Big Data: Is Our Security Keeping Pace?

Presented at the 2014 Gravitec Store Location Conference by James Puffer Big Data: Is Our Security Keeping Pace?


Post on 23-Feb-2016


Last December Target was hacked for 40 million records.

In January Target reports another hack for 70 million records.

Total hack: 110 million records!

Was this done by a global cybercrime group? … or by one employee making a bad choice?


Edward Snowden

He worked for the CIA and then NSA and leaked thousands of classified documents to media outlets.

The documents showed details of a global surveillance program, especially the mass collection of phone data.

Robert Gates: “He’s a traitor that should face the music.”

SXSW Festival: “He’s a whistleblower and a hero.”

You think we’re divided on this issue?


These Two Incidents Raise Questions About:

► What data are being collected?

► How are the data being collected?

► How are the data being used?

► How secure (private) are the data?

How can we deal with all of this information responsibly?


Objectives:

Better understand the complex issues of big data security and privacy

Make better personal decisions about personal data

Implement better corporate policies regarding collection, use and safeguard of customer data

Overall goal: Produce better, pro-active solutions


Why is This Important to Us?

Because all of us are tangled up in big data at every level:

► We are collecting data
► Our data are being collected
► We are using BIG DATA in one way or another
► Our privacy and confidentiality are at risk
► Each of us has a LOT to gain … or lose!


The Current Situation: More Data!

► How much is too much?
► What data should NOT be collected?
► What techniques of collection step over the “line”?
► What kinds of analysis are out of bounds?
► Security is not improving as fast as hacking.

We are allowing technology to drive our boundaries!


Are We Headed Towards “Impossible Privacy”?

Case: Who Has Your Social Security Number?

► Social Security Administration
► Your bank
► IRS
► Your retirement accounts
► Your insurance companies
► Your credit card companies
► Your mortgage company
► Law enforcement?
► Your health care providers
► Your spouse, kids?
► ? ? ?
► Your employer


Are We Headed Towards “Impossible Privacy”?

Another Case: Google

Google has every single email you ever sent using Gmail. They have it stored, indexed, and they have built models of your behavior.

Yahoo and Facebook have been doing similar things.

How secure do you feel?


Are We Headed Towards “Impossible Privacy”?

“Pretty Sure?” Really?


Why is This Important to Us Professionally?

Professional information is being collected about you, much more than you think, probably more than you would approve.

What are the corporate risks?

Your company’s data collection and security will affect customer perception.

Company data collections are hackable:

► Store designs
► Prospective sites
► Sales history
► Consumer/loyalty data
► Forecasting models and casing data
► Employee data


Understanding Data Context

Data fields have privacy context

Data fields have utility context

Data analysis has context

The IRS can collect my SSN, but not a grocer.

My photo has great value for my passport, but not for Amazon.

Use my purchase history to generate relevant coupons, but not for determining price.


Understanding Data Context

1. Data fields have privacy context

► Collecting with permission: customer addresses, phones, purchases, IRS data, medical info (at health provider), banking, schools.
► Collecting with “sort of” permission: Internet visits (cookies), credit history, security cameras, satellite imagery, unreadable EULAs.
► Collecting without permission: NSA’s PRISM program, viruses, worms, key logging, store casings, drones, smart phones, tablets, hacking, purchases of data from other sources.


Understanding Data Context

2. Data fields have utility context

► Wide Utility: customer addresses, phones, email addresses, purchases, EULAs, demographics.
► Medium Utility: Internet visits (cookies), credit card info, security cameras, satellite imagery, store casings, credit history, SSN.
► Narrow Utility: NSA’s PRISM program, key logging, drones, medical information.


Understanding Data Context

3. Data analysis has context


The Data Rubik Cube

[Figure: cube labeled Privacy, Utility and Analysis]


Big Data and Security Topics

● The Best Security

● Biometrics

● Hacking

● The “Cloud”

● Wireless Data & Encryption

● Social Networks


Big Data and Security Topics

The Best Security

► Starts with a really good plan
► Incorporates multiple tiers
► Utilizes best technology like firewalls, encryption, etc.
► Emphasizes well-trained employees
► Multiple recovery plans, rehearsed
► Well-defined accountability

Still, there are random influences: No security is perfect

Lavabit had a special secure email with 2,500 character encryption. NSA sued to get the key, and they won. Instead of turning over the key, Lavabit folded.


