Keeping secrets resources

General confidentiality links

Keep up with confidentiality entries on the NoticeBored Blog.

Spy Museum is dedicated to sharing the history of spying with youngsters and young-at-heart grownups too.

A paper from the Privacy Rights Clearinghouse giving a Chronology of Data Breaches Since the ChoicePoint Incident identifies that the privacy of well over 54 million Americans has been compromised since February 2005. The list of more than 150 reported incidents in this time (meaning an average of around two or three per week) is an eye opener for anyone who doubts the risk, and should be enough to make everyone think about their personal contingency plans.

If you’ve ever ordered a pizza online and wondered what happens to all the personal data on the pizza company’s telephone ordering database, watch this Flash movie. Unfortunately, the scenario is all too believable.

A cybersecurity tip on staying safe on social networking sites (such as Friends Reunited) makes the point that you need to consider carefully the implications of posting personal information in such fora. Remember, everything you ever post about yourself online is potentially available to a cyberstalker or identity thief.

Speedbit is an example of a software utility that incorporates security as standard, with a feature to erase information about the websites you have visited.

“Loose lips sink ships” is the tag line on one of a series of WWII posters about the need to avoid secrets falling into enemy hands.

Someone at Birmingham City Council in the UK evidently decided it was perfectly OK to publish letters of complaint to the council (complete with personal details) on their public website. Doh! It took the intervention of an MP to get this resolved.

A typical military-style guide to classifying information from New Zealand advises classifying purely according to confidentiality. Six different classes are defined. The notes include examples of the types of information plus the protection to be applied in each class.

The NSA (United States National Security Agency) has published advice on redacting (i.e. securely removing) sensitive text from Word and Acrobat documents so that it cannot be retrieved once they are released.

In addition to their offerings to individuals who wish to browse the web anonymously, Anonymizer provides similar services to organizations for whom anonymous browsing is desirable. They don’t exactly explain why organizations would need this type of confidentiality - that little exercise is left to the reader’s fertile imagination.

With some analysis of the Enron case, The Register’s piece Shred It! says you should “establish a clear and reasoned and workable [document retention] policy ... [and ideally] automate the process of document destruction ... Your policy should ensure that it is applied to active and archived documents equally, and paper and electronic documents.” However, things change if your organization is under investigation. “Once you know, or reasonably should know that particular documents or categories of documents may be relevant to an actual or anticipated investigation or litigation, your document destruction policy should be suspended.” In other words, you must not artificially use the policy to destroy evidence.

US-CERT’s cyber security tip discusses privacy concerns as we browse the Web. Most browsers disclose information about the systems they run on simply by visiting websites. The tip concludes with three straightforward actions to limit our exposure. It is well worthwhile signing up for the cyber security tips and related materials from CERT, whether you are simply a computer user or run a security awareness program. Author Mindi McDowell and colleagues are doing a great job.

Some data files include ‘hidden data’ that are not normally displayed and/or printed out by the corresponding programs. An MS Word file, for example, will often include the names of the author and the Word template used to produce it (from the ‘document properties’) and details of recent data edits (used for reviewing and tracking changes). New Scientist magazine reports that a researcher from AT&T has used utilities and scripts systematically to discover such hidden information in Word files available on the web. There is a risk that confidential personal or corporate information may be revealed unintentionally in this way. Until appropriate tools are available, the not-exactly-helpful suggestion is to publish only plain ASCII text on the web ...

If you thought shredding was a secure way to destroy confidential paperwork, check out this story in the New York Times (access requires free registration). Specialist companies are using scanning technology, coupled with OCR and handwriting analysis, to speed up the process of reconstructing even crosscut shreddings. [Hinson Tip: burnt shreddings make their task much more difficult.] 

