When it comes to personal information, be your own, best custodian

Josh Beckett

When it comes to maintaining the security of our information, we expect that others will do a good job with our information. However, when we, ourselves, don't really care and fling info all over the internet, why would anyone act surprised when others fail to do any better? Several days ago I read Bruce Schneier's blog where he characterized society today as a surveillance state. I think that is a bit generous and would think that the label of police state would be slightly more appropriate.

This got me lamenting our slippery slope of voluntarily relinquished personal freedoms. The push to have massive social reach in so many aspects of our lives makes us forget that there could be other uses of that data. If we consider it public and throw it out there, it is tough to be angry at the government or business sectors for holding on to bits and pieces of information that, when put with other information, could be quite valuable. It is a bit like a poker game: every time someone asks you for some of your information, you have to ponder what they might already know.

Data in aggregate

All of this got me pondering one of my favorite controversial infosec topics, that of the risk induced by issues of data aggregation. For quite a few years, when the issue of classification of information would come up, I would occasionally ask clients the question: "Have you given any thought to how much low-level information might add up to higher-level info?" The standard look of 'are you nuts?' would inevitably be the response.

When the government begins to get creative and ask business for what seems to be some low-level information, why would we be surprised that some enterprising person will aggregate that data into a massive database and make something better out of the pieces? Every time I see that little GPS icon on my iPhone and I know I'm not using an app that should be using GPS data, I get very nervous. I feel that I'm the only one that wishes for some sort of proxy app for my iPhone to filter that data flow, along with the ability to filter out advertisements. How soon will it be before iPhone GPS data will start being tapped into by the police to give you a speeding ticket after the fact?

Little problems lead to big compromises

If it isn't massive, sensationalistic headlines, it must be just a nuisance, right? Well, any infosec practitioner worth their salt will tell you that a foothold is the first thing that any bad guy endeavors to gain. After that, escalating access is the next logical and appropriate tactic. After a few more steps, the victim of the attack usually utters my favorite phrase: "well, I didn't expect someone to do THAT."

Sure, it was just user IDs and passwords from a web site.  Of course, no one uses an internal central authentication mechanism for the web server.  We all know that users love to have many different IDs and passwords and it is no trouble at all to run a completely separate auth system for external versus internal systems.  What a nuisance!

So where will THAT data be stored?

We have more than a few folks talking about the benefits of having drones blanketing the airspace above our cities and telling us it is good or bad for various reasons. I don't know how you get past the shock of the FAA argument about air traffic safety and the simple logistics of maintaining separation between piloted aircraft and unmanned drones. Who has right of way between a commercial jetliner and a radar-evading drone surveilling a possible terrorist with a suspected weapon of mass destruction? Well, ignore all that for now and assume it can be easily solved. Where do you store the data and who will protect that? Who gets to say what from that data is public and what should be redacted from the secret archives? I'm sure they'll have a good place somewhere in the government.

Protect your own data

The best protection for your data is to simply not let others have it if they don't need it, so they CAN'T lose it. When cashiers ask for my phone number at checkout, I just say 'no.' Why? Because they don't need it to sell me the thing I'm trying to buy. Those electronic signatures on the credit card consoles do bother me, though. Most of the time the calibration is so bad it never looks like my signature anyway, but still.... Guess I'll just have to start signing with an 'X.'