Big Data and Security Topics

Biometrics

► Legal status of gathering and using biometrics is unclear.
► Police started using biometrics in 2011 to recognize offenders.
► DNA databases and recognition are far more common.
► FBI is building next generation database with fingerprints, iris scans, palm prints, voice data and facial recognition.
► NYC “Domain Awareness System” has 3,000 cameras that can recognize and track people and cars.
► Who owns your biometric data?

It’s easy to replace a stolen credit card, but how about fingerprints or DNA?


Big Data and Security Topics

Hacking

A Brief History:

► In the “early days” hacking was a hobby that could get a little cash or mail-order item.
► Hacking moved to larger scale, getting lots of info and selling it.
► Hackers then built great software for sale.
► Now hackers can make a great living hacking for government covert ops, e.g. Snowden’s TAO

Remember when hackers were criminals?


Big Data and Security Topics

Hacking

Hacking is not a hobby: it is a profession with specialties and a very good income.

Nearly every home computer has been hacked.

Hacking technology is never very far behind security, and it always catches up quickly.

Many governments are very active hackers:

► The STUXNET virus disrupted Iran’s enrichment program.
► The Chinese government has a hacker building.


The “Cloud”

Definition: Expandable storage on network servers.

No cloud: Storage is duplicated on every device.


The “Cloud”

Definition: Expandable storage on network servers.

Using the cloud: One copy serves every device.

This kind of storage encourages you to buy more devices from the same manufacturer.

“The cloud” or “the leash”?


The “Cloud”

Many companies offer free cloud storage: up to 10 Gb.

You could buy a 1Tb drive for less than $100.

That makes 100 “gifts” of storage for $1 each.

If all your pictures, music, data, books are in the cloud, you could use up your wireless data limit quickly.

Apple and Microsoft are really pushing cloud storage, beginning to limit non-cloud choices.

► Apple devices will now only sync contacts wirelessly
► Microsoft requires CloudDrive account to get apps.


The “Cloud”: The Risks

Internet security breaches happen often.

If the server goes down, your devices can’t access data. (Both Amazon and Gmail have gone dark).

Lack of access if you have no Internet access.

Syncing and redundancy bugs are common.

If a hacker gets your password, you may be locked out of all your devices.

Your security is only as good as the weakest link in the chain.


Wireless Data and Encryption

Includes: cell phones, tablets, laptops, desktops, car systems, security cameras, printers, headphones, speakers, mice and keyboards, GPS, gaming systems, pet training, musical instruments, RFID devices, walkie-talkies, marine radios, fans, air conditioners, heaters, lights, door locks, smoke alarms, garage door openers, …

Scrappy remote control garbage disposal.


Wireless Data and Encryption

► Most wireless data is secure (encrypted), but data are almost never encrypted entirely from start to end-point.
► That makes data susceptible to “man-in-the-middle”.
► If computer on either end is compromised, then encryption keys can be stolen, as well as data.
► Some magnetic things can be sensed from a distance.
► Some companies have helped NSA get past their own encryption technology.


Wireless Data and Encryption

Snoopy Drone: Can move around and pinch data from your smart phone or tablet without you even being aware of what’s happening.

Which is scarier?

The fact that we have the technology to do this?

The fact that the manufacturer shows it openly and has demonstrated its abilities to the media?


Social Networks

(Or How to be Stupid With a Lot of Company)

The NSA is able to access most using “back door” technique.

Digital wiretapping is easy and allows access to every keystroke.

Most photos from phones are now geo-tagged.

Just assume that everyone has (or will have) access to everything you do on a social site.

Also assume that anything you give anyone will eventually be uploaded to a social site for everyone’s access.


The Future: Option-1

We allow technology to continue without data boundaries, never completely aware of what data are collected, how they are collected, or how they are used. We allow consumer reactions to provide controls.

There are lots of companies that remove consumer reactions!


The Future: Option-2

We get more alert and aggressive with our understanding and react quickly to create boundaries.

► This is absolutely necessary, but not enough.
► This would be entirely reactive, not proactive.
► Consumers rarely have the complete picture.
► Example: The new iPhone has a million permission switches for your phone apps.

That looks good for Apple, but do you really know what the phone is doing?


The Future: Option-3

We begin to anticipate the direction of data collection and use, and we create the boundaries before technology arrives at those points.

► Can we make laws that require data reporting, perhaps including data licensing and annual reports, similar to the SEC?
► Can we make laws that limit the type of data collected based on its eventual purpose?

Both of the above ideas would rely on very heavy consequences for violations, including government agencies.

We need to carefully define data ownership at the source, and “data theft.”


The Perfectly-secure Computer