Nothing to hide but plenty I don’t want to share

I’ve had a number of discussions about online privacy,
security and matters of this sort over the past few months.

All too often I’m faced with someone who says “I have
nothing to hide” and who seems to be quite willing to put up with government
invasion of his or her privacy.

I don’t have anything to hide either, but I do keep some
things to myself. I won’t list them but trust me, they’re better off being
conducted behind closed doors with the lights off.

On top of that, I have other things I like to keep private.
My financial matters are nobody’s business but mine and the bank’s. My health
records are likewise quite important to me. Which books I get out of the
library, where I spend my money, who I call and TXT.

As a former journalist the recent spate of attacks on a
reporter’s freedom to do their job irks me. All too often I hear from readers
(or viewers) bemoaning the state of journalism in New Zealand and I tend to
agree. Today I met with an old colleague and we talked about how many of us
there were at Computerworld in its
heyday. We had 11 journalists working on a niche publication – other newsrooms
had far more. Today, the newsrooms have shrunk dramatically, the pay rates are
stagnant and each reporter is expected to churn out more copy with less time to
do it properly.

The one thing a journalist has in his or her favour is the
ability to ask questions and to get answers from people who may not want their
names splashed about the place. Journalists need access and they need privacy
in order to secure the news that quite often someone doesn’t want you to know

Journalism comes in for a lot of flak for its invasive,
intrusive nature and rightly so. I managed to avoid ever having to ask “How do
you feel” or its bedmate, “Will you apologise?” but there are plenty of
journalists who employ such phrases and far worse. I know of at least one who
likes to goad interview subjects to the point of cracking in order to get a more
salacious story and several have been known to deploy much worse tactics in
order to secure a scoop.

But “keeping the bastards honest” is at the heart of any
good journalist’s role. “Afflict the comfortable and comfort the afflicted” is
one of my favourite definitions of the job of journalist (and check out the link to see who said it – oh the irony), but in this case
perhaps there’s a better one: “News is what somebody does not want you to
print. All the rest is advertising.”

It’s vital we have a strong media that can ask questions that
someone somewhere doesn’t want answered. My hat is off to the likes of Lisa
Owen at TVNZ who once served her own organisation with an Official Information
Act request and to Andrea Vance who got the government’s report into the GCSB
ahead of time and ran a story exposing the information before the government
spin doctors had all their ducks in a row.

That’s why privacy, security and our right to know are
inextricably linked. That’s why it’s important we understand how well the
government handles our data, and what limits are put in place, and why it’s
important we understand the GCSB and associated legislation.

These laws give the government security agencies
unprecedented powers of access to our daily lives. I may not have anything to
hide, but I have plenty I don’t want to share and if I do, I want to know it
will be handled with all due care and diligence.

Unfortunately, the government (in various guises) does not
have a good track record on this score. Take a look at this list and then tell
me – do you think we should give the government agencies more access to our

July 2012 – Immigration privacy breach results in staff being fired

March 2012 – ACC spreadsheet debacle

October 2012 – MSD kiosk debacle

November 2012 – Immigration privacy breach

November 2012 – Novopay sends wrong information to multiple

December 2012 – Corrections faxes sensitive data to removals

March 2013 –  Ministry of Environment email breach

April 2013 – EQC privacy breach twice

April 2013 – IRD privacy breach

April 2013 – Ministry of Justice security flaw revealed (and a note from IITP about white hat hackers)

April 2013 – GCSB “Kitteridge report” leaked

May 2013 – WINZ privacy breach 

June 2013 – Peter Dunne resigns

July 2013 – Journalists described as “subversion” threat to New
Zealand Defence Force

July 2013 – Andrea Vance’s access records handed to PM’s investigator

July 2013 – Andrea Vance’s phone records handed to PM’s
 (and here’s a very good time line of events from Dylan)

August 2013 – Govt admits SIS has a “special protocol” for
spying on journalists

Sundry other “minor” breaches that involved only one or two people’s private information.

The Privacy Commissioner’s annual report last year includes this quote from Marie Schroff and it’s worth repeating here: 

“The public sector can’t afford to be complacent. It’s quite clear that agencies holding large amounts of personal information need to place greater value on that information asset.

“They need to develop strong leadership and a culture of respect for privacy, as well as day to day policies and practices to provide trustworthy stewardship of our personal information at every level of the organisation.

“There has been far too little focus on the fact that there are real people behind the masses of information that government agencies hold.”


GUEST POST: More on PBX security

Those of you with an attention span will remember we talked about PBX security a little while ago and Ben and I had quite a good discussion both in the comments and on Twitter about how important it all is.

Ben blogged on it and kindly allowed me to cross-post it here. Check out more from Ben at his blog.

A couple of weeks ago Paul Brislen posted a really good post on the TUANZ blog about PABX security. It seems some criminals had used a local companies phone system to route a huge number of international calls, leaving them with a colossal ($250k!) phone bill. These attacks are increasing common, and I have heard a number of similar stories.

Phone systems increasingly rely upon IP connectivity and often interface with other business processes, putting them in the domain of IT. But even if your PABX is from 1987 (mmm beige) and hasn’t been attacked yet, doesn’t mean it won’t be.

