Here on the Internet, we face a related problem. Every time we type something into a web search bar, it is analyzed. Every web site we visit is tracked back to us. Every word we send over email can be read in transit. Every IM can be captured. All of our transactions using credit or debit card are logged, the locations, amounts and purchases used to develop detailed profiles of us. This information can be, and often is, used to manipulate/exploit us. (This doesn’t even take into account spyware, keystroke loggers, and other invasive recording/tracking devices that record many people’s every movements.)

We can’t see it happening, so most people don’t realize that we’re being watched.

Even when we do realize we’re being watched, often the attitude is, “Who cares?” Corporations, dictators and other modern predators aren’t as stupid as the Ravenous Bugblatter Beast, and they’re very ravenous. Many of us operate with a broad trust in human goodness which is unfounded. Humans enslave, hurt, kill and exploit each other. Not all of us, but some. Having equal visibility, or at least an accurate understanding of the playing field, is exceptionally important.

In order to preserve true democracy and individual freedom, we need to demand better publicity and transparency of monitoring. People are not designed for an environment in which we are constantly being watched by an invisible eye. We don’t instinctively take this into account when designing government or conducting business. We need to:

a) Educate people regarding current monitoring techniques by government, corporations, and criminals;
b) Work to make these activities as visible as possible, by demanding signage, lights, labels or other visible indications of surveillance in all forms of technology.

If you have suggestions regarding how and why to make surveillance more visible (on the Internet and beyond), please contribute comments. This is an exceptionally important issue that we need to openly discuss and address.

The letter went on to state that BofA had reviewed her account and saw “no evidence that your account has been misused in any way. We will continue to monitor activity on your account, and if we detect suspicious transactions, we will notify you.” BofA also informed her that “we will close your existing account and issue you a new account number and credit card(s).”

Imagine if your doctor sent you a letter informing you that “you’ve contracted an undisclosed disease from an undisclosed third party. Take these pills and carry on as before. We’ll monitor your symptoms and notify you if you show signs of further infection.”

The underlying subtext here is that a) my friend’s information was probably compromised through a merchant that she has done business with; b) she does not have the right to know who that was; and therefore c) she must continue to do business as usual without the ability to change her behavior based on the fact that the merchant did not safeguard her information appropriately.

BofA referenced a web site where they talk about data compromise:

http://www.bankofamerica.com/compinfo

According to this site, “When a data compromise occurs Bank of America is notified by multiple sources, including Visa®, MasterCard®, American Express® and law enforcement agencies when our accounts have been included in a data compromise… Unless the merchant announces the breach to the public, we are unable to provide the name of the merchant or where the data breach has occurred.”

In other words, the credit industry is facilitating willful ignorance in order to protect their fundamentally broken system. If you or I found out where exactly the breach happened, we might not be so inclined to give our credit-card numbers to the end merchant or payment processors involved. Customers are not provided with the information we need to make educated decisions about who we trust with our information.

Truth be told, the fundamental problem isn’t with the end merchants, anyway. The problem is that our financial infrastructure rests on the broken concept that a short string of numbers can be used to move money from one person’s account to another. This string of numbers has to be kept “secret,” but it also has to be given to dozens of people throughout the course of a day in order to conduct routine transactions.

Here’s my favorite section of BofA’s data compromise FAQ:
“Is it safe to use my new card?
“We are confident that this was an isolated incident and that the steps we have taken will ensure the continued security of your account. Please continue to use your new account as you normally would.”

Yes… an “isolated incident,” just like the other 285 million records that were compromised last year. Take these pills and carry on.

When upper management is notified of a data breach, they have to choose between:

a) Announcing publicly and in a timely manner, which would result in major reputational damage, financial drain, loss of business, and potentially huge lawsuits.

b) Keeping quiet and hoping that no one ever finds out (in which case, nothing happens).

Of course, usually upper management doesn’t find out at all. There is little incentive for IT staff to report compromises all the way up the chain, since it just makes them look bad. System administrators fear that if they detect a compromise on their own servers, managers will accuse them of doing a bad job. Also, the breaches have to be detected in the first place– and often security staff are overworked and have limited resources for tuning IDS or following up on alerts.

The bottom line is that no one is motivated to do a good job detecting and publishing breaches– not corporations, not upper management, not IT staff, and in many cases not even security teams themselves. Ethics can hardly compete against real financial incentives and fears for job security.

Don’t Companies Have to Report Breaches?

Many states have data breach notification laws, but these tend to have major loopholes. Importantly, they don’t provide clear guidelines for deciding whether a “security breach” happened. As a result, if an attacker destroys important evidence or if the company does not retain records that would explicitly prove inappropriate access, then the company will probably decide that they are not required to report. Customers affected never even hear that there was concern about a breach in the first place.

The assumption is that the data is secure unless there is explicit evidence which proves otherwise. This is backwards! When log retention creates a liability, companies have reduced incentive to collect or retain detailed records. If we assume the data is secure unless there is proof otherwise, then there is no reason for companies to work to retain evidence.

The irony is that companies with the worst security practices, who do not keep logs or configure IDS systems effectively, are the ones who get off scot-free because they do not collect or retain the evidence of a breach.

What about the proposed federal Data Accountability and Trust Act?
The Data Accountability and Trust Act which passed the US House of Representatives last month does nothing to address this loophole. It requires that “Any person engaged in interstate commerce that owns or possesses data in electronic form containing personal information shall, following the discovery of a breach of security of the system maintained by such person that contains such data…notify each individual…”

OK, so what is a “breach of security”?

“(1) BREACH OF SECURITY- The term `breach of security’ means unauthorized access to or acquisition of data in electronic form containing personal information.”

How do you decide if there has been “unauthorized access to or acquisition of data”? The bill does not provide any guidance. As long as the organization does not keep records which would *prove* that confidential data was accessed or exported, their legal counsel may advise them that they do not have to report. I am not a lawyer, but I have seen this happen repeatedly with respect to existing data breach regulations.

How Can We Fix This Loophole?
Here are some ideas:

• Assume insecurity. Companies should be able to produce access logs and records which confirm that the data has been kept safe, rather than vice versa. This will motivate companies to collect and retain access logs in much greater detail than they do now.
• Proactively audit large organizations that retain lots of personal data.
• Publish yearly certificates based on audit results, the same way health inspectors publish certificates for restaurants. This way the public can decide which companies to give our information to, based on how well they secure it.

