Tuesday 18 December 2007

Securing data - is it really just a problem in government?

Introduction

We've seen an upsurge in interesting leaks recently regarding data that you would wish to be private, from Her Majesty's Revenue and Customs (HMRC) to the Driver and Vehicle Licensing Agency (DVLA). I've heard so much hyperbole surrounding this issue, with everyone from former identity fraudsters through to industry experts and MPs commenting on how poorly the government deals with security compared to private companies.

The reality, however, is different: information is continually leaked from companies too, with the most recent instances being those from TK Maxx and Nationwide. These are the ones you have heard of because they could not be denied, but what about the cases where a person sends data to a business partner without checking the partner's security? What about the ones where unencrypted personal data is sent through the post with no check on the protection the data inside requires? What about your payment card details being read out over a phone call, with all the details needed to make payments, to a person under no mandatory protection at all?

Ignorance is bliss!

Don't believe that the above could happen? Think again: there is no standard that companies have to follow regarding security, yet there are many laws controlling other aspects of corporate life. In my previous professional life, security assessments of companies would often show surprising results; large companies would often have little understanding of the most basic law regarding your privacy, the Data Protection Act 1998 (DPA '98). More concerning is the number of small companies hosting copies of their customers' (i.e. larger companies') customer data with no protection, because they are "too small to have the ability to understand security"! Think about that last point: if you have anti-virus and a firewall and update your Windows system regularly, you are very likely more secure than the companies storing your customer data outside the control of the very company you entrusted it to!

I have been the victim of data loss three times now over the past year: twice due to a hacking attack and once due to the loss of a CD-ROM (guess which one!). The hacking attacks were due to the use of eCommerce, and the first of these gave the most glaring example of the issue that we all face: blissful ignorance!

With a marked downturn in physical 'offline' sales this Xmas compared to a 50% increase in 'online' sales, this is probably one of the most relevant topics of conversation, yet it is one the popular press has missed entirely in its coverage of the recent data losses!

Returning to the case of blissful ignorance: the company in question had suffered a loss of over 100,000 customer records, and when I enquired as to the reason I was told firmly that I was the only customer who didn't understand that the company was the victim here! I was astounded, and when I pressed further I was firmly told that the company couldn't be expected to understand the ways that websites can be broken into. This attitude is akin to the owner of a traditional shop saying that they didn't realise they had to lock the doors and windows at night; that would never be tolerated by the public at large (hopefully), as they understand that you have to do that and they do this very thing at home.

Understanding the issues

Is security really that hard to comprehend? You might say that it's easy for me to say this, as I have many years' experience in both offline and online security to draw on, but I believe the issue is this: financial savings can be made from the use of the online environment, but with them comes a need for further protections that themselves cost money. To continue the analogy, if your purse/wallet were stolen you could apportion blame, as you had taken all reasonable precautions, but many companies either leave their purse/wallet in full public view or entrust it to a stranger.

An interesting point raised by this analogy is this: if the purse/wallet were stolen then it's theft, but is it theft if customer data is stolen from a website? Within the UK, the answer is no, as the legal definition of theft in the UK is "the dishonest appropriation of property belonging to another with the intention of permanently depriving that person of it". In plain English, this means that unless the owner is actually deprived of access to the data, copying it is not theft.

This is part of the problem: walk into a bank and steal money using a weapon and it's armed robbery, with proof that the robber used the weapon being just part of the trial. Steal money, customer data and/or credit card data from a computer and it's computer crime/hacking; theft doesn't get mentioned at all! This failure to align computer-related theft with the normal statute means it is allowed to be complicated by techno-babble rather than related to something we all understand.

Effective laws?

Computer-related theft has to be tried under the Computer Misuse Act 1990 (CMA '90), which focuses on unauthorised access rather than on intent. As you may gather, this law is now 17 years old and was updated recently to tackle denial of service attacks (the online equivalent of disrupting commerce by blocking access to a shop). No attempt has been made to address the outdated definition of theft. Why does this matter? Because the number of successful convictions for computer-related theft under the CMA '90 is minimal, to my knowledge. Don't believe me? Let's look at the following examples:

In March 2000, Raphael Gray used a flaw within a web server to obtain credit card details from a number of websites, including the details of Bill Gates. Gray was subsequently charged under sections two and three of the CMA '90 for the access to the web servers.

In this case, defence counsel successfully argued that the technique used to exploit the vulnerability, which also disabled logging, could not be brought to trial as there was no evidence to prove that it had succeeded, even though there were logs showing that Gray had attempted it unsuccessfully on the same device. This defence rested on the premise that all websites are designed to be accessed from the internet, and that at no time after conducting the attack was Gray notified that he was entering a restricted area, either by a window asking for authentication credentials or even by a message stating that the area was restricted. Gray eventually accepted a plea bargain, pleading guilty to charges under section one in relation to the hacking of the web server in exchange for a more lenient sentence (he was also indicted for the fraudulent use of the stolen credit cards).

In another case, Daniel Cuthbert attempted a directory traversal attack on the DEC website on New Year's Eve 2004, by entering /../../ after suspecting it to be a 'phishing' website. The intrusion detection systems at the hosting ISP picked this activity up and informed the police. Although Justice Purdy accepted that Cuthbert had not intended to cause any damage, he found Cuthbert guilty under section one, as intent did not need to be proven, but he also stated that there was almost no case law in this area.

In both of the above cases the conviction was for the same offence, but the intent was vastly different. Justice Purdy's statement regarding the lack of case law is wholly correct with regards to web application hacking. Just as authorisation for access to networked systems has to be clearly defined before a prosecution can be brought under the CMA '90, web applications need to be fully tested to ensure they disclose no information unless the correct authorisation mechanism has been complied with.
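The Cuthbert case turns on a single /../../ request that an intrusion detection system noticed, and the point just made is that web applications must be tested so that such requests disclose nothing. The following Python is an added example, not code from the original post: it shows a document-root resolver that refuses any request path escaping the root (the server-side control that makes /../../ harmless), and a log scanner that applies the same rule to access-log lines, the way a simple IDS signature would. The log lines, IP addresses, timestamps and the root path /var/www/html are constructed placeholders.

```python
import posixpath
import re
from typing import Dict, List, Optional
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines in NCSA common-log style.
# They are invented for this example and do not come from any real host.
SAMPLE_LOG = """\
203.0.113.5 - - [31/Dec/2004:23:58:01 +0000] "GET /index.html HTTP/1.1" 200 5123
203.0.113.5 - - [31/Dec/2004:23:58:07 +0000] "GET /../../ HTTP/1.1" 403 221
198.51.100.9 - - [31/Dec/2004:23:59:12 +0000] "GET /images/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 404 196
198.51.100.9 - - [31/Dec/2004:23:59:30 +0000] "GET /news/2004/../2005/ HTTP/1.1" 200 874
"""

# Matches the quoted request line: method, target, protocol.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Hypothetical document root; any real deployment would use its own.
DOCUMENT_ROOT = "/var/www/html"


def resolve_under_root(target: str, root: str = DOCUMENT_ROOT) -> Optional[str]:
    """Map a request target to a filesystem path beneath `root`.

    Returns None when the path, once percent-decoded, would climb above the
    root via '..' segments. Decoding happens exactly once, so a double-encoded
    '%252e%252e' stays a literal (harmless) segment name rather than '..'.
    Only POSIX-style '/' separators are handled here.
    """
    path = unquote(urlsplit(target).path)
    parts: List[str] = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue                      # empty or current-dir segment: skip
        if seg == "..":
            if not parts:
                return None               # would escape above the root
            parts.pop()                   # legitimate climb within the root
        else:
            parts.append(seg)
    return posixpath.join(root, *parts) if parts else root


def scan_log(text: str) -> List[Dict[str, str]]:
    """Flag log lines whose request target escapes the document root.

    Mirrors the server-side rule above so that benign '..' usage that stays
    inside the root (e.g. /news/2004/../2005/) is not reported, while
    plain and percent-encoded escapes are.
    """
    alerts = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue                      # not a request line we understand
        target = match.group("target")
        if resolve_under_root(target) is None:
            alerts.append({"client": line.split()[0], "target": target})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f"traversal attempt from {alert['client']}: {alert['target']}")
```

Note that the resolver deliberately avoids posixpath.normpath for the escape check: on POSIX, normpath('/../../') collapses to '/', which would hide exactly the request the example is meant to reject.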

Conclusion

If the government is failing in any area, it's in the outdated laws regarding computer-related theft, the failure to force companies to secure their data, and the complete absence of laws requiring all UK companies to meet a certain level of security. The public need a better understanding of what the issues are and how to protect themselves; the government can support this, but UK plc has to take a stand too.

1 comment:

Raj said...

Interesting post; one thing of note, though, is that we are all struggling in the dark with either little or no information.

Yes, it's very easy for the media to jump on the bandwagon and say "things are not secure", but seriously, how many other unauthorised disclosures have there been?

It's all well and good saying the problem is bad software, and by introducing breach notification laws we are penalising the drivers behind the wheel, but without this we cannot understand the extent of the problem.

Most people can probably name security incidents that are not publicly disclosed; isn't it time the stigma of an incident is removed and we started, as an industry, to learn from each other's mistakes? I mean, after all, when there are physical security incidents organisations have no problems reporting these crimes!