I didn’t write about this story at first because we’ve seen it so many times before: a disk with lots of personal information is lost. Encryption is the simple and obvious solution, and that’s the end of it.
But the UK’s loss of 25 million child benefit records — including dates of birth, addresses, bank account information, and national insurance numbers — is turning into a privacy disaster, threatening to derail plans for a national ID card.
Why is it such a big deal? Certainly the scope: 40% of the British population. Also the data: bank account details; plus information about children. There’s already a larger debate on the issue of a database on kids that this feeds into. And it’s a demonstration of government incompetence (think Hurricane Katrina).
In any case, this issue isn’t going away anytime soon. Prime Minister Gordon Brown has apologized. The head of the Revenue and Customs office has resigned. More is certainly coming.
And this is an easy security problem to solve! Disk and file encryption software is cheap, easy to use, and effective.
Posted on November 26, 2007 at 1:15 PM •
According to a new report, the FBI has lost 160 laptops, including at least ten with classified information, in the past four years.
But it’s not all bad news:
The results are an improvement on findings in a similar audit in 2002, which reported that 354 weapons and 317 laptops were lost or stolen at the FBI over about two years. They follow the high-profile losses last year of laptops containing personal information from the Veterans Administration and the Internal Revenue Service.
In a statement yesterday, FBI Assistant Director John Miller emphasized that the report showed “significant progress in decreasing the rate of loss for weapons and laptops” at the FBI. The average number of laptops or guns that went missing dropped from about 12 per month to four per month for each category, according to the report.
The FBI: Now losing fewer laptops!
Posted on February 16, 2007 at 12:14 PM •
Second in our series of stupid comments to the press, here’s Kansas City’s assistant city manager commenting on the fact that they lost 26 computer tapes containing personal information:
“It’s not a situation that if you had a laptop you could access,” Noll said. “You would need some specialized equipment and some specialized knowledge in order to read these tapes.”
While you may be concerned the missing tapes contain your personal information, Cindy Richey, a financial planner, said don’t be too alarmed.
“I think people might be surprised at how much of that is already floating around out there,” Richey said.
Got that? Don’t worry because 1) someone would need a tape drive to read those tapes, and 2) your personal information is all over the net anyway.
Posted on January 24, 2007 at 1:04 PM •
This is a good idea:
To address the issue of data leaks of the kind we’ve seen so often in the last year because of stolen or missing laptops, writes Saqib Ali, the Feds are planning to use Full Disk Encryption (FDE) on all Government-owned computers.
“On June 23, 2006 a Presidential Mandate was put in place requiring all agency laptops to fully encrypt data on the HDD. The U.S. Government is currently conducting the largest single side-by-side comparison and competition for the selection of a Full Disk Encryption product. The selected product will be deployed on Millions of computers in the U.S. federal government space. This implementation will end up being the largest single implementation ever, and all of the information regarding the competition is in the public domain. The evaluation will come to an end in 90 days. You can view all the vendors competing and list of requirements.”
Certainly, encrypting everything is overkill, but it’s much easier than figuring out what to encrypt and what not to. And I really like that there is a open competition to choose which encryption program to use. It’s certainly a high-stakes competition among the vendors, but one that is likely to improve the security of all products. I’ve long said that one of the best things the government can do to improve computer security is to use its vast purchasing power to pressure vendors to improve their security. I would expect the winner to make a lot of sales outside of the contract, and for the losers to correct their deficiencies so they’ll do better next time.
Side note: Key escrow is a requirement, something that makes sense in a government or corporate application:
Capable of secure escrow and recovery of the symetric [sic] encryption key
I wonder if the NSA is involved in the evaluation at all, and if its analysis will be made public.
Posted on January 3, 2007 at 2:00 PM •
According to Newsday:
Hezbollah guerrillas were able to hack into Israeli radio communications during last month’s battles in south Lebanon, an intelligence breakthrough that helped them thwart Israeli tank assaults, according to Hezbollah and Lebanese officials.
Using technology most likely supplied by Iran, special Hezbollah teams monitored the constantly changing radio frequencies of Israeli troops on the ground. That gave guerrillas a picture of Israeli movements, casualty reports and supply routes. It also allowed Hezbollah anti-tank units to more effectively target advancing Israeli armor, according to the officials.
Read the article. Basically, the problem is operational error:
With frequency-hopping and encryption, most radio communications become very difficult to hack. But troops in the battlefield sometimes make mistakes in following secure radio procedures and can give an enemy a way to break into the frequency-hopping patterns. That might have happened during some battles between Israel and Hezbollah, according to the Lebanese official. Hezbollah teams likely also had sophisticated reconnaissance devices that could intercept radio signals even while they were frequency-hopping.
