Biometrics are not a panacea for data loss

Ian Brown writes, “Biometrics are not a panacea for data loss:”

“What we must ensure is that identity fraud is avoided, and the way to avoid identity fraud is to say that for passport information we will have the biometric support that is necessary, so that people can feel confident that their identity is protected.” – The Prime Minister, Hansard Column 1181, 21/11/07

These assertions are based on a fairy-tale view of the capabilities of the technology, and in addition, only deal with one aspect of the problems that this type of data breach causes.

Ian, you’re too kind. It’s not a fairy-tale view, it’s contempt for the public, and a belief that they can be spun into believing anything.

Japanese Breach Disclosure Law

I believe that I follow breach notification pretty closely. So I was surprised to learn that I had missed the passage of a law in Japan. Bird & Bird, Notification of data security breaches explains:

In Japan, the Personal Information Protection Act (Law No. 57 of 2003; chapters 1 to 3 effective May 30 2003 and chapters 4 to 6 effective April 1 2005) (the “PIPA”), establishes the basic principle regarding the fair handling of personal information and regulates the handling of Personal Information[1] by business operators (“Information Handlers”).

A presentation by Morrison & Foster, “Data Security and Incident Notification: The Impact of Foreign Law” tells us:

You may have obligations under Japanese privacy law if:

  • You are affiliated with a Japanese company or institution.
  • You use or have access to employee or student information maintained in Japan.
  • A Japanese institution with which you are involved, for example, in a study-abroad program enters into a contract with you, according to which you assume privacy obligations under Japanese law.

To date, I’m aware of breach disclosure laws in 38 US states and Japan. Are there others?

There’s got to be an IT secret handshake


I’ve been in the hotel I am in for over a week now. It is a European hotel that has wireless, and you have to get an access card and type a six-character string into an access web page. That authenticates you, and you can go.

The problem I have today is that I can browse the net completely. But I can’t do anything else. No email, no vpn, no ping, no traceroute, no nothing. If I telnet to a useful port on my own servers, I get a syn/ack/syn and no flow.

My hypothesis is that whatever does a redirect on port 80 to get you to the authentication web page is broken.

I’ve talked to first-line tech support at the provider who let it slip that he thinks its in the firewall at the hotel. This is consistent with my evidence. However, he won’t let me talk to anyone who actually knows what “ping” is. I have talked to someone at my front desk, who has talked to the local IT person, and we’ve had mediated back-and-forths.

If I could actually talk to someone who knows what a web redirect is or even what a “port” is, I could let them know. If I knew the URL of the authentication page, I could tell them the problem. The local IT guy is presently talking to the ISP, but I told the gal at the desk that I’m an IT person, too, and if their IT guy will call me, then I will help explain the problem.

As a matter of fact, while writing this, I just connected to an https url, which redirected me to the authentication page, and now everything is working. This is how you’re reading this today. So I know what their problem is and can tell them how to fix it. They just have to know that I know, and that I’m not a mere luser.

We need an IT secret handshake. Perhaps Randall Munroe can help. Remember those old stories about the Freemasons in some pickle or another who suddenly showed the handshake? We need one.

Update: The gal at the front desk has called back. The ISP and the local IT people have decided this is actually my problem. However, she also says that another guest has this problem. I explained this as much as I could to her, and told her to tell the other guest to go to an SSL web page to fix it.

Photo courtesy of photos.tjweb and selected because it matched a search for “authentication web page”

Banksy Would Be Proud

In a feat that would make Banksy proud, members of Untergunther, who the Guardian calls “cultural guerrillas“, restored the antique clock at the Panthéon. They spent about a year, beginning in September of 2005, in a hidden workshop, dismantling and rebuilding the entire clockwork which had been abandoned in the 1960s. They were never discovered despite having taped into the electrical and network systems.

Getting into the building was the easiest part, according to Klausmann. The squad allowed themselves to be locked into the Panthéon one night, and then identified a side entrance near some stairs leading up to their future hiding place. “Opening a lock is the easiest thing for a clockmaker,” said Klausmann. From then on, they sneaked in day or night under the unsuspecting noses of the Panthéon’s officials.