Today, the vast majority of security breaches are never reported. When you examine the incentives and the myriad of holes which exist in reporting regulations, it’s easy to understand why. Detailed logging and monitoring practices result in greater liability. Reporting incidents to the public can lead to financial ruin. There’s little incentive for organizations to do a genuinely good job tracking access to confidential data.

In this backward system, it’s a wonder we hear about any breaches at all. The fact that we do hear about data breaches frequently should make you stop and think about the number that are *really* occurring, but are never detected, let alone reported. Speaking from experience, I can tell you that the data breaches you hear about are just the tip of the iceberg.

Here are examples of the private information that state and local governments collect:

Health:

• Prescription Drug Monitoring Programs (PDMPs) in which “physicians and pharmacists… log each filled prescription into a state database to help medical professionals prevent abusers from obtaining prescriptions from multiple doctors.”
• Adult Medical histories (including sexual orientation, drug history, lists of medical problems, work history). Gathered for vaccinations and state health testing.
• Vaccine immunnization records (Children and Adults)
• Lists of people who are immunocompromised
• Lists of pregnant women and their doctors
• HIV/AIDS test results

Taxation:

• Income sources and levels
• Bill owed (doctors, lawyers, etc) for certain cases (see p.10)
• Bank statements
• Bank account numbers(see p. 14)
• Credit card numbers(see p. 14)
• Social security numbers
• Pension information
• Life insurance information
• Detailed employment records
• Deductions
• Value of assets (house, car, etc)
• Address, phone, extensive contact information
• Children’s names, Social Security numbers, ages
• Names of daycare providers

Unemployment:

• Names of people who have been unemployed
• Bank routing and checking account numbers
• Extensive personal details, including SSN, Driver’s license info, etc.
• Previous employment history
• Details regarding job search
• Salary records
• Records of unemployment funds received

Transportation:

• Detailed travel records (EZ-Pass, Fastlane, Subway passes)
• Dates, times, and locations that subway/EZ-pass cards were used
• Lists of senior citizens, contact information and photographs
• Lists of disabled people, contact information and photographs
• Credit-card and payment information
• Rider photographs and video footage

Motor Vehicle Services:

• Driver personal info:
• Height
• Weight
• Eye correction
• Address
• Social Security Number
• Payment information
• Violations (see p.3 for a list of info typically included in citations)
• Locations, dates, times
• Description and details
• Images (photographs, videos)
• Red-light camera images
• License-plate tracking

Government Employee records

• Social Security numbers
• Employee reviews
• Health insurance information

Education:

• Childrens’ standardized test scores

Police:

• Confidential informant records
• Confidential juvenile records
• Video surveillance footage of streets and intersections
• Rape victim statements and details
• Officer personal information and disciplinary records
• Investigative data

 
We conduct routine inspections of restaurant kitchens for public safety, and the public is entitled to see inspection certificates. Shouldn’t management of our public data be held to the same standards?

The public deserves to have input regarding what data is put into the hands of companies which are not controlled by the public. We deserve regulations which protect our private information from abuse, and which specify what types of information can or cannot be hosted by foreign companies and private companies.

Most importantly, we deserve assurance. Our government must routinely verify through inspection and public reports that confidential information is not being misused by private companies, and that only appropriate types of information are being shipped off-site. If private companies are to hold taxpayer information, the public deserves independent verification and reassurance that our data is well-managed.

For information about the specific data used by your state, check out your state’s web site and look at the services it offers. (Here’s a nice example from the State of New Mexico.) Then think about all the private information that your government needs to collect and process in order to support those services. You might be surprised.

“Over 60% of the U.S. state governments have gone Google.”

Does this mean that we’ve now handed the majority of our state governments’ operational data to a single privately-controlled company which has well-publicized partnerships with other governments such as China?

To find out more, I contacted Google’s press department. A representative promptly got back to me with more information:

“The reference to Going Google refers to US state governments using one or more of Google’s enterprise products…With regard to data hosting, Google Apps is a cloud computing solution meaning Google hosts the data in our data centers, relieving the customer or gov agency of the burden of managing their own servers in house.”

In other words, according to Google, United States state governments have literally handed over our public data to be held and managed by a private company which has well-publicized partnerships with other governments such as China. The data is physically stored in Google’s buildings, on Google’s servers, managed by Google’s employees. This means Google now controls our government’s access to it’s own data.

Google declined to make their list of state government customers public, so instead I checked to see which states had active Google Apps login pages for their domains. There are 19 states that have active Google Apps login pages (plus Washington D.C.) These include:

In September, Google announced its plans to create a major government data hosting operation for the United States. “Today, we’re excited to announce our intent to create a government cloud, which we expect to become operational in 2010. Offering the same services and features as our existing commercial cloud (such as Google Apps), this dedicated environment within existing Google facilities in the US will serve the unique needs of US federal, state, and local governments…”

Moving the data itself offsite is a BIG change, and one that comes at a BIG price. This effectively places state governments’ data outside the direct control of our government. If Google (or an ISP) were to decide for whatever reason– economic, political– to cut us off from our data, governments using their services would be, well, Scroogled.

To me, this is an unacceptable level of control for a single private company to have over federal, state or local government. When you reach a point where the government cannot operate without a private company, then the private company has effectively gained control of the government.

With Google physically housing and managing state government operational data, they literally gain control of our government’s operations. What’s more, Google also has access to data mine the information. Would this be legal? Hopefully not, depending on the contract that our governments have signed. Would it be technologically possible? Of course.

In another twist, state governments’ moves to outsource their data could also open their information to far greater access by intelligence agencies. It might be legal under homeland security rules for federal intelligence agencies to force Google to turn over information from state and local governments, perhaps without even notifying them. For issues where state laws are in direct conflict with federal laws, the implications for states’ rights are serious. For example, several states maintain lists of registered medical marijuana patients. Could a federal agency force or coerce Google to turn over lists of names without permission from the state?

Google is extremely good at managing its own public image (it undeniably has a leg up due to the fact that it controls news sources and search engine returns). However, it is still a for-profit corporation and ultimately works for the good of its owners, not the public. The fact that Google is working to host a large percentage of U.S. government data should set off alarm bells. How can the U.S. government effectively manage its own security and the interests of the people when large corporations have it by the balls?