The previous paragraph brings up the whole issue of secure disposal of redundant IT media and equipment, and privacy concerns when systems are sent away for repair. Silicon dotcom reports that a USB memory stick purchased as new was found to hold confidential records on cancer patients from a Manchester hospital. And now in Wired we read of a Blackberry PDA being sold on eBay by a former employee of Morgan Stanley, complete with the address book and a load of corporate emails containing confidential details about Morgan clients. A “study of disk sanitization practices” by researchers at MIT discovered that a surprising number of the hard disks they purchased secondhand, mostly on eBay, still carried sensitive personal and corporate information such as credit card and bank account numbers. Their original owners had either made no attempt to delete the files (yikes!), or had simply used the operating system’s delete or format utilities which often leave the data intact (doh!). Only 9% of the 158 drives in their sample were properly sanitized. The paper discusses some of the tools for sanitization and forensic analysis of drives.  [Presumably, if you are bidding for secondhand hard disks or PDAs on eBay, you should expect competition from others with as much if not more interest in the data as the hardware ...].

Access control

Even mighty Microsoft can get the simple things wrong - like accidentally granting the wrong people read access to confidential newsgroups.

A survey found that a significant proportion of the UK public would happily look at confidential information on the boss’s PC or on a partner’s email or cellphone. The article gave basic advice to protect the confidentiality of your personal information.

Encryption & cryptography

Secrets and Lies by Bruce Schneier is a classic, a Jolly Good Read. In the foreword, Bruce bravely dismissed his 1994 book “Applied Cryptography” (which was very well respected at the time) as naive, going on to explain that the elegant mathematics underpinning cryptography is not of itself sufficient to provide real-world security. The implementation is at least as important as the design. Secrets and Lies is a challenging, thought-provoking read but if you are seriously interested in the topic, it’s well worth the effort. At ~$12 from Amazon, it’s a bargain.

Looking for a program to encrypt files on-the-fly? Take a look at TrueCrypt. It offers a range of strong encryption methods to encrypt the contents of ‘container files’ or entire disk volumes. Best of all, it’s open source and free of charge.

There’s a cool (ZIPped) Flash animation showing how AES works on The Rijndael Page. It doesn’t exactly make it easy to understand - just slightly less obscure. There are many other useful resources on the site for AES crypto fans.

If you are an ordinary mortal (rather than an encryption wizard) tasked with evaluating encryption products, this FAQ gives some helpful tips on differentiating the snake oil from true cure-all. If you are selling encryption products, this FAQ gives some helpful tips on how to pull the wool over your customers’ eyes, or some searching questions to ask your back-room encryption gurus before you embarrass yourself in a sales pitch.

Ever wanted to own your very own Enigma machine? If you can’t afford a few thousand for the real thing, try this paper Enigma or a cool Enigma simulator program.

If you are interested in steganography (secret writing - essentially techniques for hiding information inside other information), you could try looking it up on the web, but you may not find much. Here’s a website to get you started in stego.

The CIA mistakenly concluded that Al Jazeera TV was broadcasting terrorist messages using steganography to hide the content in the ticker-tape news banner. The high state of alert, verging on paranoia, led the CIA analysts to see phantom messages, yet they were credible enough to cause US authorities to cancel flights and raise the terror alert level from ‘yellow’ to ‘orange’. At least the false alert was a fail-safe response.

The CISSP study guide’s cryptography chapter has been put on-line as a taster for the book, and the whole Handbook of Applied Cryptography is available on-line for personal use.

During World War II, a hand-picked team of extremely talented and dedicated mathematicians at Bletchley Park secretly cracked the Enigma system to read many enemy messages, and undoubtedly altered the course of the war. There is now a fascinating museum at Bletchley where the computers invented to automate the cryptanalysis have been painstakingly reconstructed from original engineering drawings and photographs. This article in the Telegraph notes that the main Soviet codes, as well as the German Enigma, were also broken at Bletchley.

If you’d like to read more about secret codes and cyphers, CSO magazine published this useful primer on encryption. If this is gobbledegook to you, don’t worry: your computer systems handle it all behind the scenes. However, if you find the CSO articles a bit lightweight and you’re not afraid of a little mathematics theory, try the Cryptography FAQ for more. 


Related NoticeBored links collections

Privacy & data protection, intellectual property rights, authentication, identity theft, physical security, compliance, accountability and social engineering.


NB: we do not necessarily endorse or agree with the third party websites accessible through the links. Use at your own risk. Please let us know about new or broken links.


Copyright © 2008 IsecT Ltd. and licensors