Ubiquity and pervasiveness of SQL DBs

In my second essay looking at increased breaches of personal information through malware and some questionable security practices, I now take a look at the harbinger of the modern Domesday Book: the pervasiveness of SQL databases.

There is much about data loss and compromise in the news today, almost on a weekly basis it seems. There was a recent data breach at Orange France in May, which lost the personal information of approximately 1.3 million customers. When questioned, Orange France was unable to confirm whether the data it held was encrypted; this is very serious. It is not like asking someone how long it would take to fly a rocket to the moon and making a best guess. Data either is or is not encrypted when stored within ubiquitous database systems. Orange should have encrypted this data. Not being able to provide an adequate answer demonstrates to customers that their personal information is not safe with this company. Being able to trust in the security of computing systems is paramount in this information age. It is crucial that companies and governments provide evidence that proves our data is kept safe; unfortunately, all too often the contrary is occurring.

Rik Ferguson, vice president of security research at Trend Micro, recently told the Guardian:

“effective security is no longer about designing architecture with the aim of keeping the attacker out permanently, that’s a pipe dream. If they want to get in, they will get in.”

Is this a lack of imagination in protecting personal data, or a consequence of how data is stored in the early 21st Century? If we take Mr Ferguson’s advice, then we should stop using computer systems for all personal information. However, there are ways of designing computing architecture to reduce the attack surface.

Many online services are far from safe, and some are known for not encrypting the personal information they store; remember the Sony hack of 2011. Worse still, many companies not only connect web services, with their associated SQL servers containing personal information, to the Internet, but also their whole networks. This enables their employees to email, process data and surf the web while also having access to your personal data. As a consequence, crackers and other malfeasants can also gain access.

There are many ways to ensure personal data is kept secure, and having publicly accessible or public-facing networks holding sensitive personal data is not one of them. I can recall making databases in Informix SQL back in the early to mid 1990s. When designing table and data structures, it was good practice to separate personal records out into various different tables. Written SQL queries would anonymise personal records, and the SQL databases were not held on publicly accessible networks. The resulting anonymised data would be copied to floppy disk and a website would be hand coded including the anonymised data, for use only on a local LAN.
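The table separation and anonymising query described above, as an added example that is not code from the original essay or from any product it mentions. It uses Python's built-in sqlite3 module with constructed sample records (the customer names, addresses and orders are invented), keeps identifying fields in a separate table that is never exported, and exposes only a view that coarsens date of birth to an age band and the address to its outward postcode. The table, view and function names are the example's own choices; in a server database such as PostgreSQL the reporting role would be granted SELECT on the view alone.

```python
import sqlite3

# Constructed sample data for the example; these are not real people.
CUSTOMERS = [
    (1, "Alice Example", "1975-03-02", "12 High St", "BS1 4AA"),
    (2, "Bob Sample", "1991-11-17", "3 Mill Lane", "LS1 2AB"),
]
ORDERS = [
    (101, 1, "2014-05-03", 49.99),
    (102, 2, "2014-05-04", 12.50),
    (103, 1, "2014-05-09", 7.25),
]

SCHEMA = """
CREATE TABLE customer_private (        -- identifying data, never exported
    id       INTEGER PRIMARY KEY,
    name     TEXT NOT NULL,
    dob      TEXT NOT NULL,            -- ISO date
    street   TEXT NOT NULL,
    postcode TEXT NOT NULL
);
CREATE TABLE orders (                  -- transactional data keyed by id only
    id          INTEGER PRIMARY KEY,
    customer_id INTEGER NOT NULL REFERENCES customer_private(id),
    placed_on   TEXT NOT NULL,
    amount      REAL NOT NULL
);
-- The only object a reporting/export role should be able to read:
-- age is coarsened to a band (by calendar year), the address to its outward postcode.
CREATE VIEW orders_anonymised AS
SELECT o.id AS order_id,
       o.placed_on,
       o.amount,
       CASE
         WHEN strftime('%Y', o.placed_on) - strftime('%Y', c.dob) < 30 THEN 'under 30'
         WHEN strftime('%Y', o.placed_on) - strftime('%Y', c.dob) < 50 THEN '30-49'
         ELSE '50+'
       END AS age_band,
       substr(c.postcode, 1, instr(c.postcode, ' ') - 1) AS postcode_area
FROM orders o JOIN customer_private c ON c.id = o.customer_id;
"""


def build_db() -> sqlite3.Connection:
    """Create the in-memory database and load the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO customer_private VALUES (?, ?, ?, ?, ?)", CUSTOMERS)
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?, ?)", ORDERS)
    conn.commit()
    return conn


def export_rows(conn: sqlite3.Connection) -> list:
    """Rows the reporting side receives; ordered so the result is deterministic."""
    return conn.execute("SELECT * FROM orders_anonymised ORDER BY order_id").fetchall()


def exported_columns(conn: sqlite3.Connection) -> list:
    """Column names the view exposes (cursor.description is set even with no rows)."""
    cur = conn.execute("SELECT * FROM orders_anonymised LIMIT 0")
    return [d[0] for d in cur.description]


def leaks_identifiers(conn: sqlite3.Connection) -> bool:
    """True if any directly identifying column name made it into the export."""
    return bool({"name", "dob", "street", "postcode"} & set(exported_columns(conn)))


if __name__ == "__main__":
    db = build_db()
    print(exported_columns(db))
    for row in export_rows(db):
        print(row)
    print("identifiers leaked:", leaks_identifiers(db))
```

The point of the view is that the copy handed to the web site (the floppy disk in the essay) can be produced with a single SELECT against an object that cannot return a name, date of birth or street, however the query is written.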

Computer systems are far more sophisticated today, and databases have so much more processing and analysis capability on aggregated information. Herein lies one of the 21st Century’s major issues with personal data security. The ease of access and the power to transform information is not too dissimilar to what followed the Norman invasion of Anglo-Saxon Britain with the introduction of the Domesday Book.

While the power of SQL databases has increased manyfold since the mid 1990s, creating safe data structures and implementing good data practices should not diminish or, worse still, be ignored completely. Sensitive personal data should have no form of public access, without exception. While services like on-line banking make our lives easier, they also make it easier for such information to be accessed, stolen and exploited by criminals and by unscrupulous (malfeasant) elements within government and the security services, as exemplified in recent UK court cases and in Edward Snowden’s files published through the Guardian.

Poorly coded, ‘bug-ridden’ software also enables potential attacks on the organisations and individuals who use it. Examples include the Heartbleed flaw, which enabled potential exploitation of login accounts and other personal data transmitted via OpenSSL (in a particular release version), and the recently discovered software bugs within energy companies’ power stations and substations that are being connected to the Internet.

Do we need to take drastic measures, such as reverting to a stone-age culture to protect our personal information, or, less dramatically, revert to paper-based systems for personal information? Based on the high-profile data security breaches of the past 7 years, and given that many governments and businesses seem to take a lax approach towards securing personal information, one might justify reverting to paper-based personal records that are securely located and transported.

Ultimately, what we should be looking to achieve is secure, private ‘unplugged’ LANs with no personal data stored on publicly accessible servers. It is possible to set up systems that protect personal data while still having the benefit of service access, where limited ‘locked away’ personal data is used for transactions such as commerce.

Many businesses now ask for personal information they do not need, such as date of birth (Sony, Google, et al.). The justification for collecting this highly confidential personal information is legal compliance. However, this information is seldom really needed; age confirmation methods can be used instead. A company can also have a legal disclaimer in its terms of service stating a minimum age requirement. If a customer joins a service providing false information on age, for example a 15-year-old joining where the age is restricted to 18 years, then liability resides not with the business but with the customer or their legal guardian; web filters can be put in place to restrict and prevent access.

Using complicated data protection systems does not guarantee 100% security. However, the attack surface exposed to malware should be drastically reduced, save for bugs like Heartbleed. If personal data security is to be taken seriously, more robust security measures are required; otherwise organisations risk losing customers, and WWW commerce growth will be in jeopardy through a loss of confidence, followed by a new dot-com bust.

It may be convenient to order an item online, to use eBay to purchase a pair of shoes and PayPal to pay for them, or to access banking information at the touch of an app. However, if your name, postal address, date of birth, credit card information, banking information, telephone numbers and any other personal information you have supplied to use that service is stolen or ‘lost’, you are compromised. It is then easy to create a clone of your identity for fraudulent purposes, and you will have to pick up the pieces and deal with the fallout that follows, not the company or government service that “lost” your data.

In my third essay in this series on malware’s far reaching consequences to personal information, I will take a look at alternative approaches with personal and business computing.


Personal data, bugs and security breaches

This is the first in a series of 3 essays, looking at malware’s far reaching consequences to personal information and questionable security practices some organisations implement.

Protecting one’s personal data is becoming more difficult as security breaches of companies and governments advance at pace. There have been some recent high-profile data losses, with eBay, the shoe retailer Office, the music service Spotify and the gaming platform Steam over a two-week period. What one might think would normally be a trickle of data breaches has turned into a torrent.

With this increased threat from malware exploiting bugs within software code, and some organisations implementing poor security practices, a basic understanding of how one can protect personal data from the next hack like eBay’s is necessary. There are many news articles on ways one can protect personal data following an attack and breach of a database containing approximately 233 million customer records on eBay’s systems.

eBay said the breach, which was detected two weeks ago, had not given the hackers access to customers’ financial information. But it did affect a database holding encrypted passwords as well as customer names, email addresses, physical addresses, phone numbers and dates of birth which were not encrypted. The site has 233 million customers worldwide, including more than 14 million active in Britain.

After the hack of Sony’s unencrypted personal user records, in July 2011 I wrote a brief security guide on protecting your login identity. While that article requires some updating, much of its guidance remains valid and relevant given the increasing use of SQL databases, while companies and governments amass huge dossiers on individuals and their computer systems are breached.

Before the first dot-com bubble burst, roughly around 1997-2000, companies with an on-line presence would generally only request an email address and a password to use their service. Wind forward 10 years and on-line services, from game playing, shopping, booking hotels and email services to government services, ask for all sorts of personally identifying information. If this trend of intrusion into personal data by companies and governments continues, it will not be long before ID photos are requested, along with personal data such as one’s eye colour. With personal information being stored on private networks that often have public access, and worse on public-facing servers too, the scope and scale of malicious attacks will increase.

Go back 50 years, to the creation of the BASIC programming language: cheques were used, banks had awkward opening times, debit cards, let alone chip and PIN, were not even a thought, and cash was the favourite choice for tokens of exchange. Into the 1970s came ATM cash cards, so money could be taken out when the bank was closed. In the UK and Ireland cheque guarantee cards became widely used around the early 1970s, and later merged with ATM cash cards during the 1980s. Spin forward into the 21st century and debit cards are ubiquitous, along with the growing spread of contactless payment. Information technology has transformed the way we can access services and collect and use information; however, this has also made criminal activity easier.

Often there is a willingness to share too much personally identifying information on-line with social networking sites, and some of these companies (Facebook, Google, Yahoo, LinkedIn and many others) have become very competent at harvesting that data and commodifying it. The collected data is then sold on in various formats to other companies and governments to ‘enable’ a wide range of services, from ‘targeted advertising’ through to nefarious purposes. There is also a growing trend of governments and businesses (tax and welfare, banking, utility companies, etc.) forcing people into using on-line services and removing paper versions.

Mass marketing, media and other information strategies have successfully sold the notion that individuals should publish on-line as much information as possible about themselves. This includes a growing trend of pushing people into publishing CVs publicly for the world to see, along with a LinkedIn profile; there are huge risks in publishing so much personal information about oneself. It is very easy for any business, government or individual with a bit of know-how to aggregate this information to form a dossier. This increased intrusion is by no means harmless, or even ‘mostly harmless’.

Google co-founder Larry Page spoke out about the recent European ruling with the ‘right to be forgotten’ suggesting that:

The EU’s “right to be forgotten” ruling risks empowering repressive governments and their control of the internet, Google’s chief executive, Larry Page, warned.

What Mr Page did not say is just as important: if data is removed from Google’s servers under the “right to be forgotten”, it could hurt Google’s business model of harvesting and selling personal data to ad agencies or other organisations. A change in EU law will not prevent Google from harvesting personal information and tracking user activity through its web search engine, cookies and other methods. Google will just make the data not publicly visible, just as Facebook does when you “delete” information. Information once out there on the net is never really deleted, just hidden from view.

Google claims to want net neutrality, and its motto is “Don’t be evil”. Having the right balance is key, as proven by the revelations of former US security analyst Edward Snowden, published in the Guardian’s NSA files. The same analysis can be applied to other information aggregators that provide search engines, such as Microsoft’s MSN/Bing, Yahoo, Lycos, etc. DuckDuckGo is a search engine provider with a no-tracking policy.

There is often the pretence that personal data will be kept safe on servers, but in reality this can never be guaranteed. The mass storage of information has all become possible through the use of databases within information technology, in particular SQL (Structured Query Language) databases. Databases are not new, but their spread into modern technology has grown more rapidly than an invasive weed or pest. As with any tool, it is not the SQL database per se where the problem lies, but the use to which harvested information is put.

There are a growing number of IT experts who suggest not handing over your personal data if you think a company is asking too much, and consider if you really need to use that service.

Rik Ferguson, vice president of security research at Trend Micro, recently told the Guardian:

“It’s all very well telling everyone to go out and change their passwords, but you can’t go and change your postal address, telephone number, name and date of birth.”

“All organisations that hold any sort of private or financial information should absolutely be encrypting that data at all times – there is no excuse for not doing so.”

Companies ‘lose’ personal data by many means, from lax security through to attacks on their systems. However, security breaches have increased at an alarming rate over the past few years. Since mid 2000, as computers have become rapidly more powerful and software more complicated, the power and potential to crack and be cracked has increased dramatically. However, private business is not the only type of organisation to ‘lose’ personal data.

Several cases of information breaches and bad practices exposing personal data within government organisations have occurred. For example, in November 2007 it was reported that HMRC lost 25 million personal records, including bank account details and NI numbers, by placing the data on CDs and putting them into the postal service; the data was unencrypted save for a password on the zip file, which is not difficult to break. Wikipedia has a list of publicly known government data breaches.

Encryption of data is often loudly voiced as the answer to protecting data securely. However, encrypting data is not enough in itself to keep information secure. If password hashes are stolen and subsequently broken, data can be decrypted. Or, worse still, bugs in encryption software will enable back-door access to what one might have thought was secure. The recent announcement from TrueCrypt telling its users to switch to rival encryption software is troubling and leaves many unanswered questions.

Using complicated passwords should in theory be enough to protect your login account, and for the most part it is, for the moment. However, as computing power has moved forward at a quantum-leap pace, analysts and password crackers can build computer systems that run 350 billion guesses a second. Advice from some IT analysts is to create a passphrase rather than a password, or to use a password manager.
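The two preceding paragraphs turn on how stored password hashes hold up once stolen. The following is an added example, not code from the essay or from any product it names, showing the defender's side: a per-user random salt and a deliberately slow key derivation (PBKDF2-HMAC-SHA256 from Python's standard library), verified with a constant-time comparison. The `guesses_per_second_against` function is a rough model of the example's own making: it assumes the 350 billion guesses a second quoted above refers to single fast hash computations and that cost scales linearly with the iteration count. The record format and function names are the example's own choices.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor: each login check, and each attacker guess, costs this many
# HMAC-SHA256 rounds. Raise it as hardware gets faster.
ITERATIONS = 200_000


def hash_password(passphrase: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex."""
    if salt is None:
        salt = os.urandom(16)  # unique per user, so identical passphrases differ on disk
    digest = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                                 salt, iterations, dklen=32)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(passphrase: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        if algorithm != "pbkdf2_sha256":
            return False
        expected = bytes.fromhex(digest_hex)
        candidate = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                                        bytes.fromhex(salt_hex), int(iterations),
                                        dklen=32)
    except ValueError:  # malformed record: never authenticate on it
        return False
    return hmac.compare_digest(candidate, expected)


def guesses_per_second_against(fast_hash_rate: float, iterations: int) -> float:
    """Rough model (assumption, not a measurement): hardware that computes
    `fast_hash_rate` single hashes a second manages about
    `fast_hash_rate / iterations` guesses a second against a record that
    needs `iterations` hashes per guess."""
    return fast_hash_rate / iterations


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))   # True
    print(verify_password("wrong guess", record))                     # False
    print(guesses_per_second_against(350e9, ITERATIONS))              # 1750000.0
```

Storing the iteration count inside the record lets the work factor be raised later: old records still verify, and can be re-hashed at the user's next successful login.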

With much sophisticated malware present on the net, it is not too difficult to breach a computer network. The Heartbleed bug is one of the more serious programming flaws of recent years. Modern programs are made of hundreds of thousands to millions of lines of code. This creates problems for software developers (programmers), as mistakes occur through human error. Other threats come from software designed to harvest information or to destroy, and this malware is not only created by frustrated teenagers (the popular media-driven stereotype) in their bedrooms, angry at the current sociopolitical structures.

Stuxnet is a worm reported to be responsible for ruining almost one-fifth of Iran’s nuclear centrifuges. There are suggestions that government agencies in the US worked in collaboration with other governments around the world to create the Stuxnet worm. But then Stuxnet got released into the wild, available for people to find on the net. The use of malware was reported within the Snowden files.

To protect oneself, one should think carefully about what sort of information is released onto the net. Once uploaded, it is very difficult to remove. While pen names (and other substituted information) can be used for certain services, this is not possible for all on-line services, such as those of government. Stronger legal measures and sanctions should be enforced on companies and governments that fail to keep personal data secure.

With the recent campaign for the right to be forgotten on the net, a new legal framework could be employed that not only gives individuals a legal right to control their personal information, but also restricts companies’ and governments’ access to their personal data.

On-line services should only require an email address and password. Other personally identifying information should only be held temporarily for official purposes, such as a financial transaction. Following the completion of the data’s use it should be classified as obsolete, with the personal data being removed within a short period. This won’t solve all of the problems where data breaches expose personally identifying information, but it would go a long way to reduce the damage caused.
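The retention rule just described, as an added example that is not code from the essay: a transactions table keeps the identifying fields (name, delivery address, last four card digits) only while a transaction is open, and a scheduled purge blanks them once the transaction has been complete for longer than a retention window, leaving the non-identifying record (amount, completion date) for accounts. The sample transactions are constructed for the example, and the table, column and function names are its own choices. The purge is written to be idempotent, so running it twice on the same day changes nothing the second time.

```python
import sqlite3
from datetime import date, timedelta

# Constructed sample transactions; not real people or real card numbers.
TRANSACTIONS = [
    (1, "Alice Example", "12 High St, BS1 4AA", "4242", 49.99, "2014-04-01"),
    (2, "Bob Sample", "3 Mill Lane, LS1 2AB", "1881", 12.50, "2014-05-20"),
    (3, "Carol Case", "9 Oak Rd, M1 1AA", "0005", 7.25, None),  # still open
]


def build_db() -> sqlite3.Connection:
    """In-memory database holding the constructed transactions."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE transactions (
            id               INTEGER PRIMARY KEY,
            name             TEXT,      -- identifying: needed only while open
            delivery_address TEXT,      -- identifying: needed only while open
            card_last4       TEXT,      -- identifying: needed only while open
            amount           REAL NOT NULL,
            completed_at     TEXT       -- ISO date, NULL while the transaction is open
        );
    """)
    conn.executemany("INSERT INTO transactions VALUES (?, ?, ?, ?, ?, ?)", TRANSACTIONS)
    conn.commit()
    return conn


def purge_expired_pii(conn: sqlite3.Connection, today: date, retention_days: int) -> int:
    """Blank identifying fields on transactions completed before the cutoff.
    Returns the number of rows changed; open transactions and rows already
    purged are left alone, so the job can be re-run safely."""
    cutoff = (today - timedelta(days=retention_days)).isoformat()
    cur = conn.execute(
        """UPDATE transactions
              SET name = NULL, delivery_address = NULL, card_last4 = NULL
            WHERE completed_at IS NOT NULL
              AND completed_at < ?
              AND (name IS NOT NULL OR delivery_address IS NOT NULL
                   OR card_last4 IS NOT NULL)""",
        (cutoff,),
    )
    conn.commit()
    return cur.rowcount


def pii_present(conn: sqlite3.Connection, tx_id: int) -> bool:
    """True if any identifying field is still stored for the given transaction."""
    row = conn.execute(
        "SELECT name, delivery_address, card_last4 FROM transactions WHERE id = ?",
        (tx_id,),
    ).fetchone()
    return row is not None and any(v is not None for v in row)


def amount_of(conn: sqlite3.Connection, tx_id: int) -> float:
    """The non-identifying accounting record survives the purge."""
    return conn.execute("SELECT amount FROM transactions WHERE id = ?", (tx_id,)).fetchone()[0]


if __name__ == "__main__":
    db = build_db()
    print("purged:", purge_expired_pii(db, date(2014, 6, 1), retention_days=30))  # 1
    print("purged again:", purge_expired_pii(db, date(2014, 6, 1), retention_days=30))  # 0
    for tx in (1, 2, 3):
        print(tx, pii_present(db, tx), amount_of(db, tx))
```

With a 30-day window and a run date of 1 June 2014, only the transaction completed on 1 April is blanked; the one completed on 20 May is inside the window, and the open one is untouched until it completes.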

I shall be following up with two further essays continuing this discussion on malware’s far reaching consequences to personal information, with further recommendations and solutions, which could reduce the risk of data theft.