data – Alice, Eve and Bob – a security blog

Data may be neutral: information is not

We tend to think of data as, well, binary

Bias – particularly unintentional bias – is interesting, as I’ve noted before in my article Trust you? I can’t trust myself. The Guardian published an interesting report recently on bias in the field of digital forensics which is not, as you might expect, a discussion on algorithmic bias AI/ML (a problem which is a major concern in criminal profiling and even sentencing), but actually about the people performing digital forensics.

The story is based on a (“soon to be published”) study which basically found that, presented with the same data set (a hard drive, presumably with logging and system information on it), digital forensics researchers were more likely to find incriminating information on it when they were told that the drive’s owner had already confessed or was likely to be guilty than if they were considered innocent.

This sounds horrifying and, on first consideration, very surprising, but if the raw data put in front of people were a police interview transcript, I think that many of us would be less surprised by such a result. We know that we read words and sentences differently based on our assumptions and biases (just look at research on candidate success for CVs/resumes where the name of the candidate is clearly male versus female, or suggests a particular ethnic group or religious affiliation), and we are even familiar scientific evidence being debated by experts in court. So why are we surprised by the same result when considering data on a hard drive?

I think the answer is that we tend to think of data as, well, binary: it’s either one thing or it’s not. That’s true, of course (quantum effects aside), but data still needs to be found, considered and put into context in order to be useful: it needs to be turned into information. Hopefully, an AI/ML system applied to the same data multiple times would extract the same information but, as noted above, we can’t be sure that there’s no bias inherent in the AI/ML model already. The process of informationising the data, if you will, moves from deterministic ones and zeroes to information via processes (“algorithms”, if you will) which are complex and provide ample opportunity for for the humans carrying them out (or training the AI/ML models which will carry them out) to introduce bias.

This means that digital forensics experts need training to try to expose their own unconscious bias(es!) in just the same way that experts in other types of evidence do. Humans bring their flaws and imperfections to every field of endeavour, and digital forensics is no different. In fact, in my view, the realisation that digital forensics, as a discipline, is messy and complex is a positive step on the way to its maturing as a field of study and taking its place in set of tools available to criminal investigators, technical auditors and beyond.

7 security tips for travelling with your laptop

Our laptop is a key tool that we tend to keep with us.

I do quite a lot of travel, and although I had a quiet month or two over the summer, I’ve got several trips booked over the next few months. For many of us, our laptop is a key tool that we tend to keep with us, and most of us will have sensitive material of some type on our laptops, whether it’s internal emails, customer, partner or competitive information, patent information, details of internal processes, strategic documents or keys and tools for accessing our internal network. I decided to provide a few tips around security and your laptop[1]. Of course, a laptop presents lots of opportunities for attackers – of various types. Before we go any further, let’s think about some of the types of attacker you might be worrying about. The extent to which you need to be paranoid will depend somewhat on what attackers you’re most concerned about.

Attackers

Here are some types of attackers that spring to my mind: bear in mind that there may be overlap, and that different individuals may take on different roles in different situations.

opportunistic thieves – people who will just steal your hardware.
opportunistic viewers – people who will have a good look at information on your screen.
opportunistic probers – people who will try to get information from your laptop if they get access to it.
customers, partners, competitors – it can be interesting and useful for any of these types to gain information from your laptop. The steps they are willing to take to get that information may vary based on a variety of factors.
hackers/crackers – whether opportunistic or targeted, you need to be aware of where you – and your laptop – are most vulnerable.
state actors – these are people with lots and lots of resources, for whom access to your laptop, even for a short amount of time, gives them lots of chances to do short-term and long-term damage to you data and organisation.

