Monday 27 May 2013

So secure that it's insecure

A few months ago, Jeremiah Grossman, WhiteHatSec CEO, gave a detailed account of the efforts he had to go through to get access to his encrypted disk image.  He had forgotten his password.

Luckily, it all worked out in the end. With the help of very smart people, he managed to retrieve the password.

So we know the encrypted disk image was very secure since even he could not access it.

But was it secure?

Let's start with two definitions from ISO 27000:2012

property of being accessible and usable upon demand by an authorized entity.

Information Security:
preservation of confidentiality (2.13), integrity (2.36) and availability (2.10) of information

The definitions show us that "availability" is an important aspect of information security. The data must be "available on demand". In this case, the data was clearly not available on demand. Therefore the preservation of availability was not achieved. This means that an information security "event" occurred.

The  encrypted disk image was so secure that it was insecure. The ultimate insider attack.

Agreed, the logic outlined above is a bit contorted, but you get the idea.

Most people think about security in terms of confidentiality - the system was "hacked". However, don't forget that availability is the third leg of the information security triad:
  • confidentiality
  • integrity
  • availability
For a system to be secure, it must preserve all three properties.

Useful Links

Social: DiggIt! Reddit Stumble Google Bookmarks Technorati Slashdot

Monday 20 May 2013

Irish Data Protection Commissioner - Annual Report 2012

The Irish Data Protection Commissioner released his annual report for 2012. It is worth having a quick look through the press release and  report to see what are the current issues. It is especially worth reading the appendix 4 on the INFOSYS system, which gives access to data held within the department of Social Protection's system.

To quote from the press release:
  • "One of the major themes in this year’s report concerns the issue of sharing personal data in the public sector which has featured regularly in previous annual reports from this Office". 
The importance of audit trails is stressed in relation to who accessed data. This is of particular importance in the public sector where you usually don't have a choice as to whether you appear in the database or not. Usually in the private sector, you have some sort of say about the sites that you use.

A number of cases are highlighted where data was accessed inappropriately by users of the INFOSYS system.

In addition, some members of the Police Force are shown to have accessed the PULSE Police system inappropriately to look at information on celebrities.

This matters. 

A few weeks ago, the Irish Independent reported on the powers that the Revenue Commissioners now have. Revenue Commissioners boss Josephine Feehily told a Government committee: 
  • "that tax officials can now trawl through reams of data, including bank accounts and mobile phone numbers, to spot cheats."
This sounds like the kind of stuff that the old East German secret police could only have dreamed of - and it will only get worse. Governance in relation to how public bodies manages personal data is vital. The audits carried out by the Data Protection Commissioner are critical in making sure that there is some sort of proper security in place.
  • How is this data used?
  • Is this data misused and abused?
  • How is the "mobile phone" and "bank account" data made available to the Revenue?
  • Is it deleted when no longer necessary?
  • Who has access to this data?
  • Is there an audit trail of all access?
  • etc.....the list goes on.

One good thing is that the Commissioner says that his office is adequately funded.

Useful links

Social: DiggIt! Reddit Stumble Google Bookmarks Technorati Slashdot