Juha Saarinen is a tech blogger for nzherald.co.nz.

Juha Saarinen: Data hoarding comes back to bite us

"Data should be seen as a liability as well as an asset". Photo / Getty Images

IT security experts are currently debating whether the shadowy Equation Group, a digital attack squad that's been linked to the United States National Security Agency (NSA), was itself hacked recently.

Not just hacked, but the Equation Group's malware, exploits, remote access tools and other "cyber weapons" used for network intrusion, surveillance and sabotage might have been stolen in the attack.

The Shadow Brokers, as the hackers call themselves, appear to have an activist motive: to create awareness around the weaponised exploits stored in US spy agency computers. These are flaws, bugs and mis-features that should be reported to software and hardware vendors so that they can be fixed.

Instead, they're stored by the spy agency, to be used offensively.

The hackers are now trying to auction off the collection of tradecraft tools, asking a whopping one million Bitcoin for them, or just over NZ$786 million at the current exchange rate.

Whether or not the hackers broke into the Equation Group computers, it does beg the question of whether it's sensible for any government agency to store malicious computer tools.

It's a safe bet that at some stage a mistake or an unforeseen security slip-up will see to it that the hacking tools leak out into the hands of people who really shouldn't have them.

This has happened before, when Italian spyware vendor The Hacking Team was "popped open" and its malware taken and posted on the web.

It'll happen again, and when it does, bad things will happen. Much of the offensive software that'll leak will target vulnerabilities which are new and not known. That means there won't be a defence against new malware created to hit such weak spots.

Storing new and dangerous malware is obviously a bad idea, but in the age of Big Data and info analytics by infinitely scalable cloud computing there's potential for misuse of almost any type of stored records.

Australia's government statisticians are once again in the limelight over that particular issue, after the disastrous Census 2016 fiasco on August 9, the first time the population and housing count would be done electronically.

This year, the ABS decided to change its policy for the Census, and asked Australians for their names and addresses. These are tied to the information that people put on the Census forms, which are mandatory to fill out on pain of large fines.

While the ABS and the government promised that the census data would be safe and "de-identified", experts are now poking holes in that statement.

Names of individuals in the census will be obfuscated using so-called Statistical Linkage Keys (SLKs), which can be used across multiple data sets, such as the massive medical data set released recently, with all sorts of sensitive personal health information like doctors' visits, illnesses, mental health problems and more.

The idea is that the more data sets you can link and compare, the greater the insight.

That's certainly true, but the problem is that the SLKs aren't particularly secure, and can be deciphered to reveal the names of the people the records refer back to. Plus, their birthdates and gender.

That means the census information combined with other data sets is a gold mine for health insurers, who will sift through large amounts of information to find that one little excuse not to pay out on policies.

Scientists who've in the past had to battle ethics committees and get the express permission of the people they needed for human research could be tempted to bypass that rigmarole to speed things up.

Blackmailers, violent ex-spouses and, yeah, journalists too, wanting to puzzle together the lives of, for instance, the politicians who decided to carelessly release large amounts of sensitive and badly protected data, could also have fun here.

Risking the wrath of historians and other researchers, it's just not safe anymore to store sensitive data for any longer than required. We also need to assess the impact of multiple large data sets being used together: what will be revealed, and how can it be used?

As one security expert put it, "data should be seen as a liability as well as an asset", meaning anyone storing it really needs to be a custodian of information and not just a miner of it - and we probably need a good few court cases here, to make it clear that our privacy really does matter, and carelessness around that will really cost.

- NZ Herald

Juha Saarinen is a technology journalist and writer living in Auckland. Apart from contributing to the New Zealand Herald over the years, he has written for the Guardian, Wired, PC World, Computerworld and ITnews Australia, covering networking, hardware, software, enterprise IT as well as the business and social aspects of computing. A firm believer in the principle that trying stuff out makes you understand things better, he spends way too much time wondering why things just don’t work.

© Copyright 2017, NZME. Publishing Limited