Both Telecom NZ and TelstraClear NZ have some good advice to start with, and you might find your PABX vendor can also give expert advice. Unfortunately many PABX systems are insecure from the factory, and a number of vendors don’t do a great job with security.

In a previous role I ended up managing several PABX systems spread across multiple sites, and learnt a few lessons along the way. Here are a few tips to get you started:

Have a single point of contact for phone issues – make it easier for users to change passwords, and get questions answered.
Educate your voicemail users, and work with them to use better passwords. Avoid common sequences like 0000, 1234 etc.

Document all the things! Make sure any company policies are documented and available (think about mobile phones etc too). Putting basic manuals on your intranet can really help new users.

Even if you outsource management of the phone system, make sure someone in your organization is responsible for it. And make sure this person gets more money!

Create calling restrictions, and put appropriate limits on where each line can call. If a line is only used for calls to local, national, and Australian numbers then that is all they should be able to call (don’t forget fax/alarm lines). Whatever you do, make absolutely sure that 111 (emergency services) works from all lines.

Standardise as many things as you can. Look at setting up system-wide call bars. Blocking 0900 numbers is a good start, and if no one will ever call Nigeria, it is a good idea to bar it. Make sure these settings are part of your standard config for new/moved sites.

Work with your vendor to ensure any root/master/service/vendor passwords are complex and unique. I have seen a vendor use the same service password everywhere, until a crafty hacker cracked it and then attacked many systems. Also talk to your vendor about a maintenance contract, and ensure they will install security updates in a timely manner. Restrict any remote service access where possible.

If you use auto attendants or phone menus, make sure they are secured too. Remove any option to dial through to an extension unless you are absolutely sure it is secure.

If you have multiple sites make sure that only appropriate calls can be routed between sites. Some phone hackers have been known to abuse site-site connections to work around restrictions.

If you have lots of sites, you may not always have control over the PABX, so work with your telco and have them restrict international calls as appropriate. Put this in your contract so it happens by default when you add/move sites.

If you have a mix of PABX systems/vendors at different sites, things can get very complicated and expensive, very quickly. Work on reducing the complexity.

Practice good IT security. Most PABX’s from the last 10+ years are Windows/Linux boxes (usually unpatched..) under the hood, and can be attacked over your network too (or used to attack your internal network!).

Ensure that both billing and system logging is enabled, and monitored. Otherwise a problem won’t be spotted until the next phone bill arrives.

The most important thing to take away is an awareness of the problem. Dealing with PABX’s can be complex. Don’t be afraid to get expert help. Your telco and PABX vendor are the best places to start. If you can’t get the support you need, change to one that will. If you have any advice, please add it below.

It’s the long weekend – do you know what your PABX is up to?

Another long weekend, and another PABX hacking takes place.

It tends to come in waves, but lately it’s been particularly
nasty with at least one report of a $250,000 weekend for one local company.

You probably know how it works but it bears repeating.
Ratbags ring around after business hours looking for a PABX system. They try
various combinations of readily available default passwords (user name and
password set to 0000 for example) and once they’ve struck gold they wait for a
long weekend.

Staff clear out on Friday at 5pm, then the diallers start
in. They have access to the set-up systems of the hacked PABX (which hasn’t
really been hacked, just left unguarded) so they assign all the direct dial
outbound lines to call numbers overseas – typically in those countries that
couldn’t care less about such things. Think Somalia or Azerbaijan. These
compromised systems spend the next three days dialling out and every time they
connect the company in questions starts paying through the nose for the toll

The staff return to work on Monday none the wiser until the
phone bill arrives, typically with tens of thousands of dollars’ worth of toll
calling included.

The company will then ring the telco which will say sorry
but your phones made all those calls, and even if the local telco waives any
profit margin and offers the calls at cost, you’re still in the gun for
thousands of dollars owed to a foreign telco that isn’t going to take no for an

The ratbags in question typically get a clip of the revenue
earned in their country and have had quite a profitable weekend. Even if the
host telco over there wises up and kicks them out, there’s always another telco
to use.

Rinse, repeat until wealthy.

This isn’t a new phenomenon – in 2005 we covered the
at Computerworld and even then we referred to advice given in 2003.

There are, however, some simple steps you can take here to
make sure you’re not done over. Fortunately it’s all quite straight forward.

First, talk to your PABX system provider. Actually, the real
first step is to figure out if anyone in your organisation is responsible for
the PABX – in many cases I’m told responsibility has devolved to the IT department
who don’t necessarily know all the old PABX hacker tricks.

But talk to your provider about securing your system and you’ll
probably discover the easiest thing to do is change the default passwords to
something more difficult.

I’m in two minds about password security – on the one hand a
long and tricky password means you’re unlikely to be hacked. On the other hand,
who can remember them? Bruce Schneier once told me the best way to secure a
system was with a long password that’s complex and difficult that is written
down and stored by the computer, on the basis that anyone who steals your PC
won’t know about the bit of paper and will miss it, and anyone who’s hacking in
from outside won’t be able to see the bit of paper because they’re in another
country. I quite like that.

TelstraClear has a page of advice on what to do that’s worth
a read. The TCF put out a warning last year and also has a page of information on what to do.

While the telcos do what they can to limit the damage from
this kind of thing, at the end of the day we the customers have to play our
part and making sure we bolt the door before we head away for a break is a very
good thing to do.