Tuesday, July 3, 2018

WTH: We left personal data exposed for months to catch "the" hackers.

I often mention that not a week goes by that someone doesn't give me something juicy to blog about.

Some weeks are just amazing.




So this will be an opinion piece since everyone is entitled to an opinion ;-)

If you want the short version, here it is: 


Short version:  A company that exposed the personal data of over 130,000 citizens is now considering hiring a security firm to test its sub-par application, says it knew of the security issue for months, is convinced the flaw was only there for two months, and confirms it left the hole open to catch "the" hackers.

Short analysis:  They didn't know, and they couldn't have caught "the" hackers since most are in foreign countries and even law enforcement can't catch them.  Conclusion: they are clueless on security, and the cities that outsourced their services to these clowns are to blame for not doing ANY security due diligence.

The longer funny version: 

I blogged about this issue last week (see previous entry).  What has changed is that a newspaper article was written on the subject, and it seems the company in question has no idea how to handle a security incident (like most companies).  They are just opening their big mouths, and the vomit coming out is so telling about their security maturity that I will now use this example when I teach my students.

Strike 1:  for months "we left the site vulnerable so we could catch the hackers".

Comment 1: Stupidest thing I've heard this month (but in their defence, it is only the first week of the month).  The hackers you could catch are the local ones poking at the vulnerability for fun, and catching them wouldn't do much since they probably have no criminal intent.  The real ones are smart enough to route through another country, or are actually in another country.  The fact that they think they will catch someone proves that their maturity is rock bottom.  The simple idea of leaving REAL data exposed in order to catch someone they can't possibly do anything about is just wow.  This confirms a complete lack of understanding of both security and privacy regulations.  Also, let's see the police report, since you obviously contacted law enforcement as soon as you knew someone was hacking you, given that you wanted to "catch" them.... oh wait... you didn't know about any of this until the journalist called...


Strike 2: Only a few accounts had Social Security Numbers.

Comment 2:  This seems to imply two things: first, that not much valuable data was exposed, and second, that birthdates, home addresses and medical conditions aren't important.  It is important to note that the video I saw seemed to pick out accounts randomly and they all seemed to have Social Insurance Numbers, so I'm not even comfortable with the declaration that only a few accounts have a SIN.  In fact, this entire story is a SIN  ;-)


Strike 3: We are looking into hiring an external security firm to test out our application.

Comment 3: What ?  Out of 200 municipalities, no one put this as a requirement! And why are you only looking at it now?  Haven't you proven without a shadow of a doubt that you desperately need adult supervision!?  When reporters started calling you... this didn't strike you as a great time to do this....


Strike 4:  We know exactly when the "bad code" was introduced, and it has only been a few months, so we know exactly which accounts have been breached and we are going to contact them.

Comment 4:  Yeah, you have clearly demonstrated that you are in full control of your ecosystem, and I feel confident that you actually "know" everything, had detailed logging in place going back years, and that your software development lifecycle is solid to the point of having caught the other major issues introduced in earlier revisions.  I also feel very confident that you will take immediate action without a journalist calling you up to point out that you're exposing all your customers' data.  Is it beer time yet.....

UPDATE !:  La Presse just published an article giving even more ammunition to my rant.....




Strike 5 (Because this is that type of ball game):   They are claiming that only 30 personal records have been accessed.... yet an anonymous source sent me a series of videos containing a number way north of 30.

Comment 5:  This means that they have no clue who has accessed what or when.  For all we know, everything may have been scraped by a bot and all the data ingested by a malicious actor.   Oh yeah... they could also be lying, because that seems to come up a lot!


A recommendation for the company in question:  Next time, shut up and hire a professional to handle your PR/security issue.  Also, stop considering security and actually do it.  And as a final recommendation, stop lying and making it up as you go along.

A recommendation for the municipalities handing our private data to contractors:  According to GDPR and many upcoming privacy regulations, you are responsible for handing business processes only to QUALIFIED firms.  This doesn't mean what you think it means.  It means they understand their duties.  For a software development firm, this means training developers on security and including security testing within the SDLC (Software Development Life Cycle).  It also means never leaving an exposed system... exposed.... so you can look at logs.  Oh wait... that was a lie.... since you had no idea you had a breach until the phone rang.....

I guess that is why I always tell senior executives to SHUT UP and let the qualified folks take the microphone.  Blurting out a bunch of incoherent crap like this only proves that you are either lying or incompetent.  

Big trophy for them this week, because in only a few statements they proved both.  Good job !



_______________________________________________

Eric Parent is a senior security expert, specialized in coaching senior executives.  He teaches CyberSecurity at l'Ecole Polytechnique and HEC Universities in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.

Follow Eric on:
Twitter @ericparent
LinkedIn :  EVA-Technologies

www.eva-technologies.com



Tuesday, June 19, 2018

Cross your fingers "security", the current gold standard.

It's mid week, not even a Friday and things are heating up.

Headline: "Enterprises take huge risks with our personal data".   Please.

Not a big surprise to security professionals as we are constantly "fighting" for adequate security.

By adequate, I mean normal, sensible, security.

I was contacted by several journalists this morning with regards to a services portal that operates in the municipal space as a SaaS provider. 

This "service" manages something to do with leisure activities.  I don't want to name them, since I like my enemas handled by qualified doctors and not by legal teams with no comprehension of what security hygiene means.

So this portal supports hundreds of municipalities and has hundreds of thousands of users, yet security was never addressed.

Why do I say "never addressed"?  Simple.... I cannot say "never reviewed", because I do not know whether these things were simply ignored, judged not important at the time, or simply unknown to them.

I'm actually still on the fence with which I like best, someone who lies to me or someone who is incompetent.

The issue is simple (and multiple issues should have been identified by a qualified security expert).

For one, the site uses a sequential ID in the URL (a textbook insecure direct object reference).  This means (you guessed it) changing the ID means accessing someone else's file.




That alone is already an issue, but it gets worse.

You don't need legitimate credentials to get to it.  Anyone can create an account without any email validation, so once you have created your fake account, you can read everyone's file.

But wait !  There is more!

The personal data includes home address, phone number, birthdate, medical conditions and allergies !

But wait !  There is yet more!

Social insurance numbers are not only stored in the clear in the database, but are also returned to your browser when you view your file (or anyone's file, since you can change the ID number to "see" someone else's file).

Here is the awesome protection on that one field..... it is returned in an HTML input of type="hidden" so it doesn't display on your screen  ;-)  It is still right there in the page source and in the HTTP response for anyone who looks.




So what are the lessons learned here....

1) Municipalities (and the private sector) should not trust a SaaS provider just because they say "everything is fine".  "These are not the drones you are looking for" is not a security approach.

2) If the SaaS provider tells you they have awesome security because they are hosted in a CLASS 1 datacenter called AZURE, AWS, GOOGLE, etc., run!  It means they do not grasp that the security of their hosting provider is only the plumbing; it says nothing about the "quality" of the application the provider is throwing on top of the certified infrastructure.

3) Security testing is a MUST, and it must be performed by someone qualified.  

4) Account creation should require a validated email address.

5) Authentication and authorization mechanisms should limit what a session can see to that user's own data, enforced server-side on every request (certainly no client-side security, and hiding a field in the HTML does not count).

6) Being a small unknown company in the wild and huge world we call the Internet doesn't mean you do not need security.  Crossing your fingers and hoping for the best is also not the best approach.

7) Logging and alerting when someone is leeching your entire client database is probably a good idea.
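As an added example that is not part of the original post and not the portal's own code, here is a toy version of the three failures described above (the sequential ID from the URL is trusted, any account can read any file, and the SIN ships to the browser in a hidden field) beside a hardened lookup, plus the kind of detection rule lesson 7 calls for, run over constructed access-log lines.  The record store, the user names and the log format are all assumptions made for the example.

```python
"""Added example, not code from the original post or from the portal it
describes. Everything here (records, users, log format) is constructed."""
import re
from collections import defaultdict

# Constructed profile records keyed by a sequential integer ID, as in the post.
PROFILES = {
    1001: {"owner": "alice", "name": "Alice A.", "dob": "1980-01-01", "sin": "123456789"},
    1002: {"owner": "bob",   "name": "Bob B.",   "dob": "1975-06-30", "sin": "987654321"},
    1003: {"owner": "carol", "name": "Carol C.", "dob": "1990-12-12", "sin": "555555555"},
}


def get_profile_vulnerable(session_user, profile_id):
    """The pattern the post describes: the ID in the URL is trusted, the
    session is never consulted, and the SIN is shipped to the browser in a
    hidden form field. Any account, including a throwaway one created without
    email validation, can walk the ID space and read every file."""
    rec = PROFILES.get(profile_id)
    if rec is None:
        return None
    return {
        "name": rec["name"],
        "dob": rec["dob"],
        # "Protection": the field is simply not rendered; it is still in the page source.
        "html": f'<input type="hidden" name="sin" value="{rec["sin"]}">',
    }


def get_profile_hardened(session_user, profile_id):
    """Authorisation decided server-side from the session, on every request.
    The SIN never leaves the server in full; only a masked form is returned."""
    rec = PROFILES.get(profile_id)
    if rec is None or rec["owner"] != session_user:
        return None  # same answer for "no such record" and "not your record"
    return {"name": rec["name"], "dob": rec["dob"], "sin": "***-***-" + rec["sin"][-3:]}


# Constructed access-log lines (a common web-server format with the session user
# appended). One legitimate user and one account enumerating IDs in order.
LOG_LINES = "\n".join(
    ['10.0.0.5 - - [19/Jun/2018:09:00:01] "GET /profile?id=1001 HTTP/1.1" 200 user=alice',
     '10.0.0.5 - - [19/Jun/2018:09:05:12] "GET /profile?id=1001 HTTP/1.1" 200 user=alice']
    + [f'198.51.100.7 - - [19/Jun/2018:02:10:{s:02d}] "GET /profile?id={1000 + s} HTTP/1.1" 200 user=throwaway42'
       for s in range(8)]
)

LOG_RE = re.compile(r'GET /profile\?id=(\d+) .*? user=(\w+)')


def find_enumerators(log_text, max_ids_per_user=5):
    """Lesson 7 as a rule: flag any account that pulled more distinct profile
    IDs than a real user plausibly would, and report how many of those IDs
    were consecutive, the signature of someone leeching the whole database."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            seen[m.group(2)].add(int(m.group(1)))
    flagged = {}
    for user, ids in seen.items():
        if len(ids) > max_ids_per_user:
            ordered = sorted(ids)
            steps = sum(1 for a, b in zip(ordered, ordered[1:]) if b - a == 1)
            flagged[user] = {"count": len(ids), "consecutive_steps": steps}
    return flagged


if __name__ == "__main__":
    print("throwaway reads bob (vulnerable):", get_profile_vulnerable("throwaway42", 1002))
    print("throwaway reads bob (hardened):  ", get_profile_hardened("throwaway42", 1002))
    print("bob reads bob (hardened):        ", get_profile_hardened("bob", 1002))
    print("enumerators:", find_enumerators(LOG_LINES))
```

The hardened lookup answers "not found" for both a missing record and someone else's record, so an attacker cannot use the difference to map out which IDs exist.  The detector is deliberately crude (a count threshold plus a consecutive-ID measure); the point is that a scraper walking the ID space is trivially visible in logs that nobody was reading.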

I'm going to stop, because I'm getting sarcastic again.  I really do need therapy.

On a very serious note.  When dealing with sensitive, regulated PIPEDA type data, perhaps some security is a fair expectation and a reasonable minimum.

From a GDPR perspective, everyone involved here is a potential winner of a multimillion euro grand prize.


_______________________________________________



Thursday, June 14, 2018

When the girl is too good to be true.... dive right in !


So I get a friend request on Instagram.

She is too cute and too young for me to not feel so so special.

I was ready to buy a plane ticket and jump onboard.

Her name is Caren A Lewis.  And this is the story of how I played with her all week.



So being the security pro that I am, I immediately started chatting with her/him/it because I need more friends like her.

I wanted to get to know her.  The real her ;-) 

Well, it turns out she is from Helena, Montana.  Far enough away that I can't just stop by for a visit.  And it turns out what cute young girls want today are online relationships and money to buy a new iPhone because it is her birthday in a few days.  Poor thing, using an old Samsung!

After many days of chatting and exchanging, we finally got down to making a deal ;-)



As you can see from this segment of the exchange, she was being a little pushy as her money-hungry fangs felt the proximity of potential cash.   Except I finally revealed what I called something kinda kinky... who I was, and that I actually had a good buddy of mine at Instagram online working with me to fry that sausage for good. 

I won't show that part of the message, because I used a lot of military language that my commanding officer warned me about not using in public.


SAFETY TIPS 101

Here are some tips for anyone foolish enough to fall for one of these scams.....

Do yourself a favour and do these two things :

1) Upload some of the pictures to Google Image Search (reverse image search).  Google will find all the pictures that look like your new imaginary lover, and you may notice that the pictures come from other people entirely or have already been identified as pictures used by scammers (as is the case with this one).





2) This one is important, since your blood flow may be ill-routed.  If you still have doubts, or are plain delusional that a random sexy young lady picked YOU....  ask her, and by her I mean the hairy dude behind the keyboard... ask her to send you a picture of herself holding the local paper.     Trust me, the conversation will dry up almost as fast as that blood flow issue will resolve.

Important Internet Safety Tip #4931:  Don't be a dumb ass

_______________________________________________



When a security vendor ignores security - What could go wrong.

Another week, another embarrassing security issue.

I'm going for something light this week, to end the week smoothly.

So many news items to pick from, my eyes and heart landed on a highly secure digital padlock.




What could go wrong

Well, it seems everything could go wrong, since this padlock has a list of transgressions longer than Donald Trump's.

Note that their selling points include a ZAMAK 3 zinc alloy metal body with a cut-resistant stainless steel shackle, double-layered design with anti-shim and anti-pry..bla bla bla...

Pretty solid lock, right!    Well.....If you lose access to the padlock, no worries, just get a GoPro sticky mount pad, stick it to the back and twist the back open. Once it's popped open, it's pretty easy to physically unlock it.  That's right... the back twists and pops off... you know... for maintenance and oil changes!



Twist and pop !



And on the digital front, they claim military grade security.  AES128 isn't really "military grade" (that is a marketing term, not a standard), but we can let that one slide.  What is interesting is the fact that the communications between the cloud and the lock are all done over the very secure HTTP protocol.  That's right folks, no S on the HTTP, so anyone on the path can read and tamper with that traffic.

Bluetooth Low Energy (BLE):  Vulnerable to a replay attack (easy hack), meaning a captured unlock exchange can simply be sent again.

Quote from the research article:  


Yes. The only thing we need to unlock the lock is to know the BLE MAC address. The BLE MAC address that is broadcast by the lock.
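To make the replay point concrete, here is an added example that is not code from the original post or from the Tapplock research: a lock that accepts the same static unlock write every time (replayable) next to one that issues a fresh random nonce per attempt and accepts only an HMAC over that nonce (not replayable).  The lock classes, the pairing key and the message formats are hypothetical; only the protocol shape matters.

```python
"""Added example, not code from the original post or from the Tapplock
research it links to. The lock, the pairing key and the message formats are
hypothetical; the point is the protocol shape, not any real product."""
import hashlib
import hmac
import os

# Assumed to have been provisioned into both phone and lock at pairing time.
PAIRING_KEY = b"constructed-pairing-secret"


class StaticTokenLock:
    """Replayable design: the lock accepts the same unlock write every time.
    Whoever sniffs one BLE exchange (or can compute the token) owns the lock."""

    def __init__(self, key):
        self._token = hashlib.sha256(key).digest()

    def unlock(self, token):
        return hmac.compare_digest(token, self._token)


class ChallengeResponseLock:
    """Replay-resistant design: the lock issues a fresh random nonce for each
    attempt and accepts only an HMAC over that nonce. A captured response is
    bound to a nonce the lock will never issue again."""

    def __init__(self, key):
        self._key = key
        self._pending = None

    def challenge(self):
        self._pending = os.urandom(16)
        return self._pending

    def unlock(self, response):
        nonce, self._pending = self._pending, None  # single use, then discarded
        if nonce is None:
            return False
        expected = hmac.new(self._key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(response, expected)


# The phone side of each exchange.
def phone_static_token(key):
    return hashlib.sha256(key).digest()


def phone_response(key, nonce):
    return hmac.new(key, nonce, hashlib.sha256).digest()


def replay_against_static_lock():
    """Returns (owner's attempt, attacker's replay of the sniffed write)."""
    lock = StaticTokenLock(PAIRING_KEY)
    sniffed = phone_static_token(PAIRING_KEY)  # attacker records the BLE write
    return lock.unlock(sniffed), lock.unlock(sniffed)


def replay_against_challenge_lock():
    """Same scenario against the nonce-based lock."""
    lock = ChallengeResponseLock(PAIRING_KEY)
    sniffed = phone_response(PAIRING_KEY, lock.challenge())
    owner_ok = lock.unlock(sniffed)
    lock.challenge()  # attacker's attempt gets a new nonce...
    return owner_ok, lock.unlock(sniffed)  # ...so the recorded response fails


if __name__ == "__main__":
    print("static token   (owner, replay):", replay_against_static_lock())
    print("challenge/resp (owner, replay):", replay_against_challenge_lock())
```

A challenge/response only helps if the per-lock key is genuinely secret and the nonce is unpredictable.  If the key can be derived from something the lock broadcasts, as the quote above implies for the BLE MAC address, the attacker does not need to replay anything; they just compute the response themselves.  And carrying the cloud side of the exchange over plain HTTP undoes the work again.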

I could go on and on, but the following two articles do a much better job providing something to laugh at and giving you something to avoid in your own projects.

Walk through of all the issues:
https://www.pentestpartners.com/security-blog/totally-pwning-the-tapplock-smart-lock/

SC MAGAZINE article about it all:

https://www.scmagazine.com/tapplock-smart-locks-found-to-be-physically-and-digitally-vulnerable/article/773348/


LESSONS LEARNED

Having a "qualified" security person in any of these architecture and design meetings would certainly have made these issues float to the surface.   Instead, the only thing that floated to the surface, was a genuine sh*t product.

To be fair, they may have had a security person in these meetings.  So either they had someone with inadequate qualifications, or they did what most startups (and, cough cough, large enterprises) do and said "shut up with all these issues, we need to push this to market to get our first round of financing pushed through."  

Kids, this is why we can't have nice things.  

If Gordon Ramsay had been in this kitchen, he would have told their CEO that he is either blind, incompetent or stupid, or a mix of all three.

Nothing wrong with making money but it kinda stinks when you can't make "honest" money and produce "quality" products, especially when the product is a "security" product.

Do we really need more landfill ?

**** (EOR) END OF RANT


_______________________________________________


Wednesday, June 6, 2018

INTACT Insurance fails GDPR compliance logic check



It is no secret that every enterprise will claim to be onboard for GDPR compliance.

It is also no secret that no one is GDPR compliant.  However to what degree and how much will they declare remains to be seen.   And some are going out of their way to prove they lack either competence or desire.

Many "normal" citizens feel that large multinational corporations actually care about them.  They love the points programs, and they love the perks.  They also fail to see that these "programs" are meant to keep you as a customer through the illusion that you are special.  You are not.  You are a requirement for doing business, and corporations love taking your money while delivering the most cost-effective service possible.  This is a polite way of saying they deliver the least costly service they can get away with while maintaining the illusion that what they lay are only golden eggs.

One of the main parts of GDPR (and many would say common sense) is Article 25.

Article 25 is all about "Data Protection By Design and By Default".  It means build something that doesn't get you fired.  Build something that is reasonable and respectful of the data you are processing.

So let's take a look at INTACT INSURANCE today.




They have a great app that they advertise with a catch phrase that translates to "reap the benefit of secure remote access to your data".  I didn't bother going to see the English version because hackers are lazy.  But it turns out large corporations are too.... read on....




Would it be any surprise that they are not GDPR compliant, or, it seems, actually compliant with anything significant when it comes to security?

Take a look at the User Agreement section on security:





How good do you feel as a customer now? 
Do you still feel valued?   
Do you still feel special?

If you do, contact me immediately, I have a new cryptocurrency to "sell" you at an amazing rate!

So as far as compliance with GDPR goes, they are failing in many areas way beyond "Secure Design".

It is fascinating to see how a legal department pumps out these gems to "protect" the enterprise and "protect" the shareholders while letting everyone know that they will take no responsibility for pushing bad software onto their customers' mobile phones and potentially exposing sensitive information or enabling identity theft.

Now, what if this was actually all a magic trick, and what they are actually doing is full-on spying on their customers?   I didn't think of this one; my friend Eric (not the voice in my head) had this genius idea.   A mobile phone certainly knows what locations you visit, how fast you drive, and probably a bunch of other interesting things that they could always claim was done by spyware, since "we do not guarantee" anything!

Maybe Facebook and Google have a lot to learn, because this is actually pretty clever.  Build a contract that says we don't guarantee anything, hide it in a lot of legal terms, and you're golden.  Oh... wait... GDPR actually says you cannot do that.  Darn it.  

One thing remains certain: large corporations have very large legal budgets and will work hard to ensure they take as little responsibility as possible.

This is only mid-week.  So many breaches can come out before the weekend, giving us all many other examples of GDPR failures; this one just happens to come before the breach.

Ultimately, if you read the small print or pay close attention, most enterprises already radiate their GDPR failure through their daily actions, as in this example.

If someone takes the time to read through GDPR it all makes sense, but it relies on people knowing what they are doing and doing a good job across the board.  Not something most large enterprises are awesome at.

I'm really eager to see what the end of week breaches will be.  I always feel like Christmas day when Friday is just around the corner !

_______________________________________________


Friday, June 1, 2018

When praise hides incompetence. How BMO and others are failing their “customers”




We all have to start realizing that we are not really their customers; we are their product.  We are an annoyance that is required for them to make money.

If we indeed were their customers, then they wouldn't be handing over all our personal information to third parties like Equifax without actually doing proper due diligence.

So this week's blunder on the BMO and CIBC side shows us just how much big enterprises care, and how prepared big enterprises actually are to deal with major data breaches.  They aren't.

Several "customers" who happen to be friends of mine sent me the messages they received from the banks.  One friend who happens to be at the top of the "security" food chain actually called BMO after receiving the notice that his information had not been exposed, and he requested written confirmation that his information was all safe.  The response……. "Sir, we cannot do that.  If you get a call from us, then your information is involved; if you don't get a call, then you are all good."

Awesome maturity!  Awesome process.   How proud they must all be.

This is unacceptable for many reasons.  The most important one is the fact that waiting for a call that may never come isn’t really a way to manage data breaches.  What if they call the wrong number.  What if I miss the call.  I may never officially know that my information has been exposed.

Then we have the warm feeling some of us got when they announced the breach publicly, it seems, hours after the breach was exposed.

Many (rightfully so) praised the quick “customer” notification.  The reality however is not as awesome.  Turns out I was right…. It was a hostage situation.   A sample set of customer data had been posted on PasteBin. 

Somehow the banks managed to shovel shit down our throats by telling us that they instantly put in place “enhanced security” and that the breach point was identified and closed and everything is now fine.

This alone should cause concern for any security professional.  If someone breaches your system and then asks for a ransom, chances are things aren't fine.  It could be that they also put in a backdoor, but it is 100% certain that all 90,000 leaked accounts HAVE LOST THEIR INFORMATION TO CYBER CRIMINALS.  The 90,000 can't change their dates of birth or their social insurance numbers. 

So instructing your clients to change their passwords and offering credit watch services for one year is 100% BULLSHIT, 100% SECURITY THEATRE and 100% NOT TREATING YOUR CUSTOMERS LIKE VALUED CUSTOMERS.  After you lose all my shit, you should legally be forced to provide credit monitoring services until I drop dead.

Cyber criminals don't use stolen personal information for identity theft immediately.  They assemble information into a higher value profile and then use it.  The repercussions of all these data breaches will be felt for many years, not just 12 months.

This is where I like GDPR.   Chances are that out of the 90,000 people exposed, some may have dual citizenship (European citizens).  This would mean that BMO and CIBC have just been proven to be NON-COMPLIANT.  This means they are exposed to a significant penalty.  It's basically 20 million euros or 4% of global annual turnover, whichever is bigger.  Guess what.... it's way more than 20 million!

But this won’t change anything.

Here is why.

Financial penalties impact the bottom line of the enterprise temporarily.  

Watch the stock fluctuations of any breached publicly traded company; generally they bounce back really quickly.

Heck, Equifax MADE MONEY selling their credit protection services!  
Talk about screwing the citizen!

The CEO’s and senior executives will come and go.  They all get paid LARGE sums regardless of their failures, and they never have any real penalties for non-compliance or major failures under their management.

Bottom line, they have NO REAL MOTIVATION to change anything and no real need to do so.

What we need, is a set of laws that includes personal liability for senior managers.

Hey…. We are all allowed to have a dream.

Or, alternatively, we need a NEW system that makes these personal pieces of information irrelevant.  Enter blockchain technologies, perhaps.

Things must change because it is simply NOT TRUE that my name, address, DOB, and SIN are actually confidential.  These have all been breached numerous times and should NOT be personally identifiable information.

Something to think about....


_______________________________________________



Monday, May 28, 2018

BMO and CIBC drop the ball and are found bent over trying to pick it up.



I know eh!  Catchy title!




So get this, they have a security breach and they figure it is a great idea to pump out a press release immediately (according to their own statements).

Now who would do that ......  who would advise the media hours after a breach is discovered?

CBC news article: 

BMO Press release:

CIBC - Simplii Press release:

The answer is simple.  Someone who has awesome security, and awesome security folks, and awesome security tools (that they had seemingly forgotten to turn on)!

The last part is sarcasm.  

So let's break down the press release into three main parts

1) They found out about the breach when the bad guys (apparently from another country) called them on Sunday and let them know.

2) They immediately stepped up security (added "enhanced security" .... their term)

3) They are now confident that everything is 100% cool....

Wow..... all within a few hours.

They should shut down the bank and start a security company.  

It is like they didn't have anybody with both hemispheres working re-read this press release.

What's wrong with #1
If the bad guys actually called them up on a Sunday (which by itself is a miracle, since I couldn't dream of reaching someone at a bank's head office on a Sunday), then doesn't this mean it is a hostage situation... they must have called up to ask for something.... where is the beef!

What's wrong with #2
It implies that they had a lot of security systems turned off at the time of the attack (or had no one tasked with looking at the security systems), since they instantly activated "enhanced security mode" within a few hours of being told of the breach.  Why wouldn't this "enhanced security mode" be on all the time?

Anyone who works in security knows that adding "enhanced security" takes months and sometimes years, yet they pulled it off in a few hours.  Simply amazing!

What's wrong with #3
I keep telling senior managers and students the same thing..... if any idiot tells you that something is 100% secure or 100% certain.... back away slow, they are dangerously incompetent.

Nice job in the press release / damage control department!  I now have yet another example to use in my teachings with regards to the value of keeping your big mouth shut until you have something of value to throw out there.

In the meantime, no one knows what was exposed and what they should do about it.

Once again... nice job... and no.... not cool.

I was interviewed by CBC (in French) and had a hard time holding back the sarcasm.

Link:  https://vimeo.com/272250062/ad0ef65ba4

So to summarize, either they had a lot of security turned off with no one watching and now they are looking, or they added a lot of security overnight.. I mean... or they lied.

So to summarize further, they are either incompetent or liars.

Great start to the week !


_______________________________________________




Thursday, May 3, 2018

Equifax finally admits that they had no security...



In a huge turn of events today, Equifax and I are trying something new.

Equifax is trying to include security within their ecosystem.


I'm trying a catchy title with half truths like all the newspapers keep using.

Only problem is that my title isn't actually a half truth, it is more of a mostly true.

Equifax seems very proud to announce to shareholders and to the world that they have just poured hundreds of millions of dollars into security.

The catchy phrase that got me going for this end-of-week post is this gem from their last quarter financial reports as reported by SC Media:

$ 242.7 million overall breach cost:  


This included $45.7 million in IT and security costs to transform the company's IT infrastructure and improve application, network, and data security. 


The thing with traded companies is that we KNOW.  We know that you only spend money when you absolutely must.

So this $45.7 million was needed.  As in, was always needed.

To be clear, this means that their "secure" ecosystem was behind by $45.7 million.

Yet, they always claimed that they met all the compliance requirements both legal and of their partners.

So keep that in mind next time you are doing business with a publicly traded company who, by the way, had a 125 million dollar cyber insurance policy with a 7.5 million deductible.  

In my humble opinion, a 6% deductible sounds like the insurance company was trying to manage its risk and perhaps had doubts about the quality of the Equifax ecosystem.  But that is pure speculation, just like thinking that "the Equifax clients" are their priority.   And ultimately, it is a traded company, so a higher deductible means lower premiums, better short-term results for the shareholders, so basically a win-win.  And since senior executives have done their "duty" and do have insurance, the fact that the shareholders will suffer the financial hit IF (when) a security breach takes form is a very common boardroom stance.

The "short term, bottom line" is always the only true priority for a traded company.   Until the laws evolve to include stiff financial penalties for willful blindness by senior executives (personal liability) and jail time, things will not change.


_______________________________________________





Wednesday, May 2, 2018

Will your DNA become a liability?



A very interesting news article was published this week about the Golden State Killer being tracked down with DNA data from consumer genetic testing.




Turns out that law enforcement had a solid lead that required getting a genetic testing lab to cough up the goods.  Ultimately the information was actually used to clear an innocent person who was on the suspect list.... so really.. a good ending.

In case you aren't aware, numerous genetic DNA labs exist that help identify your hereditary diseases, ancestry details and many other pretty cool things.

Take a look at 23andme and you can get a good idea on the cool things you too can find out about with just a spit sample.

The problem is how the information is handled, and more importantly, how it could be accessed in the future.

If your raw DNA results get deleted and can't possibly be pulled back it would be less of an issue, but the nature of genetic DNA testing is that it requires a lot of information for the purpose of correlation.  So in short, they cannot delete anything, the strength of the entire analysis is based on raw numbers.

So in this case, we have a happy ending.  A serial killer was identified.  I doubt that anyone is going to complain about that.

But it does open the door to various abuses by law enforcement, and causes a major ethical ripple in the world of Genetic DNA testing.

I propose to you the following very simple problem.

You order a simple DNA test for $200.

It highlights that you are likely to have a certain disease.

You contract a new life insurance policy and you didn't mention the DNA testing results.

You have probably just broken the law, as most insurance forms will ask "are you aware of anything else we should know about", or something along those lines.

What if you even forgot that the 10 page report mentioned your predisposition to a disease name you didn't even recognize or understand....... your insurance is still technically invalid.

So if the genetic DNA lab suffered a data breach or was purchased by an insurance company and you had dropped dead of that unlucky disease.... the insurance company would not have to pay up since after all, you lied on the insurance form.

Now the likelihood of any of this taking place in our lifetime is maybe nil.

Ask a conspiracy theorist and you will get an ear full about how citizens are voluntarily paying to get genetic testing done and giving up their DNA information to the government.

What if big corporations have access to genetic information?  Could this information be used to their advantage?   If one thing has been proven time and time again, is that information is power, and power involves abuses.

Time will tell.

So from a security professional's point of view, I would recommend that anyone getting genetic testing stick to one basic rule.  Do not provide your real name and birthdate.  It simply isn't required for the DNA testing.

However.... you did pay for the test with that credit card..... so don't go killing anyone and expecting your entire DNA thing to be air tight  ;-)


If you want the full details about the case, this Buzzfeed article really covers it to a good degree.
_______________________________________________




