Privacy archives - Sister CISA CISSP


Oct 2 2009   3:35PM GMT

Your Electric Utility and The Privacy Impact



Posted by: Arian Eigen Heald
Privacy, information security, Data Breaches

You wouldn’t think that the power meter in your basement could have anything significant to say about you, personally, would you? Well, you (and I) would be wrong, very wrong, on that point.

We tend to have the mindset that only computers store and transport personal information, but there are far more items transmitting across IP or wireless connections, or RFID that by their nature reveal information about us.

Consider the EZ Pass, common on cars throughout the US. Officials can use that to track where your car is (and presumably you, or errant offspring) by watching where you have paid your tolls. That and your phone bill tell a great deal of “where, when and who” information.

There are privacy concerns about what there is in your wallet carrying an RFID chip, and how far away that information could be captured (estimates range from 3 ft to 30 ft). Credit cards, driving license and passports give your life away to the right reader.

Transmissions from webcams, security cameras, and smartcards also go across the IP network.

So, imagine my dismay upon reading my colleague Rebecca Herrold’s Blog posting on SmartGrid privacy issues.

A SmartGrid “delivers electricity from suppliers to consumers using digital technology to save energy, reduce cost and increase reliability and transparency. Such a modernized electricity network is being promoted by many governments as a way of addressing energy independence, global warming and emergency resilience issues.” (Quote from Wikipedia) The Wikipedia article is very well written, by the way.

All this sounds very nice until you read about a utility that planned to use power utilization to target low income customers for a “pre-pay” billing cycle.

Once again, a new technology puts security and privacy last. Her table made my hair curl.

The concept is marvelous for municipalities and governments; it provides an upgrade to an infrastructure put into place 120 years ago.

However, consider one of the points that Rebecca Herrold makes:

“The meter data could reveal resident activities or uses that utility companies may then subsequently decide are inappropriate or should not be allowed. Without restrictions, if this information could then be shared with local government, law enforcement, or public media outlets the residents could suffer embarrassment, harassment, loss of vital appliances, or any number of other damaging actions.”

What happens to privacy when that information is captured during a data breach?

Jun 22 2009   5:32PM GMT

Google Thyself



Posted by: Arian Eigen Heald
Google hacking, Identity theft, privacy on the web, Privacy

I have a series of Google Alerts set up to alert me daily on such interesting topics as data theft, data breach, etc., etc., and I have one set up for my full name, or any two parts thereof. I have, as it happens, a very unique name, and should someone decide to post my name and information for sale on any of “those” forums, or otherwise post as me, I will be notified.

It is common these days for HR staff to run a search engine query on potential employees. I still capture emails I sent out in 1999 about a technical issue where I was working that are archived in various places.

So you have a terribly common name - no big deal. Try using your full name in quotes, with a plus sign, then your city and state. So, for example John Smith might start out with Google results of “about 66,500,00,” but use of quotes narrows the results to “about 5,730,00.”

Now add a city, say Atlanta, and the results draw down further to “around 130,000.” Paradoxically, if you add Atlanta, Georgia, the results go up to 150,000, but if you add the state as GA, the results drop further to around 39,000.

If you’re on the web on a regular basis, do yourself a favor and keep an eye on yourself.


Jun 15 2009   12:23PM GMT

Web Bugs and Email



Posted by: Arian Eigen Heald
web bugs, privacy on the web, Privacy, HTML email security, information security

I’m a big advocate of disabling HTML in email messages. The marketing people scream because they can’t run their pretty code to sell products and convey appealing images. Other folks love being able to use those nice fonts you can’t use with Rich Text for signatures.

But a pretty face can’t justify the dangers in accepting HTML email. I’m not talking about Gmail, Yahoo or Hotmail - those are web clients for email. By default they accept HTML email, but you can turn that off.

Virus writers have known for years that the auto-open of Microsoft Outlook will “run” HTML code, including activating embedded web bugs.

The recent report on Web Tracking by the University of California at Berkeley spotlights the use of web bugs on web pages and HTML email messages. HTML Email can be written to:

1. Use a web bug to find out if a particular message has been read by someone and if so, when the message was read.
2. Use a web bug to provide the IP address of the recipient.
3. Use a web bug to report how often a message is being forwarded and read.

Spammers love web bugs, because they can be invisibly embedded in the email HTML code to do the following:

1. To detect if someone has viewed a junk email message or not. People who do not view a message are removed from the list for future mailings.
2. To synchronize a Web browser cookie to a particular email address. This trick allows a Web site to know the identity of people who come to the site at a later date.

Plus, phishers can use HTML to disguise the link that they send in the email so that it “looks” like a legit site.

HTML in email can be turned off, and frankly, should be turned off.


Jun 11 2009   2:50PM GMT

Storm Clouds Ahead



Posted by: Arian Eigen Heald
cloud computing, cloud security, PCI, Privacy, Admins and Auditors

It seems like every big vendor is pushing for business to “use the cloud.” Only now are we starting to see some questions arise in the general media about how secure cloud computing is.

The short answer is: it’s not. Intrinsically, whoever has physical ownership of your hardware has your data. It’s all very nice to say you will save money by outsourcing, but there are no hard and fast statistics to support that. What you save in outsourcing may come back in the form of increased costs for securing your data outside of your data center.

And you do know, of course, that the Feds can look at your data in that cloud without a warrant, don’t you?

So what CAN you do to save money and justify the “real costs” of keeping your data local to higher management?

First: Explore virtualization - Many organizations have realized enormous hard savings in electricity, storage space, UPS, etc. by utilizing Virtual Machines to run their applications. The added bonus is that you can have immediate full backups stored elsewhere. It’s also marvelously easy to test a patch on a virtual machine, without having to worry about breaking something in production.

Second: Re-negotiate contracts - If a vendor isn’t meeting your standards, now is the time to switch. There is an enormous competition going on with this downturn of the economy. If nothing else, get a better deal than the contracts you have.

There’s quite a bit on the web that can help you justify costs internally. But when the discussion about clouds comes up, make sure you ask the questions needed, such as:

1. How will we provide audit information from the cloud?
2. How do we control access to our data? (This will be the real question, because ultimately, the cloud vendor will control access, not your company. You may be able to control application access, but that does not address the server OS or underlying database controls.)
3. How will we monitor access to our data? Because there is no standard for thin-client computing security, the answers will be all over the map, and usually cost you more money.

The PCI standards council is currently looking at cloud computing with an eye to evaluating the security of credit card data. I’ll be interested to hear what they come up with. In the meantime, consider one of my Rules of Thumb: You can outsource data, but you can’t outsource data responsibility.

If you do find a vendor that says they can help you stay compliant, make sure you understand the contract very, very well. Your job could depend on it. I suspect the cost savings will be small, but it’s worth examining just for comparison’s sake with what your organization is doing now.


Jun 3 2009   3:36PM GMT

Web Bugs and Web Privacy



Posted by: Arian Eigen Heald
web bugs, Privacy, information security

A study just released by the University of California at Berkeley details just how much big business uses web tracking, and how little they appear to care about the privacy of users.

This really is not new information. The biggest businesses use it constantly to track visitors, and even Google gives you quite a lot of information via Google Analytics. The issue, I believe, is how much is really being tracked and how well it is hidden.

Heard of “web bugs”? A Web Bug is a graphic on a Web page or in an (HTML) email message that is designed to monitor who is reading the Web page or email message. Web Bugs are almost always invisible on a web page or HTML email because they are typically only 1-by-1 pixel in size. They are represented as HTML IMG tags. Those don’t show up at all in the page, only if you look at the source code of the page. And how many of us do that?

The report goes into some very relevant detail about how web bugs are the predominant tool used by businesses because they are simple and “invisible” to the visiting user. For example, if you look at the source code of a web page, you’ll see something like this:

They are easy to identify because they contain pointers to another IP address.
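An added example (not from the original post or the Berkeley report): a small Python check that lists the `<img>` tags in a page or HTML email that behave like web bugs, meaning a tiny or hidden image fetched from a server other than the one you are reading. The hosts, the sample markup, and the names `find_web_bugs` and `WebBugFinder` are constructed for illustration; the same check covers the email tracking uses listed in the earlier "Web Bugs and Email" post (pass no first-party host, since any remote image in an email is a third-party fetch).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

_STYLE_DIM = re.compile(r"(?<![-\w])(width|height)\s*:\s*(\d+)\s*px", re.I)
_HIDDEN = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

def _dims(attrs):
    """Pixel (width, height) from attributes or inline style; None when unknown."""
    size = {}
    for key in ("width", "height"):
        m = re.fullmatch(r"\s*(\d+)\s*(?:px)?\s*", attrs.get(key, ""))
        if m:
            size[key] = int(m.group(1))
    for key, val in _STYLE_DIM.findall(attrs.get("style", "")):
        size.setdefault(key.lower(), int(val))
    return size.get("width"), size.get("height")

class WebBugFinder(HTMLParser):
    def __init__(self, first_party=None):
        super().__init__()
        # No first-party host (email): every remote image counts as third party.
        self.first_party = (first_party or "").lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: v or "" for k, v in attrs}
        url = urlsplit(a.get("src", "").strip())
        host = (url.hostname or "").lower()
        if not host:
            return  # relative, cid: and data: sources make no request to another server
        fp = self.first_party
        third_party = not fp or not (host == fp or host.endswith("." + fp))
        w, h = _dims(a)
        tiny = w is not None and h is not None and w <= 1 and h <= 1
        if third_party and (tiny or _HIDDEN.search(a.get("style", ""))):
            self.findings.append({"host": host, "carries_id": bool(url.query)})

def find_web_bugs(html, first_party=None):
    finder = WebBugFinder(first_party)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed samples (hosts use reserved example names).
SAMPLE_PAGE = """<img src="/images/logo.png" width="200" height="60">
<img src="https://static.shop.example/banner.jpg" width="468" height="60">
<img src="http://ads.tracker.example/pixel.gif?page=checkout&uid=12345" width="1" height="1">
<img src="//metrics.example.net/b.gif" style="width:1px; height:1px">"""
SAMPLE_EMAIL = """<img src="cid:header@newsletter" width="600" height="120">
<img src="http://mail.sender.example/open.gif?rcpt=alice%40corp.example" height="1" width="1">"""
```

A `carries_id` of true means the image URL has a query string, which is where a per-recipient or per-visitor identifier would travel.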

So, why should we care? After all, marketing people watch what we do all the time in the retail marketplace, so they can target their products to the right audience. Benignly, ad networks can use web bugs to add information to a personal profile of what sites a person is visiting. The personal profile is identified by the browser cookie of an ad network. At some later time, this personal profile, which is stored in a database server belonging to the ad network, determines what banner ad one is shown.

It’s rather like having someone shadow everywhere you go during the course of the day. They just follow you around, writing down everything you look at and/or buy. Then they sell that information to someone else, but they won’t tell you what information they’ve written down or who they’re selling it to.

That seems pretty intrusive, when it’s put that way, doesn’t it?

Do you want to be able to SEE web bugs when you’re surfing? There used to be a nifty piece of software, BugNosis, but it is no longer available. It’s hard to complain about what you can’t see. So the guy following you is now invisible.

Current regulations allow third-party Web tracking without the user’s permission. “Third-party trackers are not governed by a Website’s privacy policy. Therefore, they have no incentive to allow users to view or delete information collected about them. In addition to this lack of participation, users have no ability to avoid third-party tracking. There is no opt-out, let alone opt-in.”

The report states that “In our analysis of privacy policies, 36 of the Websites affirmatively acknowledged the presence of third-party tracking. However, each of these policies also stated that the data collection practices of these third parties were outside the coverage of the privacy policy. This appears to be a critical loophole in privacy protection.”

“In our analysis of the privacy policies, we found that 46 of the top 50 companies affirmatively state that they share data with affiliates, and the four remaining were unclear,” the researchers report. “We sent each company a request via email or an online Web form for a list of each affiliate they may share data with. We received 14 replies, but none included the lists we asked for. Most stated that they do not disclose corporate information. Based on our experience, it appears that users have no practical way of knowing with whom their data will be shared.”


Feb 17 2009   6:44PM GMT

“Electronic Medical Records” or “Ready - Fire - Aim!”



Posted by: Arian Eigen Heald
Compliance, HIPAA, data security, medical identity theft, Privacy

What happens when we build a national database, with everyone’s health records? Will everyone get better, less expensive healthcare? That’s the impetus for funding a portion of the stimulus bill to push more health providers into the electronic age.

There are three items to consider, and they are the same ones we must always deal with:

Confidentiality - WHO has access to your health records? Right now hospitals, doctors, pharmaceutical companies and the government have access to your health records. And probably a lot more marketing companies have pieces of information, as well. An online pharmacy clerk in West Overshoe knows all your prescription medications and is paid minimum wage.

Integrity - Is your data accurate? Or has someone stolen your medical information to get health care, died, and left you with a rolling disaster?

Availability - Can you inspect and correct your data - ALL your data, including any diagnoses? What if you don’t agree with one? Can you delete it?

If you compare the answers, it looks remarkably similar to where your (and my) credit record is right now - in the hands of the data miners. All my data belong to….them.

From a regulatory perspective, the Feds are not providing any real consequences for medical data breaches, or lack of HIPAA compliance. They are waving a large carrot around, instead. Only one or two organizations have actually been fined for non-compliance, despite a large uptick in data breaches. It is left to the outraged patient to sue for damages. There are no clear statistics for medical identity theft, because the appropriate agency isn’t tracking them.

It’s one thing to get information online, another thing to get it online safely. It seems to be a pattern in every industry that data becomes electronic before any thought of security.


Feb 13 2009   10:06PM GMT

Facebook Hacking



Posted by: Arian Eigen Heald
Security, Identity theft, Privacy, Penetration testing

I don’t have a Facebook profile. I’ve never even been ON Facebook. There’s something about posting one’s life constantly that I just don’t find all that appealing. I’ve got too much to do online as it is. I admit to being on LinkedIn, mostly because my University dean pushed the entire graduating class from Norwich to get connected, but I find it is of limited value. I often get people I don’t know trying to connect into my network. If I don’t know you personally, I’m not about to do any connecting.

Posting information about oneself has definite perils. I thought long and hard about doing a blog, and I think (or try to) carefully about what I write and who I write about. When I “google” myself, (you have, haven’t you? I know you have) I still see posts from the year 2000. So consider that what you posted five years ago about your problem with your Exchange server using your work email address is probably still out there. How detailed was your post? If somebody read it today, what would it tell them about your network?

So I read with considerable interest a blog posting detailing the use of Facebook as the social research part of penetration testing, and I’d suggest you read it too, especially if your company is using Facebook as a Team tool.

I guess it’s another way of saying that Facebook isn’t just for identity thieves, stalkers and pedophiles anymore. Considering such articles as “Facebook Killed My Career,” a woman being killed due to her Facebook update, and now using it for hacking, I’m a bit dismayed by the ingenuity of “bad people.”

I’d also like to recommend an article, “Ten Settings Every Facebook User Should Know,” as a good starting point for adults and kids. And take the hacking article to your team if you’re using Facebook/MySpace for team building.