The long-term, hard-to-quantify risks of moving the United States’ operational data to a private company are easy to ignore when you look at the short-term technological benefits and shiny flashy features. No one can deny that Google enables government entities to operate with a level of sophistication that would inconceivable if all operations were done in-house. Governments typically suffer the same problems as many midsize companies with underfunded IT departments and political complexities that make it difficult to centralize and streamline operations. It doesn’t really make sense for every state and local government to reinvent the wheel with respect to IT. With no “public option” for scalable, government-sponsored IT services, it’s understandable that state and local governments would outsource to the private sector.

That said, the practice of outsourcing government IT management is risky and deserves careful scrutiny and regulation. It’s funny that we’re chasing after “terrorists” in our airports, and at the same time our state governments have moved fundamental operations data over to a private company which is not controlled by the public and has strong ties to foreign governments.

Google is outside our system of checks and balances. They are quickly becoming absolutely necessary for our government to function, but their operations are not transparent and are outside the control of the American people.

Here are a few related press materials published by Google:

District of Colombia

Virtual Alabama

City of Los Angeles

‘”Its destruction left a deep and lasting wound in the architectural consciousness of the city. A famous photograph of a smashed caryatid in the landfill of the New Jersey Meadowlands struck a guilty chord.” (Wikipedia)
Patty King wrote in a comment a couple of days ago: “I remember a time about 10 years ago when flying was fun and so easy. Will it ever be like that again?”

Once upon a time, inspiring the traveler was important. The reactions of people in Penn Station were worth the enormous amount of time and effort placed into the space. Cultural and artistic expression were clearly strong and valued.

First impressions matter. Train stations and Airports are places where we welcome people from other countries or cities.

Perhaps someday we’ll remember the art, ambiance and culture that these important spaces brought to us. Perhaps someday we’ll once again decide to make our airports and train stations welcoming instead of paranoid, inspiring instead of intimidating, proud instead of afraid. Then flying will be fun again.

Today a traveler going through the Albuquerque airport was arrested after politely refusing to show his ID. Phil Mocek, a Seattle area native, was traveling with his friend Jesse Gallagos when he politely declined to show ID to TSA agents.

According to reports from friend Ben Livingston, “Phil politely refused to show ID to the TSA employee. The TSA employee then called in a supervisor, and Phil started recording with his digital camera, which caused the supervisor to “freak out” and call the airport police. Approximately six police showed up in force, asked no questions, and told Phil he was being arrested for disturbing the peace.”

Mr. Mocek had previously contacted TSA personnel at the Albuquerque International Sunport Airport(ABQ) to find out if photography was allowed, and was clearly told by local TSA officer Susanne Spencer that advance notification was recommended, but not required. “We only encourage individuals to contact TSA in advance so we can facilitate the photography,” she wrote in an April 10, 2009 email. She subsequently reiterated that statement to Mr. Mocek on April 14. (FlyerTalk)

After Mr. Mocek was detained, “[Police] asked if he was with anyone, and he indicated he was flying with Jesse,” said Mr. Livingston. “The police told Jesse he would also be arrested if he did not leave the compound. They demanded and received Jesse’s ID, then drove him in a police cruiser off the airport property, where they informed him that he was banned from the property for 24 hours.

“I spoke with the Albuquerque jail and Phil hasn’t been booked yet. He’s still in the hands of the airport police… We are actively seeking help from anyone in Albuquerque who might be able to help… I’m hoping a local lawyer, or anyone local, might be able to get a little further.”

Philosecurity contacted local authorities at 7:50PM on Sunday, Nov 15 2009, and confirmed that Mr. Mocek was still in custody and being “processed.” Friend Ben Livingston provided some further perspectives on the issue, as follows:

“As Americans, we have the right to travel freely between the states… In America, we’re supposed to defend against the government demanding our papers in order to travel. A lot of folks remember that in Germany, you had to show your papers in order to travel. Since 9/11, our government has implemented a policy that in order to make
things more ‘safe’ and ‘secure,’ they’re going to force people to show their papers to get into the terminal to board the plane. The airlines don’t necessarily require ID, although it’s their right to decide who they do business with.

“As far as the federal government goes, demanding our papers in order to travel from state to state is actually a violation of our civil rights. If you’re traveling into or out of the country, the federal government has a right to demand your papers. But if you’re  traveling interstate, you have a right to travel freely without interference from the federal government.

“In reality, ID checks don’t make us safer.  All of the terrorists on that 9/11 flight had valid ID. It’s a fake security measure designed make us to feel safer. It’s not actually intended to keep us safe. There are ways around it, too… Just last year TSA announced a new policy for the first time ever, which said that if you don’t have your ID but you cooperate with TSA, show them credit cards etc, you can fly. So if you say you screwed up, it’s cool. If you politely refuse for whatever reason to show ID, TSA will deny you access.”

To the management of Local Liquor Store*,

I’ve been a customer of your store for about a year now. My husband and I stop by to stock up for parties. Your staff are always very friendly and helpful. I am writing because today I purchased a bottle of liquor at your counter. I was paying in cash. The clerk asked to see my identification so that she could verify my age. I handed it to her, and she immediately swiped it into your computer system without my consent.

While I understand that you need to check identification, I do not consent to having my personal information stored in your computer systems for any length of time. I value my privacy and I do not want my location or purchasing habits tracked. Moreover, my personal information is valuable and you have provided me with no assurances regarding the security of your systems.

By law, I am required to show proper identification to prove that I am over the legal age to purchase alcohol. This does not imply that I consent to having you record my identification details. If you insist that your customers submit to having our personal information recorded in order to make purchases, you should clearly inform us and ask permission before swiping.

When I told your store clerk that I did not want my information stored in your computer systems, she said that it was only stored for “about 800 swipes” and that she was required to swipe driver’s licenses of anyone born after 1980. This is discriminatory. Do people under the age of twenty-nine have less right to privacy than those above?

Montana’s constitution protects our rights to privacy in this state. We should be able to go to the store without having our identification and whereabouts tracked. Identity theft is also a big problem, and spreading our personal information around puts us at greater risk.

I like your store and have been a good customer for some time. However, I value my privacy above all. I hope you will consider changing your policy regarding tracking shoppers, because I enjoyed being one of your customers. Until then, I will be shopping elsewhere.

