
It’s been a huge year for security awareness. Terrorist attacks, corporate security breaches and ongoing concerns about government surveillance have meant that people are more aware of information security than ever before. Everyone from politicians to pensioners has been talking about who has access to their data.
The beginning of the year saw a lively debate in the UK about the level of access that governments should have to internet data. Although governments may be sincere in their promise only to use new powers against serious criminals, it’s only a matter of time until they’re using them to silence holocaust survivors exercising their free speech. And who’s doing the promising? The same people that told us that intelligence agencies “uphold UK laws at all times”, which was completely true, until it wasn’t.
In the wake of terrorist atrocities, there have been cries for more surveillance data. But are agencies struggling to deal with the data they already have? Governments have been floundering to ‘do something’ like a homeopath at the scene of a car crash, even if that something is largely ineffective. A review by the UK Intelligence and Security Committee on the murder of soldier Lee Rigby found that there were missed opportunities with the data that agencies already had. The London Metropolitan Police were supposed to arrest one of the suspects for drug offences but lost his address. MI5 were slow to follow up reports of extremist activity. GCHQ failed to share the information they had with other agencies. The obvious conclusion? Facebook let us down.
The Prime Minister of the UK, David Cameron, came out in favour of banning encryption that the security services couldn’t break. Should we compromise the security of our internet banking in order to prove that we’re not terrorists? It was a plan so bogus it’s hard to believe that it wasn’t dreamt up by an alliance of Ukrainian Carders. In any case, it wasn’t clear how we could make terrorists cooperate and use weak encryption as approved by the powers that be.
In June we had the news that the United States Office of Personnel Management had been compromised. The intrusion may have lasted longer than a year and put at risk the personal data of more than 21 million people. Guidance was sent to the individuals at risk. Unfortunately many recipients were suspicious since emails came from domains they didn’t recognise and letters arrived without official letterheads. Some who signed up to the recommended credit watch services reported being spammed.
In July the dating site Ashley Madison was hacked and lists of registered users were published. Then it got a bit more complicated when we found out that the registration process didn’t validate the email address which meant you could register other people. Someone had registered [email protected]. Apparently, everyone else on the site was there for ‘research purposes’.
In October the UK’s GCHQ announced the good news that they were committed to more transparency. The bad news is that they were talking about our browsing history. Critics pointed out that a plan for website owners to keep access logs for a minimum of a year would increase the likelihood of website attacks due to the value of the extra data being held. The UK Home Secretary, Theresa May, said everything would be ok since the logs would not include full URL, only the root domain. So don’t worry, other than knowing that you’ve been accessing AshleyMadison.com, LivingWithAids.com or iOpposeGovernmentPolicy.com, no one will have any idea what you’ve been up to. Many large companies came out against the plan, except presumably Seagate.
In October we also learned that UK ISP TalkTalk had suffered one of the largest ever data breaches in Europe. The company proceeded to deliver a master class in how (not) to respond. Initially they said that the leak had happened via a denial of service (DoS) attack. Then the Chief Executive went on TV to attribute the leak to a ‘sequential attack’. Potentially, the DoS wasn’t a DoS at all; it was just the company’s bandwidth disappearing as their databases synchronised with the internet’s latest start-up, StalkStalk.
People’s awareness of information security has definitely increased in 2015, but for all the wrong reasons. Here’s to a better 2016.