I agree with this comment from The Register:
Claims that Hezbollah fighters were able to use this intelligence to get some intelligence on troop movement and supply routes are plausible, at least to the layman, but ought to be treated with an appropriate degree of caution as they are substantially corroborated by anonymous sources.
But I have even more skepticism. If indeed Hezbollah was able to do this, the last thing they want is for it to appear in the press. But if Hezbollah can’t do this, then a few good disinformation stories are a good thing.
Posted on September 20, 2006 at 2:35 PM •
CIA agents exposed due to their use of frequent-flier miles and other mistakes:
The man and woman were pretending to be American business executives on international assignments, so they did what globe-trotting executives do. While traveling abroad they used their frequent-flier cards as often as possible to gain credits toward free flights.
In fact, the pair were covert operatives working for the CIA. Thanks to their diligent use of frequent-flier programs, Italian prosecutors have been able to reconstruct much of their itinerary during 2003, including trips to Brussels, Venice, London, Vienna and Oslo.
Aides to former CIA Director Porter Goss have used the word “horrified” to describe Goss’ reaction to the sloppiness of the Milan operation, which Italian police were able to reconstruct through the CIA operatives’ imprudent use of cell phones and other violations of basic CIA “tradecraft.”
I’m not sure how collecting frequent-flier miles is a problem, though. Assuming they’re traveling under the cover of being business executives, it makes sense for them to act just like other business executives.
It’s not like there’s no other way to reconstruct their travel.
Posted on July 26, 2006 at 1:22 PM •
At least one coded note, published in the Web site’s biography, has a strong resemblance to what’s known as Caesar cipher, an encryption scheme used by Julius Caesar to protect important military messages.
The letter, written in January 2001 by Angelo Provenzano to his father, was found with other documents when one of Provenzano’s men, Nicola La Barbera, was arrested.
“…I met 512151522 191212154 and we agreed that we will see each other after the holidays…,” said the letter, which included several other cryptograms.
“The Binnu code is nothing new: each number corresponds to a letter of the alphabet. ‘A’ is 4, ‘B’ is 5, ‘C’ is 6 and so on until the letter Z , which corresponds to number 24,” wrote Palazzolo and Oliva.
I got a nice quote:
“Looks like kindergarten cryptography to me. It will keep your kid sister out, but it won’t keep the police out. But what do you expect from someone who is computer illiterate?” security guru Bruce Schneier, author of several books on cryptography, told Discovery News.
Posted on April 24, 2006 at 6:52 AM •
A couple — living together, I assume — and engaged to be married, shared a computer. He used Firefox to visit a bunch of dating sites, being smart enough not to have the browser save his password. But Firefox did save the names of the sites it was told never to save the password for. She happened to stumble on this list. The details are left to the imagination, but they broke up.
Most bug reports aren’t this colorful.
Posted on March 27, 2006 at 7:53 AM •
Nice essay on the human dimension of the problem of securing information. “Analog hole” is a good name for it.
Along the same lines, here’s a story about the security risks of talking loudly:
About four seats away is a gentleman (on this occasion pronounced ‘fool’) with a BlackBerry mobile device and a very loud voice. He is obviously intent on selling a customer something and is briefing his team. It seems he is the leader as he defines the strategy and assigns each of his unseen team with specific tasks and roles.
Customer products, names, preferences, relationships and monies are being broadcast to everyone within earshot. The strategy for the conference call is discussed, and the specific customer now identified by name and company, and openly described as a BlackBerry nut!
Posted on March 8, 2006 at 12:48 PM •
“A Federal Court Rules That A Financial Institution Has No Duty To Encrypt A Customer Database“:
In a legal decision that could have broad implications for financial institutions, a court has ruled recently that a student loan company was not negligent and did not have a duty under the Gramm-Leach-Bliley statute to encrypt a customer database on a laptop computer that fell into the wrong hands.
Basically, an employee of Brazos Higher Education Service Corporation, Inc., had customer information on a laptop computer he was using at home. The computer was stolen, and a customer sued Brazos.
The judge dismissed the lawsuit. And then he went further:
Significantly, while recognizing that Gramm-Leach-Bliley does require financial institutions to protect against unauthorized access to customer records, Judge Kyle held that the statute “does not prohibit someone from working with sensitive data on a laptop computer in a home office,” and does not require that “any nonpublic personal information stored on a laptop computer should be encrypted.”
I know nothing of the legal merits of the case, nor do I have an opinion about whether Gramm-Leach-Bliley does or does not require financial companies to encrypt personal data in its purview. But I do know that we as a society need to force companies to encrypt personal data about us. Companies won’t do it on their own — the market just doesn’t encourage this behavior — so legislation or liability are the only available mechanisms. If this law doesn’t do it, we need another one.
EDITED TO ADD (2/22): Some commentary here.
Posted on February 21, 2006 at 1:34 PM •
Sidebar photo of Bruce Schneier by Joe MacInnis.