Thank you for your time.

* Store name has been changed. You probably guessed that.

The document reveals that the DHS is storing the reader’s:

• Credit card number and expiration (really)
• IP address used to make web travel reservations
• Hotel information and itinerary
• Full Name, birth date and passport number
• Full airline itinerary, including flight numbers and seat numbers
• Cruise ship itinerary
• Phone numbers, incl. business, home & cell
• Every frequent flyer and hotel number associated with the subject, even ones not used for the specific reservation

Again, here is the full record. The anonymous reader obtained his/her travel history using Edward Hasbrouck’s excellent guides. Check out his site for more info!

Thanks a ton for sending this in. If anybody else gets a copy of their ATS travel record, send it in! We’d love to see them and compare.

Reverse of the United States Great Seal Novus Ordo Seclorum “A New Order of the Ages”

“Death of Anonymous Travel”
DEFCON 2009 – PDF
MD5sum: c772681c37c9ad5d210c19c12eb43095

Thanks to everyone who sent in comments, suggestions, and encouragement. (Special thanks to the EFF lawyers for reviewing this beforehand– you guys rock!)

I’ll have the full list of references (vendor marketing materials, news articles, FOIA docs, etc) up in the next week, so check back!

Abstract:
Worldwide, people who use cars, buses, trains, and carry cell phones are tracked in increasingly centralized corporate and government databases. This capability is still in its infancy, and has been facilitated by communication and payment systems which are linked to identification and refer to centralized electronic databases.

* Collate and disseminate information about current known travel monitoring practices;
* Discuss technical and social solutions for maintaining personal privacy and the freedom to assemble;
* Encourage greater transparency and public control over data collection and use.

“I recently requested my “file” from the Dept of Homeland Security – Customs. It was interesting to see that they not only knew every flight I took, but also all of the hotels I stayed at too. This surprised me because I didn’t understand how they knew where I was staying.

“I researched this and realized that when I had stayed at hotels that were not booked in advance, they did not have the information on my record. It seems that when you book through Sabre or other services that use Sabre, your entire itinerary become part of the DHS record also. I think this is what they compare your passport stamps to when you come back into the country and the Customs guy is sitting there staring at the computer screen and your passport.”

Sabre is used to book reservations for railways, car rentals, cruises, lodging and airlines around the world.

“Iran’s Web Spying Aided By Western Technology,” read the front page of the Wall Street Journal a few weeks ago. “European Gear Used in Vast Effort to Monitor Communications.”
Judging by the Intelligence Support Systems industry marketing brochures, Iran’s “monitoring center” is not exactly advanced compared with European state-of-the-art. Nokia-Siemens themselves said that they sold Iran a “restricted functionality” monitoring center. (Reports indicate that Iran also has “deep packet inspection” capabilties, presumably from another source.) According to Nokia-Siemens, over 60 countries have been sold a Monitoring Center. But their current “Intelligence Platform” solution is far more full-featured. Check out the Intelligence Platform brochure, which touts its “pattern recognition” and “behavioral analysis” capabilities. It “automatically detects formerly unknown patterns.” (Ah, dragnet.)

We can’t stop the unrelenting march of mass civilian communications monitoring, but perhaps we can turn lemons into lemonade. (Mmm, mass surveillance lemonade…what?)

From the Nokia-Siemens Intelligence Platform Brochure

Consider this technology’s potential for good. You could watch the spread of information through different routes the way doctors watch radioactive materials travel through the blood. You could measure how a population feels about a particular issue and get instantaneous feedback on policies with infinitesimal granularity. Better understanding of human psychiatry and communication could help us make better individual decisions and perhaps collectively govern ourselves more efficiently.

National communications surveillance is a very powerful tool for government right now (not to mention lucrative for phone companies, who are paid for the access). Also, given revelations about NSA wiretapping and FBI’s “Quantico Circuits,” it’s clear that the fundamental infrastructure is already in place (*ahem* NarusInsight).

Mass communications information would be very valuable for scientists– psychiatrists, anthropologists, etc. Unfortunately, today Internet, mobile and transaction surveillance data tends to go exclusively to the people who can pay for it or profit from it– ie. spooky government agencies with big budgets and advertisers. What if academic researchers had access to the same information that intelligence agents already comb every second?

Not that I really want to be under anybody’s microscope. But if anyone’s going to be analyzing my phone calls, payment transactions, emails and IMs, I’d rather it be researchers who will publish their findings, instead of secretive intelligence agencies. If our communications aren’t going to be private, let’s at least use these capabilities for clear, transparent public benefit.

Here’s an e-affirmative action proposal: For every intelligence agent that has access to mass surveillance data, one academic researcher should have access to the same information. And report on it.

At least then we’d know what the heck was going on.

Josh (author of SANS’ excellent Wireless Ethical Hacking class) eloquently describes his encounter and privacy concerns below:

“When I started my DX for the first time, I saw an entry “Archived Items”, which was all the books I had previously purchased. When I downloaded my copy of “ZigBee Wireless Networks and Transceivers” on the DX, I was surprised to see it open on the page where I had left off on my previous Kindle.

“I’d like to find out what Amazon’s privacy policy is about this data, and what they are retaining long-term. Do they record only the last page read for each of my books, purging this information after a period of time, or is it more nefarious?”

Josh Wright is the author of SANS 617 – Wireless Ethical Hacking.

“Red Flag Identity Theft Rule We are now required by law to ask for a Photo ID at the time of each visit. Please have your Photo ID ready for the receptionist to scan.”

As an avid bicyclist, I wasn’t carrying a driver’s license.

“I’m sorry, we’ll have to reschedule you,” said the receptionist. “We need to scan your ID before we can see you. It’s a new law.”

“No, I really don’t have one. I bicycle everywhere. I don’t even know where my old license is any more.”

She looked me in the eye and said, “Sorry. I suggest you get a photo ID. You need to have one to be seen.”

“What if I’m paying for my own visit, and not using health insurance?”

“We need to scan your ID and have it in your file or we can’t see you.”

“I don’t think it’s right to deny care to patients who don’t have a Photo ID,” I said.

“Well, I can talk to my supervisor,” she said. “But I think you’re going to have to reschedule.”