Their presence only became known when they revealed themselves so the curators would know to wind the clock. This is far from the first project Untergunther has undertaken.

Klausmann and his crew are connoisseurs of the Parisian underworld. Since the 1990s they have restored crypts, staged readings and plays in monuments at night, and organised rock concerts in quarries. The network was unknown to the authorities until 2004, when the police discovered an underground cinema, complete with bar and restaurant, under the Seine. They have tried to track them down ever since.

So keep an eye on the news, you never know where they’ll pop up next.

Is 2,100 breaches of security a lot?


There’s a story in the Yorkshire Post, “2,111 data disasters blamed on disc row bunglers.” At first blush, that’s an awful lot of errors:

THE bungling Government department responsible for losing 25 million people’s personal details in the post was hit by more than 2,100 reported breaches of security in the past year alone.

And 41 laptops – many containing sensitive financial details relating to members of the public – were stolen from employees at HM Revenue and Customs (HMRC) over the last 12 months, demolishing any notion that the loss of two computer discs containing the details of child benefit claimant was a “one-off” error.

There’s a scene in one of the Star Trek movies that’s stuck with me. Captain Kirk is walking around San Francisco and needs some cash. He goes into a pawn shop to sell his glasses, and the guy offers him a hundred bucks. Kirk looks at him and says “Is that a lot?” He doesn’t have the context to understand the number that he’s been given.

When I hear that HMRC has had 2,100 breaches reported, I’m forced to ask, “is that a lot?”

To put the number in context, we need three things:

  • What is a breach? Does it include, for example, leaving your screen unlocked when you go to the restroom? We can’t understand what 2,100 breaches mean without knowing what is being counted.
  • How big is the department? If it’s 10 people, then that’s a breach a day. If it’s 2,100 people, then it’s a breach a year. (As an indicator, page 7 of the HMRC 2007 departmental report indicates that their IT department supports 110,000 workstations and 120,000 mailboxes.) So it seems that they’re at about 1 “breach” per 50 employees per year.
  • How does this compare to other organizations? Do other departments of Her Majesty’s government breach at the same rate? That seems lower than the US Government reported rate of one per hour, but actually, 2,100 breaches is about one per hour per business day for HMRC. So does HMRC leak at the same rate as all of the US government, or are we seeing different definitions of breaches?

This is clearly a bad breach, a meaningful one for the UK, and it will influence what emerges from the many discussions around breaches, breach disclosure and computer security.

To me the most important lesson is that we’re unable to say if this is one of the worst breaches, or simply one one of many bad ones. Like Captain Kirk, we don’t have the context to understand the number.

Credits: Yorkshire Post story via Pogo Was Right. Image: “Forest and Sky,” showing comet Holmes shining a bit more brightly than the many stars. Photo by Vincent Jacques, via Astronomy Picture of the Day, and begging the question: is this a comet, or a star?

HMRC Data discs on EBay

Quite possibly the funniest infosec joke seen in 2007.

Here we have two CD-R’s for auction. They are not blank, but seem to have some sort of database written to them. I found them in my local courier firm’s sorting office, addressed to
“Her Majesties Audit Office – Child Benefits Section” and marked
They were obviously surplus to requirements.
I haven’t read the data myself. The database appears to have approximately 25 milion records in it, but is password protected, so it is impossible to read it and it’s definitely impossible to extract any bank account data from it.

El Reg has it all.

A quick comment on the UK lapse

Thanks to all the readers who have written to tell me about the HM Revenue and Customs breach in the UK. I’m on vacation at the moment, and haven’t had a chance to read in depth. However, example stories include the BBC’s “Pressure on Darling over records:”

Alistair Darling has apologised for the “extremely serious failure”, which has exposed all Child Benefit recipients to the threat of identity fraud.

and the Times Online’s “Moment’s blunder puts half the country at risk.”

In June, 2007, I wrote “It’s not all about ‘identity theft’,” and if you’ll indulge me, I’d like to repeat myself:

Data breaches are not meaningful because of identity theft.

They are about honesty about a commitment that an organization has made while collecting data, and a failure to meet that commitment. They’re about people’s privacy, as the Astroglide and Victoria’s Secret cases make clear.

