Tag Archives: Data Security

Creating fake passports from your personal data


This robotic installation will steal and share your data — with your help. 


The brainchild of ECAL student Martin Hertig, Sensible Data is a unique project designed to show just how easily people are willing to give up their personal information in exchange for fun. The playful installation collects a user’s data, judges their mood, age, gender and beauty, and creates a faux passport that is also randomly sent to another participant without them knowing.


If you think about it, what really happens when you openly give your name, numbers and other information online, and where does it go? Although the experiment was intentionally designed to test a small sample’s confidence in how their data is collected, it highlights a much broader privacy issue that exists today, especially in the wake of several mainstream leaks.

The Maker’s exploration consists of three machines that are essentially modified versions of the Piccolo CNC, an open source drawing device based on the Arduino Pro Micro (ATmega32U4). Meanwhile, a Raspberry Pi acts as the brain of the installation, running a Python script for every step of the process. Each script listens for the desired input and relays the plotting commands to the appropriate gadget.


How it works is pretty straightforward. First, a participant snaps a selfie with an iPad that’s automatically synced up to a Raspberry Pi using Dropbox. A Python script takes this picture and converts it into a line drawing with the help of OpenCV. The user is then prompted to send a blank email to the project’s iCloud address.


From there, the person’s face is analyzed. Upon receiving an email, the Raspberry Pi transmits the previously taken image to the Rekognition API. The facial recognition program is able to properly determine one’s mood, age, gender and their beauty, which is measured as a percentage. This information is stored in a database and inked onto the novelty passport letter by letter using a laser-cut stamp-wheel.


Last but not least, the participant is asked to press a dubious button that is actually a fingerprint scanner. Once the validation step is complete, an email with a matching participant’s data including their fingerprint, photo and email address is sent to the user. (Absurdly, the matchmaking is determined by the amount of lines in the portrait.)

The idea is that, when faced with a decision, more often than not people are willing to simply hand over their likeness, not knowing what will be done with it. Intrigued? Check out the entire project here, and be sure to watch it in action below!

Breach Brief: UCLA Health data breach may affect 4.5 million people


Hackers have gained access into the network of the Ronald Reagan UCLA Medical Center and three other hospitals.


A cyber attack on the UCLA Health system may have exposed the information of as many as 4.5 million people, officials say.

(Source: Wikipedia)


What information was breached? During the breach, which was announced Friday, the attackers accessed parts of the computer network that contain personal information, including names, addresses, dates of birth, social security numbers, medical record numbers, Medicare and health plan IDs, as well as some medical information like conditions, medications, procedures, and test results.

How many were affected? At this time, it is believed that as many as 4.5 million patients may have been affected across the network, which includes Ronald Reagan UCLA Medical Center and three other hospitals.

When did it occur? Suspicious activity was first detected in the network last October, prompting an investigation assisted by the FBI. Based on the investigation, it appears that the attackers may have even had access to these parts of the system as early as September 2014. It was only on May 5, 2015 that UCLA Health discovered that the part of the network in question had, in fact, been accessed.

What they’re saying: “At this time, there is no evidence that the attacker actually accessed or acquired individuals’ personal or medical information. Because UCLA Health cannot conclusively rule out the possibility that the attackers may have accessed this information, however, individuals whose information was stored on the affected parts of the network are in the process of being notified,” the healthcare provider wrote in a statement.

The latest incident demonstrates that healthcare is among the top industries at risk of being targeted by cyber criminals, raising concerns over the safeguarding of electronic medical records and other sensitive data. This attack comes on the heels of several other breaches, namely Anthem, which impacted 80 million Americans earlier this year. With the number of breaches on the rise and no apparent end in sight, how can you ensure that your network is protected?

Breach Brief: Cyberattack compromises the data of at least 4 million government workers


Four million current and former federal employees may have had their personal information hacked.


Hackers based in China breached U.S. Office of Personnel Management (OPM) computers, according to officials. One spokesperson has even described the incident as perhaps one of the largest thefts of government data ever.


What happened? According to the Washington Post, the cyber intruders accessed information that included employees’ Social Security numbers, job assignments, performance ratings and training information. No direct deposit data was exposed. Unfortunately, they could not say for certain what data was taken, simply which information had been accessed.

How many were affected? It appears that at least four million current and former federal employees could have been impacted.

When did it occur? The hackers, who are believed to have ties to the Chinese government, gained entry into the federal computer system last September. However, the breach wasn’t detected until April.

How did it happen? The hackers are said to have used a previously unknown exploit, a so-called “zero-day,” to take advantage of a vulnerability in the system.

What they’re saying: “We take all potential threats to public and private sector systems seriously, and will continue to investigate and hold accountable those who pose a threat in cyberspace.” An FBI spokesman has said that the agency is working with other parts of the government to investigate the matter.

In addition, cybersecurity experts have noted that the OPM was the target of another attack a year ago that was also suspected of originating in China. At that time, authorities reported that no personal information had been stolen. This latest high-profile occurrence comes amid growing concerns that even the most trusted sites and systems can be used by hackers aiming to infiltrate sensitive industries. With the number of cyber attacks on the rise and no apparent end in sight, how can you ensure that your network and its data are protected?

The 10 challenges of securing IoT communications


From the very beginning of developing an IoT product, IoT security must be a forethought.


One of the hottest topics at last week’s IoT StreamConf was security. In other words, how are we going to secure communication for billions of connected devices? How can we ensure that attackers can’t take control of our devices, steal information, disrupt services, or take down entire networks of expensive, imperative devices?

With IoT still in its early stages, its security is not as fully understood and well-defined as in other industries, like the financial and e-commerce sectors. From the very beginning of developing an IoT product, whether it’s small-scale like a wearable device or a massive-scale IoT deployment like an oil field sensor network or a global delivery operation, IoT security must be a forethought.


In this talk, Rohini Pandhi, Product Manager at PubNub, walks through the ten challenges of securing Internet of Things communication. Rohini discusses flexible and secure messaging design patterns for IoT communication, and how they can be implemented and scaled. There are a number of security considerations, but after watching this talk, you should have a good idea of how you can secure your IoT deployment.

(The table of contents below gives the point in the video at which each concept is discussed.)

Video Table of Contents

  1. Defining the Internet of Things (10:27)
  2. Unprotected devices will be attacked (13:15)
  3. Encryption (15:46)
  4. Single security model for all communications (17:56)
  5. Access control (20:13)
  6. Tracking device metadata (21:14)
  7. Provisioning in the field (22:38)
  8. Firmware updates in the field (24:07)
  9. Compliance with regulations (25:15)
  10. Reinventing the wheel (26:17)

More Resources on Securing IoT Communication

Below are a couple of great pieces on IoT security, and some code tutorials for IoT developers:

Report: 29 million patient records compromised in healthcare breaches


In 2013, two-thirds of healthcare data breaches involved electronic data, almost 60% theft and nearly 10% hacking.


Amid our latest bout with malicious hackers and network intrusions, even more data has emerged that will certainly put to rest any remaining doubts about the importance of proper security, particularly in healthcare. In a new study published in the Journal of the American Medical Association, researchers report that approximately 29 million health records in the U.S. alone were affected by breaches between 2010 and 2013, 67% of which were stored electronically.


In order to conduct their investigation, the researchers sifted through a government database containing information about data breaches involving unencrypted health information reported by clinicians and health plans. What they found was that a majority of incidents (58%) were exposed through theft, while the rest came as a combination of hacks and carelessness, such as loss or improper disposal of data and unauthorized access of information. And, most of the time, these breaches were connected to laptops and mobile devices.

In 2013, the frequency of breaches that occurred through hacking, unauthorized access or unprivileged disclosure increased to 27%, up from 12% just three years prior. The researchers warn that this number will only continue to rise.

“Given the rapid expansion in electronic health record deployment since 2012, as well as the expected increase in cloud-based services… the frequency and scope of electronic healthcare data breaches are likely to increase,” the researchers note. “These security breaches could involve everything from health sensors and gene sequencing technology, to predictive analytics and personal health records.”

Want to delve deeper into the topic? You can find the entire report here. Meanwhile, as attack platforms increase in size and threats become more sophisticated in nature, how can you ensure that your network and its connected devices are indeed protected? Fortunately, you can take comfort in knowing that there are solutions already available to keep those digital systems not only smart, but robustly secured all at the same time.

Greetings from Digitopia!


When it comes to the privacy and security of data, what does the future hold for consumers, companies and governments?


A tremendously interesting document, called “Alternate Worlds,” was published by the U.S. National Intelligence Council. It’s a serious document that not only examines four different alternatives of what 2030 might look like, but possesses some major geo-political thinking about the future.


In the entire report there was only one comment regarding privacy, which is amazing.  This brings up many questions.  Has privacy already become a quaint notion and a relic of times past? Is the loss of privacy a done deal? Will there be any attempt at reclaiming personal privacy? Will renewed privacy only be available to the upper classes? Will companies be required to take responsibility for embedding more security and privacy in their products and systems? Will governments fight for citizens’ rights to privacy or insist on the right to intrude? These all are important 21st century questions, and they are simply impossible to answer now given that there are far too many variables. Only time will tell.

At the moment, however, it is pretty clear that the trend is away from privacy, at least as privacy was defined in prior generations. If you observe first-world high school and college kids, you can easily see that many, if not most, live their lives way out in the open on apps like Facebook, Twitter, Tumblr and others, and don’t really seem to care all that much who is watching. Lately, more limited-audience apps like WhatsApp, Snapchat and WeChat that focus on smaller groups rather than general broadcasts have been growing, which signals some return to privacy concerns (i.e. don’t let mom see this), but the generational theme is clearly “live out loud.” Younger people live in a type of virtual society. Let’s call it “Digitopia.” Digitopia is far from a utopian place because it is insecure — really insecure. Cyber criminals, nosy companies, sneaky governmental operators, and other techno-mischief makers run rampant there.

One of the more intriguing predictions in the Alternate Worlds report points to future brain-machine interfaces that could provide super-human abilities, as well as improve strength, speed and other enhancements (i.e. bestow super powers). This notion could have come right out of author William Gibson’s classic cyber-punk novel Neuromancer where people’s brains directly “jack-into” the matrix.  The report states:

“Future retinal eye implants could enable night vision, and neuro-enhancements could provide superior memory recall or speed of thought. Neuro-pharmaceuticals will allow people to maintain concentration for longer periods of time or enhance their learning abilities.  Augmented reality systems can provide enhanced experiences of real-world situations. Combined with advances in robotics, avatars could provide feedback in the form of sensors providing touch and smell as well as aural and visual information to the operator.”


Hanging Out in Digitopia

Even the peaceful denizens of Digitopia are by default reckless, especially when it comes to their own privacy.

“A significant uncertainty … involves the complex tradeoffs that users must make between privacy and utility. Thus far, users seem to have voted overwhelmingly in favor of utility over privacy,” the Alternate Worlds report states.

As introduced in a prior article called “Digital Anonymity: The Ultimate Luxury Item,” the desire for personalized services is very seductive, and consumers are now complicit in, and habituated to, revealing a great deal about themselves. Volunteering information is one thing, but much of the content about our digital selves is being collected automatically and used for purposes we have no idea about. People are increasingly buying products that automatically track their lives, including cars that store data about driving habits and download it to other parties without any need for consent. As we visit web pages, companies get access to our digital histories and bid against each other in milliseconds for the ability to display their advertising to us. This is kind of creepy. There is now an unholy trinity of governments snooping on us, corporations targeting our buying behaviors, and cyber-criminals trying to rip us off. The antidote is better security, but cyber-security is not something that individuals will be able to make happen on their own.

Data collection systems are not accessible, and they are not modifiable by people without PhDs in computer science. Because of that, security and privacy could easily become commodities which consumers will demand and thus economically force companies to provide. The only weapon consumers have is what they consume. If consumers only purchase secure products, then only secure products will succeed. In Digitopia, a company’s success may become dependent simply upon how well they protect the interests of their customers and partners — that is not a hard concept to understand.

You can almost see how there could easily be the equivalent of a “UL” label for privacy. Products and services could be vetted for the strength of their security mechanisms. Products could then be rated on whether they have encryption, data integrity checks, authentication, hardware key storage, and other cryptographic fundamentals.


Beyond the testing of the products themselves, there could easily be businesses set up to provide protection to individuals and companies, like a digital Pinkerton’s for digital assets. It is likely that those who can afford digital anonymity will be the first to take measures to regain it. To paraphrase a concept from a famous American financial radio show host, privacy could replace the BMW as the modern status symbol. The top income earners who want to protect themselves and their companies will be looking for a type of “digital Switzerland.” Regaining privacy will likely democratize over time as the general population demands the same protections as the 1%-ers. Edward Snowden showed us that everyone is under some sort of surveillance, so we have to face the fact that data gathering on a grand scale is part of the world now and will only grow in scope. However, we don’t have to simply accept insecurity, because things can be done, including adding secure devices to digital systems.

The Future Belongs to the Middle Classes

Maybe the most important factor noted in the Alternate Worlds report has to do with the forthcoming growth of middle classes. As populations increase and more people worldwide move into the middle class, a growing number of people and things will be connected. That is why the Internet of Things is expected to grow so quickly. More connected things means more points of attack, and more data gathering for legitimate and illegitimate purposes. Therefore, the need for digital security is tied directly to the number of communicating nodes, which is tied directly to the growth of the middle class. More people with financial means means there will be more things to secure. This is becoming obvious. The middle class buys the lion’s share of products and services, and more of those products and services, and the way they are ordered and delivered, will be electronic. More people, more electronic things, more need for security.

When it comes to population, South and East Asia are the elephants (and dragons) in the room, as the chart below demonstrates.


The most powerful trend going forward is arguably the emergence of new “super-sized” middle classes in China and India. The worldwide middle class will grow exponentially, and it has already started to super-charge demand for food, energy, and manufactured products — particularly smart, communicating electronic devices, many with sensing capabilities. That, of course, is how the IoT is getting started. Major companies are holding out the IoT as a way to drive efficiencies in production and distribution while keeping costs low. You can see that in the literature of major companies such as GE, which is targeting the Industrial Internet of Things as a major strategic vector.

Population and purchasing power go hand-in-hand, and the evolution of smart, secure, and communicating systems will follow.  As Stalin said, quantity has a quality all its own.   That is why Asia matters so much.


From the demographic analyses, you can see that most Digitopians will be physically living in South and East Asia and this will continue to rise with time. So, what does that mean for security and privacy?


There is a very different view of privacy rights in Asia due to a varied tapestry of intricate and ancient cultures — cultures that differ from Western traditions in many ways. However, it must be pointed out that Western governments are far from white-knight protectors of privacy rights by any means. Even with uncertainty over how privacy will be embraced (or not) long-term worldwide, in the short- to medium-term enhanced security will have to filter into networks, systems, and end products, including the IoT nodes. You can look at that as securing the basic wiring and digital plumbing of Digitopia, even if governmental institutions retain the right to snoop.

Practical Security

To close on a practical note, in the short- to medium-term there will be a strong drive to embed more robust security into embedded systems, PCs, networks, and the Internet of Things. Devices to enhance security are already available, namely crypto element integrated circuits with hardware-based key storage. Crypto elements are powerful solutions whose fundamental value is only starting to be recognized. They contain cryptographic engines that efficiently handle crypto functions such as hashing, sign-verify (ECDSA), key agreement (ECDH), authentication (symmetric or asymmetric), encryption/decryption and message authentication coding (MAC), and run crypto algorithms such as elliptic curve cryptography, AES and SHA, among many others. Together with microprocessors that run encryption algorithms, crypto elements easily bring all three pillars of security (confidentiality, data integrity, and authentication) into play for any digital system.
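The functions listed above (ECDH key agreement, SHA-256 hashing, AES encryption with a GCM integrity tag, and ECDSA sign/verify) assembled into a single device-to-gateway message, as an added example written here in Go with only its standard library; it is not code from the article or from any crypto element vendor. On a real crypto element the device identity key would sit in hardware key storage and the ECDH/ECDSA operations would run on the chip, whereas here they run in software; the sensor reading, the “gateway” receiver and the Envelope layout are constructed for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is the message on the wire: one-time ECDH key, signature, AES-GCM output.
type Envelope struct {
	EphemeralPub []byte // one-time ECDH public key (uncompressed point)
	Signature    []byte // ECDSA over SHA-256(EphemeralPub): authentication
	Nonce        []byte
	Ciphertext   []byte // AES-GCM: confidentiality plus integrity tag (MAC)
}

// sharedGCM does the key agreement (ECDH) and derives the AES-GCM key with SHA-256.
func sharedGCM(priv *ecdh.PrivateKey, pub *ecdh.PublicKey) (cipher.AEAD, error) {
	shared, err := priv.ECDH(pub)
	if err != nil { return nil, err }
	key := sha256.Sum256(shared)
	block, err := aes.NewCipher(key[:])
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// Seal is the sender side. The identity key is what a crypto element would
// hold in hardware key storage; everything else here is per message.
func Seal(identity *ecdsa.PrivateKey, peer *ecdh.PublicKey, plaintext []byte) (*Envelope, error) {
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	gcm, err := sharedGCM(eph, peer)
	if err != nil { return nil, err }
	ephBytes := eph.PublicKey().Bytes()
	digest := sha256.Sum256(ephBytes)
	sig, err := ecdsa.SignASN1(rand.Reader, identity, digest[:]) // sign
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	ct := gcm.Seal(nil, nonce, plaintext, ephBytes) // ephemeral key as AAD, so the tag covers it
	return &Envelope{EphemeralPub: ephBytes, Signature: sig, Nonce: nonce, Ciphertext: ct}, nil
}

// Open is the receiver side: verify the sender, derive the same key, then let the GCM tag reject modifications.
func Open(sender *ecdsa.PublicKey, mine *ecdh.PrivateKey, env *Envelope) ([]byte, error) {
	digest := sha256.Sum256(env.EphemeralPub)
	if !ecdsa.VerifyASN1(sender, digest[:], env.Signature) { // verify
		return nil, errors.New("authentication failed: bad signature")
	}
	ephPub, err := ecdh.P256().NewPublicKey(env.EphemeralPub)
	if err != nil { return nil, err }
	gcm, err := sharedGCM(mine, ephPub)
	if err != nil { return nil, err }
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, env.EphemeralPub)
	if err != nil { return nil, errors.New("integrity check failed: message was modified") }
	return pt, nil
}

// Demo sends one constructed sensor reading, then flips a ciphertext bit in transit;
// it returns the recovered text and whether the modification was caught.
func Demo() (string, bool, error) {
	identity, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // device identity key
	if err != nil { return "", false, err }
	receiver, err := ecdh.P256().GenerateKey(rand.Reader) // gateway key pair
	if err != nil { return "", false, err }
	env, err := Seal(identity, receiver.PublicKey(), []byte("temp=21.5C"))
	if err != nil { return "", false, err }
	pt, err := Open(&identity.PublicKey, receiver, env)
	if err != nil { return "", false, err }
	env.Ciphertext[0] ^= 1
	_, tampered := Open(&identity.PublicKey, receiver, env)
	return string(pt), tampered != nil, nil
}

func main() { fmt.Println(Demo()) }
```

Because the signature is checked before any decryption, a message from an unknown device is rejected without the receiver doing the key agreement at all.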

As certain forces move the world towards less privacy and more insecurity, it is good to know that there are real technologies with the potential to move things back in the other direction. To make a fearless forecast, it seems that going forward companies will increasingly be held liable for security breaches, and that will force them to provide robust security in the products and services they offer. Consumers will demand security and enforce their preferences with class action legal remedies when they are damaged by a lack of security. The invisible hand of the market will point towards more security. On the other hand, governments will argue that they have a duty to provide physical and economic security, which gives them license to snoop. Countervailing forces are in play in Digitopia.

Breach Brief: Insurer Anthem hit by hackers


As many as 80 million customers of America’s second-largest health insurance company, Anthem Inc., have had their account information stolen.


Anthem Inc., which is the second-largest health insurer in the United States with nearly 40 million customers, has confirmed that hackers successfully breached one of its IT systems and have stolen personal information relating to approximately 80 million current and former consumers and employees. While details are still being figured out, the incident could potentially rank among the largest of recent attacks, including J.P. Morgan, Home Depot and Target.

(Source: AP)


What information was breached? While Anthem states that the breach did not appear to involve medical information or financial details such as credit card or bank account numbers, the data accessed during the “very sophisticated attack” includes names, birthdays, social security numbers, street addresses, email addresses and employment information, such as income data.

How many were affected? At the moment, the company did not say how many customers and staff were impacted by the hack. However, the Wall Street Journal has shared it was suspected that records of tens of millions of people had been taken, which would likely make it the largest data breach involving a U.S. health insurer. Something to consider: Anthem had 37.5 million medical members as of the end of 2014.

How did it happen? It appears that the attack was the only breach of Anthem’s systems, and the company’s CIO says it is not yet clear how the cyber-criminals were able to obtain the credentials needed to access the database. Those responsible are not yet known and an FBI-led investigation is underway. According to Bloomberg, there’s speculation that a Chinese state-sponsored hacker group might be behind the breach.

When did it occur? Investigators are still determining the extent of the attack, which was discovered last week.

What they’re saying: “Safeguarding your personal, financial and medical information is one of our top priorities, and because of that, we have state-of-the-art information security systems to protect your data. However, despite our efforts, Anthem was the target of a very sophisticated external cyber attack,” CEO Joseph R. Swedish shared in a statement. “Once the attack was discovered, Anthem immediately made every effort to close the security vulnerability, contacted the FBI and began fully cooperating with their investigation. Anthem has also retained Mandiant, one of the world’s leading cybersecurity firms, to evaluate our systems and identify solutions based on the evolving landscape. Anthem’s own associates’ personal information – including my own – was accessed during this security breach. We join you in your concern and frustration, and I assure you that we are working around the clock to do everything we can to further secure your data.”

It is becoming increasingly clear that embedded system insecurity affects everyone and every company. As we’ve seen, this insecurity can leave sensitive financial and medical data vulnerable to cyber-attackers. With the number of breaches on the rise and no apparent end in sight, how can you ensure that your network is protected?