As I waited, I watched the receptionist take another patient’s driver’s license and walk off into a back room. Apparently, in order to comply with the “Red Flag Identity Theft Rule,” the doctor’s office now scans a copy of every patient’s driver’s license and stores it in their computer systems.

How secure are my doctor’s computer systems? Patients don’t have the right to know. Doctor’s offices, hospitals and even health insurance companies get infected with viruses, worms and spyware all the time. These are generally not reported as patient data breaches, because they are far too common.

Just in the past few weeks, there have been news reports of patient data thefts from UC Berkely Health Service, Virginia Prescription Monitoring Program and Memorial Medical Center. The vast majority of breaches never get reported or even detected, however, because tiny little health care clinics and hospitals all over the country have neither the resources nor the incentives to institute appropriate detection measures.

And now they want to store a high-resolution copy of my driver’s license on top of everything else? What is this “Red Flags Identity Theft Rule,” anyway?

The Red Flags Rules are a collection of new Federal Trade Commission regulations aimed at reducing the risk of identity theft. The American Medical Association and dozens of other medical societies “have protested the FTC’s decision to apply the Red Flags rule to medical practices and other health care providers.”

Why on earth does the Federal Trade Commission affect who my doctor treats?

According to the FTC, “Health care providers may be subject to the Rule if they are ‘creditors.’ Although you may not think of your practice as a ‘creditor’ in the traditional sense of a bank or mortgage company, the law defines ‘creditor’ to include any entity that regularly defers payments for goods or services or arranges for the extension of credit. For example, you are a creditor if you regularly bill patients after the completion of services, including for the remainder of medical fees not reimbursed by insurance.”

The FTC requires “each financial institution or creditor to develop and implement a written Identity Theft Prevention Program (Program) to detect, prevent, and mitigate identity theft in connection with the opening of certain accounts or certain existing accounts.” Although the Red Flags Rules do not explicitly require doctor’s offices to make copies of patient identification, they are often implemented this way.

Ironically, spreading more private information around– such as high-resolution copies of driver’s licenses- increases patients’ risk of identity theft. As a 2008 World Privacy Forum report explained:

“When patients are, for example, asked for a drivers’ license when checking in to hospitals for surgery, the license itself may be copied or scanned and added into the actual patient file. This can give hospital insiders with criminal tendencies access to a treasure trove of photographic, biometric, and other information that may have been unavailable to them before. The result can be more identity theft (medical and otherwise).

“…Just because customer identity proofing is commonplace in the financial sector does not mean that it has translated perfectly or even well to the health care sector. The two sectors have different regulatory requirements, approaches to access points, security, and information flows. Banks and health care providers also have different competencies, staffing capacities, training, and in many cases even procedures when it comes to reviewing and managing customer identification documents.”

Everyone should have access to medical care– not just people who have registered with the government and obtained a photo ID. Furthermore, patients should have the right to health care without being forced to give up control of our personal information. As a patient, I don’t really want a copy of my Photo ID stored on a crappy unpatched Windows box at my doctor’s office. Today’s patients do not even have the right to know how well doctor’s offices and hospitals are secured, even in the face of constant reports of medical data breaches. That’s sick.

TSA has stated that Secure Flight record system is exempt to multiple provisions of the Privacy Act. In particular, it claims:

• “Exemption from the Access and Amendment Requirements” which “relate to an individual’s ability to request access to and correction of records…”
• “Exemption from Requirement to Collect Only Relevant and Necessary Information”
• “Exemption from the Requirement of Maintaining All Records Used by the Agency in Making a Determination about an Individual with Accuracy, Relevance, Timeliness and Completeness”
• “Exemption from the Requirement of Judicial Review”

TSA’s transportation security strategy appears to be based on the logic that by tracking civilians en masse and maintaining secret “watch lists” we can somehow identify all people with potentially malicious intent and prevent them from accessing public transportation systems. (“Sorry sir, you’ve already committed three suicide bombings this year, so we can’t allow you on the plane.”)

Of course, air travel is just a small part of the picture. TSA is also “responsible for security in all modes of transportation.” This includes cars, buses, subway and rail. According to their mandate, presumably even bicyclists would fall under TSA’s purview. Ground transportation is arguably even more important than aviation security, particularly because so many phone and network cables run along railways and highways. Although TSA has thus far focused their most draconian regulations on the air, they have been asserting increasing control over ground public transportation.

Last September, TSA flexed their ground-transportation muscles when they mobilized TSA and Amtrak security teams “from approximately 100 commuter rail, state, and local police agencies… for the largest joint, simultaneous Northeast rail security operation of its kind, involving 150 railway stations between Fredericksburg, Virginia, and Essex Junction, Vermont.”

What prompted this massive security exercise?

“The morning rush-hour multi-force security deployment was NOT in response to any particular threat or incident, but rather a demonstration of an ongoing collaborative effort to expand counter-terrorism and incident response capabilities up and down the Northeast Corridor railway system,” wrote TSA in a press release.

I see.

Let’s follow the TSA’s strategy to its logical conclusion. If we accept Secure Flight as a valid security strategy, then in order to effectively and fully “secure” our transportation infrastructure, we would need to:

• Track everyone traveling on a highway, subway, bus, train, or plane;
• Track everyone in or near a transportation interchange;
• Accurately identify every person (ultimately, using biometrics or similar);
• Compare identification to meticulously-maintained “watch lists”;
• Selectively deny travel based on secret information stored in government databases

Even then, it only takes one sneaky attacker to dodge the system and cause havoc. Furthermore, tracking every citizen is an extremely high-impact, resource-intensive strategy, which will require deep, fundamental, rather frightening changes in our society. It requires the abolishment of free society, placing our freedom to travel in the hands of an un-auditable, un-elected elite.

By treating citizens as potential enemy combatants, we waste money and actually degrade our nation’s security. This concept is summarized neatly in the Tao Te Ching: “do not use arms to coerce the world, for these things tend to reverse– brambles grow where an army has been… Weapons are inauspicious instruments, not the tools of the enlightened.” (Translation: Thomas Cleary)

What is a more effective strategy? The key is to examine incentives that lead up to attacks. Millions of people around the world, including American citizens, feel that they have been treated unfairly by United States corporations and the government.

