Yahoo!! What A Breach That Was….

Well, it seems that a few days ago Yahoo! security was breached and the details of 450k passwords and user accounts were copied and published online by a group calling itself D33D. Yahoo! were quick to investigate this alleged breach and have assured customers that everything is now safely sorted out, but is it? ‘Computing’, the online magazine, checked some of the accounts and found they were still vulnerable, and has suggested that the breach was worse than Yahoo! are making it out to be. With this being a very popular email and shopping site, Yahoo! should have had much stricter encryption policies in place to prevent this sort of thing happening. D33D have assured users that there was no malice involved and issued the following statement: “We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat. There have been many security holes exploited in Web servers belonging to Yahoo Inc. that have caused far greater damage than our disclosure. Please do not take them lightly. The subdomain and vulnerable parameters have not been posted to avoid further damage.” This breach prompted Boston-based data security expert, Marcus Carey, to state that “the key thing is from a corporate perspective: perhaps invest more in security. If Yahoo! didn’t encrypt their passwords, they were probably cutting corners on other things.” So what does this mean for the hundreds of thousands of Yahoo! users? There will probably be a rash of strange emails floating around for a few days, but their accounts will not be used by D33D for anything other than exposing the failings of Yahoo! However, if anyone else has been able to get hold of the account and password details then things may change, and we will find a lot of spam coming out and email accounts suddenly becoming insecure. What can Yahoo! users do about this? Simple: change your passwords immediately to something that is secure.
I have expounded on this before, but too many people have simple, basic passwords that they use because they are easy to remember and to input. If it is easy for you then it is easy for the hacker as well…. People find creating a password quite a difficult task and fall back on their child’s or pet’s name, their date of birth or something even dafter like ‘password’, which is so common as to be unbelievable! Passwords do not have to be scientific equations, but they do need to be more than a simple word to stop easy access to your account. So if you use ‘rover’ as your password, it will be easier to hack into your account than someone who uses ‘S1mPl1cITy’. I am not saying that is totally secure, but it goes a long way towards being there! So what is a password? A password needs to be long enough to prevent a hacker simply taking chances with random personal details, it needs to mix UPPER and lower case letters, numbers and symbols and, if you have read my previous rant on passwords, should ideally be 15 characters long, as a minimum, to prevent Windows ‘remembering’ it in the operating system. Alternatively you could use a pass-phrase, something like ‘I_do_NoT_like_SpiDers_IN_my_hair’, which is easy to remember but really difficult for a hacker to get round. But I digress: the management teams at Yahoo! have got to take responsibility for this breach and hold their hands up to it, not hide away behind corporate statements saying how well they have reacted to the situation (which they have not, incidentally!). This breach leaves all other generic email accounts vulnerable and I would suggest that everyone who uses a generic email supplier go away and change your password now before anything nasty happens…….

Posted in Breaches, Data Protection, Email, Information Security, Password

Have Too Many Cookies Spoiled The Broth?

May 26th saw a year pass since the introduction of the new ‘cookie rule’ under PECR, but still a few things stand out. How many companies have taken this on board and actually done something about it? How many consumers really understand what it is all about and are happy with the consent system? Then there is the fact that Belgium, Denmark and the Netherlands are still to implement anything and are now looking at sanctions from the EC.

So how many companies have complied? It is hard to say, as there does not appear to be any controlling function that tests websites for cookie compliance. The ICO has made some investigations and it seems some companies are struggling to audit their cookies due to the vast number of them, whilst others are still putting their plan in place. The ICO has also published guidelines on what companies should already be doing, but are they? If they have not got cookie controls in place then they must have a firm plan for implementation and a short-term compliance completion date. Failure to do so could end up with formal undertakings or enforcement action being taken by the Commissioner.

The new legislation requires positive consent before a cookie is placed on a user’s PC. This has been vigorously campaigned against by many data administrators as overkill and likely to result in nobody allowing cookies. These fears seem to be unfounded, as more and more users seem to be allowing the cookie to be planted, but do they actually understand why they are allowing it, or is it just to get access to certain websites? I for one am happy with the new regime: my website does not place cookies, I am now able to manage them much more easily, and my laptop seems to be operating a lot faster for it too, but that is probably just coincidence……

The ICO guidance for companies has a few interesting stats about consumer awareness of cookies from a study of 1000 users.

  • 41% were unaware of the different types of cookie (first party, third party, Flash/Local Storage)
  • 50% were aware of first party cookies
  • 13% fully understood how cookies work
  • 37% had heard of cookies but did not know how they worked
  • 2% had not heard of cookies before the survey
  • 37% said they did not know how to manage cookies on their computer

This goes to show just how important the new regulations are as some of those stats are scary numbers and, just like with other new technology, the users have to be taught how it all works so they can decide what they want to do. In the interim it would seem that the planting of cookies will continue unabated for several years until the public get wise to what is happening.

The guidance given by the ICO is, as always, very informative but again, as always, very long winded and in some places open to interpretation. One point made very clear is that of the First principle in that all users of a website must be able to understand what is going to happen to their information, both obvious and hidden in the cookie action. Implied consent is becoming a thing of the past as the public are being given back control of their personal information again. Is that really as bad as the industry is making out? Surely if the consumer has more control then they will have more confidence in websites that are complying with the act won’t they? All that will happen is that the more unscrupulous websites will be found out and lose out, and is that also such a bad thing? Do we actually want companies harvesting and selling on our personal data and likes to all and sundry? I certainly don’t want this and would suggest that this would be the same for most of the general public, which I am also part of….

Another important part of this is making sure the explanation about the cookies is in plain language and not couched in techno-babble, as I found on one site that I promptly turned off the cookie for! Which brings me on to another important area, the ability of the user to be able to turn off cookies that they had previously had turned on. This means that your cookie statement should appear at every occasion a user accesses your site, not just random appearances, to enable them to withdraw their consent if they wish. I have seen quite a few websites where this is not happening and, if yours was one of them, you will have received an email from me explaining why I will not be using that site again. Just because it is electronically handled it does not mean the user has lost their rights of consent, rather they should be enhanced to ensure compliance. I remember back in the ‘old days’ when direct marketing companies harvested names and addresses (now this is pre-email….) and there was a massive selling on of these to anyone who wanted to pay for them. The consent or tick-box soon followed and we had some regulation over how our data was used, all that has happened is that this time it is electronic. A lot of businesses went on about the cost of making this change, exactly the same arguments as 25 years ago, but it will soon pass and we will have something else to worry about…..

The ICO has also published a webpage for the public explaining what cookies are and their rights. They also explain how to control cookies and where to get further information. A link to this is at the end of this text.

We are now hearing that three of the EC regimes have not started compliance work, or are nowhere near completing it, and they now face legal sanctions. It will be interesting to see what the ECJ do in this case, as there is talk of daily ‘fines’ being issued until the legislation is enacted in these countries. Watch this space!!

ICO Guidance on the EU cookie law / e-Privacy Directive –  V3, May 2012

Cookies – Advice For Members of the Public – ICO

Posted in Cookies, Data Protection, Fair Processing, ICO, Information Commissioner, Information Security

Why All The Fuss About The New EU Data Protection Proposals?

Having read and re-read the EU Data Protection Proposals (EUDPP) I believe they will give much needed strength to the current Act and will also make the data that is held, more robust. There are a couple of downsides but let us look at the whole thing and throw a new perspective on it.

Basically, the EUDPP is giving the data subject more power over what their personal information is used for and by whom. It is also giving them the right to have their personal information removed from a company database, with the 3rd party users of that data also notified that it is to be removed. From a citizen’s (data subject’s) perspective, this is a good control to have, as it allows them to pick and choose who they wish to process their data and also prevents an unwanted barrage of marketing, sales and ‘information’ letters, texts and emails. It further prevents the secondary use of their information by other organisations the citizen knows nothing about. The citizen will also have the right to know who has been and is processing their data, and will be told that they do not have to have their data further processed when they sign up for something.

Surely this is a good thing? It gives us all the right to say ‘yes’ I am happy for you to process my personal information. You then have a definitive customer rather than one who is constantly trying to get away from your unwanted contact and is unhappy with you. It also puts the onus on companies that sell names on to take responsibility for what they do. If a customer says they want no more contact and to erase their information then the company will need to ensure it notifies the other companies it has sold the data to and made a profit out of it.

Current legislation makes harvesting of personal data so easy and lucrative. As long as you have a set of T&Cs and an opt-out somewhere on the form/website then it is all ok. The ones that really get me are the companies that say ‘by placing this order you give us permission to pass your details on to other third parties we believe you may be interested in hearing from’. The chances of me being interested? Zero, I always cancel the order at that point!! We are legally required to collect personal data for a specified reason, not just so we can make a small fortune by selling it on. The current harvesting methods are more akin to the Russian factory trawler system than to any good direct marketing principle! Companies are hoovering up vast amounts of information, processing and using it for profiling, then selling this enriched data on to other companies who do more of the same, to the detriment of the citizen. This new directive will torpedo the factory trawlers and the citizens will once again have a modicum of control over their lives. At the end of the day, would you rather have 100 happy customers who keep buying from you or 1000 unhappy ones who blog and moan about how bad your company is??

There will also be a new set of rules on what defines personal data, such as online identifiers (IP addresses and even pseudonyms used in social networking) and location data, where an online placement shows exactly where you are; some search engines have this running in the background all the time, which is why you see everything local to you advertised first. The EUDPP is looking at restricting these and it could cut both ways: more people are now used to their location being used online, and there is greater awareness of how IP addresses are being used to assist in fraud detection and the prevention of SPAM, so with these suggestions I am not so sure it will be a good move.

Another area I do agree with though is the obligation to notify any data breaches to the regulatory body with ‘no undue delay’ and at least within 24 hours of the breach being discovered. The number of breaches is increasing exponentially but still not all breaches are notified. This is usually from fear of the repercussions but at the end of the day, why should the company or individual losing the data get away with it? If it was my data I would certainly be up in arms about it and looking for something to be done and quickly yet more and more companies and government agencies are getting away with it.

The one area I must disagree with though is the removal of the £10 fee for a Subject Access Request. The amount of time and effort usually taken to fulfil these is ridiculous in some cases and the fee does not even cover the cost of the photocopying let alone the cost of getting someone to do the work! This and the fact that they want companies to employ a Data Protection Officer to manage their DP requirements may make even more companies decide that enough is enough and drop off the ICO’s radar thus creating a lot of hidden data that is being illegally processed. Before you do that though, remember the EUDPP is also suggesting an increase in fines to €1m or 2% of the company’s annual turnover.

If anyone wants to discuss this then feel free, I am always open to debate.

Posted in Breaches, Data Protection, Fair Processing, ICO, Information Commissioner, Justice

Is The Information Commissioner About To Investigate His Own Office Or Is It Something Murkier?

Police in Liverpool, in an early morning raid on a house in Cheshire, seized a memory stick from a retired former police officer, Mr Owens, who used to work for the Information Commissioner’s Office. Whilst at the ICO he was responsible for working on Operation Motorman, an investigation into the intrusive information gathering that was being performed by the media using Private Investigators, and was part of the team that pounced on Private Investigator Steven Whittamore back in 2003. In a statement Cheshire Police said: “Following information received, a warrant was executed at an address in Widnes. The warrant relates to an investigation into allegations concerning breaches of the Data Protection Act 1998.”

When Mr Owens and the team investigated Mr Whittamore, he had a list of transactional services he had performed for various newspaper reporters, and these amounted to around 17,000 entries! Mr Owens quit his job in 2006 claiming the Information Commissioner failed to investigate these transactions, resulting in Mr Whittamore only getting his knuckles rapped and a two year conditional discharge. This was for a deliberate breach and flouting of The Data Protection Act 1998, in which he illegally obtained personal information and sold it on for personal gain. It also let the hundreds of reporters and newspaper editors off the hook.

Following a request from the current Information Commissioner, the police are looking to question Mr Owens with regard to possible breaches of the Act, in that he leaked information to the Independent newspaper. The memory stick the police took relates to the work Mr Owens was doing when employed by the Information Commissioner; he did, however, refuse to hand over a copy of the statement prepared for the Leveson Inquiry. Mr Owens has allegedly described the police as being on a ‘fishing expedition’ and said that it was no doubt the result of an ICO complaint.

Mr Owens is meant to be giving evidence to the Leveson Inquiry later this month into the media’s use of private investigators to illegally obtain personal information. He has notified them of the police raid, but it is understood he has already supplied Strathclyde Police with a statement and a copy of the Motorman disk to aid their investigations into the media’s illegal practices in Scotland.

So, who is investigating whom? The current Information Commissioner seems hell bent on investigating something his predecessor did and using the police to do so. Is this right or is there something more sinister happening here? Why would this suddenly come up just days before a former employee was to give evidence? Is the Commissioner’s Office trying to hide something? On speaking to someone at the ICO it was carefully explained that they would not comment about that and also that they would not respond to a Freedom of Information request I tried to file.

I will watch this one carefully as I am sure something else is going to come out about it……

Posted in Uncategorized

The Legal Profession and Data Protection – Is It Ignorance Or Pure Arrogance?

Once again we hear of another legal eagle being hit by the Information Commissioner for not holding personal information securely. Yet when I contact the local solicitors to try and discuss their data security all I get is silence; is this ignorance or arrogance? To my mind it is a bit of both. Very few solicitors have an in-house specialist who can handle their data protection compliance and, from experience, very few of them have a scooby about what it means to them, nor do they care!

The ICO has recently published another press release relating to an advocate, of all people, who did not keep her laptop secured; it was stolen, yet she waited 2 years to report it to the Commissioner!! Why oh why oh why do we put up with this? These people are meant to know the law, yet it seems that The Data Protection Act 1998 has slipped ‘off their radar’; either that or they are blissfully ignorant and really do not care about data security, and the latter I think is more the case! See what you think after reading the press release and feel free to respond with your thoughts.

The ICO’s press release goes like this:

A Scottish advocate breached the Data Protection Act after failing to encrypt a laptop containing sensitive personal data which was later stolen, the Information Commissioner’s Office (ICO) said today.

The laptop was stolen from the home of Ruth Crawford QC in 2009 when she was away on holiday. It contained personal data relating to a number of individuals involved in eight court cases the advocate had been working on. This included some details relating to the physical and mental health of individuals involved in two of the cases. The device has not been recovered; however, most of the information compromised would already have been released as evidence in court papers.

The breach was only reported to the ICO on 30 August 2011 when the last case relating to information held on the laptop was concluded. The ICO’s enquiries found that, whilst Ms Crawford had some physical security measures in place at the time of the theft, she failed to ensure that either the device or the sensitive information stored on it was appropriately encrypted.

The QC has now agreed to put the necessary changes in place to ensure this type of incident does not happen again. This includes locking away any personal information stored at her home and following any future data protection guidance issued by the Faculty of Advocates or her stable.

Ken Macdonald, Assistant Commissioner for Scotland said:

“The legal profession holds some of the most sensitive information available. It is therefore vital that adequate security measures are in place to keep information secure.

“As this incident took place before the 6 April 2010 the ICO is unable to serve a financial penalty in this instance. But this case should act as a warning to other legal professionals that their failure to protect personal information is not just about potentially being served with a penalty of up to £500,000 – it could affect their careers too. If confidential information is made public, it could also jeopardise the important work they do in court.

“The ICO would also like to assure the legal profession that any information reported to this office will not be disclosed unless there is specific legal authority for us to do so. Therefore all breaches should be reported to our office as soon as practically possible.”

Posted in Breaches, Data Protection, Information Security, Justice, Solicitors

Is My Password A Good Password?

This is something I have been asked about many times over the years and, basically, a password is as secure as you make it. We all have our own idiosyncrasies for the way we ‘design’ our passwords, myself included, but how secure do we make them?

The vast majority of people use either the names of their children or pets as a password, and dates of birth for PINs and other number-based passwords. Quite often these passwords are no longer than about 6-8 letters or numbers, but does this help?

The Telegraph has published the top 25 worst passwords (from SplashData) and these are:

1. password
2. 123456
3. 12345678
4. qwerty
5. abc123
6. monkey
7. 1234567
8. letmein
9. trustno1
10. dragon
11. baseball
12. 111111
13. iloveyou
14. master
15. sunshine
16. ashley
17. bailey
18. passw0rd
19. shadow
20. 123123
21. 654321
22. superman
23. qazwsx
24. michael
25. football

A simple password may help you, as it is easy to remember, but it also helps the hackers of this world, as it will be easy to get your password and access your computer. If you use names and dates of birth as passwords, anyone who wanted to hack into your PC would try these as a first port of call, as they are the easiest things to try. Therefore, the best thing to do is mix up your password by using upper-case letters randomly placed throughout the word, add in some numbers and maybe even a symbol or two.

For example, let’s say I decide to use a pet name like Rover. This would be easy to remember and quick to type in, but it is something that someone could find out about me. Therefore, what I should be looking at is making it something like rOveR-07. This introduces mixed case in the word, a symbol “-” and numbers (these representing the year he arrived). This would be harder to crack than just the one-word name, and I would suggest that you all look at your passwords to see that they are like this.

Some of you will remember the debacle in October 2007 when HM Revenue & Customs lost the records of 25 million child benefit recipients. This caused untold panic as a lot of people had used their children’s names as passwords and we were then telling them all to change passwords quickly to prevent any possible attack on their accounts etc.

The vast majority of us also use Windows as a computer operating system, which is probably one of the ‘friendliest’ systems around. It offers to remember your password for any website you want to visit where you have to log in. This is done by Windows holding it in two blocks of seven, so my password rOveR-07 would be held by Windows as rOveR-0 : 7 in its memory blocks. Now this is really useful, as it means I do not have to remember the password and, if I forget it, the website will either reset it for me or give me a hint as to what it is.

The only problem is that there is software available that can be run on your computer and within 30 minutes will give me all your account details and their passwords. Therefore, the only really secure password is one that is mixed case, with symbols and numbers, and over 14 characters in length. Why? Simple: if it is over 14 characters, Windows cannot remember it, so nobody can get hold of it. I would suggest that if you are storing sensitive information you use this type of password, as you can never be too safe. Facebook is reporting that there are over 600,000 attempts per day to hack into accounts, so this really brings it into perspective!

Some top industry tips for passwords:

– Vary the types of characters in your passwords; include numbers, letters and special characters when possible.
– Choose passwords of eight characters or more. Separate short words with spaces or underscores.
– Don’t use the same password and username combination for multiple websites. Use an online password manager to keep track of your different accounts.
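The rules in this post (not on the SplashData list, mixed case, numbers and a symbol, over 14 characters so Windows will not store it, nothing an attacker could look up about you, or a pass-phrase of separated words) can be turned into a checker you run over your own candidates before you commit to one. This is an added example, not code from the post; the leet-substitution map and the `personal_words` list are assumptions chosen to catch the post’s own ‘rOveR-07’ and ‘passw0rd’ examples.

```python
import re

# The SplashData "worst 25" list quoted in the post.
WORST_25 = [
    "password", "123456", "12345678", "qwerty", "abc123", "monkey", "1234567",
    "letmein", "trustno1", "dragon", "baseball", "111111", "iloveyou", "master",
    "sunshine", "ashley", "bailey", "passw0rd", "shadow", "123123", "654321",
    "superman", "qazwsx", "michael", "football",
]

# Assumed digit/symbol substitutions; undoing them makes 'passw0rd' read as 'password'.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s", "!": "i"})

MIN_LENGTH = 15          # the post's "over 14 characters" rule
PASSPHRASE_WORDS = 4     # assumed: this many separated words counts as a pass-phrase


def normalise(pw: str) -> str:
    """Lower-case and undo leet substitutions so disguised words still match."""
    return pw.lower().translate(LEET)


def check_password(pw: str, personal_words=()) -> list:
    """Return the rules the candidate breaks (empty list means it passes them all).

    personal_words: names, pets and years an attacker could find out about the
    user; the post's 'Rover' example shows why these are checked.
    """
    problems = []
    norm = normalise(pw)

    # Built on a list entry, even with leet tweaks or padding around it.
    hit = next((w for w in WORST_25 if len(w) >= 6 and normalise(w) in norm), None)
    if hit:
        problems.append(f"built on worst-25 entry '{hit}'")

    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (re.search(r"[a-z]", pw) and re.search(r"[A-Z]", pw)):
        problems.append("not mixed case")

    # A pass-phrase of separated words is the post's alternative to digits.
    words = [w for w in re.split(r"[ _-]", pw) if w]
    is_passphrase = len(words) >= PASSPHRASE_WORDS
    if not is_passphrase and not re.search(r"\d", pw):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("no symbol")

    # Pet names, children's names, years: compare both raw and de-leeted forms.
    for word in personal_words:
        w = normalise(word)
        if len(w) >= 3 and (w in norm or word.lower() in pw.lower()):
            problems.append(f"contains personal word '{word}'")
    return problems


if __name__ == "__main__":
    # Constructed candidates: the post's own examples plus a list entry.
    personal = ("Rover", "2007")
    for candidate in ["rover", "rOveR-07", "S1mPl1cITy", "passw0rd",
                      "I_do_NoT_like_SpiDers_IN_my_hair"]:
        verdict = check_password(candidate, personal) or ["ok"]
        print(f"{candidate:35} {'; '.join(verdict)}")
```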

If you have any concerns that you or your company may not have safe passwords or just want more information, please feel free to contact KPG Professional Services on data@kpgps.co.uk or by calling 07413 943228 for help and guidance.

Posted in Blagging, Cookies, Data Protection, Fixing Facebook, Information Security, Password, Uncategorized

Is Vince Cable Really Guilty Of A DP Breach? What About The Blagger?

Interesting question, I think, as what actually happened? It appears some of his constituency staff decided to be ‘green’ and put out old paperwork for recycling. Unfortunately this included information about his constituents who, quite rightly, are up in arms about it, but how did this all come to light?

Reading through the stories on this one it would appear the newspapers and media became aware of the situation due to a ‘concerned citizen’ opening the recycling bags, rifling through the paperwork in them and taking some papers out of the bag over a series of weeks!!

Now let us look back at who should be in court over this. Mr Cable could be prosecuted for non-notification and an assessment would be made of the breach. If I was involved in the defence of this then we would be looking at damage limitation, instilling some harsh new measures to ensure this does not happen again, and throwing ourselves at the mercy of the ICO. But what I would also be pursuing is the criminal prosecution of the ‘concerned citizen’ who stole the papers from those bags.

This person is no better than a blagger, going round and removing confidential information from folks’ bin bags and waste bins. I am struggling to find any excuse for their behaviour as, when they found out that this was happening, why did they not just speak to the constituency team and point out what they had been putting out in the bags? No, they were so concerned that they kept stealing papers and then, once they had enough, allegedly sold them to a newspaper for a sum of money! They are not a concerned citizen, they are a common thief and blagger, and I would like to see The Commissioner prosecuting them for this to make a showcase of what can happen if you start dipping your fingers into other people’s waste paper.

We see plenty of other folk being prosecuted for blagging but so far no-one has mentioned this as they are all too concerned with vilifying Mr Cable for his office doing what they thought was the correct thing to do. Yes, they will be sacked and yes, Mr Cable will be fined but if the blagger gets away with it then where is the justice in this world?

I have no political affiliation to Mr Cable nor the Lib Dems but I do have an affiliation with seeing justice being done fairly so let’s start making a noise about it.

Posted in Blagging, Breaches, Data Protection, Fair Processing, Freedom of Information, Information Security, Justice