I read this article from TheRegister with mild interest:
“Medical Data Experiment goes horribly wrong: 950,000 records lost” – http://www.theregister.co.uk/2016/01/27/centene_loses_95000_medical_records_on_six_hard_disks/
Ok, so yet another ‘company loses personal data, warns as a precaution’ story. In this case, six hard disks apparently containing personal health information of around 950,000 people.
So my initial thought was something along the lines of “are people really misplacing whole hard disks still in 2016”?
Personally, I suspect it is more likely an accounting problem rather than a physical loss – they are probably labelled up wrong, or left in a drawer somewhere, or have been re-used and nobody noticed, that kind of thing. But it is interesting to look at the phraseology of two consecutive press releases from the company involved (no, I’m not quite sure why I looked them up either – but I did!).
On the data loss:
“Centene has determined the hard drives contained the personal health information of certain individuals who received laboratory services from 2009-2015 including name, address, date of birth, social security number, member ID number and health information. The hard drives do not include any financial or payment information. The total number of affected individuals is approximately 950,000.”
Fair play – they are admitting their mistake and attempting to do the right thing:
“Notification to affected individuals will include an offer of free credit and healthcare monitoring. Centene is in the process of reinforcing and reviewing its procedures related to managing its IT assets.”
Otherwise, without openness and honesty around such issues, how can lessons be learned?
But the following day, the next press release announces their financial results for the year:
“On January 25, 2016, the Company announced an ongoing comprehensive internal search for six hard drives that are unaccounted for in its inventory of approximately 26,000 information technology (IT) devices. This incident resulted from an employee not following established procedures on storing IT hardware. While we cannot estimate the impact with certainty at this time, the Company does not expect the impact of the incident to have a material effect on its future growth opportunities, financial position, cash flow or results of operations.”
Yes – they don’t expect the fact that 950,000 people’s personal health details going missing will affect their financial position now or in the future.
I guess that answers the question of why it is 2016 and companies still lose whole hard disks of personal information. If there is minimal financial impact, it is good business sense for them to keep their procedures at the minimum deemed necessary – that is just sensible business risk-management. In fact the whole ‘free credit and healthcare’ monitoring could be seen as a cost effective insurance policy against possible loss should it occur, compared to the costs of labour intensive, fault-free asset management to prevent any chance of loss up front.
These things will only change when the impact of the issue impacts the companies involved much more significantly, rather than just ending up a problem for the people whose data is lost.
In the UK, I guess we have the Information Commissioner’s Office guidelines for handling data and ability to set fines, but even this misses the point for me. A fine is after the fact and with so many charities and volunteer organisations (cough, Scout National database) storing personal details, a significant fine would end up burying an organisation and an insignificant fine is largely pointless. But either way the data will still be lost. So the answer to this one is really education – so to that end, the ICO Guide to Data Protection is great – but unless someone is actually auditing and proactively educating organisations, or perhaps more appropriately companies now selling online services to organisations, on these principles, I suspect we’ll keep seeing problems occurring.
As we see massive growth in companies providing online payment services (ParentPay, SchoolMoney, PaySchool and so on), information and content management (dbPrimary, Google for Education, etc), communications and mailing services (ParentMail, etc), biometric authentication (40% of secondary schools apparently), online learning, and so on to education and charities, more of our data ends up online regardless of the fact it might not be us putting it there! For a cash-strapped organisation, managing an offline and online database isn’t going to happen. You might not use their online system, but your data will be there as they’ll be using it themselves.
The school use of biometrics is particularly worrisome – many kids may have their biometrics compromised before they are even old enough to decide for themselves if they want to hand over their biometric signatures to any company.
Fundamentally, at present, all the risk from a company storing your data is on you, not them. Until that risk balance is addressed, I guess we will stay at the mercy of “bottom line (non-)impact” reporting. And whilst it is convenient and cost-saving for organisations to use more of these online services, our data will keep being stored who knows where and there is very little we can do to stop the tide of information uploading.
From time to time, especially since my last HP post, I’ve wondered about the various approaches to access control that have appeared in the books, especially the instances where passwords are used.
The most, ahem, common one being entry to the various house common rooms. One thing I’ve never understood is how the system of students knowing the right passwords for entry gets bootstrapped? She won’t let anyone in who doesn’t know the password – we see a number of instances where the Fat Lady doesn’t let someone through if they don’t know the password, the most graphic being Sirius Black’s attack in the Prisoner of Azkaban. But when she changes the password, who does she tell first? And then how is the password propagated around the house students?
Assuming there is a hierarchy of trust in place, maybe she tells Professor McGonagall as head of Gryffindor house, who tells the house prefects who tell the students. But this passing on can only happen by somehow recognising the members of the house and telling them. In which case, I’m sure the Fat Lady would be quite capable of remembering students too – so when Harry doesn’t know the password once (as he was late arriving at school), why doesn’t she let him in? She must know who he is – at least to the same level of trust as any of the students.
In fact, we know that this recognition method can break down anyway – we have an example from The Chamber of Secrets, when Harry and Ron drink polyjuice potion and get into the Slytherin common room by following Malfoy.
And then of course, it would be entirely possible that someone could slip someone some veritaserum and get the password from them that way. The only defense in this case being it’s probably too complicated for students to make. But has a student never managed it? In the entire history of Hogwarts?
And there is a very good example, again back in the Prisoner of Azkaban, where supposedly increased security practices actually lead to insecurity. It would have been a much better trade off to just tell Sir Cadogan to just remember Neville’s face rather than have passwords changing every week (or was it every day?) and let Neville write them all down. In fact, how did Neville persuade Sir Cadogan to tell him all the passwords anyway, and if he was trusted enough to receive them all, then he could have just been let in on visual inspection only!
Another interesting example of the folly of passwords for entry is Dumbledore’s office. One can only presume that there is a password to prevent him being bothered by students – it would appear that the staff all know the password. However, seeing as they don’t seem to worry about saying the password out loud in the presence of students, one would expect that over time the password would become well known anyway.
But he does seem to change it, possibly every year, but again some basic social engineering research gives the clues – Harry realised that Dumbledore’s weakness is using passwords based on his love of sweets. So knowing that Sherbet Lemon was one password allows Harry, in the Goblet of Fire I think it was, to brute force entrance by working through other sweets until he stumbles upon Cockroach Cluster as being the correct password.
Good job too really, otherwise this highlights the other general problem of hiding access to the headmaster behind a password – if something really serious happens, only the staff would be able to tell him.
And despite all these precautions we know eventually Hogwarts security is compromised by an insider opening an unknown and unexpected channel to an outside place by way of a vanishing cabinet.
No, with all the possibilities available to those in the wizarding world, it seems very, well, muggle-ish to fall back on the use of passwords so much.
But then maybe it’s possible to over-analyse things too much 🙂
I’ve been having ‘fun’ recently. A friend had a laptop that was provided under the, now defunct, UK Government Home Access scheme. This scheme provided a laptop to people in order to help get them into computers and online, and I believe the whole thing was set up by Becta?
Anyway, these laptops came from certain suppliers – Comet and Misco were involved I believe – and had an ‘out of the box’ secure setup with anti-malware, parental controls and so on all pre-installed and pre-configured. All well and good. Until the scheme goes defunct and the computers are out of warranty and the suppliers no longer want to know. In fact I think even Becta is no more?
So, here we have a computer with parent and child accounts and a special account to set it all up. The Internet filter is protected by a password as is the special account. I assume this was some kind of protection against ‘government scheme free computers used for surfing porn’ headline in the future. All well and good, but the subscriptions to these services have now lapsed. So they are blocking sensible websites, updating the machine is really getting problematical and my friend has reached the point where quite honestly she is ready just to chuck the whole lot in the bin. Can I do anything about it?
Well I can’t stand seeing a decent PC go to waste and don’t mind a bit of a challenge. At the end of the day I’m sure the Internet can provide. If I can’t rescue their installation then Ubuntu or similar beckons, but as I don’t want to be administering this PC for ever and she is a non-technical user, I’ll see if I can unclutter her Windows 7 installation first.
Searching for default admin passwords gives some ideas but none of them work. So permissions is finally solved with a bootable Knoppix CD and chntpw. I now have an Administrator account, so to start tidying it all up.
Well the main hurdle is the Net Intelligence filter software. Removal is password protected from main and safe mode. There are some instructions on the Internet though, so taking a copy of the excellent autoruns tool from Mark Russinovich’s SysInternals suite, I set about finding all the references that make it start on boot. But it sure clung on for dear life and put up quite a fight!
I still can’t actually physically uninstall it, well using appwiz.cpl anyway – I might head straight to the disk, but it no longer appears to run, so fingers crossed that is no more.
All of this got me thinking a bit more about who actually owns our devices these days. Taking the obvious reply of ‘a hacker?’ out for a moment, so assuming we aren’t compromised by someone nefarious, how compromised are we by a third party company or organisation who, in reality, we don’t really know anything about. There are lots of people who’d like to own your device – your communications provider, your device manufacturer, the people who wrote the operating system, the people who own the tools you use, your bank, those who own the online services you use … the list is endless (anyone remember the Sony rootkit saga?).
In this case the organisation set up the machine with a whole host of locked-in services and tools that ceased to work properly once their default 1 year was up. Most PCs ship with something similar, although the difference with this scheme was that it wasn’t easy to turn them off. So they were given a PC, but then not given a PC …
But what about your games console? Your mobile? Your TV? Your Car? Do you actually really own any of that technology yourself? Not really. Not anymore.
I’m reading a good book at the moment (albeit slowly – I don’t seem to find much time to finish it) – Jonathan Zittrain’s ‘The Future of the Internet’. He has a lot to say on the subject of how the Internet came to be and how a generative network (the openness of the Internet) and generative platform (a generic PC) led to the current situation of tools, services and uses that no-one could have imagined when these basic building blocks of networks and computers were originally being designed.
However, we are on the cusp of a problem looming. In the interests of ownership, control or simply a desire for something shiny that ‘just works’ we are willing to sacrifice some of the key technological principles that gave us what we have today. I’ve just seen part of the problems such things can cause in trying to untangle the mess left behind by the well-intentioned, but now defunct, scheme that brought that laptop to my door.
If that is a sign of things to come, then the future does not bode well on the current trajectory. We’ll probably get away with it while our interests are aligned enough with the likes of Apple, Microsoft, Google, Facebook and so on (notice I say ‘enough’ – they aren’t really aligned – these are companies seeking to make money from us all naturally). But once those interests diverge, we’ll all be a bit stuck.
Open systems are definitely our best hope, but they can’t really compete with ‘shiny’.
In these days of children being online earlier and earlier, there is an increasing worry about online stranger danger and sites like Get Safe Online and organisations such as the Child Exploitation and Online Protection Centre (CEOP) and excellent resources like the ICO Youth website and Own Your Space spend quite a lot of time and effort attempting to educate the general public, and young people in particular about the issues associated with increased use of the Internet.
Well, it struck me today that there is already a very illustrative lesson of the dangers of using a mediated text-based communications environment where you easily build up trust but don’t really know who is on the other end – chapter seventeen of ‘Harry Potter and the Chamber of Secrets’.
When Harry is asking Tom Riddle how come he is standing ghost-like over the barely alive body of Ginny Weasley, he asks ‘How did Ginny get like this?’
‘ … I suppose the real reason Ginny Weasley’s like this is because she opened her heart and spilled all her secrets to an invisible stranger.’
‘My Diary. Little Ginny’s been writing in it for months and months, telling me all her pitiful worries and woes …’
‘It’s very boring, having to listen to the silly little troubles of an eleven-year-old girl … but I was patient. I wrote back, I was sympathetic, I was kind. Ginny simply loved me. No one’s ever understood me like you Tom … I’m so glad I’ve got this diary to confide in … it’s like having a friend I can carry round in my pocket …’
So what is the muggle equivalent of a ‘friend you can carry round in your pocket’? Well, a collection of connected friends in your phone’s contact list of course.
So be careful who your friends are – who receives your words as you write them on the page and they disappear like magic. The illusion of trust is easy to come by on the Internet. Just never confuse it with the real thing. It could lead to the take over of your mind by the world’s most feared wizard …
So remember the wise words of Arthur Weasley … “Haven’t I taught you anything? What have I always told you? Never trust anything that can think for itself if you can’t see where it keeps its brain?”
I’ve always been slightly annoyed with ‘secret questions’ that aren’t secret, and consequently have for ages always made up an answer and if it’s been for a website I’m going to want to use again (rather than one of those annoying websites that force you to register just to become a one-off customer of theirs) will keep a record of my answer somewhere.
Well I had classic confirmation of what a waste of time such things can be today. I had an online account with a large retailer that wanted to know my favourite colour. So I found something suitably obscure – at the end of the day there are plenty to choose from!
Now I can understand why the use of a second shared ‘secret’ (as long as it really is a secret) might be useful in an online system where you need some kind of assurance that the remote person is who they say they are. But in this case, my wife was in the store doing something and they needed the answer to the secret question. Of course, she didn’t even know the question let alone my obscure answer.
Now normally, she would probably have rung me to see if I knew or could find out, but in this case the store assistant said ‘never mind, let’s try some’ … and typed in ‘red’, ‘blue’, and so on. Then he said, oh, I’m not sure what other colours to try … so he rang their main office and explained that a customer was in store wanting to change something, but couldn’t remember her secret question answer … and then they asked to talk to her and asked for some personal details (date of birth, address, that kind of thing) and then promptly told her the answer to the question!
So, first of all, for the in-store situation, it just shows that it was totally unnecessary to need the secret question at all – she was there, with account numbers, physical artifacts, personal knowledge, a store loyalty card – they really didn’t need anything else to know who she was – as evidenced by the fact that they were quite happy with all this information in order to disclose the secret answer!
And secondly, if the secret question is to be of any use, then they really can’t just put customer service over security and give it out to anyone who happens to be in the store, confident, annoyed with their systems and who happens to be armed with enough of someone’s personal information to sound convincing!
So – in summary, security is fine, but not at the expense of customer usability. However, if customer usability just blows holes in any security defenses, and no one seems to mind, then someone should really be asking some serious questions about the need for such security in the first place! Also, while I’m at it, this also shows that something that can be secure enough in one context (e.g. online transactions) can be totally pointless in a different context (i.e. when the same system is used ‘in person’).
I suppose I also should point out that a security question that a huge majority will answer with, I assume, something like one of only twenty odd values is also a bit meaningless. So in future, when asked for your favourite colour for a security question – I recommend getting a little more inventive. Just don’t forget to make a note of it somewhere!
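To put numbers on the favourite-colour point, the following added example (not part of the original post) measures how well a secret question resists a handful of guesses, such as the assistant's 'red', 'blue', and so on. The answer counts are constructed for illustration and assume about twenty distinct colours across 1,000 hypothetical accounts; the function names are likewise invented here.

```python
import math
from collections import Counter

# Constructed sample, NOT measured data: answers to "favourite colour" for
# 1,000 hypothetical accounts, skewed towards a few popular values.
FAVOURITE_COLOUR = Counter({
    "blue": 290, "red": 160, "green": 130, "purple": 100, "black": 70,
    "pink": 60, "yellow": 50, "orange": 40, "white": 25, "grey": 20,
    "turquoise": 15, "brown": 10, "silver": 8, "gold": 7, "teal": 5,
    "maroon": 4, "navy": 3, "lilac": 1, "cyan": 1, "beige": 1,
})


def tally(raw_answers):
    """Count answers after folding case and whitespace, since 'Red ' and
    'red' are the same answer to anyone typing guesses."""
    return Counter(" ".join(a.lower().split()) for a in raw_answers)


def success_within(counts, guesses):
    """Fraction of accounts whose answer is among the `guesses` most
    common values, i.e. what a fixed number of tries gets through."""
    total = sum(counts.values())
    hits = sum(n for _, n in counts.most_common(guesses))
    return hits / total


def min_entropy_bits(counts):
    """Bits of protection against the single best guess."""
    total = sum(counts.values())
    return -math.log2(max(counts.values()) / total)


def guesses_for_target(counts, target):
    """Smallest number of guesses per account that reaches `target`
    (a fraction of all accounts), or None if it is never reached."""
    for k in range(1, len(counts) + 1):
        if success_within(counts, k) >= target:
            return k
    return None


def max_attempts_for_risk(counts, risk):
    """Largest lockout threshold that keeps guessing success at or
    below `risk`. Zero means no lockout policy can rescue the question."""
    k = 0
    while k < len(counts) and success_within(counts, k + 1) <= risk:
        k += 1
    return k


def report(name, counts):
    """One-line summary of a question's guessing resistance."""
    return (f"{name}: {len(counts)} distinct answers, "
            f"min-entropy {min_entropy_bits(counts):.2f} bits, "
            f"3 guesses open {success_within(counts, 3):.1%}, "
            f"attempts allowed at 1.55% risk: "
            f"{max_attempts_for_risk(counts, 0.0155)}")


if __name__ == "__main__":
    # Constructed comparison: every account holder made up a unique answer.
    invented = tally(f"made-up answer {i}" for i in range(1000))
    print(report("favourite colour", FAVOURITE_COLOUR))
    print(report("invented answers", invented))
```

With the constructed colour counts, three guesses cover more than half the accounts and no lockout threshold keeps the risk low, whereas invented answers tolerate several attempts.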
Well, we are now in the odd period where the media is bored hyping the build up to the Olympics – the torch relay, whilst being special to everyone it passes, has now become business as usual for the national news – but they don’t yet have any real sport stories to publish, so they are going through the “who can find the first major problem story” phase.
Hence, we are seeing “security shambles” stories, untrained border guards, and even armed responses closing motorways. Sometimes we manage to see a little common sense creeping in, but mostly fear, uncertainty and doubt reign supreme. Eventually, we will be able to adjust our society to cope with increasing security pressures and security thinking may become common place (link posted with tongue firmly in cheek), but for now, we all just muddle on.
So, with this background, this post is to report on the daftest Olympic disruption story I’ve seen so far.
London Metro: Toxic Caterpillars on the march – “Toxic caterpillars that could kill people with asthma are on the march, experts warn”. But wait, as if that wasn’t bad enough … “The caterpillars, whose toxic hairs are carried in the wind, have been found in west and south-east London. They could disrupt the Olympics by infesting trees near the Games, it is claimed.”
At least the BBC resisted mentioning the O word in their reporting – “Warning over rise in London’s toxic caterpillar population”.
So, maybe all Olympic guards are being warned to look out for anyone carrying apples that have suspicious holes in them … Or maybe someone will just train homing pigeons to drop them over Stratford.
That is infeasible I hear you cry? Well, insert your own favourite Olympic themed movie plot threat here instead 🙂
At least it might give the media something to report on until the sports events actually start.
I’ve slowly been (finally) getting to grips with the Facebook friends lists feature and have been noticing some interesting side effects of using it.
First of all, I finally know how to get Facebook to stop censoring my newsfeed. You add people to your “close friends” list, then you get every gory detail.
So next – do I want my lists to be cumulative or exclusive? Do I want close friends to appear in acquaintances as well? I opted for exclusive – if they are on one, then I won’t put them on the other.
Restricted friends – i.e. those friends you want to list (for whatever reason, friends hardly ever means “friends” on Facebook) but who, by default, you are happy not to show what you get up to. A smart move by Facebook, as by giving this built-in censoring people will be happy to divulge more to the social network, “safe” in the knowledge that their boss, parent or otherwise “don’t want to unfriend but don’t want to broadcast to” contact won’t see it.
The “smart lists” are interesting too – grouping those who have openly admitted to going to the same school, working at the same company or otherwise are members of something that is shared with you. But I notice that Facebook still offers up the rest of your friends as suggestions for adding to these lists too.
So, if I haven’t volunteered a piece of information – say which school I went to – but a number of my friends have, then it would be natural for them, if using the school smart list, to “add” me to their list for their school. The upshot is that even if I didn’t want to tell Facebook what school I went to, they don’t need me to anymore. The chances are that at least one of my friends will have put me in their “school” smart list.
This is like other people tagging me in photos but without me being able to opt out.
Crowdsourced personal tagging. Nice one Facebook – you seemed to have snuck that one in on us all and managed to align the incentives so that people will do it because it’s useful to them. Clever.
What’s next I wonder – smart lists for interests, sexual orientation, age, location? Oh yes, they already do that one – anyone I’m friends with can now tag me as a “local” friend and tell Facebook where I am whether I wanted to tell them or not.
Ok, so how about a generic framework for me to create my own list, add a set of people and then use the Facebook “like” system to categorise it in a way that is meaningful to me – with the side effect of telling Facebook everyone who (in my opinion) likes banana ice-cream, whilst building lego models at Justin Bieber gigs (or whatever criteria I’ve chosen to use).
And of course you’ll have no idea of how others have classified you. And you’ll have no option to refute it. I wonder how long it will be before there is a healthy third-party marketing business to work the system. How about a company paying people a penny to classify their friends with an interest in their product, so that ads for it float to the top of their Facebook page? You can already run “campaigns” to get more likes, visits, page views and so on (the scary one is paying $0.13 to “create a gmail account for me” … no prizes for guessing what that might be trying to circumvent …).
Getting your friends to “out you” on Facebook. Creepy yet? Oh yes. Good job that is a long way into the future … ahem, well actually, maybe it isn’t.
And of course, just deciding not to be part of this is probably no longer an option. Even if you’re not on Facebook, it probably doesn’t need you to be anymore – your friends can tell it all it needs to know. Just imagine the advertising opportunities for Facebook that already exist from sending emails to those not yet on Facebook based on what their friends have already volunteered about them.
This was making me scratch my head the other day – I was trying to back up a Vista machine to a removable hard drive, and the backup kept failing with the obscure error message “80070005 – Access Denied” (or might have said “Permission denied” – something like that).
The references I found to this on the Internet seemed to suggest that turning off your anti-virus software whilst backing up would cure things, but I didn’t fancy that route at all. However that did give me a clue.
Looking at the logs for MS Security Essentials, yes, there was a file that was being backed up that MSSE was blocking by indicating that it contained malware. So I performed the corrective action (removing the file) and started again. However the backup failed yet again with the same error.
That time though, I watched it backing things up and then realised what the issue was. Windows creates a copy of everything it will back up and then copies that copy to the backup media. MSSE was kicking in on the second copy – when trying to copy the backup copy to the removable media. Consequently when I performed the corrective action of removing the offending file, it was removing the copy not the original file. When the next backup started, Windows created another copy of the dodgy file and the backup failed yet again.
So, once I had located the original file on the disk and removed it, the next backup worked fine.
I’m not sure why creating the first backup copy didn’t trigger MSSE – maybe creating Volume Shadow Copies is special and happens “under the hood” – hence is not seen by MSSE. I’m also not sure why MSSE didn’t trigger when the offending file was actually placed on the disk in the first place, but maybe it was a file whose signature appeared in MSSE once it was already installed.
Either way, I managed to ‘solve’ error 80070005 without resorting to turning off the PC’s security defenses. It may have taken an hour to work out, but I’m sure that restoring after a virus problem from a backup that also contains the same virus would take a lot longer than an hour.
Moral of the tale? Don’t ignore your security warnings and if the Internet wisdom says “turn off your AV to solve your problem” … well, I strongly recommend you don’t! Solving the symptoms does not cure the issue.
Just received one of the most blatant and in-your-face banking scam, spam emails I think I’ve ever seen.
The only thing missing is the checkbox at the bottom that states “Yes, I agree to you emptying my account and transferring all my money somewhere else” …
Heard an odd thing on the radio this morning – people inventing their royal wedding name by starting with Lord/Lady, using a great-grandparent’s forename and then creating a double-barrelled surname by taking the street where you live and appending the name of your first pet.
I think they missed a trick here – they should have asked for your mother’s maiden name, the street where you were born and your first pet’s name. That way you’d have the answers to three of the common ‘I’ve lost my password’, “security” questions …
In fact, why not write a Facebook or iPhone app that asks all these but also creates a “the first”, “the 2nd”, “the third”, etc hashed from your date of birth – then you’d get that too.
And while we’re at it, ask for Facebook credentials and post it to your wall (most people won’t know you don’t actually need to give a site your username and password for them to post to your wall, that Facebook provides federated identity services to third party sites).
Actually I’d be surprised if said app doesn’t already exist … let me know if you find it 🙂