Rather than feeding the fire by treating innocent civilians like potential enemy combatants, perhaps we should spend that money on 1) actually improving quality of life for civilians; 2) diplomatically resolving conflicts; 3) genuinely improving the resilience of our critical infrastructure; 4) non-proliferation and weapons-tracking efforts.

“When welfare and justice embrace the whole people, when public works are sufficient to meet national emergenices, when the policy of selection for office is satisfactory to the intelligent, when planning is sufficient to know strengths and weaknesses, that is the basis of certain victory.” (Cleary, Translator’s Introduction to the Art of War)

Chances are pretty good that you’re reading this page through a web proxy right now, especially if you’re in an enterprise environment. Web proxying and caching have become increasingly popular, for both filtering traffic and speeding up requests. Even consumer ISPs have latched onto the idea (sometimes using similar techniques to insert ads into pages as they are downloaded). That means your web surfing history is probably being recorded in a proxy log somewhere.

Web proxy and cache servers are untapped gold mines for forensic analysts. They often record the web browsing history for an entire organization, all rolled up into one directory. Web caching servers also contain copies of pages themselves, for a limited time.

This is great for forensic analysts (and not so hot from a privacy perspective). Investigators can examine web browsing histories for everyone in an organization all at once. Moreover, it’s possible to reconstruct web pages from the cache. Right now, investigators often simply visit web sites in order to see what they are. This has some serious drawbacks: first, there is no guarantee you’re seeing what the end user saw earlier; and second, your surfing now appears in the server’s activity logs. If the owner of the server is an attacker or suspect, you may well have just tipped them off. It’s much better to first examine the web cache to see what you can find stored locally.

To learn more, I installed Squid, a popular web proxy/cache server, on my lab network and dissected it. There are a number of tools out there that will reconstruct client browsing history, based the access logs. I really liked squidview (which has a Kismet-style interface) and sarg (HTML clickable).

What I didn’t find was public information or tools for reconstructing pages from the web cache. It’s definitely possible. The proxy cache, by its very nature, stores the pages you view on its local hard drive and may later serve those pages to you or someone else. The precise pages it stores and the length of time they are retained vary depending on the specific server configuration and usage.

As a forensic analyst, I wanted to recover those cached pages. I figured, if Squid could do it, so could I.

By changing Squid’s configuration to “offline” mode, you can use wget to extract some pages directly from the local cache. This is handy because it reconstructs the pages automatically, if they exist. However, I wanted to see what information was stored directly in the cache, and access associated headers and metadata.

Squid’s access log is straightforward: it’s essentially a text file which contains a list of client IP addresses and pages accessed. If you correlate these with DHCP and central authentication logs, you can potentially match web surfing activity to a particular network card or user.

The cache directory is far more mysterious. If you simply list the directory contents, here is what you will see:

$ ls
00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F swap.state

Daunting. That swap.state file is Squid’s database, which contains a record of every item in the cache. It’s a binary file. If you delete it while Squid isn’t running, Squid will actually re-create it the next time it starts up. (This is helpful if you’re trying to manually edit the Squid cache in order to create lab exercises for, oh, a new class on network forensics.)

Within each of those subdirectories are files such as these:

And each of those subdirectories contains files such as this:

Finally, each of those eight-character files contains- yes! – the pages actually cached by Squid. Here is an example. When you surf to a web page, Squid will add some metadata to the top, which includes the full URI and its MD5sum. Squid then stores this, along with the full HTTP reply (headers and body) as a file in one of these subdirectories. If the page is requested later, it can look it up in swap.state and fetch it.

Now let’s extract some content directly from the cache.

Let’s say we’re analyzing web traffic associated with 192.168.1.26. We come across the following entry in Squid’s access.log:

1239739309.653 377 192.168.1.26 TCP_MISS/200 30348 GET http://finickypenguin.files.wordpress.com/2007/10/1161451564593.jpg – DIRECT/72.233.69.12 image/jpeg

Interesting… What is this image? Let’s see if it’s in the cache.

We could analyze swap.state, but I created my own table of the URIs stored in Squid, along with their corresponding cache files. This was for two reasons: first, I didn’t have to rely on the accuracy of Squid’s database; and second, I’m a lazy bum and it’s pretty easy to do using a simple Bash script. The URI is stored near the beginning of each cached page, just after the MD5sum of the URI. If you grep for strings beginning with “http” in the first few lines of each cache file, you’ll find it.

Here’s that file we were looking for:
./00/03/0000036A    http://finickypenguin.files.wordpress.com/2007/10/1161451564593.jpg

Now let’s open up that cache file. Running strings on it, we see the following metadata and header info:

Lots of juicy info there. To extract the image itself, let’s open this up in a hex editor. I like to use “bless” on Ubuntu. JPEG images begin with “FFD8,” so extracting this content is fairly easy. Highlight everything before the magic number, click “Cut” and save as 0000036A-edited.jpg.

A quick check with “file” confirms that we got it right:
$ file 0000036A-edited.jpg
0000036A-edited.jpg: JPEG image data, JFIF standard 1.01

Now let’s open it up:

Looks pretty suspicious to me…
 

New York’s “Real Time Crime Center can quickly query millions of pieces of information to uncover previously unknown data relationships and points of connection.”

In Poland “personal and vehicle IDs can be instantly checked in an EU-wide database.”

In Chicago: city staff “have access to video from a multitude of cameras citywide, with advanced analytics built into the infrastructure, that are connected to a fiber/wireless network to assist the operator with potential ‘eyes-on-the-scene’ in the vicinity of an incident.”

I’m all for fighting crime, but these vast, nascent public surveillance programs which have minimal public input and oversight are pretty frightening. If you’re familiar with the history of IBM, their massive surveillance operations are especially creepy. “IBM was founded in 1898 by German inventor Herman Hollerith as a census tabulating company. Census was its business,” wrote Edwin Black in his 2001 book, IBM and the Holocaust.

During the 1930s, IBM subsidiaries worked closely with the Nazis to develop and maintain the registration and tracking systems which were the foundation of their extermination operations. “IBM’s custom-designed prisoner-tracking Hollerith punch card equipment allowed the Nazis to efficiently manage the hundreds of concentration camps and sub-camps throughout Europe, as well as the millions who passed through them. Auschwitz’ camp code in the IBM tabulation system was 001.” (Black, 2002)

“The image of a tattooed number on the forearm of a death-camp survivor is one of the most recognized symbols of the Holocaust. Black shows that these numbers initially correlated to the IBM Hollerith punch-card system.” (AllBusiness, 2002)

Of course, the level of surveillance that we are experiencing today far surpasses anything seen by those living in Nazi Germany. Between GPS-tracked cell phones, OCR license-plate readers, and full-fledged city video surveillance systems, both corporations and law enforcement can track private citizens’ moment-to-moment activities.

