
Risk

8/9/2006
12:54 PM
Sharon Gaudin
Commentary

Keeping Our Private Info Private In An Online World

There were a couple of incidents this week that made me stop and think about my own personal data--and who has it. But more important than any musings about what information about me--my address or financial records or personnel records from various jobs--is stored out there is who could get their hands on it.

And it seems the answer to that question is, apparently, absolutely anyone. Just ask any of the 38,000 U.S. military veterans who had their data lost by Unisys Corp., a subcontractor for the U.S. Department of Veterans Affairs. Today those vets have to worry that their names, dates of birth, Social Security numbers, and addresses are out there somewhere unsecured and vulnerable. Has the information been sold to identity thieves? Is it in the hands of organized crime, which I'm sure could find a lot of uses for it? Only time will tell, I'm afraid.

The information was on a desktop computer in a Unisys office in Reston, Va. A hacker didn't work his way into the corporate network, breaking through firewalls and jumping onto VPN connections. Oh, no. The whole computer is missing. Somehow someone walked in and walked back out carrying a desktop machine. Now there's some tight security for yah. I'd bet money that someone even held the door open as the thief walked out with his arms loaded up with what could be a whole lot of trouble for nearly 40,000 vets.

It gets even worse when you realize that this is far from an isolated incident for the VA. In another recent case, a laptop and external drive were stolen, jeopardizing personal and financial information on about 25 million veterans, active-duty personnel, and their spouses. Two teenagers were arrested a few days ago in connection with the theft.

Now a handful of senators are calling for Veterans Affairs Secretary Jim Nicholson to resign. Senate Minority Leader Harry Reid (D-Nev.) called Nicholson's reign at the VA a threat to national security. Is this a real concern for our nation's safety? Hard for me to say. However, it's easy enough to realize that it's a serious threat to the privacy and financial stability of U.S. vets. Haven't these folks sacrificed enough? Now they find they're sacrificing their privacy as well.

And talking about sacrificing privacy easily leads us to look at AOL's blunder this past weekend. Early this week, the company admitted exposing the personal search data of 658,000 people. Spokespeople for AOL quickly released an apology, calling it a "screw-up." Well, at least they got that part right.

The information, which focused on about 20 million searches done from its AOL software over a three-month period, was available for download over the weekend on AOL's research site. The company pulled it on Sunday, but not before it was downloaded and not before raising a maelstrom of criticism from the blogosphere.

The information is being made available from a number of Web sites, and it's proving to be interesting reading for a whole lot of people, according to Ray Everett-Church, a founder of CAUCE, an anti-spam advocacy group and a principal with PrivacyClue LLC, a privacy consultancy. Ray and I talked Tuesday night, and he told me AOL says the information has been "anonymized," meaning the users' names have been stripped off. That doesn't mean there isn't enough information in there to identify a lot of users. Come on... How many of us have searched at some point for our own names just to see what's out there? What if someone did just that and then searched for information on a particularly embarrassing or personal medical condition?

I haven't trawled through the 20 million queries, but Everett-Church tells me there's information in there where a woman apparently searched for her own name, her boyfriend's name, and for information on how to keep a relationship secret. Along with the expected searches on Paris Hilton and Angelina Jolie was someone's reported search for ways to starve yourself, while another person searched for ways to kill yourself.

Anonymized or not, this is all intensely personal...and still potentially identifiable. And now it's available for download from a dozen or so sites.
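The gap between "names stripped off" and "anonymous" that Everett-Church describes is something a data owner can check before a file is ever published. The Python below is an added illustration, not AOL's code or anything from this column: it uses a small constructed log in the same shape the column describes (a pseudonymous per-user ID plus the query text), shows that the ID still reassembles each person's entire search history, flags any history that contains a query no other user issued (a quasi-identifier, exactly the self-name search the column worries about), and contrasts that with an aggregate release that drops the user key altogether and suppresses rare queries. The threshold `k`, the sample queries and the user IDs are all constructed for the example.

```python
from collections import Counter, defaultdict

# Constructed sample of a "name-stripped" search log. The usernames are gone,
# but every row still carries the same pseudonymous ID for a given person.
SAMPLE_LOG = [
    ("4417", "weather boston"),
    ("4417", "jane q. public"),                      # a self-name search
    ("4417", "how to keep a relationship secret"),
    ("4417", "weather boston"),
    ("9021", "paris hilton"),
    ("9021", "weather boston"),
    ("7788", "paris hilton"),
    ("7788", "angelina jolie"),
    ("7788", "weather boston"),
]


def group_by_user(log):
    """Rebuild each pseudonymous user's full query history from the flat log.
    This is the step "anonymization" by name-stripping does nothing to prevent."""
    users = defaultdict(list)
    for user_id, query in log:
        users[user_id].append(query)
    return dict(users)


def query_support(log):
    """Count how many distinct users issued each query string."""
    seen = defaultdict(set)
    for user_id, query in log:
        seen[query].add(user_id)
    return {query: len(ids) for query, ids in seen.items()}


def linkable_users(log, k=2):
    """Return {user_id: [rare queries]} for every history containing a query
    issued by fewer than k distinct users. Such a query is a quasi-identifier:
    if it names a person, an address or a rare condition, everything else
    attached to that ID (medical, relationship, job searches) is exposed too."""
    support = query_support(log)
    flagged = {}
    for user_id, queries in group_by_user(log).items():
        rare = sorted({q for q in queries if support[q] < k})
        if rare:
            flagged[user_id] = rare
    return flagged


def aggregate_release(log, k=2):
    """A safer release shape: drop the per-user key entirely and publish only
    query counts, suppressing any query seen by fewer than k distinct users.
    Nothing in the output can be traced back to one person's history."""
    support = query_support(log)
    counts = Counter(query for _, query in log)
    return {q: n for q, n in counts.items() if support[q] >= k}


if __name__ == "__main__":
    for user_id, rare in linkable_users(SAMPLE_LOG).items():
        print(f"user {user_id} is linkable via: {rare}")
    print("aggregate release:", aggregate_release(SAMPLE_LOG))
```

Run against the constructed log, the check flags two of the three pseudonymous IDs, including the one whose history pairs a self-name search with a relationship query, while the aggregate release keeps only the two queries shared by several users. Real logs need a much larger `k` and a review of near-duplicate query wording, but the shape of the check is the same: the question is not whether names are present but whether any row can single out one person.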

"This information is all out there," says Everett-Church. "Companies are holding information on you for who knows what purpose and for who knows how long. It's catalogued, indexed, and keyword searchable."

Think about all the companies and organizations that are out there collecting data about each and every one of us...bookstores, grocery stores, employers, former employers, doctors' offices, law offices, ISPs, and even search engines. And how much of that information would you like to have posted on a Web site for easy download? Think about all the things you've done searches for over the years. Do you really want your employer to know about it? How about your neighbors, your mother, or a slew of bloggers who need fodder for their next post?

If companies are going to keep this kind of information about us, it better be protected. Data needs to be encrypted. Systems need multiple layers of security. The physical buildings housing offices, desktops, and servers need their own security. And how about running some background checks on the people entrusted to touch this data?

For us average Joes and Janes, we need to think about who we entrust with our information. Do you care that someone somewhere might know what you're Googling for? Will our local Internet cafes be clogged up with people secretly searching for information on medications, new jobs, and the criminal backgrounds of potential dates?

What do you think? How worried are you about who has your information and what they're doing with it?
