​Security and metadata: Keeping a lid on the honeypot

Damien Manuel

Damien Manuel is Chief Information Security Officer (CISO) for Blue Coat, now part of Symantec, in Australia & New Zealand. With more than 20 years of business, governance and ICT experience in security, Manuel leads Blue Coat’s team of consultants in the region, carrying on the company’s legacy of delivering the best possible protection against advanced adversaries. He works with senior IT executives from Blue Coat’s customers to help ensure they align their security architectures to industry best practices. Before his appointment as Blue Coat’s CISO, Manuel worked as a senior information security governance manager and later as an enterprise IT and Security risk manager at National Australia Bank (NAB) and was responsible for managing the banks’ Information Security Standard globally. Prior to NAB, Manuel was an account director at RSA, where he was responsible for enterprise accounts with a major emphasis on financial services and telecommunications. He also held senior roles at Telstra and Melbourne IT. He is currently on CompTIA’s executive advisory committee and is the national branch director for the Australian Information Security Association (AISA ). Manuel holds an MBA from the University of Melbourne; a Project Management Diploma from the University of New England; a Post Graduate degree in Genetics Engineering from Monash University; and a Bachelor degree in Education majoring in Chemistry & Biology from the University of Melbourne.

Australia’s Data Retention Bill comes into full force this October. Telecommunication companies, phone carriers and Internet service providers will be legally required to store individuals’ metadata for a period of two years.

Although many of these companies already store some elements of your metadata, most do not store so much or for so long.

The government states the bill was urgently needed to “keep our community safe”. Metadata is “vital to nearly every counter-terrorism, organised crime, counter-espionage and cyber-security investigation”. That is true. But widespread, large-scale and lengthy data storage holds new dangers of its own.

Firstly - what is metadata?

If you’re using your phone or computer – it’s likely that your metadata is being recorded.

Your phone use: Metadata includes the phone number of everyone you have called, when you called them and the duration of the call. The number of everyone you SMS’d and when is also included. The metadata also details your approximate location when calling or texting by recording the location of the cell tower your phone communicated with.

Your emails: With some email providers, the government will be able to see; who you have emailed, the date and time you sent the email and the size of any attached files. If you use an overseas webmail provider this information is not available.

Your activity online: The metadata includes your IP address which can be used to identify your device. The time and duration of your web connections are also recorded as well as the volume of uploads and downloads. The metadata also includes the location of the cell tower your phone communicated with whenever it connected to the internet. Many popular apps request location information at regular intervals which can make these cell tower maps fairly detailed.

So exactly what is captured and reported on? Name and address information, contract agreements, billing and payment information, source of communication, destination of communication, date, time and duration of communication, type of communication (e.g. SMS, voice, email, chat, forum etc…), type of service (e.g. ADSL, WiFi, VoIP etc…), features of the service (e.g. call waiting, call forwarding, data volume usage), location of equipment used in the communication (e.g. cell towers, WiFi hotspots etc) and additional data to determine the actual start or end of communications.

What metadata isn’t

It is important to remember that although significant personal information is included in the definition of metadata – the content of communications is not. Agencies cannot listen in on your calls, read emails or view your web browsing history without a warrant.

The metadata ‘honeypot’

Storing hourly data on the habits of nearly every Australian is a huge task for corporations now covered by the amendment.

Major Telcos, CISOs and civil liberties groups have warned that these data stores will be a ‘honeypot’ for malicious actors. It’s very valuable data. It will be a prime target for hackers.

Some hackers will want to access systems for politics or prestige. Criminals will want to use the data to make money. What if metadata reached the wrong hands? Isn’t it inevitable?

Blackmailers could learn who called Narcotics Anonymous, a suicide helpline or a brothel. They could threaten to spill such information to a partner or employer (their numbers guessed from the data) unless a digital currency payment is made.

The addresses and contacts of celebrities and notable figures, and their families, can be gleaned from metadata by those with limited data analytics skills.

What if hackers sold an individual’s regular weekday evening location, which can be seen in the data, to a violent ex-partner?

The Government’s Privacy Commissioner Timothy Pilgrim has admitted: “People could be placed in serious physical danger if there was to be a breach.”

Security

Given the gravity of these potential consequences, clearly it is essential those storing metadata have stringent security measures in place. Many companies have applied for an extension until 2017 to get systems operational. PricewaterhouseCoopers estimated the upfront capital cost to all business to be between $190 million and $320 million. The government has said it will make a ‘reasonable contribution’ towards costs.

The government legislation states that metadata stored by companies must be encrypted and protected from unauthorised interference or access. But the security measures must go beyond the company held repositories.

More than 20 agencies will be able to access this information without a warrant if signed off by a senior officer. Detailed analysis by Fairfax Media found around 2500 officials could sign-off on access, the majority of them police officers.

We need clarity on how metadata will be secured once it has been accessed. How long can it be kept after an individual has been ruled out of an investigation? Are there limits on how much downloaded data can be stored and by whom? How will access be monitored and security enforced? Will we be informed if there is a breach?

It would only take one determined hacker or one careless officer to put thousands of Australians at risk. If your credit card details are stolen you can quickly close the account and get a new one. The consequences of leaked metadata can be irreversible.

How long until we see another amendment and extensions on the type of data captured? The general public didn’t bat an eyelid to this mass surveillance, a realisation that the dynamics of privacy have changed. However, they may be asking themselves later, how long until we see another amendment and possible extensions of these very controversial powers of data collection. Politics aside, the question the public should be asking is regarding the ultimate security of the data itself.


Tags: privacy, data retention, Fairfax Media, honeypot, CSO Australia, Damien Manue

Show Comments