
2013-10-02

Information Security: Press release

So Pea Ridge school district made a press release concerning media attention to a specific case. The press release went like this:
    "The Pea Ridge School District is dedicated to providing a safe environment for our students, teachers and staff.

    "As reported in the media, the district has recently required some students to provide test results regarding their HIV status in order to formulate a safe and appropriate education plan for those children. This rare requirement is due to certain actions and behaviors that place students and staff at risk. The district respects the privacy and confidentiality of all students. It is very unfortunate that information regarding this situation is being released by outside organizations.

    "Our goal is to provide the best education for every student, including those in question, in a responsible, respectful and confidential manner."
The press release reveals more information than was previously known to the media, and it also confirms that the incident has taken place. In terms of personal information security, this is just wrong. A proper press release would read more like this:
    "The Pea Ridge School District is dedicated to providing a safe environment for our students, teachers and staff. As reported in the media, the district has a policy that allows us to demand an HIV test in certain circumstances. The full text of the policy may be found on our web page.

    Our goal is to provide the best education for every student, in a respectful and confidential manner. It is therefore unfortunate when a specific case concerning specific individuals is printed by the media, breaking the rule of confidentiality. This is not an issue that concerns the public at large. It is therefore our policy not to discuss specific cases involving specific people with the media, and we shall not comment on this specific case either.

    What is in the public's interest is the district's policy, which, again, may be found on our web page. It is also in the public's interest if we have broken a law. The latter is to be decided in the courts of law."

See the difference?

2013-09-23

Information security: Students banned for being HIV positive.

In Arkansas, students have been banned from attending school for failing to declare their "HIV status". A statement from the school acknowledges that this is the case, and that they have educational purposes for knowing whether or not the students have HIV.

From an information security point of view, this is a failure. Even though they have not named the students, they have still breached personal information: within the school, it is visible who has been kicked out. By acknowledging that this has to do with HIV, the connection will be made. The appropriate response is still as simple as "I cannot comment on individual students." "So is fear of HIV the reason for kicking them out?" "I cannot comment on individual students." "Is it true that they have to take a test?" "I cannot comment on individual students."

The correct response from the media would then be to ask for the things that are supposed to be public. In this case, the assertion is that students suspected of having HIV are suspended or kicked out of school for not taking a medical test to document their status. If this is the case, there must be a policy about it in the school. Hence, the question is "what is the school's policy on students with, or suspected of having, HIV?"

Those things are simply no concern of the public unless the victims themselves take the issue to the media. It might sound unfair, but even then, it is entirely at the victim's discretion what gets published, because the institution cannot comment on specific people; it can only recite policy to the media. Even if the victim lies to the media about an issue, the institution can only recite policy.

This is how a dialogue between journalist and institution would go, if the institution cared about information security:

"The victim says you did A. Is this true?"
"I cannot comment on specific incidents concerning individuals."
"Is it normal for the institution to do A?"
"A is the procedural response to B."
"And has the victim done B?"
"I cannot comment on specific incidents concerning individuals."
"But the victim has already said you did A."
"Again, I cannot comment on specific incidents concerning individuals."
"The victim also said you did C."
"I cannot comment on specific incidents concerning individuals."
"But C would cause B. Why would you do C?"
"It is not in our policy to do C. To my knowledge, we have never done C to anyone."
"Are you saying that the victim is lying?"
"I cannot comment on specific incidents concerning individuals."

In the specific case in Arkansas, the combination of B and C led to A. The victim spoke only of how B led to A, which seems ridiculous. In a press release, the institution also mentions that there is a factor C, which had previously been unknown to the public. What is known is that A is suspension from school and B is a missing HIV test; the public is now free to speculate on what can be combined with HIV to cause suspension. And speculations are really nasty animals.

2013-08-28

Internetted baby monitor: An analysis

Last week, I promised an analysis of the baby monitor system that was hacked, to the detriment of a family in Texas. This analysis is based on the little information I have about the system and follows several standards for information security analysis.

The analysis occurs in three basic domains: Confidentiality, Integrity and Availability. Each of these three is then seen in three aspects: Storage, Transit and Processing. Each of these nine domain aspects poses risks, and each risk has a degree of probability and consequence.

Confidentiality

Storage: From the promotional video at Foscam, storage is on the device itself. Hence storage is as safe as the location itself. From this, one can assume that a potential intruder will take the camera and therefore render it useless as an instrument of surveillance.

Transit: I do not have information of whether transit is encrypted or not. However, in order to access the camera from the Internet, you go to Foscam's web site in order to access an outgoing tunnel from the camera. Security from that point on is based on username/password, which we know is subject to social engineering.

Processing: Access to the camera means access to anything you might be doing with the camera. So not only is your surveillance accessible, but your use of it is also visible, and settings you make might be altered by, say, turning off alarms.

Integrity

Storage: Assuming the system has been breached, all integrity of camera storage is also compromised. The major issue is mode of access.

Transit: Centralized access means easy man-in-the-middle attack. This would also reveal username/password.

Processing: Man-in-the-middle attack could potentially give you recorded images.

Availability

Storage: Loss of Internet connectivity will not affect storage. Au contraire, my friend. :)

Transit: Loss of Internet connection reduces global availability. Can the camera be accessed directly from your LAN, or do you have to go via the web site?

Processing: Loss of Internet connection reduces global availability. A breach allows a hacker to change the password and lock you out of your own camera.

Main risks

The main risk of the device is the camera's availability through the Internet. Even secure connections are subject to man-in-the-middle attacks, and hacking the company's server will also give a hacker full access to all cameras.

A firmware update for the camera has arrived to force users to change the default admin password because, as we know, this is where the first fail occurs. It is now also possible to change the admin user name. This will certainly eliminate the easiest brute force attack (select camera, enter default admin password and you're set), but it is still only a delay.

It would be more secure if the camera only accepted access by devices with a specific encryption certificate, installable on the accessing device only when connected to your LAN. Though this approach heightens the threshold to use its Internet connection, that might be a threshold parents should be required to step up to, so that they truly understand the risks they are about to subject their children to. But it won't stop access from the NSA.

However, it is typical for these cameras to also be available directly on your LAN without going through the Internet. When using it as a baby monitor, that is all you really should need. So block the camera's Internet connection, and it is safe to use. If you need surveillance when you are not at home, you would want a device that stores your recordings somewhere else.

2013-08-21

Baby monitor hacked: Personal information security

A video baby monitor in Texas was hacked via the Internet and abused by a very bad man:


If I connected security cameras at work to the Internet, authorities would come at me with full force. Surveillance is sensitive information and must be treated as such. One of the problems, then, is that most people are not trained to think of information security in their daily lives.

As a trained professional, I would look at the package saying "over the Internet", shake my head in disgust and put it back on the shelf - unless I was looking for a public web camera for Runde. Blinded by the convenience, however, a lot of people will cheer with joy for this invention, not realizing that they are leaving themselves wide open to a malicious hacker ready to subvert their children.

The formula is fairly simple: identify what is sensitive information (or sensitive access, such as to your loudspeaker, as in this case), identify who needs the information and the shortest route there, and make sure you do everything you can to protect that channel in all nine aspects: Confidentiality, Integrity and Availability of Storage, Transit and Processing.

I will leave it for the reader as an exercise, before I reveal my own analysis of this system.
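As an added illustration of the nine-aspect formula just described, and of the baby monitor analysis further up this page, here is a small risk register written for this page (it is not the blog's code, nor anything from Foscam). It fills one risk into each Confidentiality/Integrity/Availability x Storage/Transit/Processing cell, scores it as probability times consequence, ranks the cells, and then applies the mitigation the analysis arrives at, confining the camera to the LAN, to show the residual picture. All scores and the `needs_internet` flags are constructed for the example; they are one reading of the analysis, not figures from the post.

```python
"""
Added example, not code from the blog: a small risk register that applies
the post's nine-aspect method (Confidentiality, Integrity, Availability,
each for Storage, Transit and Processing) to the Internet-connected baby
monitor, then shows what is left once the camera is confined to the LAN.

Every probability/consequence score here is constructed for the example
(one reading of the analysis), not a figure from the post or from Foscam.
"""
from dataclasses import dataclass, replace
from itertools import product

DOMAINS = ("Confidentiality", "Integrity", "Availability")
ASPECTS = ("Storage", "Transit", "Processing")
SCALE = range(1, 6)  # 1 = negligible/unlikely ... 5 = severe/near certain


@dataclass(frozen=True)
class Risk:
    domain: str
    aspect: str
    description: str
    probability: int      # likelihood, 1..5
    consequence: int      # impact, 1..5
    needs_internet: bool  # True if the attacker needs the Internet path to realise it

    def __post_init__(self):
        if (self.domain, self.aspect) not in set(product(DOMAINS, ASPECTS)):
            raise ValueError(f"unknown cell {self.domain}/{self.aspect}")
        if self.probability not in SCALE or self.consequence not in SCALE:
            raise ValueError("probability and consequence must be 1..5")

    @property
    def score(self) -> int:
        """Simple risk score: probability x consequence (max 25)."""
        return self.probability * self.consequence


# Constructed register: one risk per cell, following the analysis on this page.
REGISTER = [
    Risk("Confidentiality", "Storage",
         "recordings live on the device; an intruder can carry it away", 1, 4, False),
    Risk("Confidentiality", "Transit",
         "vendor relay guarded only by username/password; credentials guessed or phished", 4, 5, True),
    Risk("Confidentiality", "Processing",
         "remote access reveals how the camera is used and lets alarms be disabled", 3, 4, True),
    Risk("Integrity", "Storage",
         "after a breach, stored footage can be altered or deleted", 3, 3, True),
    Risk("Integrity", "Transit",
         "centralised relay invites man-in-the-middle, capturing credentials", 2, 5, True),
    Risk("Integrity", "Processing",
         "man-in-the-middle can substitute or replay recorded images", 2, 4, True),
    Risk("Availability", "Storage",
         "loss of Internet does not affect on-device storage", 1, 1, False),
    Risk("Availability", "Transit",
         "loss of Internet removes remote viewing", 3, 2, True),
    Risk("Availability", "Processing",
         "attacker changes the admin password and locks the owner out", 3, 4, True),
]


def missing_cells(register):
    """Return the (domain, aspect) cells the register does not cover."""
    covered = {(r.domain, r.aspect) for r in register}
    return set(product(DOMAINS, ASPECTS)) - covered


def ranked(register):
    """Risks ordered from highest to lowest score (stable for ties)."""
    return sorted(register, key=lambda r: r.score, reverse=True)


def total_score(register):
    """Sum of all cell scores; a crude overall exposure figure."""
    return sum(r.score for r in register)


def lan_only(register):
    """Mitigation from the analysis: block the camera's Internet path.

    Risks that depend on Internet reachability drop to the lowest
    probability (an attacker must already be on the LAN); the rest are
    unchanged. Remote viewing is given up by design.
    """
    return [replace(r, probability=1) if r.needs_internet else r for r in register]


def report(register):
    """One line per cell, highest score first."""
    return [f"{r.score:2d}  {r.domain}/{r.aspect}: {r.description}" for r in ranked(register)]


if __name__ == "__main__":
    assert not missing_cells(REGISTER), "every one of the nine cells needs a risk"
    print("Internet-exposed camera, total", total_score(REGISTER))
    print("\n".join(report(REGISTER)))
    residual = lan_only(REGISTER)
    print("\nLAN-only camera, total", total_score(residual))
    print("\n".join(report(residual)))
```

With these constructed scores the top cell is Confidentiality/Transit, the username/password relay through the vendor's web site, and the LAN-only mitigation cuts the overall figure from 82 to 32 while leaving the two physical-access cells untouched. The `missing_cells` check is the part worth keeping for any real assessment: the method only works if all nine cells get an honest entry, including the ones that turn out to be harmless.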