7 concrete suggestions

Don’t take a laptop. Do you really need one with you? There may be occasions when it’s safer not to travel with a laptop: leave it in the office, at home, in your bag or in your hotel room. There are risks associated even with your hotel room (see below), but maybe a bluetooth keyboard with your phone, a USB stick or an emailed presentation will be all you need. Not to suggest that any of those are necessarily safe, but you are at least reducing your attack surface. Oh, and if you do travel with your laptop, make sure you keep it with you, or at least secured at all times.
Ensure that you have disk encryption enabled. If you have disk encryption, then if somebody steals your laptop, it’s very difficult for them to get at your data. If you don’t, it’s really, really easy. Turn on disk encryption: just do.
Think about your screen. When your screen is on, people can see it. Many laptop screens have a very broad viewing angle, so people to either side of you can easily see what’s on it. The availability of high resolution cameras on mobile phones means that people don’t need long to capture what’s on your screen, so this is a key issue to consider. What are your options? The most common is to use a privacy screen, which fits over your laptop screen, typically reducing the angle from which it can be viewed. These don’t stop people being able to view what’s on it, but it does mean that viewers need to be almost directly behind you. This may sound like a good thing, but in fact, that’s the place you’re least likely to notice a surreptitious viewer, so employ caution. I worry that these screens can give you a false sense of security, so I don’t use one. Instead, I make a conscious decision never to have anything sensitive on my screen in situations where non-trusted people might see it. If I really need to do some work, I’ll find a private place where nobody can look at my screen – and even try to be aware of the possibility of reflections in windows.
Lock your screen. Even if you’re stepping away for just a few seconds, always, always lock your screen. Even if it’s just colleagues around. Colleagues sometimes find it “funny” to mess with your laptop, or send emails from your account. What’s more, there can be a certain kudos to having messaged with “the security guy/gal’s” laptop. Locking the screen is always a good habit to get into, and rather than thinking “oh, I’ll only be 20 seconds”: think how often you get called over to chat to someone, or decide that you want a cup of tea/coffee, or just forget what you were doing, and just wander off.
Put your laptop into airplane mode. There are a multitude of attacks which can piggy-back on the wifi and bluetooth capabilities of your laptop (and your phone). If you don’t need them, then turn them off. In fact, turn off bluetooth anyway: there’s rarely a reason to leave it on. There may be times to turn on wifi, but be careful about the networks you connect to: there are lots of attacks which pretend to be well-known wifi APs such as “Starbucks” which will let your laptop connect and then attempt to do Bad Things to it. One alternative – if you have sufficient data on your mobile phone plan and you trust the provider you’re using – is to set your mobile (cell) phone up as a mobile access point and to connect to that instead.
Don’t forget to take upgrades. Just because you’re on the road, don’t forget to take software upgrades. Obviously, you can’t do that with wifi off – unless you have Ethernet access – but when you are out on the road, you’re often more vulnerable than when you’re sitting behind the corporate firewall, so keeping your software patched and updated is a sensible precaution.
Don’t suspend. Yes, the suspend mode[2] makes it easy to get back to what you were doing, and doesn’t take much battery, but leaving your laptop in suspend increases the attack surface available to somebody who steals your laptop, or just has access to it for a short while (the classic “evil maid” attack of someone who has access to your hotel room, for instance). If you turn off your laptop, and you’ve turned on disk encryption (see above), then you’re in much better shape.

Are there more things you can do? Yes, of course. But all of the above are simple ways to reduce the chance that you or your laptop are at risk from

1 – After a recent blog post, a colleague emailed me with a criticism. It was well-intentioned, and I took it as such. The comment he made was that although he enjoys my articles, he would prefer it if there were more suggestions on how to act, or things to do. I had a think about it, and decided that this was entirely apt, so this week, I’m going to provide some thoughts and some suggestions this week. I can’t promise to be consistent in meeting this aim, but this is at least a start.

2 – edited: I did have “hibernate” mode in here as well, but a colleague pointed out that hibernate should force disk encryption, so should be safer than suspend. I never use either, as booting from cold is usually so quick these days.

My brush with GDPR

I ended up reporting a possible breach of data. My data

Since the first appearance of GDPR[1], I’ve strenuously avoided any direct interaction with it if at all possible. In particular, I’ve been careful to ensure that nobody is under any illusion that my role involves any responsibility for our company’s implementation of GDPR. In this I have been largely successful. I say largely, because the people who send spam don’t seem to have noticed[2]: I suspect that anybody with the word “security” in their title has had a similar experience.

Of course, I have a decent idea what GDPR is supposed to be about: making sure that data that organisations hold about people is only used as it should be, is kept up to date, and that people can find out what exactly what information relating to them exactly is held[3].

This week, I got more involved GDPR than I’d expected: I ended up reporting a possible breach of data. My data. As it happens, my experience with the process was pretty good: so good, in fact, that I think it’s worth giving it as an example.

Breach!