What’s happening with all this data? The answer is: we (the public) don’t know. From traffic cameras to full-scale city monitoring systems, mass surveillance programs are being put into place with very little publicized detail regarding information security or data management. Conversely, the implementers seem to have taken a “security through obscurity” approach, where public disclosure of surveillance IT management practices is seen as a threat to security itself.

“Billions of records, accessible in minutes,” reads an IBM advertisement. “At the heart of the Real Time Crime Center is IBM Crime Information Warehouse technology… Advanced data-mining technology provides investigators with access to billions of records.”

Challenge: can you find any record of IT security audits of New York’s powerful public surveillance center, or even just indications that regular IT security audits occur? I can’t. (If you do, post!) If these records exist, they sure aren’t easily accessible by the public. Don’t we deserve verifiable evidence that our personal information is being responsibly managed?

As anyone in the open-source or cryptographic community knows, security through obscurity doesn’t make a system more secure. In the case of mass surveillance and tracking systems, the public is being denied the ability to verify that our data is securely and appropriately managed.

Moreover, what exactly are government and contractors doing with all of this very personal data? Contractors such as IBM are collecting an enormous amount of personal data, yet the public receives very little detail about how long our information is kept, who has access, and precisely how our data managed or used — other than vague, unverified assurances that our information is managed in accordance with regulation. It is impossible for us to assess compliance with referenced privacy and information security regulations without any real data.

Mass surveillance is an extremely powerful tool which is here to stay. Electronic mass tracking systems essentially obviate the need for punch cards and tattooed numbers, while serving effectively the same purpose. “It was the use of raw numbers, punch cards, statistical expertise, and identification cards that made [Nazi genocide] possible…” write Aly and Roth in their excellent book, The Nazi Census. “Every act of extermination was preceded by an act of registration.”

In a free society, the public must have the ability to actively provide input and receive feedback regarding the collection, maintenance and use of our tracking information, surveillance photographs and videos. If mass surveillance systems are not controlled by the population under surveillance, they will be (and have been) used for oppression. “Knowledge is power.”
 

Forensic analysts traditionally focus on hard drive analysis, but hard drives are not always accessible, and they don’t tell the full story. Savvy investigators also include the network environment. Recently I’ve been co-authoring a class on Network Forensics (SANS Sec558), and I’ve been building lab networks, collecting evidence for the class exercises, and practicing network forensics in-depth. Here are a few ways that investigators reconstruct computer activity using network forensics.

Web Surfing: Many organizations use web proxies to improve web surfing performance. As it happens, web proxies maintain a log of web requests and even copies of web pages (for a limited period of time). Forensic investigators can use graphical tools such as Sarg to analyze web proxy logs and view a list of client’s browsing history. Investigators can even extract pages themselves from the web proxy cache with common tools such as wget.

By analyzing web proxy logs, investigators can reconstruct browsing history, view downloads, recover social networking information, identify external email accounts, and even obtain usernames and passwords (which are sometimes included in URLs). Web proxies result in faster web browsing and help lower network congestion. As a side effect, they also accumulate logs which record your web browsing history.

Laptop/Mobile Device Tracking: Investigators can identify a specific laptop even when its IP address changes, and even if it moves to a different network. The network card in your computer has a unique address assigned to it by the manufacturer called the Media Access Control (MAC) address. When you connect your laptop to a hotspot or company network, your network card broadcasts its unique MAC address, and the DHCP server then assigns an IP address to your network card.

Forensic analysts can use DHCP server logs to track which IP addresses belonged to which network cards at a given time. By default, your MAC address also reveals information about the manufacturer, so forensic analysts can infer whether your laptop contains, for example, an Apple-manufactured network interface.

There’s a catch: You can change your network card’s MAC address. It’s actually fairly easy to do, even though most people don’t bother. A MAC address is really about as reliable as using hair color to describe a suspect. Much of the time, it’s accurate, and it takes conscious effort to change– but with a little effort it can be modified. You can even change the MAC address so that it looks as though your network card was made by a different manufacturer. If someone purposefully changed their MAC address, that would make it harder to link network activity to their specific network card.

Logon History: In order to comply with regulations such as HIPAA (as well as standard security best practices), organizations frequently configure workstations to send records of events to central logging servers, which collect and store logs from many workstations all in one place. Typically, central logging servers store login times, failed login attempts, and commands that are executed with administrative privileges (the specifics vary depending on the organization). The workstation must be preconfigured to send logs to the central logging server. My favorite log analysis tool is Splunk. By analyzing a central logging server, forensic investigators can track when you logon (or when you mess up your password), when you run privileged commands, or take other noteworthy actions.

Network traffic: Forensic investigators who are monitoring active connections can collect all network traffic to and from a specific computer, without the user ever knowing. There are many ways to monitor network traffic. If investigators have the support of network administrators, then the administrators can simply set up a SPAN port on a router, mirror all traffic, and filter for interesting bits. Some companies do this all the time, filtering for malicious traffic, proprietary data, or even keywords that might indicate employees are angry. Wireless networks are even easier to analyze. Since wireless access points are hubs, every client can potentially capture traffic destined for any other system– or all systems. Tools such as Wireshark and tcpdump are useful for capturing network traffic (investigators: if you use tcpdump, remember to set the snaplength to zero for full packet contents).

