Wednesday, January 23, 2008

IP address = personal information

Yesterday the European Parliament's Civil Liberties Committee discussed the idea of linking your IP address to personal information. This would effectively give legal protection to IP addresses.

Of course, businesses that collect this information are against it. The leader of the pack is Google, which logs massive amounts of data and where it comes from. Tracking IP addresses can help Google crack down on click fraud or identify the geographical region of its customers, and in many ways is crucial to the company.

Google’s Peter Fleischer was quoted to have said: "There is no black or white answer: sometimes an IP address can be considered as personal data and sometimes not; it depends on the context, and which personal information it reveals" (Link to PDF).

On the opposite side of the debate, the Electronic Privacy Information Center argues that with the upcoming IPv6 model of the internet, IP addresses are becoming more and more personal.

Another big supporter of this side of the debate is Germany’s Peter Schaar, who heads the EU’s Data Protection Working Group. He believes that an IP address has to be regarded as personal data in situations where it can be used to identify someone.

If this idea does gain traction in Europe, it's unlikely to prevent the collection of IP addresses, which are used for everything from busting child pornography suspects to finding file-swappers to blacklisting spam domains, but it would no doubt require databases of IP addresses to meet certain security and retention standards.

Do you think IP addresses are personal information and, as such, should be protected legally?

Nate Evans
The Krell Institute


Tuesday, January 15, 2008

Employee anger almost causes problems for company

Before I jump into my story, I wanted to introduce myself. Michael McCoy honored me by asking if I could contribute to this blog. My name is Nate Evans and I am a PhD candidate at Iowa State University in computer engineering. My research expertise is in an area very close to identity theft: social engineering. In some ways you could classify identity theft as a small piece of social engineering, but I don’t want to step on anyone’s toes here! I am currently working on my dissertation and am employed part time by the Walt Disney Company and The Krell Institute.

So in short, expect stories from me involving people ripping other people off.

When people define social engineering and try to explain the problem with it, they normally start with something like this:

“You can spend millions of dollars building a super secure computer system, but if the system admin sells his pass for $1,000, your system is now worth $1,000.” What if the system admin does not sell the password but instead uses it against the company to destroy or sell company data? This brings me to my story.

Recently a 51-year-old administrator, Andy Lin, was given 30 months in jail and fined $81,200 for trying to destroy a medical drug database at a company he was employed with.

Way back in 2003, Andy learned that his company, Medco, was going to lay people off, and he wasn’t sure he would survive the layoffs. In a fit of anger, he decided he would make the company pay by writing a script to delete everything in the company’s database. The script was set to go into effect automatically on his birthday, April 23, 2004.

Well, a couple of weeks rolled by and Andy did not get laid off. As such, he attempted to edit the code to make it ineffective. He failed, and on April 23, 2004, the code deployed anyway.

Luckily the code contained numerous bugs and his program just crashed. Andy, still the cautious type, fixed the bug and reset his doomsday timer to April 23, 2005.

Fortunately for the company, another system admin was looking into this odd crash and found Andy’s code. In January 2005, Andy was arrested and pleaded guilty to one count of transmitting computer code with the intent to cause damage in excess of $5,000, and he was sentenced last week.

It's amazing how much damage one employee could do to a company. If that database was deleted the company would be in massive trouble. Imagine if the employee, instead of destroying it, sold it to the competitors...

You could take one of two lessons from this: Either don’t trust people, or pay your system administrators more!

Nate Evans
The Krell Institute


Monday, January 14, 2008

British Identity - It's mostly LOST!

Americans feel stressed about the safety of their identities.

It's a good thing they are not British!

Here is some of what David Harrison of The Telegraph reported. "A record 37 million items of personal data went missing [in 2007].

"Most of the data was lost by government officials but councils, NHS trusts, banks, insurance companies and chain stores also mislaid or published personal information about staff or members of the public. Many losses were caused through CDs going missing in the post, laptop thefts, and inadequate security systems that failed to stop hackers reading information stored on computers.

"The details lost included those of names, addresses, passports, bank and mortgage accounts, credit cards, hospital records, dates of birth, national insurance numbers, driving licences and telephone numbers."

Well, that pretty much takes care of every scrap of information someone needs to totally screw over any citizen!

"The "shocking" total of 36,989,300 items prompted calls for the Government to kill its plans for national identity cards.

Nick Clegg, the leader of the Liberal Democrats, who produced the figures, said: "The ID card project is now in freefall, because faith in the Government's ability to handle personal data has hit crisis point - 2007 was the worst ever year for personal privacy. We need a total rethink on data protection enforcement and an immediate end to the identity cards plan."

This really answers the question of why a National ID Card is good in theory but very bad when you understand that government bureaucrats don't give a damn about your security and privacy. How many government employees are doing jail time for putting at risk the security, happiness, and tranquility of citizens? The answer is that I personally have NEVER seen a single story (unless someone actually STOLE this data).

"The biggest single loss was in November when Alistair Darling, the Chancellor, revealed two CDs with personal details of 25 million child benefit claimants and their parents had gone missing."

Yeah, and I saw somewhere that this amounts to 40% of all Brits! That's what you get for sucking up so much government welfare!

"Three weeks ago Ruth Kelly, the Transport Secretary, admitted that the details of three million learner drivers had gone missing when a hard drive was lost in Iowa, USA.

Last February it emerged 80 passports are lost in the post every month."

Oh good! And how does this help protect the world against terrorists using illegal British passports?!

Last month, CDs with personal information on thousands of benefit claimants were found at the home of a former contractor to the Department of Work and Pensions.

Three days later the names, dates of birth and national insurance numbers of 45,000 people claiming benefits in west Yorkshire were lost by the Government.

A spokesman for the Home Office said the National Identity Register will not hold tax, benefit or other financial records. "We will draw on any lessons learned from incidents of data loss. The whole scheme will be fully security-accredited."

Stay tuned because the risks to your safety and security are getting greater and greater even if you do not live in England!


  • All Material is Copyright © 2009 Michael McCoy and SEAS, L.L.C