud, set up false bank accounts and obtain official documents such as passports.

More than 200 civil servants in the Department of Work and Pensions (DWP) have been disciplined for surfing the Web for porn during office hours. In the last eight months the staff accessed over two million pornographic images, including 18,000 involving child abuse. The Sun newspaper reports that some of the sites touted images purported to be of kids as young as 13.

Teacher arrested over child porn

And in a different case,

Teacher arrested over child pictures

And in a different case,

Royal News Princess Eugenies Teacher Arrested On Porn Charges

And in a different case,

Ex-teacher charged with sexual encounter with pupil

And in a different case,

College rocked by new sex scandal

I give up–there’s a lot more out there.

Second Crack at SCADA Issues

I must confess that when I first heard about SCADA-related security issues, the first thing that came to my mind was some of the hype about the Millennium bug. It just seemed a bit too convenient that the people highlighting the issues were the people selling solutions to combat it. (SCADA refers to Supervisory Control and Data Acquisition, proprietary computer control networks used in a lot of industry, such as utilities and chemical plants, etc., etc.)

But Y2K was not all smoke, of course. In addition to providing a key trigger for the Indian consultancies, it prompted a lot of thinking about IT security, and some of it is relevant to SCADA. And we need to take this to the next level of depth.

If you saw Bruce Willis in Die Hard 4.0, you saw the bad guys hijack a lot of SCADA networks in order to generate pyrotechnics and chances for the hero to get out of DC. My understanding is that this is not at all realistic. (What? A Hollywood action movie not realistic?) But we need to have this vetted.

My preliminary understanding of this is that security was not built into SCADA networks when they were implemented and that organisations have been slow to build it in after the fact. As some of the functionality of SCADA networks migrated onto WANs and the Internet, network owners did not build in normal security protocols to protect from snooping, hacking and the same viruses and worms that bedevil all Internet users.

How correct is this preliminary understanding?

My casual reading of the literature suggests that precautions have been advised since 1999, that groups exist to highlight best practice and stimulate awareness of SCADA security issues, and that the problem is not so dire as to require the services of balding Yank action heroes.

Am I living in a dream world? Digital Bond, a security consultancy, would probably have you think so. This article in the August 22 issue of Forbes, the American business magazine, also expresses a level of concern that goes far beyond my preliminary assessment, talking about a successful penetration of a nuclear power plant’s SCADA network. IT Security expert Bruce Schneier wrote that he didn’t think SCADA was as much of a problem now as it would be in future, but in the same blog post he linked to a March 2007 story that detailed a serious hole found in the U.S. national infrastructure. I read this shortly after I blithely wrote on the Blindside wiki that I thought the maximum impact from SCADA issues was in the present, while solutions were being developed but adopted unevenly.

So which is it? Am I living in a dream world and ignoring a serious threat? Is SCADA security being over-egged by security vendors? Is the problem going to get worse?

We could use a little help on this one, folks.

Here’s what we wrote on the wiki.

I’ve Got A Little List…

Posted by Tom Fuller in Blindside project, Data breaches at August 23rd, 2007

Yesterday I asked if anyone is keeping a list of data disasters. Somebody is.

In the comments, Glyn noted that the Open Rights Group started to keep a list, documenting the disasters, as it were… Although it could use some updating, it appears.

Digital Rights Case Studies: http://www.openrightsgroup.org/orgwiki/index.php/Digital_Rights_Case_Studies

Monster Ball

Via the BBC: “US job website Monster.com has suffered an online attack with the personal data of hundreds of thousands of users stolen, says a security firm. A computer program was used to access the employers’ section of the website using stolen log-in credentials. Symantec said the log-ins were used to harvest user names, e-mail addresses, home addresses and phone numbers, which were uploaded to a remote web server.”

Oops. Is anybody keeping score on these things? It’d be great to be a journalist covering this subject. Write the story once, use search and replace on the company name, hit submit.

If this is happening to companies that live or die based on their security, what do we expect to happen in situations (such as some government applications) where security is a ‘tick the box’ annoyance? Don’t get me wrong, a lot of people in government are passionate about information security–but by no means is it universal.

What are the possible consequences? Well, the story continues: “The program used to access Monster.com user data was a Trojan, which are commonly used to gain access to bank details, usernames and passwords. More than 8,000 new variants of Trojans are found each month, according to internet security specialists Sophos.

Last year, a British nurse was blackmailed by hackers who had used a Trojan to access her personal e-mails. They threatened to reveal personal details unless she paid them.