Here are a few things forensic investigators can do with raw traffic captures:

• File carving: Investigators can actually carve files out of raw network traffic and reconstruct file transfers. If you upload a JPG to a web site, send an email attachment, or download an MP3, anyone who has captured your network traffic can reconstruct your file. Tools such as tcpxtract are helpful for this purpose. Investigators can also view images and other file formats in real time as they are transferred across the network, using tools like driftnet.
• Instant message reconstruction: If you’re not encrypting your instant messages, then they are quite easy to see as they travel across the network. One of my clients once half-jokingly said that he considered deploying a scrolling sign in the lunchroom which broadcast everybody’s IMs, in order to reduce the amount of IM usage.
• Email reconstruction: Emails are rarely encrypted as they traverse the network. Much like instant messages, the text is trivial to read. Investigators don’t even need to go to the trouble of reconstructing files: you can simply run “strings” on raw packet captures and dump the output to a file (I recommend always checking both ASCII and Unicode output). If you’re feeling more interactive, you can also view the raw traffic in a hex editor and read the ASCII output.
• Web surfing reconstruction: Perhaps your organization doesn’t have a proxy server, or the forensic investigator doesn’t have access to it. With access to captured traffic from your computer, investigators can extract your web browsing activity, full page content, and form submissions.

Forensics and privacy are two sides of the same coin. Both investigators and everyday citizens benefit from understanding the types of personal information that companies, hotspots and ISPs routinely store, and how activity can be tracked and reconstructed.

Check out our three-day class: SANS Sec558: Network Forensics, scheduled to run this June at SANSFIRE in Washington, DC. We’ll do lots of advanced, hands-on exercises in which we analyze a virtual network, and spend a full day working as investigative teams to solve a crime. Hope to see some of you there!

Sherri Davidoff

PGP-signed text: 2009-03-16 (current)

Did you like this article? Share it!

]]> http://philosecurity.org/2009/03/16/beyond-hard-drive-forensics/feed 1 http://philosecurity.org/2009/02/23/dtv-coupons-personal-tracking http://philosecurity.org/2009/02/23/dtv-coupons-personal-tracking#comments Mon, 23 Feb 2009 11:43:10 +0000 sherri http://philosecurity.org/?p=983 Last week marked the original official deadline for the Digital Television Transition, after which analog television broadcasts would be terminated. (The official deadline was recently extended to June 12, 2009.) To ease the transition, the US government launched the TV Converter Box Coupon Program, which “allows U.S. households to obtain up to two coupons, each worth $40, that can be applied toward the cost of eligible converter boxes.” (TV converter coupon program site)

The coupon is similar to a credit card, with a serial number and expiration date printed on the front (as well as a nifty hologram that reads “Security”). It also has a magnetic stripe. Curious, I borrowed a coupon and swiped it through my trusty mag-stripe reader. The output was as follows (name/number have been changed for privacy):

%B5897320630985200^SMITH/FRANK ^0903121000000000000000798000000?
;5897320630985200=09031210000079800000?

Much to my surprise, the applicant’s name was encoded on the coupon, in addition to the serial number and expiration date.

Consumers are clearly not aware that their names are encoded on the cards. Although National Telecommunications and Information Administration (NTIA) documents refer to “identifying serial numbers,” (NTIA 2006) there is no mention of the fact that names themselves are encoded on the cards. Since the name is not printed on the face of the card itself, there’s no way for recipients to tell it is there without special card-reader equipment.

As a result, over 24 million Americans have now unknowingly submitted their names into the tracking systems of nationwide corporate retailers such as Wal-Mart and Best Buy. “There are federal privacy laws that say what the government can do with your information, but once that information is given to private industry, it’s theirs,” commented senior security consultant Jonathan Ham.

What’s more, the NTIA itself tracks the location, date and time of each purchase. Retailers are required to “provide NTIA electronically with redemption information and payment receipts related to coupons used in the purchase of converter boxes, specifically tracking each serialized coupon by number with a corresponding [certified converter box] purchase.” (NTIA retailer site.) Each week, the NTIA publishes statistics indicating the number of cards used in each zip code.

Consumers are not explicitly informed of the coupon tracking on the TV Converter Coupon Program web site or application. Buried in the NTIA’s web site is the statement that “to keep track of the number of coupons issued, used and redeemed, as well as to minimize fraud and counterfeiting, NTIA intends to place identifying serial numbers on the coupons.” (NTIA 2006)

I went to Best Buy to get a retailer’s perspective on the TV Converter Coupon Program. Like most retailers, Best Buy likes to track their customers. With cash or check, this is difficult, but with credit cards and similar systems (such as the DTV coupons), customers can be automatically added to their database.

Rob Hooper, the helpful manager on duty, explained, “[The DTV coupon] would probably have their name, a number, and they probably have to put in their phone number for us to ring out the remainder of the transaction. As soon as that number gets rung through a Best Buy retailer or a Wal-Mart retailer or anywhere else, [NTIA can] probably break it down underneath the ID of the retailer, and then also the ID of the individual who applied for that particular card number. Not only do they have demographics, they also have geographics– where each card is used.”

In other words, the government receives detailed information about precisely where and when each card is used, and each card is explicitly linked to a name. What’s more, since the names are stored on the coupon’s magnetic stripe itself, the retailer also receives and can store personal information about the consumer. The consumer may never even be aware that his or her name has been given to the retailer.

My mother, who applied for the program by phone, was shocked to learn that her name was encoded on the card and her purchases were tracked. “The government should have made me aware of the information they would be collecting about me if I used the card,” she said. “They’re taking away my freedom. If they decide they need to collect information, they should do so with the people they are collecting the information from volunteering to give it, not being forced.”

Presumably the names encoded on the coupon’s magnetic stripe can be used to prevent fraud, but in practice this has not been occurring. Even if the name on the coupon doesn’t match the consumer, retailers still accept the coupons.

“We generally don’t check IDs against the card,” said Rob. “If someone’s out there stealing digital converter box cards and they’re just hoarding boxes of those cards, that’s not on the top priority list for Best Buy’s loss prevention.”

“We haven’t really seen too much fraud whatsoever with these coupon cards,” he added. “It would be a really interesting thing to try to steal $40 converter box cards, because you’re basically getting paid off in technology that will be antiquated.”
 
Millions of Americans using the DTV converter coupons have unknowingly had their shopping habits tracked and names given to third parties such as Best Buy and Wal-Mart. What is the value of our privacy? Is watered-down “fraud protection” really worth giving away millions of American’s names to retailers? Would my mother really want her shopping habits recorded in an obscure government database, even to save $40?

“I like to shop for a product without Big Brother watching over me,” said Mom.

 

Sherri Davidoff

PGP-signed text: 2009-02-23 (current)

Did you like this article? Share it!

]]> http://philosecurity.org/2009/02/23/dtv-coupons-personal-tracking/feed 3