Privacy? It’s by the Men’s Room

While visiting the local Neiman Marcus in San Francisco I happened to go to the basement floor to visit the restrooms and found this interesting notice about a product called Euclid posted on a small sign.

It reads, “To enhance our customer’s experience, we use Euclid to identify mobile devices in and around our stores. Only the information that your device publicly broadcasts will be collected. If you do not want this information collected, or want to learn more information about Euclid, visit euclidelements.com/consumer.”

On the website, the company swears it cares about privacy and lists what it does:

  • Limited data collection
  • Only share aggregated and anonymous information
  • Easy opt-out and delete

To opt out you have to share your MAC address with this company. It seems odd to have to share identifying information with a company in order to enable them not to identify you, especially since they will then also have the MAC address of the computer you used to access their website and your IP address too! Apparently the company tracks phones listening for wifi access points so they can determine your MAC address (which uniquely identifies your phone on a wifi network).

As soon as a hacker worth her salt breaks open their database, the movements of thousands of mobile phones through malls will become public information. How much does Euclid invest in information security? No idea.

Of course, the average person entering the store, or merely walking by, will never see this sign. Consumers are advised to kiss their privacy good-bye and perhaps to turn off wifi and Bluetooth on their phones when not in use.

Cyber security predictions for 2012

I’m no cyber security visionary…or am I? Everyone else has made their predictions. Here are my top five. Tell me I’m wrong! Does anyone make a living by doing this?

  1. Lots of security professionals will make annual predictions, most of which won’t come true, or will be so general as to be inevitable.
  2. Some organization will experience an insignificant hack which will cause an explosion of attention in the media.
  3. Some organization will experience a significant hack and most will never hear about it because it won’t be sexy.
  4. A security breach will cause a political candidate to change course.
  5. At least one organization will build a business continuity plan around the Mayan calendar.

Privacy? But I have nothing to hide!

Daniel Solove wrote a great article on why privacy matters even if one thinks they have nothing to hide. It is high time to dispel this myth that if we’re “innocent” we have nothing to hide.

Let me say it this way: Everyone has some information they do not want to fall into the wrong hands at the wrong time.

You may not have information you think needs to be hidden right now. But in a year, you may decide to run for office. You may have information that you are fine if your local bank sees, but you might be embarrassed if your co-workers had access to it. Otherwise, why not wear your social security number, date of birth and bank accounts on a tee-shirt?

Even if you think you have nothing personal to hide, what about those you love? Parents and grandparents, let me ask you some questions and tell me if they start to make you uncomfortable:

  • What time do your children get out of school?
  • What route do they walk home?
  • How long are they home alone?

There is a strong relationship between privacy and security. Each of the answers to these questions is technically “public” information and could in theory be learned legally by a third party who was very interested in the answers. But that doesn’t mean it’s something we’d want to share with a stranger who suddenly began asking these questions. Let’s face it. Even if we don’t care about our own privacy, surely there is someone’s privacy we do care about.

Everyone has some information they do not want to fall into the wrong hands at the wrong time.

A Fresh Start with Smart Grid

The Internet was a paradigm-changing set of technologies. Thirty years ago, few could have seen how it would change the nature of the way we communicate, the way we do business and even the way we live. Though resilient, the Internet was built on protocols and standards that were not designed with security in mind, resulting in the creation of an entire industry of security professionals, vendors, standards bodies and regulators to better secure it.

Smart Grid and its own emerging technologies, standards and protocols look to be the same kind of game changer that the Internet was. We can only imagine what new products and services the Smart Grid will enable 30 years from now.

Smart grids also represent a new challenge for security pros. For years we’ve been trained (and in some cases regulated) to implement well-known sets of security controls, like firewalls or anti-virus, that help make up for the inherent weaknesses in current computing and network platforms. Isn’t the Smart Grid just another large-scale network that requires the same controls we apply to the Internet?

I hope we don’t think so.

At the 2011 Smart Grid Security Summit in San Diego, I gave a public challenge to the security pros, vendors and regulators that will help secure the Smart Grid. With Smart Grid we must question everything we assume about the traditional security controls we’ve used to secure devices and information on the Internet and focus instead on the basic security principles like least privilege and separation of duties.

My point was not to imply that we don’t need security controls in Smart Grid, nor that controls we use to protect the Internet won’t also work for Smart Grid, but rather that we should be asking ourselves why we need specific controls and what controls we could use instead that might be more effective. In other words, in Smart Grid we have the chance to design it right the first time. This is especially important considering the sheer amount of legacy gear that will have to be protected.

For example, firewalls are a common security control that security professionals recommend for securing networks. On the Internet, firewalls serve as a necessary, albeit increasingly ineffective, mechanism for minimizing the attack surface of systems that sit behind the firewall. This is because most computing platforms, regardless of brand, and the applications that run on them, are sometimes less than ideal at defending themselves from the innumerable threats against them. Unfortunately, over the last 30 years attackers have learned how to exploit the inherent weaknesses in firewalls (and the people that configure them) so they don’t provide as much value as they could or should.

Does Smart Grid need firewalls? Certainly in some parts of its architecture. Germany has decided to make smart grid gateways a part of every German household. In the Home Area Network environment this may make sense. However, if smart grid components are designed to communicate only with other authorized devices, would smart grid firewalls still be necessary?

Anti-virus is another popular security control that has become a staple of any reasonable security configuration. I argue that anti-virus is a control that has already begun to outlive its usefulness in traditional computer networks. We install it despite its weaknesses because it is a control laypersons have come to expect. In some cases, it’s mandated. But to introduce it to smart grids would be a crutch we could do without. Imagine millions of smart meters or smart transformers trying to download growing databases of virus signatures and store them in their limited memories. This misses an important point. Because of their mission-specific purposes, we should know every line of code in every piece of smart grid software. If this is true, smart devices should know when their code has been tampered with and replace malicious code with known-good code. With advanced configuration management, smart grids could be extremely resistant to malware infections without traditional anti-virus software. Such a thing is nearly impossible on our favorite computing platforms. Too many applications. Smart grid software may be much more manageable.
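The known-good-code idea above, sketched as an added example (not from the original post or any vendor's product): a device checks each installed component against an authenticated manifest of SHA-256 digests, removes anything not on the list, and restores tampered components from a golden copy. Component names, the key and the firmware bytes are constructed, and HMAC stands in for the asymmetric signature a real deployment would use.

```python
import hashlib
import hmac
import json

# Constructed sample data: hypothetical key, component names and firmware bytes.
MANIFEST_KEY = b"constructed-demo-key"
GOLDEN = {"metrology.bin": b"\x01meter-read-v1", "comms.bin": b"\x02radio-stack-v1"}

def _mac(digests, key):
    body = json.dumps(digests, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def build_manifest(components, key):
    """Utility side: digest every known-good component and authenticate the list."""
    digests = {n: hashlib.sha256(b).hexdigest() for n, b in components.items()}
    return {"digests": digests, "mac": _mac(digests, key)}

def verify_and_restore(installed, manifest, golden, key):
    """Device side: allowlist check instead of a signature database.
    Mutates `installed` and returns {component: action}."""
    # HMAC is a stand-in here; a fielded meter would verify a public-key signature.
    if not hmac.compare_digest(_mac(manifest["digests"], key), manifest["mac"]):
        raise ValueError("manifest failed authentication; refusing to trust it")
    report = {}
    for name in list(installed):
        if name not in manifest["digests"]:      # code nobody authorized
            del installed[name]
            report[name] = "removed-unknown"
    for name, digest in manifest["digests"].items():
        blob = installed.get(name)
        if blob is not None and hashlib.sha256(blob).hexdigest() == digest:
            report[name] = "ok"
            continue
        good = golden.get(name)
        # Never restore from a golden copy that itself fails the check.
        if good is None or hashlib.sha256(good).hexdigest() != digest:
            report[name] = "unrecoverable"
            continue
        installed[name] = good
        report[name] = "restored"
    return report

def demo():
    manifest = build_manifest(GOLDEN, MANIFEST_KEY)
    installed = dict(GOLDEN)
    installed["comms.bin"] = b"\x02radio-stack-v1+modified"   # tampered component
    installed["extra.bin"] = b"not in the manifest"           # unexpected component
    return verify_and_restore(installed, manifest, GOLDEN, MANIFEST_KEY), installed

if __name__ == "__main__":
    print(demo())
```

The device needs only a fixed-size list of digests for its own code, not a growing signature database.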

None of this will be easy. Sometimes decisions may be made to do things quickly, or less expensively, rather than to meet strenuous security design principles. But the challenge stands. We have a unique opportunity to learn from past mistakes and design a system that brings all the benefits energy customers expect and demand in a way that is cost effective and resistant to cyber attack.

Movie Plot Privacy?

I talk a lot to my colleagues about privacy. Smart Grid is coming, and it’s a paradigm-changing technology much like the Internet was–and still is. By that I mean that no one was quite sure how the Internet would impact our privacy 30 years ago. We’re still learning. So it is with Smart Grid today as we try to imagine the world 30 years from now.

Smart Grid is an amazing set of technologies that could potentially change the way each of us looks at energy, the way we use it, the way we store it. Even the way we buy it.

So I sometimes tell stories about what Smart Grid might mean from a privacy perspective. One story I tell is that someday, someone with access to your energy usage data might be able to tell not only that you are watching T.V., but what you’re watching on T.V. The way a “smart” T.V. uses energy to light up pixels on one part of the screen and darken them on others as it creates images could generate unique energy patterns which, when combined with a particular model of television and other variables, could allow one to determine what movie was being watched.

For example, the movie “Die Hard” (with all its explosions at certain times in the movie) would probably have a different energy pattern than say, “Shakespeare in Love.” In theory, knowing the energy pattern generated by the T.V. would tell one what was being watched. The reaction I get when I tell this story is usually one of disbelief.

Well it turns out that this exact experiment is being done in Germany. Researchers believe that it may be possible to determine this exact sort of information from an energy customer’s usage data.

But why would a utility care about what you watch? Truth is, utilities don’t really care at all. Most utilities want to send you an accurate bill and help make you more knowledgeable about your energy consumption (plus they care about a whole lot of back end automation you would probably never see, but would make the grid even more robust and reliable.) But there are many 3rd parties that are trying to figure out how to monetize Smart Grid in other ways. Some of them might be very interested in what you watch on T.V. so they can sell you products and services they think you might like.

But there are other ways to capture this information, right? True, but why should your Smart Grid be one of them? Privacy matters. We must all pay attention to it.

Did I tell you my story yet about how someday people may be able to determine what you’re doing on your computer based on its energy output–what you’re viewing, what you’re typing, what you’re downloading? Let’s save that one for next time.

Privacy matters.

Upcoming security events

After the Great San Diego Power Outage of 2011, the security of our power systems has moved back into the forefront of daily conversation (although there’s no indication that this particular event was related to a cyber-security attack.)

I’ll be speaking or appearing at a variety of security events in the coming days to talk about privacy, security and smart grids! Come on out and participate in the discussions.

October 3-5: Smart Grid Security Summit West

  • I’ll be discussing smart grid privacy and reference architectures on a variety of panels.

October 25: Securing Our eCity Symposium, San Diego

  • The symposium’s theme this year is “critical infrastructure.” Looking forward to it!

What happened to ‘normal’?

By now you may have heard that the Department of Homeland Security has changed its terror alert system from the old color-coding scheme to a much simpler one: Elevated and Imminent.

While most security professionals can agree the old system was vague and confusing, and that the new one should do much to clear that up, I wonder if anyone else has noticed the change in perspective.

As of now, America has only two states of security-being: “High alert,” and “Oh my god, we’re under attack!”

Is that it? Are we stuck forever in the mindset that we are under siege? There’s no chance things could ever return to “normal”, that is, a state of low alert?

I realize there are politics involved in a ‘low threat’ state. No one wants to be the one to change the terror threat state to ‘low’ and then suffer an attack that leaves people thinking the change was premature. And budgets are cut when things are in low threat states.

But can’t we at least maintain the hope that there at least exists the possibility that our security status could someday be low threat? Or have we bought into the fact that we have lost this war and that credible threats somewhere in the world will always be plotting against us with a reasonable chance to cause us harm?

Why am I uncomfortable that in the best of times, our state of alert will be “elevated?” Is it just choice of words? Words, as they say, do have meaning. Is it out of the realm of our conventional wisdom anymore to simply be “vigilant?”

Stuxnet, SCADA and Third Party Vendors

Another zero-day attack, no big deal. It’s nothing we haven’t seen. Except maybe for the vendor’s response.

Siemens uses a default password on their SCADA gear. This worm attacks it. Siemens had this to say about it (from PC World):

Siemens is advising that its customers not change the password because that can disrupt the system. Siemens plans to launch a Web site addressing the issue and how to remove the malware.

So…a third party vendor wants vulnerable customers to keep using the same weak and well-known password. How are companies with control systems supposed to work with this kind of response?

It’s no secret the password is 2WSXcder. You can find it on the Internet. This site, for example.

Vendors need to step up and take security more seriously. Period. Utilities can’t just decide they don’t like vendor X and go with vendor Y. SCADA gear is too costly (ever try replacing a power plant’s generator? The plant is built *around* the generator) and rate-payers rightly won’t stand for it.

Security is EVERYONE’S responsibility. From the customers, to the companies producing a product, to the vendors supplying those companies, to the government overseeing it all.

EDIT:

Symantec provides a little useful information surrounded in a bubble of speculation here.

Siemens responds with a fair attempt at a FAQ on the problem, some lukewarm security advice, a 50MB “sysclean” tool that will be useless in a week, and with little in the way of hard fixes (as of this writing, Siemens customers still can’t change the dang default password) here.