OWASP_Day1_Bregolin

Privacy in the Digital Era
Mauro Bregolin
Principal Consultant, KIMA P.S.
mauro dot bregolin < at > kimaps dot com
OWASP-Day
Università La Sapienza
Rome
10th September 2007
Copyright © 2007 - The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License.
The OWASP Foundation
http://www.owasp.org
Agenda
 Who am I
 Purpose of the presentation
 What do we mean by “Privacy”?
 Brief reminder on categories of personal data
 Personal data life cycle
 Threats to privacy
 (Example of) legislative efforts to define and guarantee privacy
 (Example of) technical efforts contributing to ameliorate privacy
 Conclusions and final remarks
OWASP-Day – La Sapienza, 10th Sep 07
OWASP Italy
Who am I
 Principal Consultant at KIMA Projects & Services
 Currently involved with security assessments at large
     “Traditional” V.A., pentest
     Application Assessments
     Threat & Risk Assessments
     PCI Qualified Security Assessor
     PCI Payment Application Security Professional
 Dealing with security since 2000, formerly in firms such as ISS
 In the IT field since the early ‘90s
 Coming from a “traditional” software development background
 Small independent security company
 Dealing with ICT Security Assessments
     ICT Infrastructure (networks, systems, data, ...)
     Triple/Quadruple Play (voice-video-data-wireless) Infrastructure
     SW Applications and HW/FW/SW Products
     PCI DSS
     BS7799 - ISO17799 – ISO27001
     ITSEC / Common Criteria (ISO15408)
     D.Lgs. 196/2003
     Threat & Risk Assessments
 Security Policy definition
Purpose of the Presentation
 Privacy is a hot topic.
 It is getting more and more complex, and is sometimes hazy.
Boundaries aren’t always well defined.
 When dealing with security, usually privacy appears indirectly.
Do we understand the implications of 21st-century life on privacy?
We will try to shed some light on this topic, in order to understand existing
threats, and possibly devise counter measures.
One thing seems clear beforehand: our privacy is heavily threatened...
Privacy – What is it?
It appears hard to precisely define what we mean by privacy.
Quoting Wikipedia,
 Privacy has no definite boundaries and it has different meanings for
different people.
 Different cultures, owing to their own traditions, may react differently to
privacy issues or have different expectations.
 It is the ability of an individual or group to keep their lives and personal
affairs out of public view, or to control the flow of information about
themselves.
Personal Data Taxonomy
Italy’s Personal Data Protection Code (D.Lgs 196/2003) defines personal
data as “any information relating to natural or legal persons, bodies or
associations that are or can be identified, even indirectly, by reference
to any other information including a personal identification number”.
Undue knowledge of personal data may cause adverse financial
implications (and other abuses as well).
D.Lgs 196/2003 recognizes also the following categories of personal data
which appear to be more critical:
 Sensitive data
 Judicial data
Sensitive Data
Sensitive data is defined by D.Lgs 196/2003 as:
“personal data allowing the disclosure of
 racial or ethnic origin,
 religious, philosophical or other beliefs,
 political opinions, membership of parties, trade unions,
 associations or organizations of a religious, philosophical, political or
trade-unionist character,
 as well as personal data disclosing health and sex life.”
Simplifying: personal data whose misuse may have far-reaching implications...
Such information requires, by law, more stringent handling.
On the Origins of Privacy...
Technically (though this may seem far-fetched) privacy has existed since the
advent of writing and the appearance of the first records, such as
documents representing contracts.
Personal Data Life Cycle - 1
Personal information is created on the occasion of many events:
 Shortly after we are born (for example, the Italian Codice Fiscale)
 When our public records are modified or we submit new ones
     Change of residence, of marital status, ...
     Tax filing
     ...
 ATM money withdrawal, electronic payments, financial transactions
 When we use technologies such as
     Telephones, cameras, video recorders...
     Internet (just browsing, not to mention subscription to new services)
 (Often unknowingly) surveillance systems
 ...the list goes on...
Personal Data Life Cycle - 2
During its lifetime, each piece of information
 may or may not be subject to some form of obsolescence
     Access to (the same) broadcast news tends to zero after a short time
     Newspaper copies tend to disappear or degrade in quality, though they remain
     accessible in dedicated archives
     Data in electronic format, however, tends to persist
 May exist in (multiple) backup copies
 Could be copied / duplicated to other archives
 Could be made accessible via different media
     Appearance of digital newspapers; in general, new services appear continuously
     Recorded as podcasts
     YouTube...
Personal Data Life Cycle - 3
Finally, personal data may
 be designed not to expire as long as we live
     for example, the Italian Codice Fiscale
 be temporary in nature
     records may be “old”: for example, an old bank account number, a past
     telephone conversation, ...
     records linked to a service (bank, utilities, etc.) may make sense as long as such
     service is still operational
For the latter we may (or may not) have an expectation that such data will
eventually be disposed of.
Disposal may not be immediate, for example due to legislative
requirements (e.g., phone call records).
Data Retention
 Guaranteeing appropriate retention of personal data is of the
utmost importance
 It means that personal data won’t linger around longer than necessary
 Retention requirements are usually defined in privacy laws
 Some legislations adopt stricter views than others...
     Example: video data recorded by surveillance cameras can be kept only for a very
     short time period (in Italy)
...If retention periods are not regulated, data tend never to be deleted,
regardless of any need to use them!
Directive 2006/24/CE
Defines retention requirements for
“data generated or processed in connection with the provision of
publicly available electronic communications services or of public
communications networks”
Such data can be “retained for periods of not less than six months and not
more than two years from the date of the communication”.
To be adopted by EU Member States no later than 15 September, 2009.
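The retention rules on this and the previous slide can be enforced mechanically. The following is an added example (not code from the talk or from any regulator): it classifies records into keep / dispose / unregulated buckets against a per-category policy. The categories, the periods, the sample records and the talk-date constant are constructed or assumed; the only figure taken from the slides is the Directive's “not less than six months and not more than two years” window, approximated here as 180 and 730 days. Records whose category has no policy are flagged rather than silently kept, which is exactly the failure mode the previous slide warns about.

```python
"""Retention enforcement over a record store (added example, not from the
original slides).  Categories, periods and the records are constructed;
the only figure taken from the slides is the Directive 2006/24/CE window
of "not less than six months and not more than two years".
"""
from dataclasses import dataclass
from datetime import date

# Approximation of the Directive's window: 6 months ~ 180 days, 2 years = 730 days.
DIRECTIVE_MIN_DAYS = 180
DIRECTIVE_MAX_DAYS = 730

# Category -> maximum age in days; None means "keep while the linked
# service is operational".  All values here are ASSUMED for illustration.
RETENTION_DAYS = {
    "cctv": 7,                 # assumed short window for surveillance video
    "telecom_traffic": 365,    # assumed national choice inside the Directive's window
    "account": None,           # service-linked data
}

TALK_DATE = date(2007, 9, 10)  # "today" for the sample run


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    created: date
    service_active: bool = True


def policy_within_directive(days):
    """True if a telecom-traffic retention period respects the Directive's window."""
    return DIRECTIVE_MIN_DAYS <= days <= DIRECTIVE_MAX_DAYS


def classify(rec, today):
    """Return 'keep', 'dispose' or 'unregulated' for one record."""
    if rec.category not in RETENTION_DAYS:
        # No policy defined: flag it rather than keeping it forever by default.
        return "unregulated"
    limit = RETENTION_DAYS[rec.category]
    if limit is None:
        return "keep" if rec.service_active else "dispose"
    return "dispose" if (today - rec.created).days > limit else "keep"


def apply_retention(records, today):
    """Split record ids into the three buckets; disposal itself is left to the caller."""
    buckets = {"keep": [], "dispose": [], "unregulated": []}
    for rec in records:
        buckets[classify(rec, today)].append(rec.record_id)
    return buckets


# Constructed sample records (dates chosen around the talk's date).
SAMPLE_RECORDS = [
    Record("cam-001", "cctv", date(2007, 9, 1)),
    Record("cam-002", "cctv", date(2007, 9, 8)),
    Record("cdr-001", "telecom_traffic", date(2006, 1, 15)),
    Record("cdr-002", "telecom_traffic", date(2007, 6, 1)),
    Record("acct-001", "account", date(2001, 3, 3), service_active=False),
    Record("acct-002", "account", date(2005, 5, 5)),
    Record("misc-001", "legacy_export", date(1999, 12, 31)),
]

if __name__ == "__main__":
    for bucket, ids in apply_retention(SAMPLE_RECORDS, TALK_DATE).items():
        print(f"{bucket:12s} {ids}")
```

Run as a script it prints the three buckets; in a real deployment the “dispose” list would feed the deletion job and the “unregulated” list would go to whoever owns the retention policy.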
Difficulties Related to Data Retention
 Guaranteeing appropriate data retention may be laborious.
 Digital information tends to persist forever (it exists until it is
explicitly deleted!)... also on discarded media.
 Information exists in (possibly multiple) backup copies as well.
 Information may be copied and replicated; extracted and used by third
parties (a problem made worse by the web).
 An example of the latter are search engines (and their caches).
 Other examples include mirror sites, temporal mirrors, quotations, etc.
 It may be difficult to selectively remove personal information from the
web
Threats
Classically categorized according to CIA requirements violations:
 Confidentiality
 Integrity
 Availability
Usually, when privacy is at stake, we are more interested in confidentiality
issues.
Even when there are other consequences, the initial violation often regards
confidentiality (e.g., disclosure of personal information leads to abuses,
such as frauds).
Another Threat Categorization
Or, a different way to understand how our data can be threatened...
 Abuses of functionality or of usage policy
Services can be misused even in the absence of vulnerabilities!
 Attacks at large
< ...your favorite attack or scam here >
 Google hacking
The mere existence of the Internet is a dangerous fact!
 Failure to comply with best practices
This seems obvious...
 ...
Functional & Policy Service Abuses
 Every service should specify its own expected “usage policy”
 Sometimes this is not the case, or policies are sketchy at best
 If services are not designed properly, functional abuses may occur:
     Output pages not limiting the result set size
     (Too) powerful querying capabilities; for example, SQL “LIKE” semantics
     Vulnerabilities such as SQL Injection make it worse
     Information scraping techniques
     Large scale, programmatic abuse of operations such as data querying or creation
     of users (here CAPTCHA tests may come in handy to curb this abuse)
...even if a service returns public information, it may not be appropriate to
allow fetching unlimited information, or performing arbitrary queries
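The design points above (bounded result sets, restrained LIKE semantics, parameterised SQL, throttling of programmatic abuse) fit together in one lookup handler. This is an added example and not code from the talk: the `members` table, its rows, the page cap, the minimum term length and the rate limit are all constructed or assumed values. Note how the user's term is escaped before `%` is appended, so a client cannot turn a prefix search into a dump of the whole table, and how the clock of the rate limiter is injectable so the throttle can be tested deterministically.

```python
"""Bounded, parameterised lookup service with a per-client rate limit
(added example, not from the original slides).  The members table, its
rows, the caps and the rate limit are constructed/assumed values.
"""
import sqlite3
import time

MAX_PAGE_SIZE = 20                   # assumed hard cap on rows per response
MIN_TERM_LENGTH = 3                  # assumed: refuse empty or near-empty search terms
RATE_LIMIT, RATE_WINDOW = 10, 60.0   # assumed: 10 queries per minute per client


def build_db():
    """Constructed in-memory table standing in for a public directory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (id INTEGER PRIMARY KEY, name TEXT, city TEXT)")
    conn.executemany("INSERT INTO members (name, city) VALUES (?, ?)",
                     [(f"Person {i:03d}", "Rome" if i % 2 else "Milan") for i in range(100)])
    conn.commit()
    return conn


def escape_like(term, esc="\\"):
    """Neutralise LIKE metacharacters so user input cannot widen the match."""
    return (term.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))


class RateLimiter:
    """Sliding-window counter; the clock is injectable for deterministic tests."""
    def __init__(self, limit, window, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self.hits = {}

    def allow(self, client):
        now = self.clock()
        recent = [t for t in self.hits.get(client, []) if now - t < self.window]
        if len(recent) >= self.limit:
            self.hits[client] = recent
            return False
        recent.append(now)
        self.hits[client] = recent
        return True


class LookupService:
    def __init__(self, conn, limiter):
        self.conn, self.limiter = conn, limiter

    def search(self, client, term, page=0):
        if not self.limiter.allow(client):
            return {"status": "rate_limited", "rows": []}
        if len(term) < MIN_TERM_LENGTH or page < 0:
            return {"status": "rejected", "rows": []}
        pattern = escape_like(term) + "%"      # prefix match only, no leading wildcard
        cur = self.conn.execute(
            "SELECT name, city FROM members WHERE name LIKE ? ESCAPE '\\' "
            "ORDER BY id LIMIT ? OFFSET ?",
            (pattern, MAX_PAGE_SIZE, page * MAX_PAGE_SIZE))  # bound parameters, never concatenated
        return {"status": "ok", "rows": cur.fetchall()}


if __name__ == "__main__":
    svc = LookupService(build_db(), RateLimiter(RATE_LIMIT, RATE_WINDOW))
    print(len(svc.search("demo", "Person")["rows"]), "rows on page 0")
    print(svc.search("demo", "%%%")["rows"], "<- wildcards are escaped, nothing matches")
```

Paging with `LIMIT`/`OFFSET` still lets a patient client walk the whole table page by page; the rate limiter is what turns that into a slow, observable activity instead of a one-shot scrape, and the page cap keeps any single response small.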
Functional Limitations Detrimental to
Privacy
Most services on the web require you to sign up for an account.
This is usually not a big problem, since accounts are often given for free.
You usually give away a few pieces of personal information.
But... How many services do you know of where you can deregister
yourself with the same ease? Meaning:
 Your account is deleted and no longer accessible
 Possibly, your existing personal information at that entity is (securely)
disposed of
Attacks
These are the usual “hacker-style” attacks...
Usually exploiting vulnerabilities:
 in infrastructure, or middleware (less common nowadays)
 in (web) applications: XSS, SQL Injection, CSRF, ...
 but also in other devices (SmartPhones... Home Access Gateways...)
or techniques involving social manipulation:
 classic social engineering
 phishing
 SPAM
or a blend of the two.
Google Hacking
What is it?
According to Wikipedia, “the art of creating complex search engine queries
in order to filter through large amounts of search results for information
related to computer security”.
So Google hacking techniques can be leveraged to spot vulnerable
sites/applications, which brings us back to the “Attacks” case.
Actually Google hacking can go further than that, and be used to gather
information pertaining to personal security, i.e. to privacy.
Google Hacking – A Simple Example
Automating email address harvesting
One of many techniques available...
More on Google Hacking
You may refer to Johnny Long’s presentations to appreciate numerous
examples regarding critical personal information available on the web:
 Obviously, emails
 School grades
 Personal information including address and SSN
 Bank account numbers
 Bank loan information
 Credit card numbers... Including CVV codes!
...as well as techniques to perform real hacking!
Google victim of Google hacking itself
WHID 2007-27: Files From Google On the Streets
# Database stuff
DBDriver = <driver>
DBUrl = <JDBC url>
DBLogin = root
DBPassword = <6 characters, and uses ONLY one alpha and one digit>
...Google doesn’t apply security best practices and falls prey to its own
powerful search engine!
Source: www.webappsec.org
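The incident above is a configuration file with database credentials sitting inside a web-served tree, found by a crawler before anyone inside noticed. A defender can run the same search internally first. The following scanner is an added example (not code from the talk or from the WHID report): it walks a directory, looks for property-style lines carrying credential keys (the key names follow the snippet on the slide, the rest of the list is assumed) and reports them with the value masked, so the scanner's own output is not a second leak. The sample web root and its contents are constructed.

```python
"""Find configuration files under a web-served directory that carry
database credentials, before a crawler indexes them (added example, not
from the original slides or the WHID report).  The key names follow the
snippet on the slide; file names and contents below are constructed.
"""
import os
import re
import tempfile

# Property-style lines that typically hold credentials (assumed list)
CREDENTIAL_LINE = re.compile(
    r"^[ \t]*(DBPassword|DBLogin|DBUrl|password|passwd|secret|api[_-]?key)[ \t]*[=:][ \t]*(\S+)",
    re.IGNORECASE | re.MULTILINE)
MAX_BYTES = 256 * 1024        # assumed cap: configs are small, skip huge files


def mask(value):
    """Report only the first character so the scanner's own output is not a leak."""
    return value[:1] + "*" * (len(value) - 1)


def scan_file(path):
    with open(path, "rb") as fh:
        data = fh.read(MAX_BYTES)
    if b"\x00" in data:                      # binary file, not a text config
        return []
    text = data.decode("utf-8", errors="replace")
    return [{"path": path,
             "line": text.count("\n", 0, m.start()) + 1,
             "key": m.group(1),
             "value": mask(m.group(2))}
            for m in CREDENTIAL_LINE.finditer(text)]


def scan_webroot(root):
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            findings.extend(scan_file(os.path.join(dirpath, name)))
    return sorted(findings, key=lambda f: (f["path"], f["line"]))


def build_sample_webroot():
    """Constructed web root: one leaked properties file, one clean page, one stray note."""
    root = tempfile.mkdtemp(prefix="webroot-")
    files = {
        "conf/app.properties": "# Database stuff\nDBLogin = root\nDBPassword = changeme1\n",
        "index.html": "<html><body>Hello</body></html>\n",
        "notes.txt": "todo\npassword: hunter2\n",
    }
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for f in scan_webroot(build_sample_webroot()):
        print(f"{f['path']}:{f['line']} {f['key']} = {f['value']}")
```

Point `scan_webroot` at the real document root (and at backup or staging copies of it) as a periodic job; every hit is either a file that should not be served at all or a secret that now needs rotating.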
Identity Theft
Over 670,000 consumer fraud and identity theft complaints in 2006 (U.S.)
Of these, 34% were identity theft complaints
Overall losses of more than $1.1 billion; median loss of $500
(Source: FTC)
A Few Real-Life Examples
 What follows is a short list of known compromises which put at risk
personal data, gathered from public records.
 The list has been composed by selecting incidents which we believe
may be instructive in showing some of the many different threats
 No claim is made regarding the relevance of such compromises (in
terms of damages, losses, number of people affected, ...); however,
some of them stand out for their sheer magnitude.
 Unfortunately, the possibilities are almost endless.
 The magnitude of security incidents seems to know no bounds, and is
likely to increase.
Lack of or Improper
Authentication/Authorization
WHID 2007-35: Data lapse involved 51,000 at a hospital
Source: www.webappsec.org
“In a classic case of lack of proper separation between the production and
development sites, an application under production with lack of proper
authentication and authorization was installed on a hospital's public web
site, enabling anyone to query a database of 51,000 names, addresses
and social security numbers.”
XSS for real?
We may think that all those application vulnerabilities don’t affect real
corporate applications but only sleazy websites... or not?
WHID 2007-32: XSS vulnerability on various German online banking sites
From the advisory we gather that:
Online banking software used by multiple subsidiaries of Sparkassen-Finanzgruppe
(a group with a transaction volume of over 3,300 billion
euro) is vulnerable to XSS. An attacker may gather login data via this
vulnerability.
Dangers of the Internet (1)
The Internet is dangerous simply because it’s there.
WHID 2007-16: USDA admits data breach, thousands of social security
numbers revealed
Details about 63,000 loans granted to farmers by the USDA (the US
Department of Agriculture) were posted online by mistake.
Sensitive data is unknowingly made available on the Internet, and shortly
afterwards it becomes accessible via queries to search engines... At this
point it may be already too late
Dangers of the Internet (2)
WHID 2007-04: College glitch avails student information to public
“A student at a community college in Sacramento who was "Googling"
himself found disconcerting information when he typed his name into
the popular Internet search engine.
A database from Los Rios Community College District popped up that
included his name, birth date and Social Security number. The file also
contained data about more than 2,000 other students.”
"We didn't think the information was open to Google," said a
spokeswoman for Los Rios schools. "It was a shock to learn they were
able to do it."
California reports massive data breach
SecurityFocus, 2004-10-19
“The FBI is investigating the penetration of a university research system
that housed sensitive personal data on a staggering 1.4 million
Californians who participated in a state social program, officials said
Tuesday.
The compromised system had the names, addresses, phone numbers,
social security numbers and dates of birth of everyone who provided or
received care under California's In-Home Supportive Services program
since 2001.
The intruder used a known vulnerability to crack the university system on
August 1st, but wasn't detected until August 30th.”
California's anti-identity theft law “SB1386”
Requires companies and state agencies to inform Californians of any
security breach in which such personal information is "reasonably
believed to have been" compromised.
In cases involving over 500,000 people, the organization can warn the
potential victims en masse through a website posting and by alerting
the media.
How much data is out there? (And ...why?)
“Hackers have gained access to databases at the University of California,
Los Angeles (UCLA), making off with the personal information of
800,000 current and former students, employees, and faculty.
The breach first occurred in October 2005 but was not detected until
November 2006, when it was blocked.”
Worrisome questions... Part 1
1. Are our data safe? It seems this is not always the case.
2. We DO know when there is a security problem, don’t we?
Er, well... eventually...
How much data is out there? (And ...why?)
“…The database even contained information on applicants who did not
attend UCLA as well as parents of applicants seeking financial aid, going
back as far as a decade.
UCLA’s CIO did not explain why the university had so much information
and held it for so long.”
Worrisome questions... Part 2
1. The amount, and the variety, of recorded information is staggering.
2. How long that data persists may not always be clear. In the worst
case, it is going to be there virtually forever... Simply because nobody
wipes it out.
Policy violations (and weak enforcement)
SecurityFocus, 2006-05-22
“... a database containing sensitive information about veterans and their
families had been stolen, after an employee violated policy and brought
the data home. The agency discovered the violation of policy after the
employee's home was burglarized.
The database contained the names, social security numbers and dates of
birth of as many as 26.5 million veterans and their families.”
Causes
1. Security policy violation and weak policy enforcement
2. Lack of encryption
Massive credit-card breach
SecurityFocus, 2005-06-17
“Data thieves breached the systems of credit-card processor CardSystems
Solutions and made off with data on as many as 40 million accounts
affecting various credit-card brands.
The breach is the largest data leak to date, potentially affecting one out of
every seven credit cards issued in the U.S., according to MasterCard
estimates.”
Scary thought
As the average database size increases, so does the potential magnitude of
a security breach.
Backup tapes security
SecurityFocus, 2005-04-28
“Trading firm Ameritrade acknowledged that the company that handles its
backup data had lost a tape containing information on about 200,000
customers.”
“In many cases, low paid workers are handling sensitive tapes, but only a
small fraction of companies are securing the data with encryption.”
Scary thoughts
1. In how many copies is data related to ourselves living?
2. Is it adequately protected?
3. Is it properly handled?
4. Is it appropriately deleted and/or destroyed?
Failure to Delete Data
What happens to storage media when they are replaced or discarded?
Is the data stored there securely wiped out first?
Well, not always...
A study by Garfinkel (2004) reveals that on a set consisting of more than
150 hard drives acquired on eBay and offline sales, it was possible to
recover data from 64% of the drives. Some of the data recovered:
 3,722 credit card numbers
 Bank account numbers, access dates, account balances, and even ATM
software from a hard drive used in an ATM machine in Illinois
 Memos about corporate personnel issues
 Email messages
 Pornography
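Garfinkel's drives were recoverable because deletion only removes the directory entry and leaves the blocks in place. The routine below is an added example (not code from the talk or from the study): it overwrites a file in place, with a random pass followed by a zero pass, reads the result back to confirm every byte is zero, and only then unlinks the file. The sample file and its fake records are constructed. The docstring carries the caveat that matters in practice: on SSDs with wear levelling, on journaling or copy-on-write filesystems and wherever snapshots or backups exist, in-place overwriting does not reach the old blocks, and the reliable disposal path is full-disk encryption with key destruction, or physical destruction of the media.

```python
"""Overwrite-then-unlink disposal for a file on magnetic storage, with a
read-back check (added example, not from the original slides or from
Garfinkel's study).  Paths and contents are constructed.
"""
import os
import tempfile

CHUNK = 64 * 1024


def overwrite_in_place(path, passes=2):
    """Overwrite every byte of the file: random data first, then zeros.
    Returns True if the final read-back contains only zeros.

    Caveat: this only helps on media that rewrite in place.  SSDs with
    wear levelling, journaling or copy-on-write filesystems and snapshots
    may keep the old blocks; there, rely on full-disk encryption and key
    destruction, or physical destruction of the media.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for p in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                fh.write(os.urandom(n) if p < passes - 1 else b"\x00" * n)
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())       # push the pass to the device, not just the cache
        fh.seek(0)
        verified = all(chunk == b"\x00" * len(chunk)
                       for chunk in iter(lambda: fh.read(CHUNK), b""))
    return verified


def wipe_file(path, passes=2):
    """Overwrite, verify, then unlink.  Returns True only if both steps succeeded."""
    if not overwrite_in_place(path, passes):
        return False
    os.remove(path)
    return not os.path.exists(path)


def make_sample_file(contents=b"name;ssn\nJane Doe;000-00-0000\n" * 2000):
    """Constructed file of fake personal records to dispose of."""
    fd, path = tempfile.mkstemp(suffix=".csv")
    with os.fdopen(fd, "wb") as fh:
        fh.write(contents)
    return path


if __name__ == "__main__":
    sample = make_sample_file()
    print("wiped:", wipe_file(sample))
```

The read-back step is what distinguishes a disposal procedure from a hopeful one: a `False` return means the data must be treated as still present, and the media handled accordingly.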
Is it an Intractable Problem?
 Staggering amount of data... and ever increasing
 Difficult to track data around
 Data tend to become dispersed in multiple copies
     Plethora of DBMS involved
     Site mirroring
     Test data taken from production (hey, it should be sanitized! ...is it?)
     Backup copies, discarded media, ...
 Behind-the-scenes inter-company personal data sales or exchanges
     This topic is dealt with, for example, by the Italian privacy law
 Multiple channels/technologies involved with data generation, storage,
transmission and consumption
...Where is “my” data? (Storage and origin)
 “Databases” (real DBMS, files, ...)
 Logs – may contain personal information too
 In transit along wires, intermediate systems, on the air (WiFi, GSM...)
 Backup media (tapes, CDs, DVDs, USB keys...)
 Payment systems & related (POS, ATM, ...)
 VOIP conversations
 Email
 Web-accessible content: text, rich formats, digital newspapers, blogs,
podcasts, pictures, videos, ...
 Phones
 (Video, radio, ...) surveillance systems
 RFID
RFID Implants
August, 2007
Mandatory RFID implants in humans will be illegal in California.
According to the new legislation, employers cannot require workers to
have identification devices implanted under their skin. Such devices can
be used to identify people.
The measure has been proposed after at least one company began
marketing radio frequency identification devices for use in humans.
Efforts to Protect and Control Privacy
...so, is it possible to defend privacy at all?
We may broadly distinguish two categories of such efforts
Legislative efforts
 Privacy Laws
 One example: Italian Personal Data Protection Code
“Technical” efforts
 Standards or other technical works
 One example: The Payment Card Industry Data Security Standard (PCI-DSS)
Italy – D.Lgs 196/2003
Key aspects
 Differentiates data handling depending on characteristics
     personal data, sensitive data, judicial data...
 Some data handling must be notified to the “Garante della Privacy”, e.g.
     Genetic, biometric, or data disclosing geographic locations of individuals
     Data disclosing health and sex life
     Data in connection with creditworthiness, [...] and unlawful/fraudulent conduct
 Defines “minimum security requirements” which must be met
     Annex B defines low-level technical requirement details (such as minimum
     password length, password lifetime, etc.)
 Recognizes that security is an on-going process
 Takes risk into account
Italy – D.Lgs 196/2003
The Code of Protection identifies a set of minimum security measures
required to process personal data by electronic means:
 use of authentication & authorization
 authentication credentials management procedures
 regular update of the definitions of scope of processing operations
(“trattamenti dei dati”)
 data and system protection measures
 backup & recovery
 keeping an up-to-date security policy document (“documento
programmatico sulla sicurezza”)
 use of encryption for specific processing (health, sex life data)
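The “authentication credentials management procedures” item is the one most easily turned into a recurring check. The following audit is an added example, not code from the talk and not a transcription of the Code: the numeric thresholds in `POLICY` are assumed placeholders, to be replaced by the values actually in force for the processing at hand, and the accounts are constructed. Note that the check works on the recorded length of the password at the time it was set, never on the password itself, and that an account processing sensitive data is held to a shorter password lifetime.

```python
"""Credentials-management check in the spirit of the minimum measures
listed above (added example, not from the original slides; the numeric
thresholds are ASSUMED policy values, not figures quoted from the Code
or its Annex B).  Accounts below are constructed.
"""
from dataclasses import dataclass
from datetime import date

# Assumed policy thresholds, to be replaced by the values in force.
POLICY = {
    "min_password_length": 8,
    "max_password_age_days": 180,             # ordinary personal data
    "max_password_age_days_sensitive": 90,    # processing of sensitive data
    "disable_after_unused_days": 180,
}

TALK_DATE = date(2007, 9, 10)  # "today" for the sample run


@dataclass(frozen=True)
class Account:
    user: str
    password_length: int       # length recorded when the password was set, never the password
    password_set_on: date
    last_used_on: date
    handles_sensitive: bool = False
    enabled: bool = True


def violations(acct, today, policy=POLICY):
    """List the policy rules this account breaks (empty list = compliant)."""
    problems = []
    if not acct.enabled:
        return problems                        # nothing to enforce on a disabled credential
    if acct.password_length < policy["min_password_length"]:
        problems.append("password_too_short")
    max_age = (policy["max_password_age_days_sensitive"] if acct.handles_sensitive
               else policy["max_password_age_days"])
    if (today - acct.password_set_on).days > max_age:
        problems.append("password_expired")
    if (today - acct.last_used_on).days > policy["disable_after_unused_days"]:
        problems.append("dormant_credential")
    return problems


def audit(accounts, today, policy=POLICY):
    """Map each non-compliant user to its violations."""
    report = {}
    for acct in accounts:
        found = violations(acct, today, policy)
        if found:
            report[acct.user] = found
    return report


# Constructed accounts covering the compliant case and each violation.
SAMPLE_ACCOUNTS = [
    Account("alice", 12, date(2007, 8, 1), date(2007, 9, 9)),
    Account("bob", 6, date(2007, 8, 1), date(2007, 9, 9)),
    Account("carol", 10, date(2007, 5, 1), date(2007, 9, 1), handles_sensitive=True),
    Account("dave", 10, date(2007, 7, 1), date(2007, 1, 15)),
    Account("erin", 4, date(2006, 1, 1), date(2006, 1, 1), enabled=False),
]

if __name__ == "__main__":
    for user, problems in audit(SAMPLE_ACCOUNTS, TALK_DATE).items():
        print(f"{user}: {', '.join(problems)}")
```

Feeding the report into the account lifecycle (forced password change, automatic disabling of dormant credentials) is what makes the measure an on-going process rather than a one-off check.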
D.Lgs 196/2003 – Annexes
The privacy topic is evolving. The Code of Protection is being supplemented by
annexes detailing privacy issues specific to particular environments or
situations.
Processing of personal data
 in relationship with journalism
 for historical purposes
 for statistical and scientific purposes
 with regard to consumer credit, reliability and timeliness of payments
PCI-DSS
 Is a set of comprehensive requirements for enhancing payment account
data security
 Developed by leading payment brands (VISA, MSC, AMEX, ...)
 Now at version 1.1
 Includes requirements for security management, policies, procedures,
network architecture, software design and other critical protective
measures
 Applies to Service Providers and Merchants, depending on their size
 A parallel Standard is dedicated to certifying Payment Applications
 Recognizes the role of vulnerabilities in applications
PCI-DSS contributions to privacy
 Though not directly concerned with privacy, adoption of PCI-DSS
requirements has a positive effect.
 Primarily it should defend us from (some of) the abuses having
financial implications; which are not all, but are surely very relevant to
our lives.
 It is worth observing how PCI-DSS focuses both on technical aspects,
recognized best practices, adoption of security policies, and related
organizational issues.
 In fact, many PCI-DSS tenets make sense regardless of whether they
are applied to cardholder data, since they are more general in nature
(like: appropriate network configuration and protection, removal of
defaults, individual accountability, encryption, vuln. management, etc.).
Further Complications...
If the matter weren’t complicated enough,
consider also the following issues...
 Personal data processing may vary widely among different actors
 Privacy policies may vary as well
 Web sites, services, applications may be subject to different regulations,
which could diverge substantially on their view of privacy
 Cross-border personal data transfer issues
Final Remarks
 Privacy is a complex issue.
 Our perception and understanding of privacy, of its implications and of
potential abuses is likely to increase with the adoption of new
technologies, the flourishing of innovative services, and automation at large.
 Said another way, the common meaning associated with the term privacy
is likely to continue to shift as time goes by.
 The evidence seems to suggest that defending privacy in an information-greedy,
heavily interconnected world is going to be increasingly
complex and difficult.
 In fact, we may expect a progressive erosion of our privacy.
 Our personal data are important. Take care not to needlessly disseminate
personal information; however, this is not enough to protect oneself.
Final Remarks (cont’d)
(For those concerned with handling personal data, such as information
officers, IT staff, etc.)
Privacy may be defended by abiding by privacy laws and security best
practices, and by keeping as little data as possible for the shortest
time possible.
The latter, however, may be in contrast with other (business)
requirements...
The End
<The usual thanks, Q&A slide>