Category Archives: Security

Breaches in Ireland: Data Protection Commissioner Report

Ireland has published the Twenty-Second Annual Report of the Data Protection Commissioner, an office established by the Data Protection Act 1988, which was amended in 2003 to implement the provisions of EU Directive 95/46.

Aside from quantitative data (almost 400% increase in breach reports) it has many interesting qualitative stories with analysis. Here are a few examples:

Insurance companies are admonished for collecting data on risk yet not protecting it sufficiently from risk.

Several examples are given of insurance company employees caught performing unauthorised database searches for the usual reasons — curiosity about celebrities and news stories, and helping family and friends.

…far too many individuals in insurance companies had access to the database with little or no oversight of that access. Some serious incidents of inappropriate access were identified and are listed.

Unlike the move in America to put a tamper-proof “black box” on all vehicles, the Commissioner recommends that tracking devices have an obvious and usable “privacy” switch.

We explained that the use of tracking systems in vehicles can give rise to data protection issues if they are not deployed in a manner that takes account of the legitimate privacy expectations of vehicle drivers, particularly when they are off-duty. Monitoring or tracking, including in-vehicle monitoring, must comply with the transparency requirements of the Data Protection Acts. Staff must be informed of the existence of the tracking equipment and of the purposes for which their personal data is processed.

3rd-party certification audits of cloud environments are politely questioned in relation to “sectoral regulatory restrictions”; as I’ve mentioned before, not all compliance requirements are equal:

It remains the responsibility of the organisation that chooses to outsource to the “cloud” to ensure that the data is safe. The well-established EU model of a data controller entrusting data to a data processor applies in many cases. Outsourcing requires not only a written contract but also active measures to ensure data is secure in the “cloud”. If a cloud provider has taken the trouble to certify to recognised security standards such as ISO 27001 and SAS 70 or its successor SSAE 16, this provides significant reassurance about data security. But an organisation considering outsourcing also needs assurances about robust access controls, reliable data back-up systems and procedures in the event of data security breaches. Particularly where an organisation is subject to sectoral regulatory restrictions – financial services is a prime example – the organisation may not be satisfied to rely on third party certification and may want to carry out some form of audit at first hand.

Motorcade Security Theatre

Obama’s motorcade ran into some problems in Dublin.

I hope this turns into a new Guinness advertisement. You knew it was good for you, but did you know a few pints also could break the axle on an armoured presidential limo?

Speaking of theatre, you can drive anywhere you want in America with a fake motorcade…authentication implied, authorisation granted even to run red lights. You just have to avoid the “sleeping policemen”.

hUkt On f6nlks

Excellent research in a paper and presentation from the IEEE Symposium on Security and Privacy: “Phonotactic Reconstruction of Encrypted VoIP Conversations: Hookt on fon-iks”

Encrypting voice conversations on IP networks does not obscure them enough to prevent reconstruction. The attack does not break the cipher: variable-bit-rate codecs emit packets whose sizes depend on the sound being encoded, and length-preserving encryption (SRTP, for example) leaves those sizes visible on the wire. The method essentially applies the way our brains process spoken language to that packet-size trace. We hear sounds that resemble those in our memory and pattern-match against them; the same patterns can still be found in the packet lengths of an encrypted VoIP stream.

The study cites numerous related works, and there have been similar presentations at IEEE venues before, but this one stands out because it assumes no prior knowledge of target phrases: attacks are far easier than previously thought.

In this work, we make no such assumption about a priori knowledge of target phrases. Rather, our ultimate goal is to reconstruct a hypothesized transcript of the conversation from the bottom up: our approach segments the observed sequence of packets into subsequences corresponding to individual phonemes (i.e., the basic units of speech).

This illustration of the problem is superb:

Color me impressed. Great adaptation of linguistics to information security. However, they only propose two mitigation options:

…a knee-jerk reaction to thwarting this and other aforementioned threats to VoIP is to simply use constant bit-rate codecs or block ciphers. […] Another alternative might even be to drop or pad packets…

I wonder why they did not mention mixing an entire stream of noise/data into the payload, like a salt in a hash. Maybe that’s what is meant by pad packets? The goal would be to at least fill gaps and obscure phrasing to eavesdroppers, such as techniques used in WWII to hide the increase in radio traffic before attacks were launched. Yet that kind of pad defence is different in my mind from actively sending fake data that hostile recipients would want to process instead of ignore (e.g. communication by the Aspidistra high-power (600 kW) medium wave broadcasting transmitter to confuse German attacks).

Latency in encoding and decoding is usually cited as the obstacle to filling gaps and running interference to obscure IP communications, but if someone needs the privacy then a short delay or echo on a call seems a small price to pay, and bandwidth, memory and processing keep getting cheaper. Padding every packet up to the codec's largest frame size (which is what a constant-bit-rate stream amounts to) removes the length side channel outright, at a bandwidth rather than a latency cost. What it does not hide is packet timing, so silence suppression, which stops sending packets when nobody is talking, has to be switched off as well.
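To make the side channel and the padding defence concrete, here is an added toy model. It is my own illustration, not code from the paper or from any VoIP stack: the phoneme-to-frame-size table, the phonotactic bigram table, the frame sizes, the padded size and the sample phrase are all constructed, and the per-frame keystream derived from SHA-256 is a stand-in for SRTP's stream cipher, chosen only because it preserves length. The attacker sees nothing but packet lengths, recovers a phoneme sequence by a Viterbi search over the size-consistent candidates with phonotactic violations as the cost, and the same attacker is then run against a stream padded to a constant size.

```python
"""Toy model of the packet-length side channel behind phonotactic
reconstruction of encrypted VoIP, plus the constant-size padding defence.

Everything here is constructed for illustration: the phoneme-to-frame-size
table and the phonotactic bigram table are invented stand-ins for a real
VBR codec and a real language model; none of it comes from the paper.
"""
import hashlib
import os

# Constructed VBR behaviour: each phoneme is encoded into a frame whose size
# (bytes) depends on the sound. Several phonemes share a size, so a single
# size is ambiguous, as with a real codec's small set of bit rates.
FRAME_SIZE = {
    "s": 10, "f": 10,            # fricatives: low bit rate
    "t": 15, "k": 15, "p": 15,   # stops
    "a": 38, "i": 38, "u": 38,   # vowels: high bit rate
    "n": 28, "m": 28,            # nasals
    "_": 6,                      # silence / comfort-noise frame
}
ALL_PHONEMES = list(FRAME_SIZE)
PADDED_SIZE = 40  # constructed: larger than any frame above, used by the defence

# Constructed phonotactics: which phoneme may follow which. A real attack
# learns this (as an n-gram model) from transcribed speech.
ALLOWED_NEXT = {
    "s": {"t", "p", "a", "i", "u", "n", "m"},
    "f": {"a", "i", "u", "_"},
    "t": {"a", "i", "u", "_"},
    "k": {"a", "i", "u", "_"},
    "p": {"a", "i", "u", "_"},
    "a": {"n", "m", "t", "k", "p", "s", "f", "_"},
    "i": {"n", "m", "t", "k", "p", "s", "f", "_"},
    "u": {"n", "m", "t", "k", "p", "s", "f", "_"},
    "n": {"a", "i", "u", "_"},
    "m": {"a", "i", "u", "_"},
    "_": {"s", "f", "t", "k", "p", "a", "i", "u", "n", "m"},
}


def encode(phonemes):
    """Simulated VBR codec: one frame per phoneme, size chosen by the phoneme."""
    return [os.urandom(FRAME_SIZE[p]) for p in phonemes]


def pad_to_constant(frames, size=PADDED_SIZE):
    """Defence: make every frame the same size before encryption (CBR-like).
    Costs bandwidth on every packet; does nothing about packet timing."""
    return [f + b"\x00" * (size - len(f)) for f in frames]


def xor_crypt(frames, key):
    """Length-preserving encryption, as SRTP gives you: XOR with a keystream
    derived per frame from the key. Applying it twice decrypts."""
    out = []
    for idx, frame in enumerate(frames):
        ks, block = b"", 0
        while len(ks) < len(frame):
            ks += hashlib.sha256(key + idx.to_bytes(4, "big") + block.to_bytes(4, "big")).digest()
            block += 1
        out.append(bytes(a ^ b for a, b in zip(frame, ks)))
    return out


def observe(ciphertext_frames):
    """All a passive eavesdropper sees: the packet lengths, in order."""
    return [len(c) for c in ciphertext_frames]


def reconstruct(sizes):
    """Bottom-up reconstruction in the spirit of the paper: every phoneme
    sequence consistent with the observed sizes is a candidate; pick the one
    with the fewest phonotactic violations (Viterbi, 0/1 transition cost).
    Returns (guessed_sequence, number_of_violations)."""
    by_size = {}
    for ph, sz in FRAME_SIZE.items():
        by_size.setdefault(sz, []).append(ph)
    # An unknown size (e.g. a padded packet) tells the attacker nothing.
    candidates = [by_size.get(sz, ALL_PHONEMES) for sz in sizes]
    best = {ph: (0, [ph]) for ph in candidates[0]}  # phoneme -> (violations, path)
    for cands in candidates[1:]:
        nxt = {}
        for ph in cands:
            cost, path = min(
                ((v + (0 if ph in ALLOWED_NEXT[prev] else 1), p) for prev, (v, p) in best.items()),
                key=lambda t: t[0],
            )
            nxt[ph] = (cost, path + [ph])
        best = nxt
    cost, path = min(best.values(), key=lambda t: t[0])
    return "".join(path), cost


def accuracy(guess, truth):
    """Fraction of positions where the reconstructed phoneme is exactly right."""
    return sum(g == t for g, t in zip(guess, truth)) / len(truth)


def run(truth, key=b"session-key", padded=False):
    """Speaker -> network -> attacker. Returns (guess, violations, accuracy)."""
    frames = encode(truth)
    if padded:
        frames = pad_to_constant(frames)
    wire = xor_crypt(frames, key)
    assert xor_crypt(wire, key) == frames  # sanity check: the cipher itself is fine
    guess, cost = reconstruct(observe(wire))
    return guess, cost, accuracy(guess, truth)


if __name__ == "__main__":
    phrase = "sta_pan_mit"  # constructed phoneme string; "_" marks silence
    print("VBR, encrypted   :", run(phrase))
    print("padded, encrypted:", run(phrase, padded=True))
```

With the VBR stream the attacker gets every phoneme class right (size alone fixes the class) and, with the toy bigram table resolving the rest, most of the exact phonemes; the padded stream leaves only phonotactics to go on, and the guess degrades to whatever well-formed sequence the search happens to prefer. Note that the ciphertext is genuinely opaque in both cases; the whole leak is in `observe`.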

The Eight Roles of DCID 6/3

Only five short of a baker’s dozen, there are eight roles provided in Director of Central Intelligence Directive (DCID) 6/3 “Protecting Sensitive Compartmented Information Within Information Systems”.


  1. Principal Accrediting Authority — responsible for all intelligence systems within their respective purviews; the PAAs are the DCI, EXDIR/CIA, AS/DOS (Intelligence & Research), DIRNSA, DIRDIA, ADIC/FBI (National Security Div), D/Office of Intelligence/DOE, SAS/Treasury (National Security), D/NIMA, and the D/NRO
  2. Data Owner — final statutory and operational authority for specified information
  3. Designated Accrediting Authority — authority to assume formal responsibility for operating a system at an acceptable level of risk based on the implementation of an approved set of technical, managerial, and procedural safeguards
  4. Designated Accrediting Authority Representative (DAA Rep) — technical expert responsible to the DAA for ensuring that security is integrated into and implemented throughout the life cycle of a system
  5. Information System Security Manager (ISSM) — responsible for an organization’s IS security program
  6. Information System Security Officer (ISSO) — responsible to the ISSM for ensuring that operational security is maintained for a specific IS
  7. Privileged Users — access to system control, monitoring, or administration functions
  8. General Users — can receive information from, input information to, or modify information on, a system without a reliable human review

They provide a good exercise in defining relationships with compartmentalised information; it’s fun to try and make a diagram that shows the connections and overlap.

DCID 6/3 in 1999 superseded DCID 1/16, which had the much more fun title of “Security Policy for Uniform Protection of Intelligence Processed in Automated Information Systems and Networks”.

DCID 1/16 dated from 1988 and itself superseded the 1983 version of DCID 1/16, issued at a time of great US government concern about outsider attacks and of NSA’s first attempt to wrestle control of the Internet away from NIST.