Charge Over Lost Data

The government officer who left the “Terror” document on a train is to be charged under the Official Secrets Act, and not Section 55 of the Data Protection Act.

The individual has been charged under Section 8.1 of the Official Secrets Act.

Interestingly, the BBC article on the issue states that the individual responsible, who cannot be named, “was informed of the decision on Monday morning and was moved from his home to an undisclosed location.”

The systems in place allowed for this massive failure; holding one man responsible for the endemic failure of the entire government system hardly seems fair.

Data Theft: RAF

50,000 personnel records have been stolen from the RAF, rather than the usual case of “lost data”.

The theft actually took place on 17th September 2008, but has only just been reported publicly.

Three USB hard drives, containing 50,000 records of personnel information, with everything from names and dates of birth to confidential staff reports, were stolen from the Service Personnel and Veterans Agency office at RAF Innsworth, near Gloucester.

The data was, of course, not encrypted. When will they learn?

It’s not even the first time the MoD has had data stolen or lost.

Related Articles

BBC

Mirror

IT Vibe

Daily Record

Examples of misuse of medical records

  • The medical records of a 68-year-old man showed he was homosexual. These were leaked to social services and, as a result, he was refused a place in a care home. Source
  • A sales representative employed by a drugs company was given access to confidential National Health Service patient records to identify those who could be given an expensive new drug to treat cholesterol. Source – MP Paul Flynn
  • Police gain access to medical records. Source
  • Medical records, with full details including names and addresses, were passed to researchers, which resulted in patients receiving intrusive phone calls from researchers. Source
  • A man who was working on a financial audit for the local health authority found that his niece had had an abortion when he accessed her medical records. His niece had not told her parents about the abortion, so the uncle told them, as they were very religious. Source
  • An MP was sent the medical records of a constituent, without the constituent’s consent (this is directly against the NHS’s own guidance). Source
  • Farrah Fawcett’s medical records leaked to the press. Source
  • Britney Spears’ medical records accessed. Source
  • Patients’ data shared with council – Source
  • Medical records to be shared with private companies – Source

Medical Records to be passed to private firms

Telegraph: 20th September 2008

The Government is considering giving firms access to a massive computer database which will contain the records of almost every man, woman and child in England.

The information is a goldmine for private companies, who could use it for medical research or for helping them to sell products to the NHS.

But privacy campaigners say they are “horrified” by the proposals which could see patients’ postcodes, medical conditions and treatments – and in some circumstances, their names – passed on to third parties without their consent.

The database, part of a long-delayed scheme to give NHS staff access to computerised medical records, will hold details of almost all visits by patients to hospitals and GPs.

The plans have been dogged by controversy. Last week, ministers gave in to pressure from privacy campaigners and agreed that medics will have to gain the consent of patients before opening their computer records. Yet patients will have almost no control over the same information being passed on to companies and other bodies outside the NHS.

The Department of Health says most records passed onto third parties would be made anonymous, but admits that identifiable data – which could include patient names – could also be handed on if it was deemed to be more useful.

Full Article

Terror Bill lets police scan NHS records (2001)

The Observer, Sunday November 25 2001

“Police forces across the world will get unrestricted access to medical records and bank details of Britons under radical powers granted by the new anti-terrorism Bill.

The new powers, which are set to receive their final approval in the House Of Commons tomorrow, have sparked the serious concern of health service regulators and furious opposition from the legal profession.

In an unprecedented move which critics say has ‘threatened to destroy doctor-patient confidentiality’ and ‘swept away some of the last vestiges of privacy in the UK’, officials will be able to read NHS records and business details at will. Authorities will not have to establish that a criminal act may have occurred to gain access, as previous laws required.

David Blunkett, the Home Secretary, last week dismissed concerns over civil rights as the worries of ‘airy-fairy liberals’. The new powers, which the Government did not announce last week with the Bill’s other drastic measures, are introduced through a discreet appendix. In the Bill, ‘Clause 17’ makes it legal for police across the world to receive documents from public authorities whether they are relevant to a criminal investigation or not. The Bill lists documents covered by 53 different laws, the privacy of which was previously guaranteed. But they can now be read by police investigating any crime anywhere in the world.

Opposition groups have been enraged by the ‘blanket’ nature of the powers. Oliver Letwin, the Conservative Shadow Home Secretary, said: ‘It provides for disclosure of confidential information across an enormously wide range of government agencies. Even medical records could be disclosed. One of the more disturbing features is that the disclosure relates to any kind of criminal investigation no matter how slight.’”

Full Article

Firewall for the UK

While many people will have heard of the Great Firewall of China, also known as the Golden Shield, not many will know the UK has slowly been growing the capability to have the same thing and, in part, it is already functioning.

In 2004 the Internet Watch Foundation (IWF), a group which tries to stop child pornography, worked with BT to put technological systems in place to try to stop child pornography being accessed from the UK, using technology called “CleanFeed”. This technology works by analysing all web traffic at the ISP level, before it gets to the user, and then trying to block indecent images of children. The technology works by blocking a known list of URLs.

By 2006 BT had fully installed CleanFeed and was claiming to be blocking 35,000 attempts a day to access child pornography, though this high figure was disputed by some.

So far, so good: blocking access to paedophilic images is a good thing.

Nobody, not even the most liberal, would argue for the right to access child pornography, hence there was no objection to CleanFeed.

What Else is Banned? 

But, what about banning access to other subject matters?

Racial hatred and violent pornography are now subjects which the IWF, using CleanFeed, has started to censor on the internet. While this sounds reasonable, it may not always be.

The laws relating to “racial hatred” are a botched mess and were described by British Comedian Rowan Atkinson as “represent[ing] the relentless pursuit of the interests of a tiny minority of the population with, so far, no consideration or quarter being given to the concerns of the baffled majority”.

The laws relating to violent pornography are not as welcome as some may think.

The EU is already banning terrorist-related sites which, again, sounds reasonable. Unfortunately the definition of “terrorism” is pretty flexible. The reality is that terrorism is any political group any given government doesn’t agree with. The PLO, IRA, PKK and even the Taliban have all been supported, in our generation, by one Western government or another. But now they are all regarded, by the current UK government, as terrorist groups. So accessing and supporting these organisations’ websites could see you a hero or, a couple of decades later, whisked off to prison; it just depends on the timing.

If these concerns were not enough to raise eyebrows, the UK Government is also working to ban internet discussions about suicide.

While not all of these subjects are currently blocked at a technical level, the technology and law are in place that could prevent access to all of these subjects at a moment’s notice.

To make matters worse, this blocking technology is not a fine scalpel, but more of a rusty spoon; in 2007 innocent Lycos users were unable to access sites as they were mistakenly blocked.

Censorship in the UK

The UK has an interesting history of censorship: from the heavy-handed approach of preventing the actual voices of the IRA being broadcast (resulting in nothing more than bad dubbing) to the surreal banning of an episode of Star Trek until 2007. UK internet users are banned from reading what Joseph Mercola has written about sucralose. The UK Government also uses D Notices to stop certain “national security” articles being published in the UK. The D Notices are supposed to be used for military necessity, but are sometimes used for political expediency or other non-national-security reasons.

With this history of censorship, do we want the UK to have its own firewall? Do you trust the government more than they trust you?

The Expansion of CleanFeed

CleanFeed has already spread from just being on BT and stopping child pornography, to getting involved in political issues, such as “race hate” and spreading to all of the UK’s ISPs.

TJ McIntyre, lecturer in law at University College Dublin, has stated that:

“Unlike formal legal mechanisms of censorship that ensure a degree of public accountability (for example: the obscenity trial of D H Lawrence’s Lady Chatterley’s Lover, which lowered the threshold of censorship) filtering systems failed to provide a list of prohibited sites, their criteria for designation, prior notice of prohibition, or an appellate procedure. BT’s Cleanfeed filtering system that tells users attempting to access an unauthorized site that it is unavailable owing to a technical fault; the end-users are deceived by the filter into believing that the temptation does not exist.”

Everybody knows about the Great Firewall of China, but few people know about the ever expanding internet censorship in the UK, censorship which is putting in place technical measures that could be used to stop access to virtually anything on the web.

Which is the greater concern, the known threat or the unknown threat?

Tor and those German Raids

In 2006 there were several raids in Germany, taking in dozens of Tor exit nodes that were linked to child porn.

Was this a crackdown on Tor or on child porn?

Below are some articles from the time, relating to the issue:

German Crack Down

Response To Crack Down

Hackers Build Vulnerability into Tor to track Child Porn Viewers

Vulnerability of Tor over stated

Can Tor be used for Web Browsing?

Tor is known for being slow but secure. But is it usable?

In this article Tor, under its standard settings, was used to view the web sites news.bbc.co.uk, Google and YouTube.

BBC News

Accessing the site news.bbc.co.uk from Computer A (which has a 20 mb internet connection and was using Firefox 3) took over 2.5 minutes to load the home page, and over 2 minutes to load another story.

This time could be reduced by preventing pictures from being shown, via the browser options.

Google

Google took under a minute to load, and searches were produced in around 10 seconds.

YouTube

YouTube, bizarrely, loaded fairly quickly – faster than the BBC site, in just over 1 minute – but watching a video was not possible.

Summary

Tor can be used for web browsing, though it is like going back to dial-up – it is painfully slow.

What is Tor?

Tor is an application that allows you to anonymise your IP address.

For example, you can visit www.google.com on 1st September 2008 and Google will record not your actual IP address but the one presented by Tor. This means that a review of logs stored by Google will not, in theory, show a record of you visiting the site on that date.

For those campaigning in places like Taiwan, China, Tibet, Iran, or the like, this anonymity is critical, potentially a matter of life and death.

Tor works by passing the data through numerous different servers or nodes, so that it is all but impossible (in theory) to track the source IP address.

To further prevent traffic analysis, Tor jumps IP addresses every 5 or 10 minutes. E.g. your IP address going to Google at 8pm and then at 8:10pm will be different, jumping both range and country.

The emphasis of Tor is that the IP address is hidden and that it prevents traffic analysis – however, it does not truly encrypt the data end to end, nor does it pretend to.

The data transferred between the nodes is encrypted, but it is transferred from the last node to the destination in clear (unencrypted) text.

This does create a vulnerability in that a person at the final node (who could be anyone) can set up a monitoring station, as was done in 2007. This allows the monitor/hacker to watch and intercept all of the traffic going through this final node.

While this documented feature/flaw in Tor allows a person at the final node to monitor the network traffic, it does not allow them to know the source IP address (only the content), which is the aim of Tor – to hide the source IP address.

It should also be remembered that this ability to monitor network traffic, during normal use, occurs at every point in the data transmission from your machine to the destination machine, via the ISP. I.e. Tor is not adding any more risk to the transmission of information across the internet than already exists.

If the data to be transmitted needs to be secured, as well as the sender, e.g. email or an attachment, then encryption of the information should be used in conjunction with the obfuscation of the source IP.

The encryption of data within emails and the like will be covered in later articles.
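
A simplified model of the layering described above, added here as an illustration and not taken from Tor or from the original post: the toy XOR cipher stands in for Tor's real cryptography, and the addresses, keys, login string and the names `build_onion` and `route` are all constructed for the example. It shows what each relay and the destination can observe, with and without end-to-end encryption of the payload.

```python
import hashlib

def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy cipher (SHA-256 counter keystream XOR); a stand-in, not Tor's real cryptography."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out += bytes(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

# Constructed relay addresses (documentation ranges) and the per-relay keys the client holds.
PATH = ["192.0.2.10", "198.51.100.20", "203.0.113.30"]   # entry, middle, exit
KEYS = {ip: hashlib.sha256(b"circuit-key:" + ip.encode()).digest() for ip in PATH}

def build_onion(destination: str, payload: bytes) -> bytes:
    """Client side: wrap the payload once per relay, innermost layer for the exit."""
    hops = PATH[1:] + [destination]          # where each relay is told to forward
    cell = payload
    for relay, next_hop in reversed(list(zip(PATH, hops))):
        cell = xor_stream(KEYS[relay], next_hop.encode() + b"|" + cell)
    return cell

def route(client_ip: str, destination: str, payload: bytes):
    """Pass one cell through the circuit; return what each relay and the site observe."""
    cell, prev, views = build_onion(destination, payload), client_ip, []
    for relay in PATH:
        # Each relay removes exactly one layer: it learns the next hop and nothing else.
        next_hop, cell = xor_stream(KEYS[relay], cell).split(b"|", 1)
        views.append({"relay": relay, "from": prev, "to": next_hop.decode(), "sees": cell})
        prev = relay
    return views, {"logged_source_ip": prev, "received": cell}

CLIENT, SITE = "10.0.0.5", "www.example.org"            # constructed
LOGIN = b"USER alice PASS hunter2"                       # constructed cleartext login
E2E_KEY = hashlib.sha256(b"known only to client and site").digest()  # stands in for TLS

plain_views, plain_log = route(CLIENT, SITE, LOGIN)
tls_views, tls_log = route(CLIENT, SITE, xor_stream(E2E_KEY, LOGIN))

if __name__ == "__main__":
    for v in plain_views:
        print(v["relay"], "from", v["from"], "to", v["to"], "sees", v["sees"][:24])
    print("site logs source IP:", plain_log["logged_source_ip"])
    print("exit sees, with end-to-end encryption:", tls_views[-1]["sees"].hex())
```

Only the entry relay sees the client's address and only the exit relay sees the payload; once the payload is encrypted for the destination before it enters the circuit, the exit relay sees ciphertext as well.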

Rogue Nodes Turn Tor Anonymizer Into Eavesdropper's Paradise

A security researcher intercepted thousands of private e-mail messages sent by foreign embassies and human rights groups around the world by turning portions of the Tor internet anonymity service into his own private listening post.

A little over a week ago, Swedish computer security consultant Dan Egerstad posted the user names and passwords for 100 e-mail accounts used by the victims, but didn’t say how he obtained them. He revealed Friday that he intercepted the information by hosting five Tor exit nodes placed in different locations on the internet as a research project.

Tor is a sophisticated privacy tool designed to prevent tracking of where a web user surfs on the internet and with whom a user communicates. It’s endorsed by the Electronic Frontier Foundation and other civil liberties groups as a method for whistleblowers and human-rights workers to communicate with journalists, among other uses.

It’s also used by law enforcement and other government agencies to visit websites anonymously to read content and gather intelligence without exposing their identity to a website owner.

But Egerstad says that many who use Tor mistakenly believe it is an end-to-end encryption tool. As a result, they aren’t taking the precautions they need to take to protect their web activity.

He believes others are likely exploiting this oversight as well.

“I am absolutely positive that I am not the only one to figure this out,” Egerstad says. “I’m pretty sure there are governments doing the exact same thing. There’s probably a reason why people are volunteering to set up a node.”

Rogue Nodes Turn Tor Anonymizer Into Eavesdropper’s Paradise.