The issue here is not ID theft risk. The data in the CDs don’t lead to that. The issue is a massive breach of public trust by Her Majesty’s government, and over that, people are rightly outraged.

[Update: I may have spoken too soon on the question of “can this data lead to ID theft in the UK.” See the comments.]

Breach Disclosure of the Zeroeth Millennium


The BBC reports that the whereabouts of the legendary cave where Romulus and Remus, founders of Rome, were nursed by a she-wolf, Lupa, as foundlings.

The eight-meter-high cave was found buried sixteen meters under a previously-unexplored area of Palatine hill in Rome.

Although their home address has been made public, it is unclear if the Roman founders lost any other personal information such as tax ID numbers, bank information, or date of birth.

In related news, two disks in the UK have been lost with the personal details of 25 million Britons including “name, address, date of birth, National Insurance number and, where relevant, bank details.” This is everyone in the UK who receives a tax deduction from having children.

HMRC Paul Gray resigned over the incident (as if that will help). Liberal Democrat Acting Leader, Vince Cable, clucked: “why does HMRC still use CDs for data transmission in this day and age?” proving that he doesn’t read this blog. Mr Cable as well as Shadow Chancellor George Osborne predicted the end of the National ID Database as a result of this loss.

Commissioner of Obvious Information, Richard Thomas, said: “this is an extremely serious and disturbing security breach” and Chancellor Alistair Darling pointed out that at least no one had had fiber-optic endoscopes pushed into their houses unlike those Roman foundlings.

Vulnerability Disclosure Agents Part N

Recently Dave G of Matasano (and smoked salt) fame two interesting articles on Vulnerability Disclosure Markets. In the second one, he reposted a user’s comment:

Based on the failing (due to agenda) of (particular) Researchers, Coordinators (i.e. FIRST Members) and Vendors – Which “trusted person or organization” is left “that can represent vulnerability researchers whose reputation is at stake when dealing with vendors.”?

Let’s assume for a moment that, in fact, there is no one that currently fills this role to everyone’s satisfaction. Furthermore, let us assume that (at least for certain large vendors) that while the extant systems more or less works, everyone wishes it were smoother and easier.
How do we improve the situation? Vendors really don’t like the vulnerability markets, researchers, quite understandably, fear liability and users just want fixes. How role for a vulnerability disclosure agent straddle this three sided fence? It seems to me that ideally, the agent would be a respected disinterested third party who was preferably a not-for-profit who didn’t accept funding from either vendors or researchers. Coming from the corporate side, that sounds like a good balance to me. What say you? Does this make sense? Are there pitfalls I’m missing?

The costs of liability

It’s become common for people thinking about security economics to call for liability around security failures. The idea is that software creators who who ship insecure products could be held liable, because they’re well positioned to address the problems.

I don’t think this is a trouble-free idea. There are lots of complexities. As one example, are open source vendors going to be liable? Fyodor, who writes and gives away nmap? What about Apple, when they include a package, say bind or bzip, both of which were included in their latest security update. Including such third party software allows Apple to provide basic functionality at lower cost.

Now, the UK Information Commissioner has proposed that doctors who lose laptops with patient data could be subject to a £5,000 fine.

Mr Thomas said: “If a doctor, or hospital [employee] leaves a laptop containing patients’ records in his car and it is stolen, it is hard to see that is anything but gross negligence.”

The commission can currently issue enforcement notices but these “do not impose any element of punishment for wrongdoing”. But Lord Lyell of Markyate, a former Attorney-General, said it would be disproportionate to criminalise doctors for losing a laptop.

Mr Thomas said the intention was not to prosecute for a single incident, but that for gross negligence there was “a need to have some deterrent in place”. He said anyone holding personal data should know the basics of “encryption” to protect that material. (“Doctors may be prosecuted if their laptops are stolen,” Times Online, UK)

I’m with Lord Lyell here, and think that there’s a great deal of specific thinking to be done before we should impose more liability for software flaws. Software creators, including Mozilla, know that it’s hard to make bug-free software, so my employer probably thinks similar things.

Possibly related, “Government ignores Personal Medical Security.”

Via PogoWasRight.