A bit of scene-setting. I live in the UK, which is (curently[4]) in the EU, and which means that, like pretty much all companies and organisations here, it is subject to the GDPR. Last week, I had occasion to email a department within local government about an issue around services in my area. Their website had suggested that they’d get back to me within 21 days or so, so I was slightly (and pleasantly) surprised when they replied within 5.

The email started so well: the title referred to the village in which I live.

It went downhill from there. “Dear Mr Benedict[5]”, it ran. I should be clear that I had used my actual name (which is not Benedict) for the purposes of this enquiry, so this was something of a surprise. “Oh, well,” I thought to myself, “they’ve failed to mail merge the name field properly.” I read on. “Here is the information you have requested about Ambridge…[5][6]”. I do not live in Ambridge. So far, this was just annoying: clearly the department had responded to the wrong query. But it got worse. “In particular regards to your residence, Willow Farm, Ambridge…[5]”

The department had sent me information which allowed me to identify Mr Benedict and his place of residence. They had also failed to send me the information that I had requested. What worried me more was that this might well not be an isolated event. There was every chance that my name and address details had been sent to somebody else, and even that there was a cascade effect of private details being sent to email address after email address. I mentioned this in annoyance to my wife – and she was the one to point out that it was a likely breach of GDPR. “You should report it,” she said.

So I went to the local government office website and had a quick look around it. Nothing obvious for reporting GDPR breaches. I phoned the main number and got through to enquiries. “I’d like to report a possible data breach, please,” I said. “Could you put me through to whoever covers GDPR?”

To be honest, this was where I thought it would all go wrong. It didn’t. The person on the enquiries desk asked for more information. I explained what department it was, about the email, and the fact that somebody else’s details had been exposed to me, I strongly suspected in breach of GDPR.

“Let me just see if I can find someone in our data team,” she said, and put me on hold.

I don’t know if you’ve ever been put on hold by someone in a local government office, but it’s rarely an event that should be greeted with rejoicing. I prepared myself for a long wait, and was surprised when I was put through to someone fairly quickly.

The man to whom I spoke knew what he was doing. In fact, he did an excellent job. He took my details, he took details of the possible breach, he reassured me that this would be investigated. He was polite, and seemed keen to get to the bottom of the affair. He also immediately grasped what the problem was, and agreed that it needed to be investigated. I’m not sure whether I was the first person ever to call up and so this was an adrenaline-fuelled roller coaster ride into uncharted territory[8] for him, or whether this was a routine conversation in the office, but he pitched his questions and responses at exactly the right level. I offered to forward the relevant email to him so that he had the data himself. He accepted. The last point was the one that impressed me the most. “Could you please delete the email from your system?” he asked. This was absolutely the right request. I agreed and did so.

And how slowly do the wheels of local government grind? How long would it take me to get a response to my query?

I received a response the next day, from the department concerned. They assured me that this was a one-off problem, that my personal data had not been compromised, and that there had not been a widespread breach, as I had feared. They even sent me the information I had initially requested.

My conclusions from this? They’re two-fold:

From an individual’s point of view: yes, it is worth reporting breaches. Action can, and should be taken. If you don’t get a good response, you may need to escalate, but you have rights, and organisations have responsibilities: exercise those rights, and hold the organisations to account. You may be pleasantly surprised by the outcome, as I was.
From an organisation’s point of view: make sure that people within your organisation know what to do if someone contacts them about a data breach, whether it’s covered by statutory regulations (like GDPR) or not. This should include whoever it is answers your main enquiry line or receives messages to generic company email accounts, and not just your IT or legal departments. Educate everybody in the basics, and make sure that those tasked with dealing with issues are as well-trained and ready to respond as the people I encountered.

1 – General Data Protection Regulation, wouldn’t it be more fun if it were something like “Good Dogs Pee Regularly?”

2 – though GDPR does seem to have reduced the amount of spam, I think.

3 – if you’re looking for more information, I did write an article about this on Opensource.com earlier this year: Being open about data privacy.

4 – don’t start me.

5 – I’ve changed this information, for reasons which I hope are obvious.

6 – “dum-di-dum-di-dum-di-dum, dum-di-dum-di-da-da”[7]

7 – if you get this, then you either live in the UK (and probably listen to Radio 4), or you’re a serious Anglophile.

8 – hopefully not so uncharted for the designers and builders of the metaphorical roller coaster.